Security Practices

CoinDeal adheres to the highest standards of security. In fact, we proudly declare we contribute to creating Security Standards in the CryptoWorld. Below you can find out what makes CoinDeal so unique.


Swiss Operations Empowerment.

Even though we need to wait up to 2 years to get regulated in Switzerland, in the meantime we are already using our office located there for some of our operations:

  • Storing cold wallet keys in Swiss banks’ deposits
  • Securing company funds in Swiss banks (but not user funds yet - we need to obtain a license in order to do that).


User funds security standards.

  • Our company owns a bank account in Denmark exclusively for accepting customer funds (EURO). This is possible because we have a track record of over one year of selling Bitcoin to customers (under the brand name Verified Solutions Ltd. on BuyCoinNow.com) - with a turnover of over 10 million dollars (currently around 1.5 million USD a month).
  • We, being a trusted company, were recommended to this particular bank. Danish banks are more open to cryptocurrency businesses than those in other countries. And you should be aware that it’s nearly impossible to open up a bank account for such a business at this moment, in any country in the world. Even the biggest exchanges are struggling to own any bank accounts - for example, there is not a single bank account owned by cryptocurrency-related companies in England. We are therefore glad and proud to be positively verified and accepted by the Danish bank.


Cryptocurrencies security standards.

There is absolutely no way for hackers to steal money from our platform. It is possible neither for a hacker nor for an insider (such as a programmer, DevOps engineer or administrator, not even for the management of the company). Here’s why.

  • We decided to build our system using a microservices architecture. This means our system is built from many independent elements. They are maintained by separate teams and not a single person has access to all modules.
  • Our innovation is that each module signs each request with its private key (in a manner similar to what happens on a blockchain). Other modules know its public key, so they can check whether the signature is correct. If some signature is missing, other modules won't accept such a request. Therefore, even if someone breaches the system and gains access to all modules but one, they cannot do anything.
  • Some modules require user input, like OTP or e-mail confirmation, where only the user knows the proper answer. So, for example, no one can make a payout from the user’s account without said user’s consent - not even the administrator.


Incoming payments security standards.

  • On the first day of its run, CoinDeal exchange generated many public addresses, allowing payments, and stored its private keys in secure places (including Swiss Banks).
  • We only connected the public addresses to the computer system, without their respective private keys.
  • The computer system monitors these addresses to check if there are any new funds. If yes, we credit funds to the user's account, without actually moving them or having access to them.
  • A separate computer system, with no connection to the first one, collects money from these addresses and sends it to either withdrawal addresses or cold wallets - depending on the type of transaction.
  • Money is stored on the payment addresses for no more than a few days (in most cases one day at most). There is no way for someone to find out where this system is located, and even if someone does (or the owner/administrator of this system decides to steal the money), they will only have access to the incoming payments from a single day (which will be less than 1% of exchange funds and will immediately get noticed by automated systems).


Outgoing payments security standards.

  • An external system is responsible for the payouts and always requests all modules’ digital signatures.
  • Additionally, we use multi-signature addresses for payouts, needing two blockchain signatures (these are other signatures than the ones used by internal system modules).
  • You might think that someone could hack this external system - but it is not possible. Here is why:
    • One system prepares a payout while checking all the (modules’) signatures. If everything is OK, the payout is prepared and signed with a single blockchain signature.
    • Another system, which is offline (meaning it cannot be accessed from the internet), connects to the internet for a few seconds periodically, only to download the file with the prepared payouts (and even during this short period of time it is not visible from the outside). This system verifies all the signatures - not only the ones from modules, but also the ones from the first system. The system checks if the payout makes sense - for example, if the moved funds are relatively small and if the address belongs to the exchange. If everything is correct, it proceeds with the payout. Otherwise it requests a manual check from the exchange’s staff (additional acceptance criteria). However, it is important to note that funds are stored on multisig addresses, so the system can’t make a payout without the signature from the first system. It cannot modify the payouts sent from the first system either, as they are already signed and any modification will make the signature invalid.

As you can see, a hacker would need to hack numerous systems, including one that is offline and inaccessible from the Internet. It is entirely impossible.
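The rule that every module must sign a request, and the offline system's verify-then-check step described above, sketched as an added example (this is not CoinDeal's code). Ed25519 stands in for the unspecified signature scheme; the module names, request fields and limit are assumptions, and only the payout-size check is modelled, not the multisig blockchain signatures.

```go
package main

import "crypto/ed25519"
import "fmt"

// Payout is a constructed request format; all field names are assumptions.
type Payout struct {
	ID, Address string
	Amount      int64             // smallest currency unit
	Sigs        map[string][]byte // module name -> signature
}

// canonical returns the exact bytes every module signs (%q keeps fields unambiguous).
func (p Payout) canonical() []byte { return []byte(fmt.Sprintf("%q|%q|%d", p.ID, p.Address, p.Amount)) }

// Decide needs a valid signature from every module in keys, then sizes the payout.
func Decide(p Payout, keys map[string]ed25519.PublicKey, limit int64) string {
	for name, pub := range keys {
		if sig, ok := p.Sigs[name]; !ok || !ed25519.Verify(pub, p.canonical(), sig) {
			return "reject"
		}
	}
	if p.Amount > limit {
		return "manual review"
	}
	return "pay"
}

// Demo runs four constructed payouts past three hypothetical modules.
func Demo() (full, large, missing, tampered string) {
	mods := []string{"accounts", "otp", "ledger"}
	keys, privs := map[string]ed25519.PublicKey{}, map[string]ed25519.PrivateKey{}
	for _, m := range mods {
		keys[m], privs[m], _ = ed25519.GenerateKey(nil) // nil selects crypto/rand
	}
	sign := func(p Payout, by ...string) Payout {
		p.Sigs = map[string][]byte{}
		for _, m := range by {
			p.Sigs[m] = ed25519.Sign(privs[m], p.canonical())
		}
		return p
	}
	full = Decide(sign(Payout{ID: "tx-1", Address: "addr-1", Amount: 500}, mods...), keys, 1000)
	large = Decide(sign(Payout{ID: "tx-2", Address: "addr-1", Amount: 5000}, mods...), keys, 1000)
	missing = Decide(sign(Payout{ID: "tx-3", Address: "addr-1", Amount: 500}, "accounts", "ledger"), keys, 1000)
	forged := sign(Payout{ID: "tx-4", Address: "addr-1", Amount: 500}, mods...)
	forged.Address = "addr-2" // edited after signing, so no signature matches
	return full, large, missing, Decide(forged, keys, 1000)
}

func main() { fmt.Println(Demo()) }
```

The verifier holds only public keys, so compromising it does not let anyone produce a request the other modules would accept.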


Cold Wallets Security Standards

  • To be absolutely sure that situations like private key losses, programming errors or system failure are inconceivable, 90% of funds are stored OFFLINE and are out of reach of the computer system.
  • For the funds’ storage we use multi-signature addresses with five keyholders, of whom 3 are needed to move the funds.
  • Keys are assigned to particular people. In this case, if funds were stolen, it would be absolutely clear which one of these 5 people had moved the funds. Moving funds around needs consent of 3 out of 5 people. This is ensured by the blockchain on its own.
  • We have chosen these five people very carefully, since they are people of great responsibility. They are not disclosing publicly who they are, but their public keys (not the private ones) are stored in a Swiss bank deposit with their names. Therefore, in case of any doubts, it can always be checked who signed a particular transfer.
  • We periodically check if all of these people still have access to their private keys. This way, we can react properly if even one of them has lost access to his keys.

This system is used by the biggest cryptocurrency exchange markets, such as Bitfinex. It is the most secure way to store funds.


Personal Data security standards

  • Your personal data, such as your document number or even your birth date, are stored on separate servers. This means that our primary servers do not store this data. The data are only available by request and are requested only if a certain user needs them - and of course, the user can only download their own data. So in the (purely theoretical) case of a breach of our world-visible servers, a hacker would need to hack our internal servers as well, which makes it a much more complicated task.
  • A very limited number of people have access to these data. After being checked by AML specialists, the data are hidden and are not accessible to anyone anymore, unless requested by the authorities (or by the user).


Personal Documents security standards

  • Scans of your IDs and pictures of you are stored on the servers of an external company (under the brand Jumio).
  • These data are directly uploaded to Jumio without ever reaching our servers. This ensures that there is no possibility of your documents leaking out.

Jumio is a well-known company, cooperating with such giants as Coinbase or Airbnb.


SSL

We use SSL (https) so your data are always encrypted and cannot be eavesdropped when entering our websites.


Password security standards

  • Your password is hashed using industry-standard algorithms, so it is never stored in plain text and is not known even to our administrators. This way, the so-called rainbow tables cannot be used to hack passwords.
  • We enforce strong passwords, so any brute force methods will not be effective either.
  • We use OTP (one-time password / two-factor authentication / Google Authenticator).
  • We use SMS authentication.

Thanks to our high security standards, even if you give your CoinDeal account password and your private e-mail password to a hacker, he will not be able to withdraw any funds from CoinDeal! Obviously, do not ever give your passwords to anyone, as they will be able to harm you in many ways. However, it sure feels good to be sure your funds cannot be moved without someone having access to your email, passwords and phone at the same time. Even without you being able to access your account, not only your funds, but also your private data are safe here.

There are many more additional ways CoinDeal secures its funds and data. We are open for discussion if you have any concerns or ideas. Feel free to drop us a note at our support page.