Is Coinfloor right for you?

As the UK’s No.1 Bitcoin exchange, Coinfloor has to make business decisions as to who we accept as customers for commercial, compliance, fraud risk and impending regulatory reasons.

For the avoidance of doubt, below we clarify the customers we do and do not accept.

Coinfloor is for:

Investors:

Individuals or businesses looking to invest in bitcoins as:

  • A new kind of commodity that many believe could have supernormal returns over the mid to long term*
  • An uncorrelated asset that could strengthen their investment portfolio*
  • A potential inflation hedge to help maintain the value of some of their savings / holdings*

* This should in no way be considered or treated as investment advice.

Traders:

Individuals or businesses looking to trade bitcoins on Coinfloor (in a way that is similar to trading traditional assets on stock, FX or commodity markets).

Regulated and pre-emptively compliant brokerages, payment processors and remitters:

  • Brokerages: Individuals or businesses looking to provide a bitcoin brokering service
  • Payment processors: Businesses offering bitcoin payment processing for merchants.
  • Remitters: Businesses offering bitcoin remittance.

All the above customer types must be carrying out the level of “Know Your Customer”, Anti Money Laundering, Counter Terrorist Financing and compliance processes befitting a high risk space such as this.

Other customers not listed in the “Coinfloor is not for” section below:

Coinfloor reviews these on a case-by-case basis to decide whether they are acceptable.

Coinfloor is not for:

Money launderers / financial criminals / terrorist financers:

  • Anyone looking to use bitcoins for the purposes of hiding wealth to avoid paying tax.
  • Anyone receiving bitcoins from the proceeds of theft, extortion (e.g. ransomware) or other illegal (as defined under UK law) activity.
  • Anyone planning to use bitcoins to support a terrorist organisation or send funds to a sanctioned country (as defined under UK law).

Darknet market users:

  • Anyone planning to use bitcoins to buy products or services on darknet or Tor markets.

Unlicensed gambling site users:

  • Anyone looking to use “dice” sites or any other form of unlicensed (under UK law) gambling sites.

Unlicensed brokerages, payment processors and remitters who are not preemptively compliant:

  • This includes any individual or company whose activity on Coinfloor could be described, in significant part, as constituting brokerage, payment processing or remittance and who is not carrying out the level of “Know Your Customer”, Anti Money Laundering, Counter Terrorist Financing and compliance processes befitting a high-risk space such as this.

Coinfloor continually enhances the measures it employs to identify the types of customers using our site. If we determine that you are not an individual or organisation we are willing to serve, we will take immediate action to disable and/or close your account.

We hope that the above helps clarify who Coinfloor is and is not right for. If you have any questions please feel free to contact us.

Coinfloor Team


Removing SMS 2FA for sign in and password recovery and advice on Email and Phone security

Skip to the bottom of this post if you just want information on setting up the Authy App and details of the additions we have made to our 2FA security processes.

As you may be aware from recent news stories, there has been an increase in people having their mobile phone numbers taken over by attackers who social-engineer mobile phone operator staff.

In summary, the attacker contacts the victim’s phone operator and convinces a call centre agent to transfer the victim’s phone number to another SIM card that the attacker controls. The attacker then resets the victim’s email password using the SMS recovery option on the email account, at which point they often have everything they need to access the vast majority of the victim’s online accounts.

What makes this different from other attacks is that a victim can have reasonably good security and still be compromised: the weak link is the operator’s account-change process, not the victim’s own devices or passwords.

To prevent this, we recommend that you do not in any way enable the use of your phone number to recover access to your email address or vice versa.

Below is a short summary of useful steps you can take to secure your email, mobile phone and phone number if you are not already doing so.

How to secure your email

All email systems are different but high level we recommend the following:

  • Do not use SMS or voice for 2FA access to your email (unless there is no other option).
  • Do not use SMS or voice for password recovery for your email account (even if there is no other option).
  • Set up device based 2FA solutions such as Authy* or Google Authenticator so that authentication is only possible if you have the actual phone and not just the phone number.
  • Only ever enter 2FA credentials directly on the site they are meant for. Do not pass the details on to anyone or approve a Google prompt or Microsoft Authenticator notification even if you have previously been contacted and told to expect this 2FA request.
  • Do not reuse passwords anywhere. One account, one password.
  • Do not use password hints.

* Although Authy asks for a phone number to ease setup, by default it does not allow switching to a new physical phone, even if the phone number has not changed. This protection should not be disabled (by allowing Multi-Device 2FA) except for the short period when a new device is intentionally being added (such as the Chrome app or a second known phone), after which it should be disabled again immediately.

How to secure your mobile phone and phone number

  • Encrypt your phone.
  • Set up a lock screen password, PIN, etc.
  • Take advantage of any extra security features from your phone operator, such as requiring an extra PIN or password before changes can be made to your account.
  • If your phone stops working (no signal, no calls or texts) and a restart does not fix the problem, contact your phone operator immediately to find out why; loss of service is often the first sign that your number has been moved to another SIM.
  • Contact your phone operator and, if possible, ask them to require you to go in person to an operator-owned store with proof of identity in order to transfer your phone number to a different SIM card*.

* Unfortunately, this last suggestion is not foolproof and you must take action to secure your phone and email in order to limit the damage caused in the event a hacker succeeds in taking over your phone number.

Coinfloor’s security additions in light of the increased “phone number takeover” risk

Since day one, all Coinfloor users have been required to set up either Authy (SMS and App) or YubiKey Two-Factor Authentication. So if someone were to find out a user’s username and password they would still not be able to log into their account without the user’s Authy One-Time Password token or YubiKey device. 2FA on Coinfloor is, and always has been, mandatory.

To help reduce the impact of a hacker taking over any of our users’ phones, we have also made the following recent additions to our security processes:

1. We have disabled SMS 2FA authentication for sign in and password recovery

If you have been using YubiKey, you are not affected by this change.

If you have been using SMS tokens to sign in to your Coinfloor account, you now need to install the Authy app and set it up using the same phone number on which you had been receiving the SMS codes. If you don’t have a smartphone or tablet, or you use a Windows phone, you can install the app on your computer. The app is available for the following operating systems:

The device you set up with the Authy app becomes the “something you have” factor for signing in to your Coinfloor account: the One-Time Passwords are generated from a secret stored on that device, not from your phone number.
Once the app is set up, Coinfloor will automatically appear in your list of accounts, because your Coinfloor Authy account was already created for the SMS service. Please note that the Authy app cannot be replaced by Google Authenticator for Coinfloor.


2. We require more authentication / verification before changing 2FA settings

If you ever wish to change the 2FA details you store with us (i.e. switch between Authy and YubiKey, or change your phone number), you will be required to provide a selfie in which you are holding a valid government ID and a piece of paper with text clearly confirming your wish to make the change, together with the current date. This is in addition to the information we already require.

These are unfortunately less convenient processes than the ones we had before, but we feel that, as attention towards Bitcoin increases, they are now warranted.

Summary

The above advice goes beyond Bitcoin.  As we all grow to rely on the internet and our phones more, the cost of our smart devices and online accounts being hacked also increases.  Please be vigilant and hopefully you can prevent your phone or email being taken over or at least limit the damage significantly if they are.

Coinfloor Team

Helpful links:

What is a YubiKey?
Why YubiKey wins?
Buy a YubiKey compatible with your Coinfloor account
What is Authy?
Authy for PC – is this still Two-Factor Authentication if I am using the same device?
Using Multi-Device with Authy and device control
PCMag – Two-Factor Authentication: Who Has It and How to Set It Up

Provable Solvency Report #33 – December 2016

Coinfloor is a custodian of client bitcoins and we believe that we must set the industry standard for transparency and regular audits. Without proper public accountability, the industry will not be able to grow and mature. This is why we are committed to releasing a Provable Solvency Report every month. Coinfloor is proud to have the longest-standing track record among bitcoin exchanges with regard to auditing.

Today we are publishing our 33rd monthly Provable Solvency Report with step-by-step validation instructions for your convenience.

As of today, Coinfloor holds a total of 6,193.0988 XBT on behalf of our clients. You are invited to verify that your held bitcoins are included in this balance by following the instructions below.

What does the Provable Solvency Report include?

We started out by creating an obfuscated report of all current client balances (the Solvency Report) and then generated a SHA-256 hash of this report.

We then created a bitcoin transaction to ourselves that spends all currently held client bitcoins, for a value of 6,251.1114 XBT (more than the 6,193.0988 XBT held for clients), and included the SHA-256 hash of the report in an OP_RETURN output script. Because the hash is embedded in a transaction that moved these funds, it shows that at the time the solvency report was made Coinfloor controlled all of our clients’ XBT funds, and it commits us to that particular report: any later change to the balance list would change the hash. You can verify the amount and details of the transaction in the block chain.

Key Pieces of information:

Provable Solvency Report #33 (December 20, 2016):
https://s3-eu-west-1.amazonaws.com/provablesolvency/solvency_20161220.txt

SHA-256 Hash of the Provable Solvency Report: 74eca22a2790bcecbf10e690bef09c48d41c5248b86a57d9ba7903df3513c1c5

Transaction ID: 5185b7374eec400d9f8b70ebe3787aad2b54fdfcf1766b9d6bdb45ea98e0514b

View the transaction here:
https://blockchain.info/tx/5185b7374eec400d9f8b70ebe3787aad2b54fdfcf1766b9d6bdb45ea98e0514b

Your API authentication cookie:
You will find it in My Account > Dashboard in the Coinfloor signed in view, in the API section (visible only for fully verified accounts).

Where is my cookie?!

Instructions for Validating Solvency Report:

      1. Open the Provable Solvency Report file:

https://s3-eu-west-1.amazonaws.com/provablesolvency/solvency_20161220.txt

      2. Calculate the SHA-256 hash of the report, either at

http://www.xorbin.com/tools/sha256-hash-calculator or with your local SHA-256 application (e.g. sha256sum).

      Hash the file exactly as downloaded; pasting its text into a web form can change line endings or trailing whitespace and give a different digest. The result should equal the hash published above.
      3. Go to

https://blockchain.info/tx/5185b7374eec400d9f8b70ebe3787aad2b54fdfcf1766b9d6bdb45ea98e0514b

      At the bottom of the page, in the Output Scripts section, you will find the same hash in the OP_RETURN output script of the transaction that includes all customer bitcoins. Compare it with the hash you calculated in step 2.
      4. Using your local SHA-1 application (not a web page: your API authentication cookie is a credential and should never be pasted into a third-party site), calculate the SHA-1 digest of a message consisting of the timestamp shown at the top of the Solvency Report (1482251901) immediately followed by your API authentication cookie, with no separator and no trailing newline.
      Example (Linux):
                timestamp: 1482251901
                API authentication cookie (API Key): 9BTa7M0Z/Mrk6tFMJwEkTV3BQek=
                command: echo -n '14822519019BTa7M0Z/Mrk6tFMJwEkTV3BQek=' | sha1sum
      5. Find the resulting hash in the solvency report. Your balance is shown on that line in satoshi units (1 bitcoin = 100 000 000 satoshis). For your convenience, here is a link to a bitcoin unit converter:

http://www.satoshi.24ex.com
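The five steps above, scripted end to end. This is an added example and not Coinfloor’s own tooling; it runs offline on a constructed sample report. Two things are assumed because the post does not show them: the layout of a report line (taken here as `<sha1 hex> <balance in satoshi>`, with the timestamp on the first line) and the exact form of the OP_RETURN script (taken as the standard `6a20` followed by the 32-byte hash). The example also goes one step beyond the instructions: it sums every balance line in the report and checks that this total (the exchange’s liabilities) does not exceed the value of the anchoring transaction, which is the check that ties the per-customer lines to the on-chain funds.

```python
import hashlib
import re
from decimal import Decimal
from typing import Optional

SATOSHI_PER_XBT = Decimal(100_000_000)

# Values published in this report (copied from the post above).
PUBLISHED_SHA256 = "74eca22a2790bcecbf10e690bef09c48d41c5248b86a57d9ba7903df3513c1c5"
REPORT_TIMESTAMP = "1482251901"


def report_sha256(report_bytes: bytes) -> str:
    """Step 2: hash the exact bytes of the downloaded report file."""
    return hashlib.sha256(report_bytes).hexdigest()


def op_return_payload(script_hex: str) -> Optional[str]:
    """Step 3: extract the committed digest from a scriptPubKey of the form
    OP_RETURN <push>. 0x6a is OP_RETURN; a single byte 0x01..0x4b pushes that
    many bytes. Returns None for any other script (e.g. a P2PKH output)."""
    script = bytes.fromhex(script_hex)
    if len(script) < 2 or script[0] != 0x6A:
        return None
    n = script[1]
    if not 1 <= n <= 0x4B or len(script) != 2 + n:
        return None
    return script[2:].hex()


def balance_commitment(timestamp: str, api_cookie: str) -> str:
    """Step 4: SHA-1 over timestamp||cookie, no separator, no newline
    (the post's `echo -n '...' | sha1sum`). Run locally: the cookie is a credential."""
    return hashlib.sha1((timestamp + api_cookie).encode("ascii")).hexdigest()


# ASSUMED line layout '<sha1 hex> <satoshi>'; the post does not show the real one.
LINE_RE = re.compile(r"^([0-9a-f]{40})\s+(\d+)$")


def find_balance_xbt(report_text: str, commitment: str) -> Optional[Decimal]:
    """Step 5: locate your line and convert satoshi to XBT."""
    for line in report_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(1) == commitment:
            return Decimal(m.group(2)) / SATOSHI_PER_XBT
    return None


def total_liabilities_sat(report_text: str) -> int:
    """Sum of every balance line: what the anchoring transaction must cover."""
    matches = (LINE_RE.match(l.strip()) for l in report_text.splitlines())
    return sum(int(m.group(2)) for m in matches if m)


# Constructed sample report (NOT the real file): the post's example cookie
# plus one made-up second customer, with made-up balances.
EXAMPLE_COOKIE = "9BTa7M0Z/Mrk6tFMJwEkTV3BQek="
SAMPLE_REPORT = "\n".join([
    REPORT_TIMESTAMP,
    f"{balance_commitment(REPORT_TIMESTAMP, EXAMPLE_COOKIE)} 150000000",
    f"{balance_commitment(REPORT_TIMESTAMP, 'constructed-other-cookie=')} 25000000",
]) + "\n"


def verify(report_text: str, expected_sha256: str, op_return_script_hex: str,
           timestamp: str, api_cookie: str, tx_value_xbt: Decimal) -> dict:
    """Run every check and report each result separately."""
    digest = report_sha256(report_text.encode("utf-8"))
    committed = op_return_payload(op_return_script_hex)
    my_balance = find_balance_xbt(report_text, balance_commitment(timestamp, api_cookie))
    liabilities = Decimal(total_liabilities_sat(report_text)) / SATOSHI_PER_XBT
    return {
        "report_hash_matches": digest == expected_sha256,
        "hash_on_chain": committed == digest,
        "my_balance_xbt": my_balance,
        "liabilities_covered": liabilities <= tx_value_xbt,
    }


if __name__ == "__main__":
    d = report_sha256(SAMPLE_REPORT.encode("utf-8"))
    print(verify(SAMPLE_REPORT, d, "6a20" + d, REPORT_TIMESTAMP, EXAMPLE_COOKIE, Decimal("6251.1114")))
```

To use it against the real report, read the downloaded file as bytes for `report_sha256`, take the OP_RETURN script hex from the transaction page, and pass the transaction value and your own cookie; only the individual checks that come back `True` have actually been verified.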

We believe that this approach is the best way to achieve maximum accountability while retaining privacy for our clients. We welcome your feedback and hope that in time, other exchanges will also help safeguard client funds by providing proof of solvency reports to their users on regular basis.

Thank you for your trust,

Coinfloor Team