Better Two-Factor Authentication (2FA)

We have required all of our customers to use two-factor authentication (2FA) from day one. In keeping with our security-first philosophy of protecting and educating our customers, we want to provide some background on our 2FA system to encourage our customers to use the Authy app for 2FA rather than SMS, and to dispel some common misconceptions.

About Authy

Gemini uses the Authy service for 2FA. Authy is an independent cloud service called on to perform secondary verification once we have checked that a customer has provided correct login credentials (i.e., email and password). Authy offers multiple options for second-factor […]

Coinfloor moves to Zero Fee Trading

Summary of the change

Coinfloor is moving to zero fee trading and will be replacing trading fees with percentage fees (in addition to bank processing fees) on GBP and other fiat deposits and withdrawals. Bitcoin deposits will be free and bitcoin withdrawals will be charged a flat 0.0005 XBT fee to cover fees charged by the bitcoin network. Zero fee trading will go live later this week (17/1/2017) and fiat deposit and withdrawal percentage fees will go live early next week (24/1/2017). Full details of the new fees can be found on our fees page.

Why the change?

We are already the most liquid GBP/XBT exchange but we believe this change will increase trade volumes and improve liquidity even further.

What does this mean for you?

If you are a regular buyer or seller on Coinfloor, you should find that your overall costs (i.e. deposit/withdrawal costs and trading costs) will stay roughly the same.

If you are a regular trader on Coinfloor Exchange, you can now trade bitcoins for free, paying no fees other than those on any occasional deposits or withdrawals. Also, if you are depositing, trading and withdrawing profits in XBT, you will only pay the nominal XBT withdrawal fees.

What does this mean for Coinfloor?

We are setting the deposit, withdrawal and trade fees at levels which we believe are sustainable for Coinfloor and attractive to our customers.

However, this is a significant and unprecedented change, so we will be monitoring how it performs and, if necessary, we will revert to a more traditional trading-fee-based structure.

We are excited to see how this change is adopted by our customers and are happy to hear any feedback that you may have.

Coinfloor Team


Is Coinfloor right for you?

As the UK’s No.1 Bitcoin exchange, Coinfloor has to make business decisions as to who we accept as customers for commercial, compliance, fraud risk and impending regulatory reasons.

For the avoidance of doubt, below we clarify the customers we do and do not accept.

Coinfloor is for:

Investors:

Individuals or businesses looking to invest in bitcoins as:

  • A new kind of commodity that many believe could have supernormal returns over the mid to long term*
  • An uncorrelated asset that could strengthen their investment portfolio*
  • A potential inflation hedge to help maintain the value of some of their savings / holdings*

* This should in no way be considered or treated as investment advice.

Traders:

Individuals or businesses looking to trade bitcoins on Coinfloor (in a way that is similar to trading traditional assets on stock, FX or commodity markets).

Regulated and pre-emptively compliant brokerages, payment processors and remitters:

  • Brokerages: Individuals or businesses looking to provide a bitcoin brokering service.
  • Payment processors: Businesses offering bitcoin payment processing for merchants.
  • Remitters: Businesses offering bitcoin remittance.

All the above customer types must be carrying out the level of “Know Your Customer”, Anti-Money Laundering, Counter-Terrorist Financing and compliance processes befitting a high-risk space such as this.

Other customers not in the “Coinfloor is not for” section below:

Coinfloor would need to review these on a case-by-case basis to decide if they are acceptable.

Coinfloor is not for:

Money launderers / financial criminals / terrorist financiers:

  • Anyone looking to use bitcoins for the purposes of hiding wealth to avoid paying tax.
  • Anyone receiving bitcoins from the proceeds of theft, extortion (e.g. ransomware) or other illegal (as defined under UK law) activity.
  • Anyone planning to use bitcoins to support a terrorist organisation or send funds to a sanctioned country (as defined under UK law).

Darknet market users:

  • Anyone planning to use bitcoins to buy products or services on the darknet or tor markets.

Unlicensed gambling site users:

  • Anyone looking to use “dice” sites or any other form of unlicensed (under UK law) gambling sites.

Unlicensed brokerages, payment processors and remitters who are not pre-emptively compliant:

  • This includes any individual or company whose activity on Coinfloor could be described, in significant part, as constituting brokerage, payment processing or remittance and who is not carrying out the level of “Know Your Customer”, Anti-Money Laundering, Counter-Terrorist Financing and compliance processes befitting a high-risk space such as this.

Coinfloor continually enhances the measures it employs to identify the types of customers using our site. If we determine that you are not an individual or organisation we are willing to serve, we will take immediate action to disable and/or exit your account.

We hope that the above helps clarify who Coinfloor is and is not right for. If you have any questions please feel free to contact us.

Coinfloor Team


Removing SMS 2FA for sign in and password recovery and advice on Email and Phone security

Skip to the bottom of this post if you just want information on setting up the Authy App and details of the additions we have made to our 2FA security processes.

As you may be aware from news stories in the press, there has been a recent increase in the instances of people having their mobile phone numbers taken over by malicious attackers via social engineering of mobile phone operator staff.

In summary, the attack involves a hacker contacting a victim’s phone operator and convincing a call centre agent to transfer the victim’s phone number over to another, hacker-controlled, SIM card. From there, the hacker arranges to reset the victim’s email using the SMS recovery option on their email account, by which point the hacker often has all the information they need to access the vast majority of the victim’s online accounts.

What makes this different from other attacks is that someone can have reasonably good security and still have it circumvented, because the weak point is the phone operator’s process rather than anything the victim controls.

To prevent this, we recommend that you do not in any way enable the use of your phone number to recover access to your email address or vice versa.

Below is a short summary of useful steps you can take to secure your email, mobile phone and phone number if you are not already doing so.

How to secure your email

All email systems are different, but at a high level we recommend the following:

  • Do not use SMS or voice for 2FA access to your email (unless there is no other option).
  • Do not use SMS or voice for password recovery for your email account (even if there is no other option).
  • Set up device based 2FA solutions such as Authy* or Google Authenticator so that authentication is only possible if you have the actual phone and not just the phone number.
  • Only ever enter 2FA credentials directly on the site they are meant for. Do not pass the details on to anyone or approve a Google prompt or Microsoft Authenticator notification even if you have previously been contacted and told to expect this 2FA request.
  • Do not reuse passwords anywhere. One account, one password.
  • Do not use password hints.

* Although Authy asks for a phone number to ease setup, by default it does not allow the account to be moved to a new physical phone, even if the phone number has not changed. This protection should not be disabled (by enabling Multi-Device 2FA) except for the short period in which you intend to add a new device (such as the Chrome App or a second known phone), after which it should be disabled again immediately.

How to secure your mobile phone and phone number

  • Encrypt your phone.
  • Set up a lock screen password, PIN, etc.
  • Take advantage of any extra security features from your phone operator, such as requiring an extra PIN or password before changes can be made to your account.
  • If your phone stops working and a restart does not fix the problem, contact your phone operator immediately to find out why.
  • Contact your phone operator and, if possible, ask them to require you to personally go into an operator-owned store with proof of identity in order to transfer your phone number to a different SIM card*.

* Unfortunately, this last suggestion is not foolproof and you must take action to secure your phone and email in order to limit the damage caused in the event a hacker succeeds in taking over your phone number.

Coinfloor’s security additions in light of the increased “phone number takeover” risk

Since day one, all Coinfloor users have been required to set up either Authy (SMS and App) or YubiKey Two-Factor Authentication. So if someone were to find out a user’s username and password they would still not be able to log into their account without the user’s Authy One-Time Password token or YubiKey device. 2FA on Coinfloor is, and always has been, mandatory.

To help reduce the impact of a hacker taking over any of our users’ phones, we have also made the following recent additions to our security processes:

1. We have disabled SMS 2FA authentication for sign in and password recovery

If you have been using YubiKey, you are not affected by this change.

If you have been using SMS tokens to sign in to your Coinfloor account, you now need to install the Authy App and set it up using the same phone number to which you had been receiving the SMS. If you don’t have a smartphone or a tablet, or you use a Windows phone, you can install the app on your computer. The app is available for the following operating systems:

The device you set up with the Authy App will become “something you have” to sign in to your Coinfloor account with the One-Time Passwords generated by the app.
Once the app is set up, Coinfloor will automatically appear on your list of accounts, since your Coinfloor Authy account was already set up for the SMS service. Please note that the Authy App cannot be replaced by Google Authenticator.


2. We require more authentication / verification before changing 2FA settings

If you ever wish to change the 2FA details you store with us (i.e. switch between Authy and YubiKey or change phone number), you will be required to provide a selfie of your face while holding a valid Government ID and a piece of paper with text clearly confirming your wish to make the change, along with the current date. This is in addition to the information we already require.

These are unfortunately less convenient processes than the ones we had before, but we feel that, as attention towards Bitcoin increases, they are now warranted.

Summary

The above advice goes beyond Bitcoin. As we all grow to rely on the internet and our phones more, the cost of our smart devices and online accounts being hacked also increases. Please be vigilant and hopefully you can prevent your phone or email being taken over or at least limit the damage significantly if they are.

Coinfloor Team

Helpful links:

What is a YubiKey?
Why YubiKey wins?
Buy a YubiKey compatible with your Coinfloor account
What is Authy?
Authy for PC – is this still Two-Factor Authentication if I am using the same device?
Using Multi-Device with Authy and device control
PCMag – Two-Factor Authentication: Who Has It and How to Set It Up