Our Security Overview
bitwallet (bitwallet PTE LTD) is a leading payment service provider that maintains high levels of security both online and offline to keep customers' funds safe on our platform. Our mission is to strive continuously for security improvement while offering an intuitive experience to all users. The team believes that building better security into our platform strengthens the trust between our customers and us.
Our team takes security measures against fraud and unauthorised use seriously. Controls required by regulations such as AML (Anti-Money Laundering) and KYC (Know Your Customer identity verification) have been implemented so that our platform meets international compliance standards.
View the detailed security measures below
A compromise of cyber security can pose a great threat to your personal financial assets. bitwallet is constantly building on its strategies to safeguard customers against security threats.
bitwallet observes the industry best practices and principles set out in the United States Executive Order on Improving Critical Infrastructure Cybersecurity and the framework that NIST developed under it. This enables bitwallet to meet international security standards and improve the resilience of its infrastructure. The information security measures below are organised according to the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which consists of three parts: the Framework Core, the Implementation Tiers, and the Framework Profiles.
The Framework Core is composed of five functions: Identify, Protect, Detect, Respond and Recover.
1. Identify
(1) Custody and management of customers' currency funds
Users' assets are safely protected on bitwallet. Customer assets such as currency are held and managed separately, in a secure manner, and balances are reconciled regularly on both sides of the accounts.
(2) Customised Wallet Policy: Multi-sig
To keep users' private keys safe from theft when funds are held in cold wallets, wallets can be secured with the additional feature of Multi-sig (multi-signature), which requires multiple independent approvals before funds can be spent. Even if one private key is stolen, a transaction cannot be completed without access to the other keys. bitwallet is therefore proud to introduce this feature on our platform to protect users against theft.
(3) Managing customers' funds with cold wallets
If your private keys are disclosed, all of your currency may be lost. To safeguard private keys against theft, there are two types of wallet to choose between: hot wallets and cold wallets. Hot wallets hold private keys on an online server, which makes it easier for attackers to steal the funds, while cold wallets hold private keys offline; cold storage is the preferred storage method at bitwallet.
(4) High-level Financial Institution Management
A high-level financial institution dealer should not only implement security measures on the system itself but also improve its organisation and processes. bitwallet has therefore implemented a security framework capable of triggering a recovery process upon anomaly detection, identifying the root cause and diagnosing the anomaly promptly. We intend to continue rolling out and refining this capability.
2. Protect
2.1 Encrypted Communications
(1) SSL Certificate
bitwallet uses SSL/TLS encryption for data communications. The SSL certificate lets a user's browser verify the identity of our server and establishes an encrypted connection between the user and our platform, keeping all data in transit confidential.
(2) SSL-VPN
Access to our network servers goes over an SSL-VPN, so all data is encrypted before transmission. This prevents unauthorised third parties from intercepting and stealing it.
2.2 Firewall Network Security
(1) Firewall
A firewall acts as a filter between our network and the internet. It adds security to our servers by blocking connections that are not permitted by policy, reducing the paths by which threats such as malware and viruses can reach them.
(2) Web Application Firewall
bitwallet uses a web application firewall (WAF) to protect against malicious attempts to compromise our systems or exfiltrate our data. The WAF blocks common attack patterns targeting our operating systems, software and services.
(3) IP Anycast
A DoS (Denial of Service) attack attempts to flood a network with useless traffic, such as spam email (a mail bomb) or large numbers of ping requests, so that a machine or network becomes unavailable to its intended users. A DDoS (Distributed Denial of Service) attack does the same from many sources at once and can keep a service offline for an extended period. bitwallet uses IP Anycast so that incoming requests are spread across multiple sites, diverting attack traffic away from any single server.
(4) Intrusion Detection System (IDS)
An IDS monitors the network traffic reaching our servers, detects suspicious activity and raises alerts. The system can also take action on discovered malicious activity and abnormal traffic. bitwallet uses two types of system: a Network Intrusion Detection System (NIDS), which monitors inbound and outbound network traffic, and a Host Intrusion Detection System (HIDS), which identifies malicious activity on the host itself.
(5) Unified Threat Management (UTM)
UTM consolidates multiple security services and features, such as IDS, IPS and web content filtering, in a single platform to protect bitwallet from security threats.
2.3 Identity Verification
(1) Strong Password
Reusing passwords, or choosing a simple password consisting only of letters such as "bitcoin", makes it weak and easy to crack. bitwallet only allows strong passwords: a long combination of upper and lower case letters, numbers and punctuation marks, which is much harder to crack.
(2) Account Lock
If there are multiple failed login attempts on an account, they are treated as an unauthorised access attempt by a third party and the account is locked. If you have forgotten your password, reset it. The account is only restored after you have completed identity authentication.
(3) 2-Factor Authentication
To prevent unauthorised access by third parties, 2-Factor Authentication (2FA) acts as an extra layer of security when you log in to bitwallet. In addition to the account password, the user must enter a code from their own token as a second step before gaining access. This makes it much harder for an intruder to get in, since they do not hold the token.
(4) Monitor Login History
Each time you log in, whether from a particular device or through the web, your login history is saved on the server, including the approximate location and IP address. Review it to check for any unrecognised logins.
(5) Session Timeout
If you are inactive for a period after logging in, you are automatically signed out to prevent unauthorised use of an unattended session.
2.4 Program Measures
(1) Cross-Site Scripting
Cross-site scripting (XSS) is an attack in which an attacker injects script into a vulnerable website so that it runs in other users' browsers with the trust of that site. bitwallet sanitises and encodes user-supplied data to prevent this kind of attack: potentially dangerous data is removed or escaped so that it cannot execute.
(2) SQL Injection
SQL injection is an attack in which an attacker embeds SQL commands in input fields so that the database executes them, disclosing or modifying user information. bitwallet validates and sanitises input so that malicious commands cannot be executed: user data is passed to the database as data, never as executable SQL.
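The difference between splicing input into the query text and passing it as a parameter, shown on a constructed in-memory SQLite table (an added example, not bitwallet's code or schema; the table, the payload and the allowlist of sortable columns are assumptions for illustration):

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for a customer table (not bitwallet's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", 500), ("bob", "bob@example.com", 120)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """Input is spliced into the SQL text, so a quote in the input rewrites the query."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """Parameterised query: the value travels separately from the statement and is
    only ever compared as a string, never parsed as SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Identifiers (column and table names) cannot be bound as parameters, so the
# remaining safe option is a strict allowlist of the values the code accepts.
SORTABLE_COLUMNS = {"username", "email", "balance"}


def list_users_sorted(conn: sqlite3.Connection, order_by: str) -> List[Tuple]:
    if order_by not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {order_by!r}")
    return conn.execute(
        f"SELECT username, balance FROM users ORDER BY {order_by}"
    ).fetchall()


# Classic tautology payload: the WHERE clause becomes always-true.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))  # leaks every row
    print("safe:      ", lookup_safe(db, PAYLOAD))        # matches nothing
```

With the payload, `lookup_vulnerable` returns both rows because the statement becomes `... WHERE username = 'x' OR '1'='1'`, while `lookup_safe` returns nothing because the driver only looks for a user literally named `x' OR '1'='1`. Sanitising quotes helps only for the string context; parameters and allowlists remove the problem for every context.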
(3) Cross-Site Request Forgery
Cross-site request forgery (CSRF) is an attack that tricks a logged-in user's browser into sending requests the user did not intend, so that actions are performed under the user's existing authentication. bitwallet uses secure coding practices and the WAF to block such attacks, and monitors its security systems.
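A server-side check for a state-changing request, combining an Origin allowlist with a synchronizer token bound to the session, as an added example (not bitwallet's own code). The secret key, the allowed origin `https://bitwallet.example`, the token lifetime and the dictionary shape of `request` are assumptions for illustration:

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Hypothetical values for this example, not bitwallet's configuration.
SERVER_SECRET = secrets.token_bytes(32)          # per-deployment secret key
ALLOWED_ORIGINS = {"https://bitwallet.example"}  # our own site only
TOKEN_MAX_AGE = 3600                             # seconds


def issue_csrf_token(session_id: str, now: Optional[int] = None) -> str:
    """Token = timestamp + HMAC(secret, session_id:timestamp).

    Binding the token to the session id means a token captured from one user
    is useless for forging requests in another user's session."""
    ts = int(time.time()) if now is None else now
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{ts}".encode(), hashlib.sha256)
    return f"{ts}:{mac.hexdigest()}"


def verify_csrf_token(session_id: str, token: str, now: Optional[int] = None) -> bool:
    try:
        ts_text, mac_hex = token.split(":", 1)
        ts = int(ts_text)
    except (AttributeError, ValueError):
        return False
    current = int(time.time()) if now is None else now
    if not (0 <= current - ts <= TOKEN_MAX_AGE):
        return False  # expired, or claims to come from the future
    expected = hmac.new(
        SERVER_SECRET, f"{session_id}:{ts}".encode(), hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(expected, mac_hex)  # constant-time comparison


def handle_transfer(request: Dict, now: Optional[int] = None) -> str:
    """Checks a fund-transfer POST. `request` is a constructed stand-in for a
    framework request object with 'method', 'headers', 'cookies' and 'form'."""
    if request.get("method") != "POST":
        return "405 method not allowed"  # never change state on GET
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return "401 not logged in"
    # Defence 1: the browser-controlled Origin header must name our own site.
    origin = request.get("headers", {}).get("Origin")
    if origin not in ALLOWED_ORIGINS:
        return "403 bad origin"
    # Defence 2: the token in the form body must match this session. A page on
    # another site can make the browser send our cookie, but cannot read the token.
    token = request.get("form", {}).get("csrf_token", "")
    if not verify_csrf_token(session_id, token, now):
        return "403 invalid csrf token"
    return "200 transfer accepted"
```

The attacker's page can cause the victim's browser to submit the form with the victim's session cookie attached, which is why the cookie alone must never authorise the action; the token is the proof that the request came from a page we served into that session.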
(4) Brute Force Attack
A brute force attack is a trial-and-error password-cracking method that tries many candidate passwords until one succeeds. Using a strong password and enabling 2FA protects your account against this attack, and the account is locked after a limited number of failed attempts.
(5) Password Hashing
The password you enter is never stored in plain text. It is combined with a random salt and run through a one-way hashing function before being saved to the database, so the stored value cannot be reversed to recover the password even by someone who obtains the database.
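Salted password hashing together with the failed-attempt lockout described under 2.3 (2) and 2.4 (4), as one added example (not bitwallet's code). PBKDF2-HMAC-SHA256 from the standard library stands in for whatever hash bitwallet uses; the iteration count, the lockout threshold, the stored-record format and the `AccountStore` class are assumptions for illustration:

```python
import hashlib
import hmac
import os
from typing import Dict

# Hypothetical parameters for this example, not bitwallet's settings.
ITERATIONS = 600_000      # OWASP's current guidance for PBKDF2-HMAC-SHA256
MAX_FAILED_ATTEMPTS = 5   # lock the account after this many bad passwords


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm, cost, salt and digest.

    A fresh 16-byte random salt per user means two users with the same password
    get different records, and precomputed (rainbow) tables are useless."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and cost; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:  # malformed record
        return False


class AccountStore:
    """In-memory user store with a failed-attempt counter and lockout."""

    def __init__(self, iterations: int = ITERATIONS) -> None:
        self.iterations = iterations
        self.users: Dict[str, dict] = {}
        # Verified against for unknown usernames so the response time does not
        # reveal whether an account exists.
        self._dummy = hash_password("dummy-password", iterations)

    def register(self, username: str, password: str) -> None:
        self.users[username] = {
            "record": hash_password(password, self.iterations),
            "failures": 0,
            "locked": False,
        }

    def login(self, username: str, password: str) -> str:
        user = self.users.get(username)
        if user is None:
            verify_password(password, self._dummy)  # burn the same time as a real check
            return "invalid"
        if user["locked"]:
            return "locked"  # even the right password is refused until unlocked
        if verify_password(password, user["record"]):
            user["failures"] = 0
            return "ok"
        user["failures"] += 1
        if user["failures"] >= MAX_FAILED_ATTEMPTS:
            user["locked"] = True
            return "locked"
        return "invalid"

    def unlock_after_identity_check(self, username: str) -> None:
        """Called only once the user has passed identity re-verification."""
        user = self.users[username]
        user["locked"] = False
        user["failures"] = 0
```

Because the record carries its own iteration count, the cost can be raised for new passwords without invalidating existing ones; old records are simply rehashed at the new cost the next time the user logs in successfully.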
(6) IP Whitelisting
Only whitelisted IP addresses can proceed with payment transactions at bitwallet. Access from any unrecognised IP address is blocked.
2.5 Operational Check
(1) ID Selfie Submission
Submission of an identity document, proof of residential address and an ID selfie is required. ID selfies have been adopted in various Western countries for online identity verification. The user takes a frontal photo of themselves holding the identity document, so that the photo on the document can be compared with the person submitting it. The purpose of this procedure is to prevent identity theft and the use of fake identities.
(2) Email or SMS Authentication
If you wish to raise your credit card limit, a generated code is sent to you by email or SMS for authentication. Authentication is completed once you enter the code within the allowed time.
(3) Withdrawal Bank Account Confirmation
Our team checks daily for incorrect withdrawal account information such as bank name, branch name and account number.
(4) Remitter Account Confirmation
All transaction information is verified before funds are sent, and processing may be delayed by the additional time required for checking. Please include your Account Identification Number (Account ID + 3 digits) in the remitter's name when making a bank transfer.
(5) Outsourced Unauthorised Use Checks
We have engaged an outsourced service to monitor each user's daily usage and look out for any unauthorised use.
(6) Withdrawal and Refund Guidelines
To prevent money laundering and misuse of credit cards, we manually review the user's past usage history before any refund or withdrawal transaction is processed. This helps stop card fraud in time.
3. Detect
(1) Server Examination
Our scheduled automatic server examination raises an emergency alert as soon as an error is found on a server, and the affected systems are shut down to minimise the damage it could cause.
(2) Database Encryption
Your sensitive data is encrypted while stored in our database, so that it cannot be read without the encryption keys even if the stored data is obtained.
(3) Independent Fraud Detection System
A public blockchain is a network made up of multiple nodes; it is completely open, and anyone can join and participate. Nodes require monitoring of their processing and performance. bitwallet has implemented a monitoring server that collects real-time information from each node and saves its logs. By validating transactions across nodes, this enables us to detect any unauthorised access or transaction early and act on it.
4. Respond
(1) Contingency Plans
Contingency plans are in place to address security failures. Countermeasures and preventive steps are formulated and rehearsed through extensive scenario-based exercises that mimic security failures.
(2) Incident Analysis
bitwallet went through many validation tests and analyses during development and continues to perform security checks after release. Should a security hole be discovered during a check, the team locates and rectifies the problem swiftly.
5. Recover
(1) Recovery Plans
Recovery plans are in place to address security failures and are executed following the extensive and detailed steps written in our troubleshooting manual, which allows faster recovery.
(2) Continuous improvement of stability and solutions for new risks
The engineering team constantly works on improving stability and formulating solutions for new risks. The bitwallet team is made up of cryptography specialists, experienced professionals and skilled engineers who combat unexpected risks with the latest technology.
(3) Improving the Security Response Process
In the event of a security failure involving multiple companies, the information is saved and archived so that it can be shared to improve coordination between the parties. In addition, the response process is constantly reviewed and improved to deal with security breaches.
The Implementation Tiers
Tiers reflect how an organisation implements the core functions and manages its risk. bitwallet aims to achieve the highest tier through an enhanced management process.
1. Risk Management Process
At bitwallet, security risk management measures are approved by management and established as policy. Our team treats security measures as the top priority.
2. Integrated Risk Management Program
All bitwallet employees participate in risk management related to cybersecurity information.
The Framework Profiles
The profile helps bitwallet establish a roadmap for reducing cybersecurity risk by describing our current state, our desired target state and our risk management process.
bitwallet's approach is based on the United States "Framework for Improving Critical Infrastructure Cybersecurity", developed under the Executive Order of the same name, and combines industry best practices from an international perspective.
Copyright © 2013-2021 Bitwallet Service Group All rights reserved.
PCI DSS 3.2 Assessed to Bitwallet Pte. Ltd. by ICMS-PCI 0287, a QSA for the Payment Card Industry Data Security Standard Council.