
Security

Our Security Overview

bitwallet Security Measures

bitwallet (Bitwallet Service Group) is a leading payment service provider that possesses high levels of security both online and offline to keep customers’ funds safe and secure on our platform. Our mission is to continuously strive for security improvement while achieving an intuitive browsing experience for all users. The team believes that establishing better security on our platform will strengthen the trust between our customers and us.

Our team takes security measures against fraud and unauthorised use seriously. Regulations such as AML (Anti-Money Laundering), KYC (Know Your Customer Identity Verification), etc. have been implemented to ensure international compliance standards on our platform.


Security

Compromised cyber security can pose a great threat to your personal financial assets. bitwallet is constantly building on strategies to safeguard our customers against security threats.

bitwallet observes the industry best practices and principles written in the Executive Order under Improving Critical Infrastructure Cybersecurity. This enables bitwallet to fulfil international security standards and improve the resilience of the infrastructure. The following are the information security measures based on the Framework of the National Institute of Standards and Technology (NIST), which consists of three parts: the Framework Core, the Implementation Tiers, and the Framework Profiles.

Framework Core

The Framework Core is composed of five functions – Identify, Protect, Detect, Respond, Recover.

1. Identify
(1) Offering custody and management of customer’s assets

User’s assets are safely protected on bitwallet. Assets such as currency are managed separately in a secure manner.

(2) High-level Financial Institution Management

A high-level financial institution dealer should not only implement security measures on the system itself but also improve the organisation and process. As such, bitwallet has implemented a security framework capable of triggering a recovery process upon anomaly detection, identifying the root cause and diagnosing the anomaly promptly. We intend to implement this feature, and further refine it.

2. Protect
2.1 Encryption
(1) SSL Certificate

bitwallet uses SSL encryption technology for data communications. SSL is a security certificate that enables a secure connection between our platform and server while ensuring all data remains confidential.

(2) SSL-VPN Certificate

Our network server is SSL-VPN encrypted to prevent unauthorised third parties from stealing data, as all data will be encrypted before transmission.

2.2 Firewall Network Security
(1) Firewall

A firewall acts as a filter between the network and the internet. The firewall adds security to our server as it prevents threats such as malware and viruses from being transmitted.

(2) Web Application Firewall

bitwallet uses a web application firewall (WAF) to protect against malicious attempts to compromise our system or exfiltrate our data. The bitwallet WAF blocks common attack patterns for our operating system, software and service.

(3) IP Anycast

A DoS (Denial of Service) attack is an attempt to flood the user network with useless traffic, such as spam emails (mail bomb) and multiple ping request packets, that causes a machine or network to shut down, making it inaccessible to the intended users. There are also DDoS attacks that will crash network functionality permanently. bitwallet uses IP Anycast to redirect the requests away.

(4) Intrusion Detection System (IDS)

When the server receives network traffic from multiple sources, the IDS is able to monitor it, detect suspicious activity and issue alerts. The system is capable of taking action on discovered malicious activity and abnormal traffic. bitwallet uses 2 types of the systems – Network Intrusion Detection System and Host Intrusion Detection System. Network intrusion detection monitors inbound and outbound traffic while host intrusion detection can identify malicious traffic that comes from the host itself.

(5) Unified Threat Management (UTM)

UTM consolidates multiple security services and features such as IDS, IPS and other web contents to protect bitwallet from security threats.

2.3 Identity Verification
(1) Strong Password

Reusing a password, or making a simple password with only letters such as “bitcoin”, makes it weak and easy to break. bitwallet only allows strong passwords that contain a long combination of upper and lower case characters, numbers and punctuation marks, making them harder to break.

(2) Account Lock

If a user has multiple failed login attempts, this will be treated as unauthorised access by a third party and, as a result, the account will be locked. Reset your password if you have forgotten it. Your account will only be recovered once you have gone through identity authentication.

(3) 2-Factor Authentication

To prevent unauthorised access by third parties, 2-Factor Authentication (2FA) acts as an extra layer of security when you log in to bitwallet. Users will require their account password and a second login step with their own token to access their account. This makes it harder for potential intruders to gain access as they do not have the token to log in.

(4) Monitor Login History

Your login history will be saved in the server each time you have logged in from a particular device or through the web, including the general location and IP address. View them to see if there is any unrecognised login.

(5) Session Timeout

If you are inactive for a while after logging in, you will be automatically signed out of your account to prevent unauthorised access.

2.4 Program Measures
(1) Cross-Site Scripting

Cross-site scripting is a security attack in which an attacker may go after a vulnerable website from another trusted website. bitwallet input is sanitised to prevent this kind of attack. Potentially dangerous data will be removed or changed in the process, making it inexecutable.

(2) SQL Injection

SQL injection is an attack that uses SQL, the programming language used to communicate with databases, against vulnerable and open source databases. It sends commands to the server to disclose user information. bitwallet uses input sanitisation to prevent malicious commands from being executed. Data will be changed to inexecutable SQL language.

(3) Cross-Site Request Forgery

Cross-site request forgery is a security attack that forces a user to execute unwanted actions which are not authenticated. bitwallet uses secure coding and a WAF to block such potentially harmful attacks while monitoring the security system.

(4) Brute Force Attack

A brute force attack is a trial-and-error password cracking method that tries various passwords to break into your account by force. Use a strong password and set up 2FA to strengthen your account against this attack; your account will also be locked after a limited number of attempts.

(5) Password Encryption

The password you enter is encrypted before it is saved to the database: it undergoes a hashing process in which salt is added to the password, making it complex to read.

(6) IP Whitelisting

Only whitelisted IP addresses can proceed with payment transactions at bitwallet. Usage and access by any unrecognised IP address will be blocked.

2.5 Operational Check
(1) Selfie Submission

Submission of an Identity Document, Proof of Residential Address and Selfie is required. Selfies have been adopted by various Western countries for online identity verification purposes. The purpose of this verification procedure is to prevent fake identity theft from happening.

(2) Mail or SMS Authentication

A generated ID will be sent to you via mail or SMS for authentication if you wish to raise the credit card limit. The authentication will be completed once you have entered the ID within the given time.

(3) Withdrawal Bank Account Confirmation

Our team will be checking for incorrect account information such as bank name, branch name and account number daily.

(4) Remitter Account Confirmation

All transaction information will be verified before sending, and transactions may be delayed due to the additional time required for checking. Please include your Account Identification Number (Account ID + 3 Digits) in the Remitter’s Name during a bank transfer.

(5) Outsource Unauthorised Use Checks

We have engaged an outsourced service to monitor the daily usage by each user to look out for any unauthorised use.

(6) Withdrawal and Refund Guidelines

To prevent cases of money laundering and misuse of credit cards, we will first review the past usage history of the user manually before any refund or withdrawal transaction can be made. This will help to stop any card fraud in time.

3. Detect
(1) Server Examination

Once any error is found in our server by our scheduled automatic server examination, an emergency call will be activated, shutting down all systems to minimise the damage that may be incurred.

(2) Database Encryption

All of your sensitive data will be encrypted when stored in our database. Encrypted data is hard to decrypt.

(3) Independent Fraud Detection System

A public blockchain is a network created with multiple nodes. It is completely open and anyone can join and participate in the network. Each node requires monitoring of its process and performance. bitwallet has implemented a monitoring server that allows real-time information collection from each node while saving its logs. This enables us to check for and act early on any unauthorised access or transaction detected, using the validation between nodes’ transactions.

4. Respond
(1) Contingency Plans

Contingency plans are in place to address security failures. Countermeasures and prevention are efficiently formulated and executed by having extensive scenario-based challenges mimicking security failures.

(2) Incident Analysis

bitwallet has gone through many validation tests and analyses during the development process and will continue to perform security checks after it has been released. Should any security hole be discovered during a check, the team will work on locating and rectifying the problem swiftly.

5. Recover
(1) Recovering Plans

Recovery plans are in place to address security failures and are executed based on the extensive and detailed steps written in the troubleshooting manual, which allows a faster recovery time.

(2) The engineering team is constantly working on improving stability and formulating solutions for new risks

The bitwallet team is made up of encryption specialists, professional individuals and skilful engineers who combat unexpected risks with the latest technology.

(3) Improve Security Response Process

In the event of a joint security failure between multiple companies, the information will be saved and archived for sharing to improve data correspondence. In addition, constant reviews and improvements are made to the response process to deal with security breaches.

The Implementation Tiers

Tiers reflect how an organization implements the core functions and manages its risk. bitwallet aims to achieve the highest tier with enhanced managing process.

1. Risk Management Process

At bitwallet, security risk management measures are approved by management and established as a policy. Our team will address security measures as the top priority.

2. Integrated Risk Management Program

Any and all bitwallet employees participate in risk management related to cybersecurity information.

Framework Profile

The profile helps bitwallet to establish a roadmap to reduce cybersecurity risk and to describe our current state, desired target state and risk management process.

bitwallet is based on the United States Executive Order – “Framework for Improving Critical Infrastructure Cybersecurity” and combines best practices in the industry from an international perspective.


Additional Clauses

The displayed fee will start from July 1, 2018.

Revision

The 2.5 Operational Check (1) Selfie Submission has been revised on August 1, 2018.
The 1. Identify has been revised on January 21, 2022.
