All Posts in “Security”

Five Commandments For Those New To Bitcoin

Given the year Bitcoin has had, it’s no surprise there’s been a whole lot more interest than when it first started. Eight years ago, hardly anyone knew what a cryptocurrency was. Now you can’t avoid someone mentioning Bitcoin at the pub or, dare we say it, at your family’s annual Christmas BBQ.

So, if you’ve just decided to jump on the bitcoin bandwagon, welcome – it’s great you’ve finally seen the light. Now sit tight and pay attention before you pay to play.

Update on Heartbleed Challenge

Last week we posted about Heartbleed and how it affected our services. At the time of writing, our servers had been patched and tested to ensure that Heartbleed did not affect us when the news was made public.

New developments took place over the weekend. CloudFlare set up the Heartbleed Challenge and confirmed that it is possible to extract a server’s SSL private key using the exploit. This means that any server that ever ran a vulnerable version of OpenSSL could have had its key exposed. This includes CoinJar servers, though we consider an actual exploit against us highly unlikely.

We had already begun the process of replacing our certificates last week, prior to hearing the news. Once we have updated things on our end we will let you know and recommend you change your password. Until then we will be monitoring our systems for suspicious activity.

As always, we strongly encourage you to set up MFA (Multi Factor Authentication) on your account as an extra level of security.

Heartbleed and CoinJar Security

We published an update about the Heartbleed Challenge on Monday, 14 April.

By now, you’ve probably heard of the ‘Heartbleed’ bug. It’s a serious bug in OpenSSL that allows an attacker to access information on a secured server. OpenSSL is an industry standard and is part of the backbone of Internet security.

While there’s not a lot of good news around this flaw, we are happy to confirm that we are not affected by the bug. CoinJar’s SSL sites were patched by our service providers prior to the exploit being disclosed. Once the announcement was made we also verified that none of our services were running any of the affected versions (OpenSSL 1.0.1 through 1.0.1f inclusive).

Although we aren’t affected by this flaw, many other organisations are. If you use your CoinJar password in any other place, we strongly recommend you change it as a precautionary measure. This serves as a timely reminder to use a strong, unique password for each of your Internet accounts and consider MFA (Multi Factor Authentication) as an added level of protection.

As always, please contact us via our Support Forum if you have any questions or concerns. You can learn more about Heartbleed here.

Please see the update we published about the Heartbleed Challenge on Monday, 14 April.

Update – Support Ticketing System

11 Apr 2014

In a blog post published yesterday, ENTP (the creator of CoinJar’s support ticketing system, named Tender) confirmed that Tender was never affected by the Heartbleed bug.

Information submitted to CoinJar Support via Tender is safe and sound.

Update – ID Verification Service

11 Apr 2014

CoinJar reached out to GreenID, our ID verification service provider, who confirmed that GreenID “are not using an affected version of the OpenSSL library”.

ID information submitted to CoinJar is safe and sound, and held in accordance with our Privacy Policy.

Multi Factor Authentication

At CoinJar security is our top priority. To enhance customer account security we provide Multi-Factor Authentication (MFA). When enabled, MFA requires that you authorise payments on at least one other device (such as your mobile phone) before a transaction can be processed. The following article describes MFA, and we have an associated knowledge base article to assist you in getting it all set up.

What is Multi Factor Authentication?

Multi factor authentication (MFA) means a website requires confirmation from more than one device before you can perform a particular action (e.g. log in or process a transaction). Once set up correctly, you obtain a code either by SMS or from an authentication app (e.g. Google Authenticator) and input it into that website to authorise the action.

Let’s use sending bitcoin using CoinJar as an example. The first factor authentication comes from logging in with your CoinJar username and password. The second factor is required when you go to send bitcoin or alter your account settings.

CoinJar will send a MFA code to your phone, which you will then input where requested. This tells CoinJar that the person who has requested the withdrawal also has access to your phone, thus confirming that the requester is most likely you. This helps protect your account from hackers in case they manage to gain access to your password.
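To show what the application (TOTP) factor described above actually does, here is an added example of how an authenticator app derives its six-digit code and how a service should verify it; this is illustrative code, not CoinJar’s implementation. It uses the published RFC 6238 test key rather than any real secret, and the drift window and constant-time comparison are the checks a verifying server would want.

```python
import base64
import hashlib
import hmac
import struct
import time


def key_from_base32(secret: str) -> bytes:
    """Decode the base32 secret shown in an authenticator app's setup QR code.
    Re-adds the '=' padding, since apps and QR codes commonly omit it."""
    s = secret.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # low nibble of the last byte picks the window
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)            # keep leading zeros


def totp(key: bytes, timestamp: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of `step`-second intervals since the Unix epoch.
    This is what the app on your phone computes; no network is involved."""
    return hotp(key, int(timestamp) // step, digits)


def verify_totp(key: bytes, submitted: str, timestamp: float, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current step plus `window` steps either side to absorb
    clock drift, and compares in constant time so response timing does not leak matching digits."""
    candidate = submitted.strip().replace(" ", "").encode()
    counter = int(timestamp) // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + drift, digits).encode(), candidate):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 Appendix B test key (ASCII "12345678901234567890"), a published vector, not a real secret.
    key = b"12345678901234567890"
    print(totp(key, 59))                       # 287082
    print(verify_totp(key, "287082", 59))      # True
    print(totp(key, time.time()))              # the code an app seeded with this key would show right now
```

A single step outside the window (90 seconds of drift with the defaults) is rejected, which is why a phone whose clock has wandered will fail MFA even with the correct secret.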

This guide was previously a walkthrough of MFA activation; this information is now captured in our knowledge base. See the links below for more details.

Setting up SMS authentication

Follow the steps under the heading Setting up SMS Authentication in the knowledge base article, Keeping your CoinJar Secure with Multi Factor Authentication.

Setting up Application (TOTP) authentication

Follow the steps under the heading Setting up TOTP Authentication in the knowledge base article, Keeping your CoinJar Secure with Multi Factor Authentication.

Using MFA to send bitcoin

Follow the steps under the heading Sending Bitcoin in the knowledge base article, Sending Bitcoin.


MFA is becoming a standard across the board as hackers think of more and more complicated tricks to compromise internet based accounts. With MFA enabled, an attacker needs to compromise at least two of your devices, which greatly reduces the chance of your account being accessed.

If you have any questions about this article please take a look at the knowledge base and also feel free to contact our Support team.