CRYPTOCURRENCIES SECURITY STANDARDS.
There is absolutely no way for hackers to steal money from our platform. It is not possible neither for a hacker nor an insider (such as a programmer, devops or administrator, not even for the management of the company). Here’s why.
We decided to build our system using microservices architecture. This means our system is built from many independent elements. They are maintained by separate teams and not a single person has access to all modules.
Our innovation is that each module signs (in a similar manner to that what happens on the blockchain) each request (with its private key). Other modules know its public key so they can check if the signature is correct. If some signature is missing, other modules won't accept such a request. Therefore, even if someone breaches the system but has access to all modules but one, they cannot do anything.
Some modules require user input, like OTP or e-mail confirmation, where only the user knows the proper answer. So, for example, no one can make a payout from the user’s account without said user’s consent - not even the administrator.
INCOMING PAYMENTS SECURITY STANDARDS.
On the first day of its run, Needyex exchange generated many public addresses, allowing payments, and stored its private keys in secure places).
We only connected the public addresses to the computer system, without their respective private keys.
Computer system is monitoring these addresses to check if there are any new funds. If yes, we credit funds to the user's account, without actually moving them or having access to them.
A separate computer system, with no connection to the first one, is collecting money from these addresses and sends them to either withdrawal addresses or cold wallets - depending on the type of transaction.
Money is stored on the payment addresses for no more than a few days (in most cases one day at most). There is no way for someone to find out where this system is located, and even if someone does (or the owner/administrator of this system decides to steal the money), they will only have access to the incoming payments from a single day (which will be less than 1% of exchange funds and will immediately get noticed by automated systems).
OUTGOING PAYMENTS SECURITY STANDARDS.
An external system is responsible for the payouts and always requests all modules’ digital signatures.
Additionally, we use multi-signature addresses for payouts, needing two blockchain signatures (these are other signatures than the ones used by internal system modules).
You might think that someone could hack this external system - but it is not possible. Here is why:
one system is preparing a payout while checking all the (modules’) signatures. If everything is OK, the payout is prepared and signed with a single blockchain signature
another system, which is offline (meaning it cannot be accessed from the internet), connects to the internet for a few seconds periodically, only to download the file with the prepared payouts (and even during this short period of time it is not visible from the outside). This system verifies all the signatures - not only the ones from modules but also the ones from the first system. The system checks if the payout makes sense - for example, if the moved funds are relatively small and if the address belongs to the exchange. If everything is correct, it proceeds with the payout. Otherwise, it requests a manual check from the exchange’s staff (additional acceptance criteria). However, it is important to note that funds are stored on multisig addresses, so the system can’t make a payout without signatures from point a). It cannot modify the payouts sent from system a), as it is already signed and any modification will make the signature invalid.
As you can see, a hacker would need to hack numerous systems, including one that is offline and inaccessible from the Internet. it is entirely impossible.
COLD WALLETS SECURITY STANDARDS.
To be absolutely sure that situations like private key losses, programming errors or system failure are inconceivable, 90% of funds are stored OFFLINE and are out of reach of the computer system.
For the funds’ storage we use multi-signature addresses with five keyholders, whereas 3 of them are needed to move the funds.
Keys are assigned to particular people. In this case, if funds were stolen, it would be absolutely clear which one of these 5 people had moved the funds. Moving funds around need consent of 3 out of 5 people. This is ensured by the blockchain on its own.
We have chosen these five people very carefully since they are people of great responsibility. They are not disclosing publicly who they are, but their public keys (not the private ones) are stored in Swiss bank deposit with their names. Therefore, in case of any doubts, it can always be checked who signed a particular transfer.
We periodically check if all of these people still have access to their private keys. This way, we can react properly if even one of them has lost access to his keys.
This system is used by the biggest cryptocurrency exchange markets, such as Bitfinex. It is the most secure way to store funds.
PERSONAL DATA SECURITY STANDARDS
Your personal data, such as your document number or even your birth date, are stored on separate servers. This means that our primary servers do not store this data. The data are only available by request and are requested only if a certain user needs them - and of course, the user can only download their own data. So in (a purely theoretical) case of breaching our world-visible servers, a hacker would need to hack our internal servers as well, which makes it a much more complicated task.
A very limited number of people has access to these data. After being checked by AML specialists, the data are hidden and are not accessible to anyone anymore, unless requested by the authorities (or by the user).
PERSONAL DOCUMENTS SECURITY STANDARDS
Scans of your IDs and pictures/video of you are stored in an external company’s servers.
These data are directly uploaded to a third party without ever reaching our servers. This ensures that there is no possibility of your documents leaking out.
We use SSL (https) so your data are always encrypted and cannot be eavesdropped when entering our websites.
PASSWORD SECURITY STANDARDS
Your password is hashed using industry-standard algorithms, so it is never stored in plain text and is not known even to our administrators. This way, the so-called rainbow tables cannot be used to hack passwords.
We enforce strong passwords, so any brute force methods will not be effective either.
We use OTP (one time password / two factor authentication / google authenticator)
We use SMS authentication
Thanks to our high-security standards, even if you give your Needyex account password and your private e-mail password to a hacker, he will not be able to withdraw any funds from Needyex ! Obviously, do not ever give your passwords to anyone, as they will be able to harm you in many ways. However, it sure feels good to be sure your funds cannot be moved without someone having to access your email, passwords, and phone at the same time. Even without you being able to access your account, not only your funds but also your private data are safe here.
There are many more additional ways Needyex secures its funds and data. We are open for discussion if you have any concerns or ideas. Feel free to drop us a note at our support page.