Our company prioritizes the protection and safety of our client’s assets as the most important aspect of our business operations and are thorough in separate management. In investing and managing cryptocurrency, security is condensed into the “Private Key” required and used to move cryptocurrency. Here, we would like to introduce the concept of the attacks targeted at cryptocurrency, the preventative measures and management our company is taking, and explain the security structure the private key provides.
At our company, we separately manage all customer assets from company assets. To physically separate and store cryptocurrency of company-held assets and customer-held assets, we use a “Cold Wallet” system.
To ensure that there are no deficiencies in customer and company funds, we thoroughly review and calculate assets every business day.
At our company, aside from the assets needed for immediate remittance, cryptocurrency will be stored in cold wallets isolated from the internet.
When transferring cryptocurrency from a cold wallet to a “hot wallet”, we will utilize a system where the approval of multiple persons is required with an exclusive device. Only under the strict surveillance of multiple persons will cryptocurrency be transferred from cold wallets.
The “Multi-sig” (multi-signature) system, which requires multiple private keys when sending or remitting cryptocurrency is implemented in all cryptocurrencies that meet the security standards of our company. By storing multiple private keys outside the security system, this will lower the risks of security breaches.
At our company, to counter a third party’s malicious attempts to cyber-attack, we have devised countermeasures from the below four viewpoints:
・Customer account hacking and takeover
・Infiltration inside the system
・DDos attacks and clickjacking
・Mandatory utilization of a 2-stage authentication system when withdrawing and sending cryptocurrency.
・Similarly, utilize a 2-stage authentication system when a login attempt was made from a location with no login history.
・To detect any invasions of the system by preparing a 24-hour/365-day surveillance system and alert signal of the servers.
・Conduct periodic vulnerability diagnosis’s by an outside security advisor.
・Shutting out an overload of packets, implementing countermeasures to DDoS attacks and also implementing a WAF (Web Application Firewall) tool.
・By including an “X-Frame-Options” header in the HTTP response header, the browser will interpret it’s value and we will prevent clickjacking.
・For communication of the various pages that contain personal information, we will use SSL/TLS.