Coin.mx Interview Following Security Incident

By Drew Cordell (@DrewjCordell)
June 2, 2014

One redditor decided to shut down their account at Coin.mx because they felt the site's security was lacking. The user contacted coin.mx support via the chat feature on the site to close the account, mentioning only the email address on the account and that it had no balances or pending transactions. The support staff member then locked the account without any form of identity verification of the user.


The thread on reddit quickly took off and climbed to the front page. For your reference, here is the image of the conversation that took place between the coin.mx user and the tech support representative.

Following the turmoil, I got a chance to interview Jen, senior tech support manager at coin.mx, about the incident and what is being done about it. Here is the interview:

Can you explain what happened in the incident today?

One of our members requested that their account be deleted. One of our live chat agents disabled the member’s account.

Was what happened in the incident today a mistake?

What happened today was not a mistake, but we are reviewing our procedures in this specific situation and for all of our procedures. We feel our security is one step above bank level security and the reasons below will explain why.

Is it common for coin.mx to lock accounts without any verification of identity?

Locking or disabling an account is simply making an account inactive. We do not use email for account verification or security, as we do not feel this is a valid way to protect against fraud or malicious activity. Our two main sources of verification are video and SMS/text. For all withdrawals and deposits we utilize SMS/text confirmations to validate transaction requests and to protect our members' accounts. For large withdrawals or inconsistent activity we reach out to our members for phone verification as well.

If a user requests to change anything, we require verification through SMS and/or video.

In regards to today's incident, the user requested that his account be deleted. In the past we have not requested any documentation to either disable or re-enable an account because we did not feel that this type of request has any effect on the user's security or funds in any manner. We feel that this is a simple and quick option for our users to take if they have concerns that their computer has been compromised and want to disable their account immediately. Many users don't know that email is not a secure way to protect them, but we do, and that's why we have systems in place to protect our users.

The possible scenarios that would affect a user's account:

1. If the user was currently using our API, disabling the account would disable this functionality of the API.

– Our system does not allow an account to be disabled if an API is active; we request that the user disables the API first.

2. If the user has current open orders.

– Our system does not allow an account to be disabled if there are open orders. We require all open orders be deleted or executed first.

3. A member's coins or funds.

– 95% of all coins are stored in cold storage; our servers still have the proper ledgers to know exactly how much every user has at any point. Disabling an account does not affect the user's funds in any way; it simply denies access to the account until it is requested to be re-opened. When the account is re-opened, if a user requests a withdrawal of funds or any type of change that affects the security of the account, we require either SMS or video verification depending on the request. For phone number changes, we require video proof. By doing this we protect our members to the fullest extent, because if a hacker were to put spyware on one of our members' computers and tried to change account information, we require SMS verification for any withdrawal of funds, and if the fraudster tried to change the phone number, we would request that they submit a video requesting this. Our support staff then must match the person in the video to the original documentation used when opening the account.

What steps will be taken to ensure something like this doesn’t happen again in the future?

We may request that a user send a request from their email, but once again, this is not a proper way to protect a user. If a hacker were to install a trojan on the user's computer, the hacker would be able to send an email on behalf of the user anyway. Simply disabling and re-enabling accounts, in our eyes, is for banning users.

What training will be given to support representatives going forward?

We have 24/7 chat and email support, and our phone support is currently open for 18 hours a day. This is 7 days a week and 365 days a year. We pride ourselves on our support and feel that we have certain procedures in place and mechanisms in the technology to protect all of our members to the fullest. We have already addressed this situation with that specific representative. At all times we strive to be professional and courteous to all of our members. If you have a look at reviews on Reddit, Facebook, blogs and comments on Twitter, you will see that our support has a great reputation. There is always room for improvement, and we strive for this daily.

Conclusion:

To get in contact with Jen, I used the chat feature, was quickly helped by a very friendly member of support, and was given the manager's email address without a problem. Coin.mx has systems in place that will prevent accounts from being disabled if they have an active API, funds, or open orders. These features would make it impossible for a user to contact support, give the email address of a competing business that also uses coin.mx, and shut that business down for a few days: the competitor would still have funds and an API set in place, which would have to be disabled from inside the account. The incident does reiterate the need for enhanced security on any exchange or online business dealing in cryptocurrency. In conclusion, I believe that coin.mx still has quality security and that the systems in place are effective in protecting their members. coin.mx might need to review a few things and change them in the future; however, the exchange has security systems that will protect active users. The reddit thread inflated the issue, as users were not aware that active coin.mx accounts could not be closed the way the one in the chat was.

Disclaimer: The author has no relations with coin.mx and has never used coin.mx for any Bitcoin transactions. Featured image by Shutterstock.

Last modified (UTC): June 2, 2014 09:36
