Our Security

Our addresses require up to 5 signatures for every withdrawal: one of ours, and up to 4 of yours. Simply put: we do not have access to your coins.
This section tells you how we approach our systems' and users' safety, and provides guidelines for you to follow.


Distributed Trust:
Customize your security

Our Distributed Trust (dTrust) framework helps you establish custom signature configurations for your addresses. This feature exponentially enhances your system's security compared to the single-signature addresses in general use today.

dTrust lets you add up to 4 keys next to the key we keep, and allows you to set your own signature requirement. You can then keep your keys on different machines or USB sticks, print them to paper, assign them to friends and family, run an escrow service, etc. In a high-security automated environment, you’d send your keys across the globe and store your secrets on different continents.

Moreover, you can use your dTrust addresses without using CofredCoin.



Basic multi-signature:
Keep your coins safe

To withdraw from our basic (default) addresses, 2 keys are needed. Multiple signatures have a number of security benefits over single-signature (regular) addresses.

One key is held by you, to make sure you always sign off on every transaction.

The second key is held by CofredCoin, which enables us to provide extra security to you through an enabled Wallet PIN.

With our double spend protection (through Green Address functionality) the second key also enables everyone that receives coins from a CofredCoin Green Address to spend them without having to wait for a large number of confirmations.

How we secure your data

Strong Encryption Standards

We encrypt all user secrets linked to your wallets through a 256-bit AES cipher and 25,000 PBKDF2 hash rounds. This makes cracking a single Wallet PIN extremely resource intensive: requiring over 1 million days on state of the art computers today!
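An added example, not CofredCoin's own code: how a Wallet PIN can be stretched on the client into a 256-bit AES key with 25,000 PBKDF2 rounds, and how the guessing work scales with the shape of the PIN. HMAC-SHA256 as the PRF, the 16-byte salt, the stored check value and all function names are assumptions; the page specifies none of them.

```python
import hashlib
import hmac
import os

ROUNDS = 25_000   # PBKDF2 iteration count stated on this page
KEY_BYTES = 32    # 256 bits, the key size AES-256 needs


def derive_key(pin: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Stretch a Wallet PIN into a 256-bit key with PBKDF2.

    Assumption: HMAC-SHA256 is the PRF; the page does not name one.
    """
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 random bytes")
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt,
                               rounds, dklen=KEY_BYTES)


def new_record(pin: str) -> dict:
    """Build what may be stored: salt, rounds and a check value, never the PIN."""
    salt = os.urandom(16)  # per-wallet salt defeats precomputed tables
    key = derive_key(pin, salt)
    # The check value is an HMAC under the key, so the key itself is not stored.
    check = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return {"salt": salt, "rounds": ROUNDS, "check": check}


def unlock(pin: str, record: dict):
    """Return the AES key if the PIN is right, else None (constant-time compare)."""
    key = derive_key(pin, record["salt"], record["rounds"])
    check = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return key if hmac.compare_digest(check, record["check"]) else None


def guessing_work(alphabet_size: int, length: int, rounds: int = ROUNDS) -> int:
    """PRF calls needed to try every PIN of this shape: keyspace x rounds."""
    return (alphabet_size ** length) * rounds


if __name__ == "__main__":
    record = new_record("correct horse 42")  # constructed sample PIN
    print("right PIN unlocks:", unlock("correct horse 42", record) is not None)
    print("wrong PIN unlocks:", unlock("correct horse 43", record) is not None)
    # The rounds multiply the cost of each guess; the PIN's shape sets the count.
    for name, size, length in [("4 digits", 10, 4), ("12 alphanumerics", 62, 12)]:
        print(f"{name}: {guessing_work(size, length):.3e} PRF calls to exhaust")
```

The iteration count is a fixed multiplier on each guess, so the length and alphabet of the PIN decide how large the total becomes.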

Zero Knowledge of your Secrets

We are unaware of your Wallet PIN, and cannot recover it even if we tried. Your Wallet PIN is never sent over the network.

We minimize use of Secrets

We use Multi-signature wallets built on top of Hierarchical Deterministic wallets (HD wallets), as outlined by the BIP0032 standard, to generate new addresses for your account without ever needing access to old or new addresses' private keys.

Security Best Practices

Our website and API libraries use up-to-date security standards such as BIP0062 and RFC6979.

Continuity, integrity, and transparency

Backups

Backups of all (encrypted) account data are made to "cloud servers" on 4 continents every hour.

Ongoing Security Audits

We work with over 1,000 security experts to discover hidden security issues before the bad guys do.

Account audits via the Block Chain

All addresses on our system are on-chain and that makes them publicly auditable through third-party Block Explorers. You can always verify your CofredCoin wallet balances are accurate using a block explorer of your choice.

Always-On Infrastructure

Our entire infrastructure is built to be redundant, eliminating all single points of failure. We target over 99.999% system availability.

Other ways we protect your security

Client-side signing

We provide a growing number of libraries that allow you to sign your transactions yourself, outside of CofredCoin.

Third party verification

The "Green Bar" showing our company name and jurisdiction promises you that you are on CofredCoin, not an imposter site.

No password systems

None of our systems use passwords for access control, and all our internal systems are isolated from public access.

Highly available 24/7

We target over 99.999% system availability to ensure you always have access to your account 24 hours daily, all year round.



What you can do

Being a user-facing service, CofredCoin needs your help in order to ensure your security. You, as the account owner, are responsible for the safety of your account credentials, Wallet PIN, and Secret Phrase words. We recommend you follow these guidelines.

Use Wallet PIN authentication.

We can make sure it's you who's logging into your Wallet by prompting you for your Wallet PIN. If you have enabled Wallet PIN through your account, you must enter your Wallet PIN to log in.

Do not share your secrets.

Your Wallet PIN is the key that controls your coins, and your Secret Phrase words are the only key to reset your Wallet PIN in an emergency. You should never, ever share your Wallet PIN and Secret Phrase words with anyone.

Save your secrets offline.

Always store your Wallet PIN and Secret Phrase words in a safe place. Storing them in e-mail accounts or in unencrypted text files on your computers is definitely not recommended. If you do not know how to secure your Wallet PIN and Secret Phrase words electronically, just write them down on pieces of paper, and remember where you keep these pieces of paper!