• Security guide

    Bitcoin, as a technology, is extremely secure but sometimes the way we use it is unsafe.

    Hackers and scammers are always looking to take your bitcoins because bitcoin transfers are irreversible. With a few simple precautions, you can keep your account and your bitcoin safe.  

    Here are some of the ways to secure your account:

    1. Have a strong password.

    When creating a password, use both upper and lower case letters, as well as numbers and special characters. Also, use different passwords for different online or social media accounts to keep the hackers off your back. 

    2. Don't use the same password for your email and your Paxful account.

    It is very important to have different passwords for your email and your Paxful account. This is because hackers usually target your emails. All email domains have different levels of security. In the worst-case scenario, once hackers gain access to your email, they will be able to access the funds in your Paxful wallet. 

    3. Never share your password.

    As obvious as it may sound, there are cases when users are forced to give away their passwords. For instance, scammers may impersonate Paxful administrators and request you to share your account details. Please remember that Paxful staff and representatives will never ask for your password or other sensitive account information.

    Also, if you happen to be in a trade dispute and you are asked by our moderators to provide a screenshot or a video as proof, make sure that your passwords cannot be seen on those files.

    4. Configure security questions.

    Security questions are a fundamental part of building up your account’s security. You must set your security questions as soon as possible. This can easily be done from your account settings. It is important to memorize both the security questions that you set and the answers to them, so pick questions and answers that you will never forget. It would be unwise to write them down somewhere because they are just as important as your password, if not more.

    5. Enable two-factor authentication.

    Two-factor authentication adds an additional layer of security to your account.  Using Authy or Google Authenticator is recommended over using SMS as hackers have a tactic called “SIM swapping” through which they can get a hold of your SMS messages. Receiving SMS also depends on the network provider and can be intermittent in some countries or regions and during times of high cellular activity. You can activate 2FA in your account settings. You can also check our guides for setting up Authy and Google Authenticator.

    6. Keep your email information safe.

    Protect your email address linked to your Paxful account and never share it with someone you don't know, during trades or private chats. Hackers can target your email to get access to your account or to your personal information.

    7. Verify your account. 

    Verifying your phone number and email indicates that you’re a safe trade partner, and verifying your account with further identity documents will also help you restore access to your account should you lose it.

    Useful links:
    Where to verify my phone and email?
    Where to verify my ID?
    Phone verification guide
    Email verification guide
    ID verification guide
    Address verification guide

    8. Avoid phishing scams. 

    There are different ways scammers can try to attack you: impersonating websites, sending you fake emails and SMS, sharing suspicious and malicious links in trade chats.

    We as a service provider are constantly improving our security levels. However, we cannot protect you completely without some effort from you as well.

    • Always make sure to check the domain address you are visiting.

    Check that your address bar shows https://paxful.com before entering your account details. The HTTPS (SSL) certificate is important.

    • Do not interact with suspicious emails. It is best to not even open emails that look suspicious to you.

    Do not give away sensitive data or click on suspicious links. For additional information see: I received a suspicious email. Is it from Paxful?

    • Be wary of unexpected SMS messages from unfamiliar senders.

    Paxful sends you SMS only with security codes related to 2FA and phone verification.

    • Be mindful of trade chat conversations.

    You must not share contact information in trade chats as scammers can try to cheat you on off-site trades, try to impersonate you or show that you had traded with them off-escrow. Do not provide any personal information, unless it was clearly mentioned in the offer terms or instructions. 

    Do not click unknown links in the trade chat. Ideally, avoid trades that require using third-party links completely.

    9. Don't try to buy a Paxful account from someone else.

    Most likely, the seller is trying to cheat you and get into the account after you load coins into it. Furthermore, this is a violation of Paxful Terms of Service and such accounts will be banned.

    10. Force devices and apps to log out.

    Simply locking the screen of your PC or smartphone is not safe enough. It may always happen that you lose your device or use a public PC which may give additional opportunities to people with malicious intent. It is a good practice to log out of the Paxful app or platform at the end of your session, especially while using public devices that others may have access to.

    11. Keep your browser and operating system up to date.

    Hackers constantly find new methods to go around existing security levels. This is why browsers and operating systems are constantly improved by developers and get updates regularly. So it is important to install these updates on your machine and ensure that your browser is always up to date. At the same time, do not download unnecessary software from untrusted developers.

    12. Keep your Endpoint Security software up to date. (Antivirus, antimalware, personal firewall)

    We suggest you use officially licensed versions of security software on your machines.  Remember that this software also requires frequent updates and maintenance. 

    13. Try to avoid the usage of public Wi-Fi hotspots.

    There are numerous technical ways for hackers to misuse Wi-Fi hotspots. Ideally, use a wired connection or a protected Wi-Fi network.

    The points listed above are the most important. However, there is more to learn on the subject of online security. Read more on the topics of online security, identity protection, and so on, and implement the latest recommendations and best practices that you come across.

  • What to do if someone logged into my account?

    If you think someone has gained access to your account or you suspect that your login details have been compromised, then you must take care of a few things even before contacting support. Enabling 2-Factor Authentication is a good way to prevent this from ever happening. But, in the case of such a mishap, here’s what you can do:

    If someone logged into your account but you still have access to it.

    Do one of the following:

      1. Usually, whenever there is a new or unexpected login on your account, we immediately notify you via email with a link to report it and lock your account if you suspect intrusion. Just click the link in the email: your account is locked immediately and all sessions are terminated. The faster you act, the higher the chances of saving your BTC. Next, contact support to restore access to your account. After that, take steps to protect your account.
      2. Alternatively, while logged in to your account, simply proceed with the following steps.

    Steps to protect your account:

    1. Change your password to something secure (a password that you have NOT USED on other sites or emails). Try to make your password as complex as possible, but at the same time be sure to remember it.
    2. Check to ensure that none of your other settings such as your email or phone number were changed. If they were changed to something you don’t recognize, change them back.
    3. Go to your active sessions (Settings > Security > Active Sessions) and log out all sessions by clicking the Close icon next to them.
    4. Log out of your account.
    5. Log back in using your new password.
    6. Download Google Authenticator (iPhone/Android) or Authy (Mac/Windows).
    7. Turn on 2FA on Paxful and scan the code with your phone. Remember to turn 2FA on for BOTH login and sending out as it will make your transactions more secure. We recommend using Google Authenticator or Authy over SMS 2FA as it is more secure. Just bring up the app and get the code every time you want to log in or send bitcoin.
    8. Set your security questions and write them somewhere. You’ll need them if you ever lose your phone and need to reset your 2FA.

    Note:

    • If the support team can trace the hacker and recover any funds, we will contact you. Hackers often cover their actions very well and it is not possible to track them down to reverse Bitcoin transactions.
    • It is advised that you change passwords to any other accounts you have online as hackers normally gain access by getting into your email or other accounts. 

    If you can’t log in to your account:

    1. Contact support and provide all the information required by our support agents. Once it’s verified that you are the account owner, inform support that you need an ACCOUNT LOCKDOWN. Support Team will see if there is enough data to prove you are not a hacker (and will try to give you access to your own account). Once it is verified that you are the victim and rightful account owner, account access will be restored.
    2. Once you log in, secure your account immediately.

    How did this happen and how can I prevent it from happening again?

    To prevent this from happening again, we suggest that you don’t use the same password across websites and that you have 2FA with Google Authenticator enabled.

    At Paxful, we are constantly improving our security processes to keep your funds as safe as possible.

    So where did the bitcoins go?

    • Check your account activity to see who logged into your account. Take note of their IP address.
    • Check your wallet ledger to see the bitcoin address they sent your coins to.

    With the Bitcoin address and the IP address of the thief, you have some information but it is often impossible to track them down. Our support team does not have the resources to help you investigate further because hackers often use VPNs and also due to the general anonymity of Bitcoin. It is nearly impossible to track them down, so try your best to make your account as secure as possible.

  • I received a suspicious email. Is it from Paxful?

    If you received a suspicious email that looks like it’s from us or from an entity claiming to be associated with us, don’t click links in it, download its attachments, or reply to it. Report such emails to our Support by forwarding the entire email to [email protected]. Include the email header and subject line, which will help us investigate where it came from and take action to stop it from spreading to other customers.

    Official Paxful email addresses:

    [email protected]

    [email protected]

    [email protected]

    [email protected]

    [email protected]

    [email protected]

    Information Paxful will never request:

    • Your full credit card number or other financial details
    • Your password
    • Your one-time 2FA password (code)

    How to spot a phishing email:

    While scammers change their tactics frequently, look for these classic signs of a phishing or spoofing attempt:

    • A request for your bank account, username, password, social security number, or identity. Never share this information.
    • A claim that your account is compromised. In such cases, we may send only automated messages from “no-reply” email addresses.
    • An unsolicited email with a link to verify your account information.
    • Typos in the email address. It’s common to see something like [email protected] (typo).
    • Suspicious links that don’t lead to www.paxful.com. Before you enter your login information or click on a link, double-check the URL by copying it into your address bar without pressing Enter.
    • Emails that mimic our design. Such emails aim to distract you from typos in the email address or website links by using pictures and colors similar to our platform.
    • Emails with .html attachments.
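
    The link checks from the list above expressed as code (an added example, not part of Paxful's guide or systems): the scheme must be HTTPS and the host name must be exactly paxful.com or end in .paxful.com. The sample links are constructed and use the reserved .example domain.

```python
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "paxful.com"  # the domain this page tells users to check for


def check_link(url: str) -> tuple:
    """Return (trusted, reason) for a link found in an email, SMS or trade chat."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
        has_userinfo = parts.username is not None
    except ValueError:
        return (False, "malformed URL")
    if parts.scheme != "https":
        return (False, "not HTTPS")
    if not host:
        return (False, "no host name")
    if has_userinfo:
        # Text before '@' is login data, not the site; the real host follows it.
        return (False, "userinfo trick, real host is " + host)
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return (False, "internationalised look-alike host")
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return (True, "host is the official domain")
    if OFFICIAL_DOMAIN in host:
        # The official name appears, but only as a label of someone else's domain.
        return (False, "official name embedded in " + host)
    return (False, "different domain: " + host)


# Constructed sample links (not taken from real campaigns).
SAMPLES = [
    "https://paxful.com/login",
    "https://www.paxful.com/",
    "http://paxful.com/login",
    "https://paxful.com.account-verify.example/login",
    "https://paxful.com@login.example/",
    "https://paxful-support.example/reset",
    "paxful.com/login",
]


def demo() -> list:
    """Classify every sample link and return the trusted/untrusted flags."""
    return [check_link(u)[0] for u in SAMPLES]


if __name__ == "__main__":
    for u in SAMPLES:
        trusted, reason = check_link(u)
        print(("OK     " if trusted else "REJECT ") + u + "  (" + reason + ")")
```

    Only the first two samples pass; every other link is rejected even though "paxful.com" appears somewhere in its text.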

    For more information on how to protect your account see our security guide.

     

  • Setting security questions

    Security questions are an essential part of protecting your account on Paxful. Security questions help to restore access to your account in case you lose it. Follow these steps to configure your security questions.

    1. Log in to your Paxful account, hover over your username on the top right of the page and click Settings from the context menu that appears.
    The Settings page appears.
    2. On the menu on the left, click SET SECURITY QUESTIONS.

    The Set your security questions dialog box appears.
    3. Click the Set answers link.
    The Set answers dialog box appears.
    4. Select 3 security questions from drop-down lists. Type the corresponding answers into the fields under the questions.

    Warning: Double-check your answers and ensure that you remember them. In case of necessity, you must provide answers to these questions exactly as they were written in the fields. If you forget your answers, this will make the process of restoring access to your account more difficult.

    Tip: When choosing answers for your security questions, consider using information that cannot be found on your social media profiles. For example, do not answer the question “who was your best friend in school?” with a person's name; consider using their nickname instead.

    5. Click Save.
    Your security questions are set. You are redirected to the Account settings page.


    For additional information on how to secure your account, check our security guide.

  • Troubleshooting 2FA

    If you are having issues receiving a two-factor authentication (2FA) SMS code, or if your Google Authenticator (GA) 2FA code isn’t working, please try the following troubleshooting tips:

    Google Authenticator

    If your Google Authenticator code does not work, it might be because the time on your Google Authenticator app is not synced correctly with your device. Make sure to check the clock on your device and set it to the correct timezone. An incorrect clock can cause codes to be out of sync.

    SMS

    Check for the following points if your device is not receiving 2FA SMS messages. 

    • Ensure your device is turned on when a 2FA code is generated
    • Ensure your device has sufficient cellular signal when a 2FA code is generated.
    • Ensure your device is not roaming off your home network, as our SMS provider cannot guarantee SMS delivery on roaming devices.
    • Ensure your device’s SMS inbox is not full.

    Note: If you’ve tried to generate 2FA SMS codes several times and still have not received the codes, our system may have stopped sending the codes. If that is the case, please wait 24 hours and attempt to generate 2FA SMS codes again. If you’re still having issues receiving 2FA SMS codes, check with your network provider to see if they are blocking our SMS messages.

    See our article on how to set 2FA with Google Authenticator or Authy. Also, check our security guide for tips on how to protect your account.

     

  • I forgot my password

    To reset your password when you are not signed in to your Paxful account: 

    1. Click the Log in button on the home page.
    2. Click “Forgot your password?” at the bottom.
    3. Enter your registered email address.
    4. Click REQUEST PASSWORD.
    An email from [email protected] is sent to your email address.
    5. Open the email and click RESET YOUR PASSWORD NOW.
    You are redirected to the website.
    6. Complete the following fields.

    Field name, description and comments:

    • Email: Enter your email address.
    • Password: Enter a new password. Your new password must:
        • Be at least 6 characters long
        • Have one lower case character
        • Have one special character (@#* etc.)
        • Have one number
        • Have one uppercase character
    • Confirm password: Re-enter the new password. The password should be exactly the same as entered in the previous field.

    7. Click RESET PASSWORD.

    Note: 

    • The password reset link received on your email is valid for 60 minutes.
    • If you requested a link multiple times, use the latest link received in the email.

    See our security guide for additional information on improving the safety of your account. You can also check how to change the password in your profile settings.

  • Changing password from profile settings

    You can reset your Paxful password from your account security settings.


    To change your password while logged into your Paxful account:


    1. Hover over your username on the top right of the page and click Settings from the context menu that appears.
    The Settings page appears.
    2. On the menu on the left side of the page, click Security.
    3. On the Change password dialog box, complete the following fields:

    Field name, description and comments:

    • Current: Enter your current password.
    • Enter a new password: Enter a new password. Your new password must:
        • Be at least 6 characters long
        • Have one lower case character
        • Have one special character (@#* etc.)
        • Have one number
        • Have one uppercase character
    • Verify password: Re-enter the new password. The password should be exactly the same as entered in the previous field.

    4. Click CHANGE PASSWORD.
    Your password is reset. You are logged out and redirected to the Login page. A confirmation email is sent to your inbox from [email protected]. The link in the email takes you to the Login page where you can log in using your new password.

    See our security guide for additional information on improving the safety of your account. If you do not remember your password, click here.

  • Restoring access to 2FA

    Having 2FA set on your account significantly improves the security level of your bitcoin wallet. However, sometimes you may lose access to your 2FA due to any of the following reasons:

    • Your phone is lost or damaged.
    • The authentication app is deleted.
    • You switch to a new device, and the app with all the codes cannot be transferred to your new device.
    • Your phone number has changed.

    If this happens, contact our Support and have the answers to your security questions handy.



  • Enabling 2-Factor Google Authenticator

    Taking some time to enable 2-Factor Authentication (2FA) can mean a big difference in terms of your account security. Although you can enable 2FA via SMS, we recommend using Google Authenticator as it is the most secure option. SMS is not reliable because of a prevalent hacker tactic called “SIM swapping”, by which hackers can get a hold of your SMS messages.


     

    Note: Before you begin, download the Google Authenticator app for your phone. 

    To enable 2FA with Google Authenticator under your account security settings:

    1. Once the app is installed, log in to your Paxful account on a different device (PC, tablet, another smartphone).
    2. Hover over your username on the top right of the page and click Settings from the context menu that appears.
    The Settings page appears. 
    3. On the menu on the left, click Security.
    Your Security page appears.
    4. Under 2FA for login, choose GOOGLE AUTHENTICATOR or AUTHY.

    5. Click UPDATE 2FA FOR LOGIN.

    A QR-code appears.
    6. Scan the QR-code with your phone by using the Google Authenticator app. A 6-digit code appears on the app.
    7. Enter the 6-digit code into the field next to the QR-code.

    8. Click UPDATE 2FA FOR LOGIN.

    Tip: You can set 2FA for sending bitcoin and releasing bitcoin as well. This will greatly improve the security of your Paxful wallet.

    See our security guide and safety tips for additional information.

  • Enabling 2-Factor Authy

    Taking some time to enable Two-Factor Authentication (2FA) can mean a big difference in terms of your account security. Although you can enable 2FA via SMS, we recommend using Authy as it is the most secure option. SMS is not reliable because of a prevalent hacker tactic called “SIM swapping”, by which hackers can get a hold of your SMS messages.


    Note: Before you begin, download the Authy app for your phone. 

    To enable 2FA with Authy under your account security settings:

    1. Once the app is installed, log in to your Paxful account on a different device (PC, tablet, another smartphone).
    2. Hover over your username on the top right of the page and click Settings from the context menu that appears.
    The Settings page appears. 
    3. On the menu on the left, click Security.
    Your Security page appears.
    4. Under 2FA for login, choose GOOGLE AUTHENTICATOR or AUTHY.
    5. Click UPDATE 2FA FOR LOGIN.
    A QR-code appears.
    6. Scan the QR-code with your phone by using the Authy app. A 6-digit code appears on the app.
    7. Enter the 6-digit code into the field next to the QR-code.
    8. Click UPDATE 2FA FOR LOGIN.

    Tip: You can set 2FA for sending bitcoin and releasing bitcoin as well. This will greatly improve the security of your Paxful wallet.

    See our security guide and safety tips for additional information.