LocalBitcoins, one of the big peer-to-peer bitcoin trading platforms, was hacked through their forum software on Saturday Jan 27th 2019.
Several users' emails and passwords were phished, and it seems even 2-factor authentication was bypassed. My comment on the reddit thread was deleted for some time (on Jan 28 it's up again), possibly by a bribed moderator, so I am presenting it here below for all to read.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Hi, Ray CEO of Paxful here,
About to get on a plane to Rwanda to see our second school opening with some special guests (big surprise), but this is important so here goes.
Transparency is vital in our industry now more than ever.
Paxful has been working in the background to make sure our platform is the safest it can possibly be for our users and for customers. As Paxful and LBC are both marketplaces which provide escrow services for those who sell BTC for profit, vendors must keep BTC in their wallets to have their offers up. This is required for a healthy marketplace so that buyers' time is not wasted and to ensure that they can't be scammed, as the bitcoins are proven to be there. This is the whole point of an escrow. Thus P2P platforms will always have a large volume of BTC in wallets for vendors. That being said, we make certain to let our users know that the Paxful wallet is for trades, NOT storage, and they should always have control of their own keys in storage wallets.
Here is what we have done to protect them.
- After an internal security audit, we decided to take down our forums in early 2017 specifically because of the fear of phishing attacks. The forum was never on the main domain like LBC’s forum but rather a subdomain. We still deemed this too much of a risk for our users and took the forum down. We thought LBC had also taken down their forum and were shocked to see that they, in fact, did not, especially considering how big of a red flag this proved to be in our own audits. A poor move from an otherwise secure marketplace that has been around the longest.
- We have a full-time security officer joining us soon who will be building a team and contracting several external security firms to run pen tests and perform audits on our platform, not just app security or network security but with a special focus on social engineering and educating our own staff as well.
- We employed PhishFort's services to secure our webapp in early 2018. They are proven players and always put out great research to help the ecosystem. Please do check them out to learn more about how they've strengthened our platform.
- We recognize that education is the #1 driving effort in crypto and should also be the driving force in fintech. We are still looking for a full-time Education Officer, but we have put out many educational videos since 2017 and have begun developing a new series, specifically focused on helping first-time users in emerging markets. Look for an announcement here soon and some key partners that will join the effort. This will be focused on Africa in the beginning and then translated into Spanish and several Asian languages, as our Feedback Analysis Team (our fancy name for our customer support reps) has found users from these nations most in need of security education. See our Paxful school videos here. https://www.youtube.com/watch?v=KT6OBCPopnA&list=PLFrSeSznTed3jQfkIrX71DgpFiEMWBpCX
- I've been writing articles on user security for quite some time and as CEO I will continue to do so. For example, I wrote the article below specifically for our African users, as so many of them rely only on a password for protection. Sadly a majority of their passwords are not secure, since most African website databases have been breached many times and often do not encrypt their passwords. https://medium.com/the-paxful-blog/your-password-can-not-protect-your-money-anymore-welcome-to-a-post-crypto-world-71e013c6edf6
- Our Co-Founder Artur Schaback has made security his priority for 2019 and he will be putting out industry-wide guides soon. Please follow him on Twitter. https://twitter.com/skyzer4ever
- We have been using BitGo for our warm wallets for over 3 years now and they are an industry-proven success. We will also begin a program of full cold wallet transparency and, of course, Paxful is 100% backed by reserves at all times. https://paxful.com/university/paxful-is-now-secured-by-bitgo/
- We have always encouraged our users to only use wallets where they own their private keys for storage and that all web wallets are inherently not for storage purposes, including ours. https://paxful.com/support/en-us/articles/360009976514-Is-my-Paxful-wallet-secure-
- 24/7 Support. No matter how secure your platform is, things will happen like losing your phone with your 2FA keys, your email getting hijacked, etc. We all need support to help us through these times. Paxful has 24/7 support 365 days of the year and we always answer back in less than an hour, usually in less than five minutes. We have support reps in Asia, North America and Europe covering all the major time zones, and we are doubling the size of our support and doubling their training time as well. Everyone at Paxful starts out in Support, but their eventual goal is to become "Feedback Analysts" by knowing the product, and especially how our customers USE the product, so well that they can help develop and improve the product itself. As CEO I myself partake in support every week and I will always do so, as it is the only way to truly know your customer and have a product that truly makes a positive day-to-day difference in their lives. LBC support is good also but limited to 9–5 Finnish time, and I don't think the bros do support themselves anymore. Life in Switzerland is good.
- We have launched VIP support for our vendors and power users. This is a super awesome program and we are super excited about it! 24/7 personal access to your own senior support rep who will hold your hand cradle to grave and even proactively show you new ways of using Paxful, including ways of accessing better trade routes and new ventures as well. This is what my co-founder and I did in the beginning and it is the reason Paxful is here. Why should super power users who have built this marketplace and helped so many people have to wait in the same line as a newbie just asking questions? We have been listening and are going to develop this program even more. Stay tuned, as trials have already begun and we will be introducing this into our Vendor Dashboard soon!
- Our mission is to further true social justice in the world through a SAFE and OPEN financial system. Making a day-to-day difference in the lives of working-class people around the world is how we measure our success, and we take our mission and the livelihood of our users very seriously. We're not perfect, but we give it our best every day and, with your help, we will make P2P Finance the primary wealth driver for the emerging world, as a tool of empowerment and a way to provide wealth creation for humanity.
Paxful CEO & normal (formerly homeless dude, thanks bitcoin 😉)