Our stance regarding SegWit2X hard fork

Key Takeaways:

  1. There is no action required from customers in regard to the upcoming event of fork/split (refer below).
  2. Unocoin will be supporting the chain that gains the majority of mining/community support for further trading with INR.
  3. Users will be encouraged to redeem the coins (within 4 weeks of the fork/split) on the parallel chain that Unocoin does not support in the long run by submitting their addresses after the event of fork/split.

The Bitcoin SegWit2x hard fork, planned for activation in the second week of November 2017, is on the verge of bringing up another divide in the Bitcoin community, leading to the split of respective coin holdings onto the two chains.

If you wish to read more about what a digital currency fork is, read here.

All our customers holding any amount of bitcoin in their Unocoin wallet before the event of the fork would be entitled to an equivalent amount of coins on both the chains after the split. There is no action required from customers in this regard either before or during the fork as long as the replay protection is available. However, if the replay protection is not available, then we will be doing our best to split up the coins but there may be extra lead time before we can honour redemption of minority chain coins and hence these will be subject to an extended period of price volatility.

However, only tokens from the majority chain would be supported for further trading on the Unocoin platform after the successful split. On determining the stability of each chain after the fork, users will be encouraged to submit their addresses to redeem their coin balance on the minority chain starting within two weeks after the split.

We will keep you updated on the detailed schedule of operations regarding the split in the coming days (nearer to the date of the fork).

As the disbursals are manual, there will be a deadline of 4 weeks since the fork within which the users have to submit their address of the minority chain coin on www.unocoin.com (this option won’t be available on the mobile apps). Unocoin will strictly not be accepting the redemption of minority chain coins after this deadline. The disbursals of coins on the minority chain would be processed soon after. A more definitive timeline will be provided soon.

Thank you.

 

Update on 24th October 2017:

To avoid the confusion in the bitcoin community which could seriously affect the bitcoin ecosystem, we have made some revisions to our stance above. We will be treating the legacy bitcoin blockchain (present bitcoin blockchain that is supporting 1MB blocks) as the bitcoin (BTC) and it will be allowed to trade for INR. The forked coin which is the result of the SegWit2X implementation will be treated as the minority chain coin (B2X). We will be allowing the B2X to be withdrawn by our customers after the split as per the timelines above.

Update regarding distribution of BCH

Dear Users,

We initially took the stance that we will not be supporting the BCH hardfork. But due to various dynamics, we had to consider the revised stance as mentioned in our recent news article and we had also explained the procedure to claim the BCH. We have now completed the distribution of BCH to the users who have submitted their BCH address within the deadline of 28th August 2017. There are still some unclaimed BCH from the non-interested (or non-supporting) customers that are left with Unocoin and that can no longer be claimed. In order to pass on the value of the same to our customers, we have converted the same to BTC and are using it to subsidise the transaction fee for the outgoing BTC transactions at Unocoin. Technically, the regular one-input, two-output multi-sig transaction costs about 0.0007 to 0.0010 BTC, to be paid to the miners who secure your transaction on the blockchain, but we were collecting only 0.0005 BTC from our customers. The BTC obtained through unclaimed BCH will be utilised to subsidise the mining fee further to 0.0004 BTC for the foreseeable future.

Thank you

Unocoin is back online!

Dear Customers,
As you know, Unocoin’s services were unavailable for about 4 days from 23rd June until 27th June. Our team had discovered a security vulnerability on our platform on June 23rd at 12:07 PM which was the result of a server migration that took place on 14th June 2017. To be precise, our server had ended up with a vulnerable version of a third-party module. Though the vulnerability didn’t cause any damage to the platform, in the best interest of our customers and their funds, we stopped customer withdrawals, blocked access to our customers and shut down all operations to investigate and analyse the issue. We rebuilt the server infrastructure and also took to the task of fortifying the servers with strong security measures and protocols.
Customers’ interest is always of the highest priority for Unocoin and the downtime of the platform was a conscious decision that was taken on the same line. We want to assure you that your funds’ security and trust continue to be our top priority and we continue to strive to serve you better. Our engineering team has been very committed and actively contributing round the clock to gear up the security for our services.
The downtime and the inconvenience it has caused you are highly regretted by the entire team of Unocoin.
We appreciate your understanding and we thank you for your continued support and the trust you have placed in us – for which we will always be grateful! We are ending the post by announcing a 0% transaction fee for trading till 30th June 2017. Happy trading!
Thank you!

Unocoin Maintenance Notice

Dear Customers,
We regret to inform you that a security vulnerability was discovered on our server on June 23rd at 12:07 PM and it was the result of a server migration that took place on June 14th, 2017 at midnight.  Despite this unfortunate incident, please note that ALL customer funds are safe and secure.  As soon as we identified the threat, we stopped customer withdrawals, blocked access to customer accounts and moved our database to read-only mode.  We’re also taking this opportunity to upgrade our infrastructure and security protocols.  To finish testing our system before going live, we require another day and plan to be online by end of day Tuesday.  Your account security and funds are of primary concern to us.  To help increase overall security for our users, we will make it mandatory that everyone changes their passwords when we go live.  Thanks for your patience.
Sincerely,
Sathvik Vishwanath
CEO and Co-Founder, Unocoin

An update regarding a few of our customers’ accounts getting compromised

2nd June 2017: While this is not the first time we are hearing from a customer whose Unocoin account got hacked for various reasons, we have seen this number to be a bit high this week (9 of them have reported so far as compared to 3-4 per month). Among these, some of the customers have provided an update over the phone while some have walked into our Bangalore office. After collecting the facts explained by these customers, we have understood quite a few facts and the series of events that happens on their account before it gets compromised. Most of the cases have sounded genuine to us. We have taken this opportunity to share what we know about such compromises so that you are informed as well. The facts we were able to acquire are:

  1. None of the customers who had 2-factor authentication were affected. All the affected ones are customers who had the OTP coming to their mobile phone and/or email.
  2. All the customers except one are on Android devices.
  3. Either the customer had the same password for their email id and Unocoin account, or had the Forgot Password email and the password reset confirmation email in their email inbox.
  4. For most of the customers, the forgot password request and the sending of bitcoin out happened within the first half an hour of receiving some bitcoin into their account.

Based on our understanding of the same, the sequence of operations starts with a compromised mobile phone or email id, which is usually due to clicking malicious links, running malicious scripts or installing malicious apps. The hackers are able to monitor the email inbox to see when there is a bitcoin deposit. This is when the users end up getting the Forgot Password link in their email inbox, followed by the confirmation email that the password was changed successfully. In some cases, these two emails were found in the trash folder. The apps on mobile phones are so smart that the notification they sent you when an email arrived also disappears if you open that particular email on your computer – hence the user could miss this notification unless he is staring at his phone when the forgot password email arrives. The OTP is acquired through the email inbox itself if that option is enabled by the user, or through an app that can read SMS. The story is a bit different for each customer but overall this is the outline. If we get to know more, we will update this post.
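The sequence outlined above (a deposit, then a password reset, then an outgoing transfer, all within about half an hour) can be written as a rule that holds matching withdrawals for a confirmation call. This is an added example, not Unocoin's code; the event names, the 30-minute window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumption, from "the first half an hour" above

# Constructed sample events (not real logs): (ISO timestamp, account, event kind)
EVENTS = [
    ("2017-06-01T10:00:00", "alice", "deposit"),
    ("2017-06-01T10:06:00", "alice", "password_reset"),
    ("2017-06-01T10:11:00", "alice", "withdrawal"),      # full pattern, in window
    ("2017-06-01T09:00:00", "bob", "deposit"),
    ("2017-06-01T15:00:00", "bob", "withdrawal"),        # no reset at all
    ("2017-06-01T11:00:00", "carol", "password_reset"),
    ("2017-06-01T11:05:00", "carol", "withdrawal"),      # reset, but no deposit
    ("2017-06-01T12:00:00", "dave", "deposit"),
    ("2017-06-01T12:40:00", "dave", "password_reset"),   # reset outside window
    ("2017-06-01T12:45:00", "dave", "withdrawal"),
]


def flag_withdrawals(events, window=WINDOW):
    """Return (account, timestamp) of withdrawals to hold for manual confirmation.

    A withdrawal is held when the account had a password reset after a
    deposit and both the reset and the withdrawal fall within `window`
    of that deposit.
    """
    last_deposit = {}  # account -> time of the most recent deposit
    armed = {}         # account -> deposit time that a reset closely followed
    flagged = []
    for ts, account, kind in sorted(events):  # ISO strings sort chronologically
        t = datetime.fromisoformat(ts)
        if kind == "deposit":
            last_deposit[account] = t
        elif kind == "password_reset":
            dep = last_deposit.get(account)
            if dep is not None and t - dep <= window:
                armed[account] = dep
        elif kind == "withdrawal":
            dep = armed.get(account)
            if dep is not None and t - dep <= window:
                flagged.append((account, ts))
    return flagged


if __name__ == "__main__":
    for account, ts in flag_withdrawals(EVENTS):
        print(f"hold for confirmation: {account} withdrawal at {ts}")
```
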

As a part of our due diligence, we have taken the following steps so far:

  1. Just after first 3 reports, we have stopped sending the OTP through email by default but the customer has to log in and enable this in their settings at their own risk. Enabling this also means that there is a single point of failure which is their email inbox (they can get the link to reset their password and OTPs are always getting delivered to their email inbox).
  2. We have made sure that the compromise is not from our services or from our server.
  3. We had reduced the automatic approval limit so that we can call our customers to confirm their action before manually processing the BTC withdrawals.
  4. We have forcefully logged out all the mobile app users.
  5. We have reset the credentials and API keys for our SMS gateway which handles the OTPs delivery to customers. Now, this gateway also masks the OTPs in their viewable and downloadable reports.

And we will be taking the following steps going forward.

  1. Increase the frequency in educating our customers regarding the security measures they should be taking to keep their accounts secure.
  2. Consider hardware-based authentication, preferably through YubiKey, for the customers who would want to opt for it.
  3. We will be adding an extra OTP requirement whenever the customer buys bitcoin directly to a bitcoin address. The customer would need an OTP to log in anyway, but this is another OTP we would ask for, as this operation also includes sending the bitcoin that you just purchased from your wallet.

Presently we have more than 6000 account verifications pending as we do this manually and take KYC seriously, and have about 3500 tickets pending due to 3X the activity of the user base since the third week of May. While we have hired and are still hiring new hands, the orientation and training take time before they can get on the field to help the customers. Hence, this has given rise to an increased number of calls to our toll-free number, which have kept the customer care very busy, and this has led to a lot of our customers not being able to reach us either through tickets or through customer care. We look forward to clearing the backlog and getting back on track to serve you in about two weeks.

To reiterate, there has not been any security breach in Unocoin management, services or servers. This is similar to someone’s Gmail id getting hacked and not the Gmail servers getting hacked. We request you to take suitable measures as outlined in our Security page to secure your account. We look forward to growing stronger with your patience and support.

Update on 14th June 2017: There are no new similar reports so far. We are aware that not all of our customers follow the best security practices, but we continue to push our efforts to educate them and remind them of the Do’s and Don’ts. Some of the customers who faced the issue have contacted us asking if there is any way of reversing the transactions or if there would be any refunds. As bitcoin transactions are irreversible, there is not much we can do about it. There will not be any kind of refunds as we do not have that bitcoin with us. However, we were able to stop some of the authorised transactions when we reduced the automatic approval limit and contacted the customer for re-confirmation. These are already (or will be) cancelled and those bitcoin will get back to their Unocoin wallet. We will also be adding the Block account feature on web, mobile and through a link on password reset emails to the customer, which could come in handy in these kinds of situations.