Issue with transactions

Dear Users,

Yesterday, 6th August 2017 at 18:30 Hrs, we were informed of some small unauthorised transaction(s) happening from a few of our user wallets. We immediately looked into the matter, stopped all pending transactions and blocked access to our website. We have investigated and this does not look to be a server compromise.

Due to our security protocol, after just a few transactions our server identified the pattern and stopped the subsequent transactions by marking them as pending. We are now working on cancelling those pending transactions. Unocoin has taken the responsibility to refund the few transactions that did get processed.
We will re-enable user logins shortly. The Send feature will be enabled once our security experts feel that it is perfectly safe to do so.

Rest assured, we are working round the clock to fix the issue and return to normalcy.

Sathvik Vishwanath

Co-Founder and CEO, Unocoin

 

[Update (11th Aug 2017): We identified that our error logging configuration was logging error messages that included the access token. These logs were eventually being stored on an external device with wrong permissions on it, and the token was used to create unauthorised transactions. We have now cancelled all of those transactions, fixed the issue and returned to operations.]
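The root cause above, an error log that captured the access token and then ended up where it could be read, is usually mitigated by scrubbing secrets before a record reaches any log handler. The following is an added example, not Unocoin's code; the token shapes it matches (`access_token=` query parameters and `Authorization: Bearer` headers) are assumptions for illustration:

```python
import io
import logging
import re

# Fragments that must never reach a log sink; the token shapes are assumptions for this example.
SECRET_PATTERNS = [
    re.compile(r"""(access_token=)[^&\s"']+"""),
    re.compile(r"(Authorization:\s*Bearer\s+)[A-Za-z0-9._\-]+"),
]


def redact_secrets(text: str) -> str:
    """Replace the value part of every matched secret with a fixed marker."""
    for pattern in SECRET_PATTERNS:
        text = pattern.sub(r"\1[REDACTED]", text)
    return text


class RedactingFilter(logging.Filter):
    """Scrub the rendered message and any traceback text before handlers see them."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_secrets(record.getMessage())
        record.args = ()
        if record.exc_info:
            # Pre-render the traceback so the formatter reuses the scrubbed text.
            raw = logging.Formatter().formatException(record.exc_info)
            record.exc_text = redact_secrets(raw)
        return True


def logged_error_text(message: str) -> str:
    """Log a constructed failure carrying `message` and return exactly what the sink received."""
    sink = io.StringIO()
    logger = logging.getLogger("redaction-demo")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.ERROR)
    handler = logging.StreamHandler(sink)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())  # the fix: scrub before any handler writes
    try:
        raise RuntimeError(message)  # constructed error that carries the secret
    except RuntimeError:
        logger.error("wallet API call failed: %s", message, exc_info=True)
    return sink.getvalue()
```

Both the formatted message and the traceback line that repeats the exception text reach the sink with the token replaced.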

Information on the ongoing event of Bitcoin Hard fork

Chronology of foreseen events:

  • July 31, 2017: Suspended bitcoin related operations

  • August 1, 2017: The event of hard fork and chain split (resulting in two tokens “Bitcoin” and “Bitcoin Cash”)

  • After August 1, 2017 (hours, days, or even weeks): Unocoin will resume its services once there is a clear majority in support of Bitcoin and a reduced chance of confusion between the two chains.

Dear Unocoin users,

Unocoin would like to bring to your notice the stance we have taken in light of the ongoing hard fork (chain split) in the bitcoin network (initiated on August 1st).

We have already suspended a greater part of the services pertaining to bitcoin transactions (such as sending and receiving bitcoin) on our platform from 31st July. This means the coins stored in your Unocoin wallet are fully safeguarded from the ongoing network discrepancies and will be available to transact once the ambiguity over network support is resolved.

In the current situation, Unocoin is technically not equipped to support both “Bitcoin” & “Bitcoin Cash” simultaneously and intends to extend support for “Bitcoin” only.

As Unocoin has no control over the ongoing Bitcoin fork, there is no way of predicting when Unocoin will be able to resume services. Our services will be re-enabled when the network has been deemed safe (i.e. when the results of the fork are clear and significant).

Users are advised to stay up to date with further updates on Unocoin services by following us on Twitter & Facebook.

Thank you for your patience and understanding during a time of critical update in the network.

Unocoin Team

Unocoin is back online!

Dear Customers,
As you know, Unocoin’s services were unavailable for about 4 days, from 23rd June until 27th June. Our team discovered a security vulnerability on our platform on June 23rd at 12:07 PM, which was the result of a server migration that took place on 14th June 2017. To be precise, our server had ended up with a vulnerable version of a third-party module. Though the vulnerability did not cause any damage to the platform, in the best interest of our customers and their funds we stopped customer withdrawals, blocked access for our customers and shut down all operations to investigate and analyse the issue. We rebuilt the server infrastructure and also took on the task of fortifying the servers with strong security measures and protocols.
Customers’ interests are always the highest priority for Unocoin, and the downtime of the platform was a conscious decision taken on that basis. We want to assure you that the security of your funds and your trust continue to be our top priority, and we continue to strive to serve you better. Our engineering team has been fully committed, working round the clock to strengthen the security of our services.
The entire Unocoin team deeply regrets the downtime and the inconvenience it has caused you.
We appreciate your understanding and thank you for your continued support and the trust you have placed in us, for which we will always be grateful. We are ending this post by announcing a 0% transaction fee for trading until 30th June 2017. Happy trading!
Thank you!

Unocoin Maintenance Notice

Dear Customers,
We regret to inform you that a security vulnerability was discovered on our server on June 23rd at 12:07 PM; it was the result of a server migration that took place on June 14th, 2017 at midnight. Despite this unfortunate incident, please note that ALL customer funds are safe and secure. As soon as we identified the threat, we stopped customer withdrawals, blocked access to customer accounts and moved our database to read-only mode. We are also taking this opportunity to upgrade our infrastructure and security protocols. To finish testing our system before going live, we require another day and plan to be online by the end of day Tuesday. Your account security and funds are of primary concern to us. To help increase overall security for our users, we will make it mandatory for everyone to change their password when we go live. Thanks for your patience.
Sincerely,
Sathvik Vishwanath
CEO and Co-Founder, Unocoin

An update regarding a few of our customers’ accounts getting compromised

2nd June 2017: While this is not the first time we have heard from a customer whose Unocoin account was hacked for one reason or another, the number has been unusually high this week (9 have reported so far, compared to 3-4 per month). Among these, some of the customers have provided an update over the phone while some have walked into our Bangalore office. After collecting the facts explained by these customers, we have pieced together a series of events that takes place on their accounts before they are compromised. Most of the cases have sounded genuine to us. We have taken this opportunity to share what we know about such compromises so that you are informed as well. The facts we were able to acquire are:

  1. None of the customers who had 2-factor authentication enabled was affected. All of the affected customers had their OTP delivered to their mobile phone and/or email.
  2. All the customers except one are on Android devices.
  3. Either the customer had the same password for their email id and Unocoin account, or the Forgot Password email and the password reset confirmation email were found in their email inbox.
  4. For most of the customers, the password reset and the sending out of bitcoin happened within the first half an hour of some bitcoin being received into their account.

Based on our understanding of the same, the sequence of operations starts with a compromised mobile phone or email id, which is usually the result of clicking malicious links, running malicious scripts or installing malicious apps. The hackers are able to monitor the email inbox to see when there is a bitcoin deposit. This is when the users end up receiving the Forgot Password link in their email inbox, followed by the confirmation email that the password was changed successfully. In some cases, these two emails were found in the trash folder. Mobile email apps are smart enough that the notification shown when an email arrives also disappears if that particular email is opened on a computer; hence the user could miss this notification unless they happen to be looking at their phone when the Forgot Password email arrives. The OTP is acquired either through the email inbox itself, if the user has enabled that option, or through an app that can read SMS messages. The story is a bit different for each customer, but overall this is the outline. If we get to know more, we will update this post.
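The timing pattern described above (a deposit, then a password reset, then a send-out, all inside half an hour) can be turned into a hold-for-confirmation check on the withdrawal queue, alongside a lowered automatic approval limit. This is an added example with constructed sample events, not Unocoin's own logic; the log format and the 0.10 BTC approval limit are assumptions:

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample account log (not real Unocoin data): ISO time, user, event, BTC amount.
SAMPLE_LOG = """\
2017-06-01T10:00:00 user42 deposit 0.50
2017-06-01T10:12:00 user42 password_reset 0
2017-06-01T10:20:00 user42 withdrawal 0.50
2017-06-01T15:00:00 user77 deposit 0.20
2017-06-02T09:30:00 user77 withdrawal 0.05
"""

WINDOW = timedelta(minutes=30)   # the half-hour pattern reported by affected customers
AUTO_APPROVE_LIMIT = 0.10        # assumed reduced automatic approval limit, in BTC


@dataclass(frozen=True)
class Event:
    at: datetime
    user: str
    kind: str      # "deposit", "password_reset" or "withdrawal"
    amount: float


def parse_log(text: str) -> list[Event]:
    """Parse the whitespace-separated log lines into Event records."""
    events = []
    for line in text.splitlines():
        ts, user, kind, amount = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, kind, float(amount)))
    return events


def review_withdrawals(events: list[Event]) -> dict[tuple[str, str], list[str]]:
    """Map each withdrawal (user, ISO time) to the reasons it must wait for a
    confirmation call; an empty list means it may be approved automatically."""
    decisions = {}
    for w in (e for e in events if e.kind == "withdrawal"):
        # Event kinds seen on the same account in the 30 minutes before the withdrawal.
        recent = {e.kind for e in events
                  if e.user == w.user and w.at - WINDOW <= e.at < w.at}
        reasons = []
        if "password_reset" in recent:
            reasons.append("password reset within 30 min of withdrawal")
        if "deposit" in recent and "password_reset" in recent:
            reasons.append("deposit, reset and send-out all inside one window")
        if w.amount > AUTO_APPROVE_LIMIT:
            reasons.append("above automatic approval limit")
        decisions[(w.user, w.at.isoformat())] = reasons
    return decisions
```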

As a part of our due diligence, we have taken the following steps so far:

  1. Just after the first 3 reports, we stopped sending the OTP through email by default; a customer now has to log in and enable this in their settings at their own risk. Enabling this also means that their email inbox becomes a single point of failure (the link to reset their password and the OTPs are both delivered to that inbox).
  2. We have made sure that the compromise did not originate from our services or from our server.
  3. We have reduced the automatic approval limit so that we can call our customers to confirm their action before manually processing BTC withdrawals.
  4. We have forcibly logged out all mobile app users.
  5. We have reset the credentials and API keys for our SMS gateway, which handles OTP delivery to customers. This gateway now also masks the OTPs in its viewable and downloadable reports.

We will be taking the following steps going forward:

  1. Increase the frequency with which we educate our customers about the security measures they should take to keep their accounts secure.
  2. Consider hardware-based authentication, preferably through YubiKey, for customers who would want to opt for it.
  3. We will be adding an extra OTP requirement whenever a customer buys bitcoin directly to a bitcoin address. The customer needs an OTP to log in anyway, but this is an additional OTP we will ask for, as this operation also involves sending the bitcoin you have just purchased out of your wallet.

Presently we have more than 6000 account verifications pending, as we do these manually and take KYC seriously, and about 3500 tickets pending due to a 3X increase in user-base activity since the third week of May. While we have hired and are still hiring new hands, orientation and training take time before they can get into the field to help customers. Hence, this has given rise to an increased number of calls to our toll-free number, which has kept customer care very busy and has left a lot of our customers unable to reach us either through tickets or through customer care. We look forward to clearing the backlog and getting back on track to serve you in about two weeks.

To reiterate, there has not been any security breach in Unocoin’s management, services or servers. This is similar to someone’s Gmail id getting hacked, not the Gmail servers getting hacked. We request you to take suitable measures as outlined on our Security page to secure your account. We look forward to growing stronger with your patience and support.

Update on 14th June 2017: There are no new similar reports so far. We are aware that not every one of our customers follows the best security practices, but we continue to push our efforts to educate them and remind them of the Do’s and Don’ts. Some of the customers who faced the issue have contacted us asking if there is any way of reversing the transactions or if there would be any refunds. As bitcoin transactions are irreversible, there is not much we can do about it. There will not be any kind of refunds, as we do not have that bitcoin with us. However, we were able to stop some of the authorised transactions when we reduced the automatic approval limit and contacted the customer for re-confirmation. These have already been (or will be) cancelled and that bitcoin will go back to their Unocoin wallet. We will also be adding a Block Account feature on web and mobile, and through a link in password reset emails to the customer, which could come in handy in this kind of situation.