2nd June 2017: This is not the first time we have heard from a customer whose Unocoin account was hacked for one reason or another, but the number has been unusually high this week (9 reports so far, compared with 3-4 per month). Some of these customers gave us an update over the phone, while others walked into our Bangalore office. After collecting the facts they described, we have pieced together the sequence of events that took place on their accounts before they were compromised. Most of the cases sounded genuine to us. We are taking this opportunity to share what we know about these compromises so that you are informed as well. The facts we were able to establish are:
- None of the customers who had 2-factor authentication enabled was affected. All of the affected customers were receiving their OTP on their mobile phone and/or by email.
- All the customers except one were on Android devices.
- Either the customer used the same password for their email id and their Unocoin account, or the Forgot Password email and the password reset confirmation email were found in their email inbox.
- For most of the customers, the forgot-password request and the sending of bitcoin out of the account happened within half an hour of some bitcoin being received into the account.
Based on our understanding, the sequence starts with a compromised mobile phone or email id, usually caused by clicking malicious links, running malicious scripts or installing malicious apps. The hackers are then able to monitor the email inbox and see when a bitcoin deposit arrives. That is when the Forgot Password link is sent to the user's inbox, followed by the confirmation email that the password was changed successfully. In some cases these two emails were found in the trash folder. The mail apps on mobile phones are so smart that the notification shown when an email arrives also disappears if you open that email on your computer, so a user can miss the notification unless he is looking at his phone at the moment the forgot-password email arrives. The OTP is acquired through the email inbox itself if the user has enabled that option, or through an app that can read SMS. The story differs a little for each customer, but overall this is the outline. If we learn more, we will update this post.
As part of our due diligence, we have taken the following steps so far:
- Just after the first 3 reports, we stopped sending the OTP through email by default; the customer now has to log in and enable this in their settings at their own risk. Enabling it also means there is a single point of failure, their email inbox (the password reset link and the OTPs are all delivered to that same inbox).
- We have made sure that the compromise did not originate from our services or our servers.
- We reduced the automatic approval limit so that we can call our customers to confirm their action before manually processing BTC withdrawals.
- We have forcibly logged out all mobile app users.
- We have reset the credentials and API keys for our SMS gateway, which handles delivery of OTPs to customers. This gateway now also masks the OTPs in its viewable and downloadable reports.
And we will be taking the following steps going forward:
- Increase the frequency of educating our customers about the security measures they should take to keep their accounts secure.
- Consider hardware-based authentication, preferably through YubiKey, for customers who want to opt in.
- We will add an extra OTP requirement whenever a customer buys bitcoin directly to a bitcoin address. The customer needs an OTP to log in anyway, but this is an additional OTP we will ask for, since this operation also involves sending the bitcoin you just purchased out of your wallet.
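The pattern described above (deposit, password reset and send-out inside half an hour, on accounts whose OTP goes to the same inbox that receives the reset link) and the two controls listed here (a lower automatic approval limit with a phone call, and an extra OTP for buys sent straight to a bitcoin address) can be expressed as one withdrawal gate. The following is an added illustration written for this post, not Unocoin's code: the event names, account fields, the 0.05 BTC limit, the 24-hour reset window and the sample timeline are all assumed values chosen for the example; only the 30-minute deposit window comes from the post.

```python
"""Withdrawal risk gate modelled on the compromise pattern in the post above.

Added example, not Unocoin's code. Event kinds, account fields, thresholds
(other than the 30-minute window the post reports) and the sample timeline
are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

AUTO_APPROVE_LIMIT_BTC = 0.05            # assumed limit; above it, hold and phone the customer
DEPOSIT_WINDOW = timedelta(minutes=30)   # from the post: reset and send-out within half an hour of a deposit
RESET_WINDOW = timedelta(hours=24)       # assumed: how long a password reset counts as "recent"


@dataclass
class Account:
    user_id: str
    second_factor: str              # assumed labels: "app", "hardware", "sms", "email"
    email_otp_enabled: bool = False  # the opt-in "OTP by email" setting described in the post


@dataclass
class Event:
    kind: str                        # "deposit", "password_reset", "withdrawal", "buy_to_address"
    at: datetime
    amount_btc: float = 0.0
    to_address: Optional[str] = None  # external bitcoin address, if the funds leave Unocoin


@dataclass
class Decision:
    action: str                       # "auto_approve", "step_up_otp" or "hold_for_call"
    reasons: List[str] = field(default_factory=list)


def _within(history: List[Event], kind: str, at: datetime, window: timedelta) -> bool:
    """True if an event of `kind` happened in the `window` leading up to `at`."""
    return any(e.kind == kind and timedelta(0) <= at - e.at <= window for e in history)


def assess_withdrawal(account: Account, history: List[Event], w: Event) -> Decision:
    """Decide whether an outgoing transfer may be processed automatically."""
    reasons: List[str] = []
    recent_deposit = _within(history, "deposit", w.at, DEPOSIT_WINDOW)
    recent_reset = _within(history, "password_reset", w.at, RESET_WINDOW)
    # SMS or e-mail OTP shares a failure point with the mailbox that also receives
    # the reset link; an authenticator app or hardware key does not.
    mailbox_bound_factor = account.second_factor in ("sms", "email") or account.email_otp_enabled

    if w.amount_btc > AUTO_APPROVE_LIMIT_BTC:
        reasons.append("amount above automatic approval limit")
    if recent_reset and recent_deposit:
        minutes = int(DEPOSIT_WINDOW.total_seconds() // 60)
        reasons.append(f"password reset and send-out within {minutes} minutes of a deposit")
    if recent_reset and mailbox_bound_factor:
        reasons.append("password reset while the second factor is mailbox or SMS bound")
    if reasons:
        return Decision("hold_for_call", reasons)
    if w.kind == "buy_to_address":
        # Extra OTP on top of the login OTP, since the purchase leaves the wallet at once.
        return Decision("step_up_otp", ["buy sent directly to a bitcoin address"])
    return Decision("auto_approve")


BASE_TIME = datetime(2017, 6, 1, 10, 0)   # constructed timestamp
EXTERNAL = "EXTERNAL_ADDRESS_PLACEHOLDER"  # placeholder, not a real address


def demo() -> Dict[str, Decision]:
    """Constructed scenarios; returns decisions keyed by scenario name."""
    # Profile reported in the post: OTP by SMS and e-mail, deposit, reset and send-out inside 30 minutes.
    victim = Account("victim", second_factor="sms", email_otp_enabled=True)
    victim_history = [
        Event("deposit", BASE_TIME, amount_btc=0.02),
        Event("password_reset", BASE_TIME + timedelta(minutes=12)),
    ]
    victim_send = Event("withdrawal", BASE_TIME + timedelta(minutes=20), 0.02, EXTERNAL)

    # Customer with an authenticator app and an old deposit: the normal path.
    app_user = Account("app_user", second_factor="app")
    app_history = [Event("deposit", BASE_TIME - timedelta(days=3), amount_btc=0.02)]
    app_withdrawal = Event("withdrawal", BASE_TIME, 0.02, EXTERNAL)
    app_buy = Event("buy_to_address", BASE_TIME, 0.02, EXTERNAL)
    app_large = Event("withdrawal", BASE_TIME, 0.5, EXTERNAL)
    app_after_reset = [Event("password_reset", BASE_TIME - timedelta(hours=2))]

    return {
        "victim": assess_withdrawal(victim, victim_history, victim_send),
        "app_withdrawal": assess_withdrawal(app_user, app_history, app_withdrawal),
        "app_buy": assess_withdrawal(app_user, app_history, app_buy),
        "app_large": assess_withdrawal(app_user, app_history, app_large),
        "app_after_reset": assess_withdrawal(app_user, app_history + app_after_reset, app_withdrawal),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision.action} {decision.reasons}")
```

The victim timeline is held for a call on two counts (reset-plus-deposit timing, and a mailbox-bound second factor at the time of the reset), while the same-sized withdrawal from an app-2FA account is approved automatically even after a recent reset, which mirrors the observation that none of the affected customers had 2-factor authentication enabled.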
Presently we have more than 6000 account verifications pending, as we do this manually and take KYC seriously, and about 3500 tickets pending because user activity has been 3X its usual level since the third week of May. While we have hired and are still hiring new staff, orientation and training take time before they can start helping customers. This has led to an increased number of calls to our toll-free number, which has kept customer care very busy, and many of our customers have been unable to reach us either through tickets or through customer care. We expect to clear the backlog and get back on track to serve you in about two weeks.
To reiterate, there has been no security breach of Unocoin management, services or servers. This is similar to someone's Gmail id getting hacked rather than the Gmail servers getting hacked. We request you to take suitable measures, as outlined on our Security page, to secure your account. We look forward to growing stronger with your patience and support.
Update on 14th June 2017: There have been no new similar reports so far. We are aware that not every customer follows the best security practices, but we continue our efforts to educate them and remind them of the Do's and Don'ts. Some of the customers who faced this issue have asked whether there is any way of reversing the transactions or whether there will be any refunds. As bitcoin transactions are irreversible, there is not much we can do about it. There will not be any refunds, as we do not have that bitcoin with us. However, we were able to stop some of the authorised transactions when we reduced the automatic approval limit and contacted the customer for re-confirmation. These have been (or will be) cancelled and the bitcoin will be returned to the customer's Unocoin wallet. We will also be adding a Block Account feature on web, on mobile and through a link in password reset emails, which could come in handy in this kind of situation.
Bangalore, India – April 25, 2017: Unocoin, India's leading Bitcoin and Blockchain company, takes a step closer to a frictionless experience in buying Bitcoin for Indians. Unocoin has partnered with PayU Biz, a leading payment gateway, to let Unocoin users buy Bitcoin using net banking. Set to simplify the entire process of buying Bitcoin, the feature is now live on Unocoin.
“With an increasing interest in Bitcoin, this integration will enable Unocoin customers to buy Bitcoin even on a weekend while the manual payment processing is not functional,” says Sathvik Vishwanath, CEO and Co-Founder, Unocoin.
To buy Bitcoin using Net Banking, Unocoin users go to the “Buy Bitcoin” tab, choose ‘Netbanking’ as the mode of payment, fill in the required details and confirm the order. On successful completion of the transaction, the Bitcoin is credited immediately to the user's Unocoin Wallet. The entire transaction is handled by the PayUBiz payment gateway, India's leading payment gateway with PCI-DSS compliance, ensuring complete security of the transactions.
Unocoin recently launched its mobile app on iOS and Android, a full-featured mobile bitcoin app. The app offers 24/7 access to real-time bitcoin market prices and instantaneous trading transactions. In another development, Unocoin had previously opened up its API for the public to build businesses on top of its services and had conducted “Cryptothon”, a 24-hour Bitcoin and Blockchain hackathon.
This afternoon we sent you an email regarding a service interruption caused by DNS resolution issues. It was merely a service interruption; there has been no compromise of data or funds. If you were expecting any BTC deposits to your account that have not yet been credited to your Unocoin wallet, they will be credited by Friday afternoon. The accounts are now accessible and the services are fully restored. Thanks for your patience.