An update regarding a few of our customer’s account getting compromised

2nd June 2017: While this is not the first time we are hearing from a customer whose Unocoin’s account got hacked for various reasons, we have seen this number to be a bit high this week (9 of them have reported so far as compared to 3-4 per month). Among these, some of the customers have provided an update over the phone while some have walked into our Bangalore office. After collecting the facts explained by these customers, we have understood quite a few facts and a series of events that is happening on their account before their account getting compromised. Most of the cases have sounded genuine to us. We have taken this opportunity to share what we know about such compromise so that you are informed as well. The facts we were able to acquire are:

1. None of the customers who had 2-factor authentications has got affected. All the ones are the customers who had OTP coming to their mobile phone or/and emails.
2. All the customers except one are on Android devices.
3. Either the customer had the same password for their email id and Unocoin account, or have had the Forgot Password email and the password reset confirmation email received in their email inbox.
4. For most of the customers, the forgot password and sending of bitcoin out have happened just within the first half an hour of receiving of some bitcoin into their account.

Based on our understanding of the same, the sequence of operation starts with the compromised mobile phone or email id which usually is due to the clicking of malicious links, running malicious scripts or installing malicious apps. The hackers are able to monitor the email inbox to see when there is bitcoin deposit. This is when the users are ending up getting the Forgot password link to their email inbox and getting the confirmation email that the password got changed successfully. In some cases, these two emails were found in the trash folder. The apps on mobile phones are so smart that the notification it sent you when an email arrived also disappears if you open that particular email over your computer – hence the user could miss this notification unless he is staring at his phone when the forgot password email arrived. OTP is getting acquired through the email inbox itself if such option is enabled by the user or through an app that can read an SMS. The story is a bit different for each customer but overall this is the outline. If we get to know more info, we would update this post.

As a part of our due diligence, we have taken the following steps so far

1. Just after first 3 reports, we have stopped sending the OTP through email by default but the customer has to log in and enable this in their settings at their own risk. Enabling this also means that there is a single point of failure which is their email inbox (they can get the link to reset their password and OTPs are always getting delivered to their email inbox).
2. We have made sure that the compromise is not from our services or from our server.
3. We had reduced the automatic approval limit so that we can call our customers to confirm their action before manually processing the BTC withdrawals.
4. We have forcefully logged out all the mobile app users.
5. We have reset the credentials and API keys for our SMS gateway which handles the OTPs delivery to customers. Now, this gateway also masks the OTPs in their viewable and downloadable reports.

And we will be taking the following steps going forward.

1. Increase the frequency in educating our customers regarding the security measures they should be taking to keep their accounts secure.
2. Considering the hardware based authentication preferably through UbiKey for the customers who would want to opt for it.
3. We will be adding an extra OTP requirement whenever the customer buys bitcoin directly to a bitcoin address. The customer would need an OTP to log in anyway but this is one another OTP we would ask for as this operation also include sending of bitcoin from your wallet that you just purchased.

Presently we have more than 6000 account verifications pending as we do this manually and take KYC seriously and have about 3500 tickets pending due to 3X the activity of user base since the third week of May. While we have hired and still hiring new hands, the orientation and training take time before they can get on the field to help the customers. Hence, this has given rise to increased number of calls to our toll-free number which have kept the customer care very busy and this has led to lot of our customers not able to reach us either through tickets or through customer care. We look forward to being clearing the backlog and getting back on track to serve you in about two weeks.

To reiterate, there has not been any security breach in Unocoin management, services or servers. This is similar to someone’s Gmail id getting hacked and not the Gmail servers getting hacked. We request you to take suitable measures as outlined in our Security page to secure your account. We look forward to growing stronger with your patience and support.

Update on 14th June 2017: There are no new similar reports so far. We are aware that not each of our customers follows the best security practices but we continue to push our efforts to educate them and remind them of what are the Do’s and Don’ts. Some of the customers who faced the issue have contacted us asking if there is any way of reversing the transactions or if there would be any refunds. As the bitcoin transactions are irreversible, there is not much we can do about it. There will not be any kind of refunds as we do not have that bitcoin with us. However, we were able to stop some of the authorised transactions when we reduced the automatic approval limit and contacted the customer for re-confirmation. These are already (or will be) cancelled and those bitcoin will get back to their Unocoin wallet. We will also be adding the Block account feature on web, mobile and through a link on password reset emails to the customer which could come handy in this kind of situations.