Here at MyVested we get asked “Are you secure?” and “How are you secure?” all the time. This post is to tell everyone that we are, and hopefully not make it too techy and confusing.
I’ll give a quick answer for those who don’t want to spend all day reading: yes, we are secure. Our encryption has 128 ENTIRE BITS OF ENTROPY.
For those who didn’t spend years studying 1’s and 0’s, that means to crack the encryption on one of our web requests you would need to guess 2^128 - 1 different keys (that’s if you were curious; good luck NSA!).
If you want a look into how we’ve designed some other stuff and mitigated common threats, read on! If you have something you’d like to know about, shoot us a message and I’ll add it to this post.
The information contained in this post is not by any means an all-inclusive list of security controls; it’s just a quick overview of common issues to help people feel at ease.
Spoiler: this post may not be accurate as you’re reading this; I promise it’s only ever changed for the better.
Common Security Threats
DDOS (Distributed Denial of Service) attacks are all too common with cloud applications. These happen when a bored 12-year-old (sorry, a nice person with some pocket money) decides to send lots and lots of requests somewhere all at once. For the curious out there, an hour-long DDOS from 1000 computers is available for around $30 in the deep dark corners of the web.
So what does this do? Not a whole lot; it makes it very hard to load a page. That’ll show them!
On our side of the world it doesn’t pose too much of a threat to us, but we want to keep MyVested up as much as possible for our users, so we use CloudFlare DDOS protection (check it out if you have issues with DDOS, it’s great!). It’s not hard to understand: they have servers with far more capacity than those bad guys, and they’ll detect the attack and handle it for us while letting our normal users in. Easy!
One of the biggest and most overlooked threats to a company is internal threats. The US Computer Emergency Response Team (CERT) reported that around 40% of IT security breaches are perpetrated by people inside the company.
To alleviate concerns around these issues there are a few things we need to do.
The weakest point in any company is its staff (sorry guys).
We make sure all employees understand the threats that are out there and know how to deal with them. I know this isn’t exactly internal, but when you think about it, knowing what can go wrong and understanding the signs means we don’t just have security staff looking out for it; everyone is.
Defense in Depth
Defense in depth is the concept that there should be no single point of failure: security should be layered. For example, if a malicious actor gains access to our web server, they shouldn’t be able to access anything else in our infrastructure. A malicious user wouldn’t just need to magically compromise our security once; they would need to do it again and again to get any meaningful access. Keeping true to this concept, our web application sits behind an API layer, with more layers behind that before any data can even begin to be accessed.
This is a general security concept, but it applies extra to internal threats, since those will usually reside somewhere inside one of the layers.
Backups hold an important place in security; they serve a purpose beyond helping us get back up and running if something goes horribly wrong. If something is compromised, it’s important to be able to restore critical resources to a point in time where you know they were okay. If we manually tried to fix a compromised system, we would run the risk of it still having some kind of backdoor due to human error.
In the case of MyVested, we have many, many backups and would be able to restore our systems within moments of detecting a compromise.
Anyone should only have the access needed to do their job; anything else should not be allowed. It’s the most important rule in security and the first thing most professionals will think of. Here we have a majority of systems that can’t be accessed by anyone. In fact, I’ve personally had to deal with support requests recently that required application code changes just so we could accommodate our users. Not having access to things is great, but do you know what’s even greater? Making the only person with access work HARD to be able to change anything. This isn’t true for everything of course; a balance of confidentiality, integrity and availability is important, but when you’re dealing with banking info you can’t be too careful.
Man In The Middle Attacks
Man in the middle attacks are like the boogeyman these days. I always hear “I don’t use public WiFi because they’ll hack my Facebook”, and that’s not unfounded. There’s a large variety of attacks that are enabled by being connected to the same network as someone else. When I was a bit younger, I used to mess with my brothers all the time. I would kick them off the network when they were downloading; I’ve even replaced every picture that loads with my lord and savior, Nick Cage, by intercepting and changing their traffic.
Brotherly antics aside, the same concept could be used to direct a user to another site that looks like MyVested, sounds like MyVested and quacks like MyVested but isn’t MyVested, sending them your credentials when you log in.
To combat this there are a few things that happen; first and foremost is SSL/TLS. All requests we send are encrypted with TLS 1.2 by default, and we don’t support the older SSL versions, to avoid protocol downgrade attacks. This means requests and responses can’t be read by anyone in between, so someone who pops up and tries to read your username/password can’t. Awesome!
HTTP Strict Transport Security
With this they can’t read messages to the site, but there are still a few workarounds for those baddies: they can use an invalid SSL certificate that they control, or simply make you visit the page via HTTP without the magic S (HTTPS), leaving all your stuff visible. We’ve implemented HTTP Strict Transport Security (HSTS) to fix these issues. HSTS is a protocol that tells your browser it should only ever visit us over HTTPS and that it should only accept our certificate. If someone ever tries to redirect you to HTTP or use a different certificate, the browser will see it and say “not on my watch!”.
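HSTS is switched on by a single response header, and whether it actually protects a visitor depends on the directives in it. The checker below is an added example (not MyVested’s code); it parses a Strict-Transport-Security header and flags the weak settings a reviewer would look for, using constructed sample values and the one-year / includeSubDomains thresholds from the HSTS preload list requirements.

```python
"""Check a Strict-Transport-Security header against common hardening advice.

Added example, not code from the MyVested post. The header values are
constructed samples; the one-year and includeSubDomains thresholds follow
the HSTS preload list requirements.
"""

ONE_YEAR = 31536000  # seconds; the minimum max-age the HSTS preload list accepts


def parse_hsts(header_value):
    """Parse the directives of a Strict-Transport-Security header value.

    Directive names are case-insensitive (RFC 6797). Returns a dict with
    max_age (int or None), include_subdomains (bool) and preload (bool).
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def hsts_findings(header_value):
    """Return a list of weaknesses; an empty list means the policy is hardened."""
    if header_value is None:
        return ["no Strict-Transport-Security header: the browser can still be sent to plain HTTP"]
    policy = parse_hsts(header_value)
    findings = []
    if policy["max_age"] is None:
        findings.append("max-age missing: browsers ignore the header entirely")
    elif policy["max_age"] == 0:
        findings.append("max-age=0: this clears the stored policy instead of enforcing one")
    elif policy["max_age"] < ONE_YEAR:
        findings.append("max-age below one year: protection lapses for infrequent visitors")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains can still be served over HTTP")
    return findings


# Constructed sample headers, not captured from any real site.
SAMPLES = {"weak": "max-age=300", "hardened": "max-age=63072000; includeSubDomains; preload"}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(label, "->", hsts_findings(header) or "ok")
```

Once the browser has stored a policy like the hardened sample, it refuses plain-HTTP connections to the site and will not let the user click through a certificate error, which is the behaviour described above.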
Finally there is 2FA: we encourage all our users to enable it, and we use it internally for everything we possibly can. If you have 2FA enabled and an attacker still manages to get your credentials, they still won’t be able to get into your account, since they don’t have the code. If you use MyVested and don’t have 2FA enabled, you should head here (https://www.myvested.com/settings/profile#2fa) and enable it now.
We’ve done everything we can on our end to prevent people from exploiting our users’ accounts, but we still encourage users to avoid using our application on shared networks, to use 2FA and to watch out for imitators. Our only valid domain is https://www.myvested.com.
The final part of security is unknown vulnerabilities. Having worked as a penetration tester (i.e. hacker for hire) for some time before my role here, I’m more than aware that there are more vulnerabilities floating around the internet than you can poke a stick at.
We have done several penetration tests and full code reviews on our application to make sure there are no vulnerabilities present. On top of that, the code is all made in-house, so there are no threats from third-party code (beyond Microsoft and their framework, of course).
I hope I’ve provided some peace of mind to those out there who are worried about the security of their Bitcoin or other cryptocurrencies. If you ever have any questions, feel free to contact us at https://www.myvested.com/support!