On June 5th and 6th, me and my marketing team colleagues attended the Singapore Smart Nation Innovation / Innovfest Unbound event, setting up booth and pitch to promote our FiiiPOS and FiiiPay. We received a lot very useful feedback and comment about our product. The most frequently asked question is related to security which I would like to explain more in this post.
HTTPS
Firstly, the most common way to secure a communication channel is to use encryption. Our POS terminal and digital wallet communicate with our payment gateway API using SSL. It is to prevent user data from being leaked when users or merchants are connecting their devices to a public WiFi. You do not know there may be someone who is also connecting to the same WiFi network implanted some sniffing script to the router to monitor the network traffic. If the communication is not encrypted, the hacker can see the data flow between your POS terminal or digital wallet.
Therefore, we strongly encourage our merchant who is using our FiiiPOS terminal not to connect to a public free WiFi hotspot, but putting up a SIM card into the POS terminal to use own network instead.
DNSSEC
All our public domain are protected with Domain Name System Security Extension (DNSSEC). It is a mechanism to prevent hackers from hijacking the DNS and faking the response data to the user, which is known as man-in-the-middle attacks.
Firewall & DMZ
FiiiPay and FiiiPOS servers are secured with perimeter network (known as Demilitarized Zone - DMZ). All the servers are protected with firewall rules that locked down most of the network port access. The common default ports are being changed to random port to prevent hackers from using brute force attack to guess remote access password.
The web and API servers are separated from the database servers where by the public access servers sit in the DMZ but the database server sit in the trusted zone or local area network which restricted to be accessed by the dedicated servers and IP addresses only.
The Vault
With the firewall setup above, all our cryptocurrency nodes are being protected and the nodes access are being restricted. We call it the vault as it can only be accessed by the approved staffs. The servers password are changed frequently and it is strongly type password. The cryptocurrency private key are backed up regularly.
Full Disk Encryption
All the servers storage such as hard disks and solid state disks are all fully encrypted. The servers are setup in a remote data center managed by the service provider. The servers contain the very valuable cryptocurrency private keys. In order to prevent the system engineer in the data center access to the server disks, the disks are fully encrypted. So that, it could prevent the system engineer from trying to unplug the disk and put it into another server or computer to attempt to obtain the private key.
Mobile Application Digital Signature
All the FiiiPay and FiiiPOS application are digitally signed and published to the application store. FiiiPOS application can only be installed to the POS terminal. Hacker cannot install any malware, script, key logger or applet to the POS terminal physically or remotely. So the chances of Spectre and Meltdown exploit is very low and near impossible.
Two Factor Authentication (2FA)
FiiiPay & FiiiPOS provide optional feature for the users and merchants to enable which is the two factor authentication. By default, SMS authentication is enabled. When user or merchant attempt to withdraw cryptocurrency out from the digital wallet, they need to provide the OTP from the received SMS.
We also provide optional Google Authenticator and email authentication option for 2FA in order to reduce the risk of user crypto being stolen by the hacker who has cracked the user password and gained access to the user account.
Artificial Intelligent
FiiiFinance will be equipped with machine learning capability to review all the crypto withdrawal request submitted by the FiiiPay and FiiiPOS users. It collect all the withdrawal timestamp, IP address, geolocation, device ID, operating system, withdrawal amount, crypto type, etc data. Based on the user app usage behavior, pattern and the withdrawal request history, it can raise alert to the finance team and put the withdrawal transaction on hold for human review when it detect unusual activity for a particular account. This security measurement can ensure the lower risk of the crypto to be stolen by the hacker who has gained access to a FiiiPay/FiiiPOS user account.
Payment Code Algorithm
The QR code, Bluetooth and NFC payment mechanism actually rely on HMAC (hash-based message authentication code) to generate the unique OTP which is impossible forge and brute force attack. The generated payment code is always unique to different account at different time and it will be valid for a short period of time.
Summary
Our system architecture are setup in enterprise standard. Our customer digital asset and data are the utmost important, hence we are very serious and invest heavily on system and network security. Cyber security is always the hot topic in blockchain world as we occasionally read the news about X exchange platform had been hacked and lost X million of USD worth of cryptocurrency. We ensure this tragedy will not happen in our platform.
If you are a cyber security expert or ethical hacker, please drop me a message by connecting to me at LinkedIn. We are planning for a hackathon event for our product to look for security exploit.
iOS - AppStore
Android - PlayStore
If you are interested in our multi-cryptocurrency POS machine - FiiiPOS, please drop me an email at sylvester.lee@fiiipay.com
If you are interested in our project, please visit our website at https://fiii.io
Facebook - https://www.facebook.com/fiiipay/
Telegram - https://t.me/fiiicoin
HTTPS
Firstly, the most common way to secure a communication channel is to use encryption. Our POS terminal and digital wallet communicate with our payment gateway API using SSL. It is to prevent user data from being leaked when users or merchants are connecting their devices to a public WiFi. You do not know there may be someone who is also connecting to the same WiFi network implanted some sniffing script to the router to monitor the network traffic. If the communication is not encrypted, the hacker can see the data flow between your POS terminal or digital wallet.
Image via contextis.com
Therefore, we strongly encourage our merchant who is using our FiiiPOS terminal not to connect to a public free WiFi hotspot, but putting up a SIM card into the POS terminal to use own network instead.
DNSSEC
All our public domain are protected with Domain Name System Security Extension (DNSSEC). It is a mechanism to prevent hackers from hijacking the DNS and faking the response data to the user, which is known as man-in-the-middle attacks.
Image credit to Michael Earls
Firewall & DMZ
FiiiPay and FiiiPOS servers are secured with perimeter network (known as Demilitarized Zone - DMZ). All the servers are protected with firewall rules that locked down most of the network port access. The common default ports are being changed to random port to prevent hackers from using brute force attack to guess remote access password.
The web and API servers are separated from the database servers where by the public access servers sit in the DMZ but the database server sit in the trusted zone or local area network which restricted to be accessed by the dedicated servers and IP addresses only.
The Vault
With the firewall setup above, all our cryptocurrency nodes are being protected and the nodes access are being restricted. We call it the vault as it can only be accessed by the approved staffs. The servers password are changed frequently and it is strongly type password. The cryptocurrency private key are backed up regularly.
Full Disk Encryption
All the servers storage such as hard disks and solid state disks are all fully encrypted. The servers are setup in a remote data center managed by the service provider. The servers contain the very valuable cryptocurrency private keys. In order to prevent the system engineer in the data center access to the server disks, the disks are fully encrypted. So that, it could prevent the system engineer from trying to unplug the disk and put it into another server or computer to attempt to obtain the private key.
Mobile Application Digital Signature
All the FiiiPay and FiiiPOS application are digitally signed and published to the application store. FiiiPOS application can only be installed to the POS terminal. Hacker cannot install any malware, script, key logger or applet to the POS terminal physically or remotely. So the chances of Spectre and Meltdown exploit is very low and near impossible.
Two Factor Authentication (2FA)
FiiiPay & FiiiPOS provide optional feature for the users and merchants to enable which is the two factor authentication. By default, SMS authentication is enabled. When user or merchant attempt to withdraw cryptocurrency out from the digital wallet, they need to provide the OTP from the received SMS.
We also provide optional Google Authenticator and email authentication option for 2FA in order to reduce the risk of user crypto being stolen by the hacker who has cracked the user password and gained access to the user account.
Artificial Intelligent
FiiiFinance will be equipped with machine learning capability to review all the crypto withdrawal request submitted by the FiiiPay and FiiiPOS users. It collect all the withdrawal timestamp, IP address, geolocation, device ID, operating system, withdrawal amount, crypto type, etc data. Based on the user app usage behavior, pattern and the withdrawal request history, it can raise alert to the finance team and put the withdrawal transaction on hold for human review when it detect unusual activity for a particular account. This security measurement can ensure the lower risk of the crypto to be stolen by the hacker who has gained access to a FiiiPay/FiiiPOS user account.
Payment Code Algorithm
The QR code, Bluetooth and NFC payment mechanism actually rely on HMAC (hash-based message authentication code) to generate the unique OTP which is impossible forge and brute force attack. The generated payment code is always unique to different account at different time and it will be valid for a short period of time.
Summary
Our system architecture are setup in enterprise standard. Our customer digital asset and data are the utmost important, hence we are very serious and invest heavily on system and network security. Cyber security is always the hot topic in blockchain world as we occasionally read the news about X exchange platform had been hacked and lost X million of USD worth of cryptocurrency. We ensure this tragedy will not happen in our platform.
If you are a cyber security expert or ethical hacker, please drop me a message by connecting to me at LinkedIn. We are planning for a hackathon event for our product to look for security exploit.
iOS - AppStore
Android - PlayStore
If you are interested in our multi-cryptocurrency POS machine - FiiiPOS, please drop me an email at sylvester.lee@fiiipay.com
If you are interested in our project, please visit our website at https://fiii.io
Facebook - https://www.facebook.com/fiiipay/
Telegram - https://t.me/fiiicoin