These measures were designed as an aggressive approach to limiting the attack surface of our infrastructure, making it prohibitively difficult to compromise.
MTBIT Triple Layer Security protects our system thoroughly and at all times, from the outer layers to the core, safeguarding trader assets.
- Our first layer of defense is Cloudflare’s Anti-DDoS Service. This helps prevent disruption of our system by outside elements. The Cloudflare configuration is also tailored to our needs and is updated as new vulnerabilities are discovered and quarantined.
- Our second layer of defense is Juniper Hardware Firewall Devices, designed to establish further control over the system’s accessibility. Like a standard computer with a processor, memory, and sophisticated software, these devices also employ powerful networking components and inspect all traversing traffic in the connection using a configurable rule set that grants or denies access accordingly.
- Our third layer of defense is MTBIT Guardian, our specialized defense system. MTBIT Guardian was designed and tested against, and withstood, the OWASP Top Ten security threats. This resilience makes us an even more valuable asset to our institutional clients.
INDIVIDUAL USER SECURITY
MTBIT provides a strong portfolio of user-determined security measures, and we encourage all users to review all of the measures below. Enabling them improves personal security, reduces the required number of confirmations for cryptocurrency deposits, and prioritizes withdrawals through automatic processing.
Two-Factor Authentication (2FA)
We implemented the following mechanisms of 2FA:
- Google Authenticator on Android and iOS devices
- Physical Security Key using FIDO Universal 2nd Factor (U2F)
Enabling 2FA places a second level of security between an attacker and withdrawal confirmations, password changes, API key creation, and logins.
Keep Session Alive
When logged in and inactive, the browser will ping the platform every 10 minutes to keep the session alive. If disabled, the session will expire after 15 minutes of inactivity and the user’s account will be automatically logged out.
Send Email on Login
Receive an email each time someone logs into your account. The email will contain information about the IP of the authenticated user and a link to freeze your account if you suspect malicious activity.
Detect IP Address Change
If the IP address used to access a user’s account changes on any request, all open sessions will be immediately invalidated and the account will be automatically logged out. This prevents session hijacking.
IP Address Whitelist
Limit account access by IP address. Users can provide one or more IP addresses and/or specify an IP range. Anyone without access to the whitelisted IPs is denied use of the account.
Each login to a user’s account is recorded and can be personally audited.
API Key Permissions
Create API keys with advanced read/write permissions on a per-feature basis.
Email Encryption with OpenPGP
Pretty Good Privacy (PGP) is a data encryption and decryption program that provides cryptographic privacy and authentication for correspondence. It uses a variation of the public key system.
Monitor Withdrawals by IP
If a withdrawal is requested from a new IP address, the account holder will receive an email asking to review and verify the withdrawal. The period of distrust for IP changes is 24 hours.
Lock withdrawals for 24 hours when a new IP address is used
When a new IP address is used to log into a user’s account, all withdrawals will be locked for 24 hours and the user will receive an email notification with a link to freeze the account for activity review.
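The IP-based account controls described above (a whitelist of addresses or ranges, invalidation of all sessions when a session's IP changes, and the 24-hour withdrawal lock after a login from a new address) as an added Python example. This is illustration code written for this page, not MTBIT's implementation; the in-memory store, the token format and the Unix-timestamp `now` arguments are assumptions.

```python
import ipaddress
import secrets

# Hypothetical per-account policy engine (not MTBIT's code): IP whitelist with
# CIDR ranges, session-to-IP binding, and a 24-hour withdrawal lock that starts
# at the first login from an address. State is an in-memory dict (assumption).
NEW_IP_WITHDRAWAL_LOCK = 24 * 3600  # seconds


class AccountIpPolicy:
    def __init__(self, whitelist=()):
        # strict=False lets "203.0.113.5/24" be read as the whole /24 range
        self.whitelist = [ipaddress.ip_network(w, strict=False) for w in whitelist]
        self.first_seen = {}   # ip address -> unix time of first login from it
        self.sessions = {}     # session token -> ip address it was issued to

    def ip_allowed(self, ip):
        """Whitelist check; an empty whitelist means no IP restriction."""
        addr = ipaddress.ip_address(ip)
        return not self.whitelist or any(addr in net for net in self.whitelist)

    def login(self, ip, now):
        """Returns (token, first_login_from_ip), or (None, False) if denied."""
        if not self.ip_allowed(ip):
            return None, False
        addr = ipaddress.ip_address(ip)
        is_new = addr not in self.first_seen
        if is_new:
            self.first_seen[addr] = now   # starts the 24-hour withdrawal lock
        token = secrets.token_urlsafe(16)
        self.sessions[token] = addr
        return token, is_new

    def request(self, token, ip):
        """Detect IP Address Change: any mismatch invalidates every open session."""
        bound = self.sessions.get(token)
        if bound is None:
            return False
        if bound != ipaddress.ip_address(ip):
            self.sessions.clear()
            return False
        return True

    def withdrawal_allowed(self, ip, now):
        """Allowed only from a whitelisted IP first seen at least 24 hours ago."""
        if not self.ip_allowed(ip):
            return False
        seen = self.first_seen.get(ipaddress.ip_address(ip))
        return seen is not None and now - seen >= NEW_IP_WITHDRAWAL_LOCK
```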
Custom Withdrawal Check
Add a secret phrase to the withdrawal confirmation image. When enabled, users will see a tamper-proof image that confirms the details of a withdrawal and includes the secret phrase. This additional redundancy ensures your withdrawal details have not been compromised by malware or a man-in-the-middle attack.
Lock/Disable Withdrawal Addresses
Set a specific withdrawal address for each currency or disable withdrawals for a currency altogether. Changing or disabling the address lock requires confirmation by email and will begin an automated 5-day withdrawal hold on the account.