Security Setup

Attention: Our team is not responsible for any losses incurred as a result of hacking. Therefore, we strongly recommend using cold wallets and avoiding storing all your funds with an exchange service to prevent significant losses.

Security Recommendations

  1. Do not install untrusted third-party software on the device from which you access the admin panel, even if it comes from an app store. Install only applications with an established reputation.

  2. Restrict access to the admin panel to your IP address(es). If you have a dynamic IP, set up your own VPN with a static IP and allow only that address.

  3. Check the reputation of service providers. Never send funds first to a provider you do not know; it is safer to use an escrow (guarantor) service, and only a trusted one. You can also ask us for advice or assistance with a transaction; this is free.

  4. An individual admin account should be created for each administrator/operator.

  5. Specific roles should be created for operators and administrators (if there are several), so that operators have limited access to the functions of the admin panel.

  6. Enable 2FA security for admin panel access.

  7. Follow the instructions outlined in the Server Security Setup section.

  8. Regularly update your software to promptly receive our security updates.

  9. Do not reuse a password from another service for admin access, and do not store the password with third-party services you cannot fully trust with sensitive data (we consider 1Password a secure password manager, but we cannot guarantee the safety of any third-party service).

  10. Do not paste or execute code in the browser's developer console unless you fully understand what it does: code run there has access to your session and can hand your authentication data to fraudsters.

  11. Do not install third-party browser plugins.

  12. Do not install third-party scripts into the exchanger-admin-web repository.

  13. Do not expose MongoDB, Redis, FTP, or the API to the Internet. Bind them to localhost and reach them through an SSH tunnel when you need access to service data.

  14. For SSH, use UFW or similar firewall rules so that the server accepts connections only from your IP.

  15. Do not share your admin panel login details with third parties. Our support team will never contact you asking for login details.

  16. Only set up automatic payouts for payment directions you are confident in.
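The network items above (IP restriction, no externally reachable MongoDB/Redis/FTP/API, SSH allowed only from your IP) can be checked on the server. The following script is an added example and is not part of the exchanger project's code: it parses `ss -Hltn` output, reports watched ports bound to a non-loopback address, and prints the UFW rules and SSH tunnel command that close the gap. The API port (3000), the admin IP (203.0.113.10), the `admin@your-server` login and the sample `ss` output are assumptions made for the example.

```python
"""Added example, not part of the exchanger project's code: audit which service
ports are reachable from outside the server.

Recommendations 13 and 14 require MongoDB, Redis, FTP and the API to be
unreachable from the Internet (use an SSH tunnel instead) and SSH to accept
connections only from the operator's IP. This script parses `ss -Hltn` output,
flags watched ports bound to a non-loopback address, and prints the UFW rules
and tunnel command that close the gap. The API port (3000), the admin IP
(203.0.113.10) and the sample ss output are assumptions made for the example.
"""
import subprocess
import sys

# Services that must listen on loopback only. SSH is deliberately absent: it has
# to listen publicly and is restricted with UFW instead (see ufw_rules below).
LOOPBACK_ONLY = {27017: "MongoDB", 6379: "Redis", 21: "FTP", 3000: "API (assumed port)"}
LOOPBACK_ADDRS = {"127.0.0.1", "[::1]"}


def parse_ss_line(line):
    """Return (address, port) from one `ss -Hltn` line, or None if it is not a LISTEN row."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "LISTEN":
        return None
    addr, _, port = fields[3].rpartition(":")  # '[::]:3000' -> ('[::]', '3000')
    return addr, int(port)


def exposed_listeners(ss_output):
    """(service, address, port) for each watched port not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        parsed = parse_ss_line(line)
        if parsed and parsed[1] in LOOPBACK_ONLY and parsed[0] not in LOOPBACK_ADDRS:
            findings.append((LOOPBACK_ONLY[parsed[1]], parsed[0], parsed[1]))
    return findings


def ufw_rules(admin_ip):
    """Recommendation 14: deny all inbound traffic except SSH from the admin IP."""
    return [
        "ufw default deny incoming",
        "ufw default allow outgoing",
        f"ufw allow from {admin_ip} to any port 22 proto tcp",
        "ufw enable",
    ]


def ssh_tunnel_command(port, user_at_host):
    """Recommendation 13: reach a loopback-only service through an SSH tunnel."""
    return f"ssh -N -L {port}:127.0.0.1:{port} {user_at_host}"


# Constructed sample of `ss -Hltn` output: MongoDB and the API are exposed, Redis is fine.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:27017 0.0.0.0:*
LISTEN 0 511 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 511 [::]:3000 [::]:*
"""


def live_ss_output():
    """Current listeners on this host (Linux with iproute2)."""
    return subprocess.run(["ss", "-Hltn"], check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    output = live_ss_output() if "--live" in sys.argv else SAMPLE_SS_OUTPUT
    for service, addr, port in exposed_listeners(output):
        print(f"EXPOSED: {service} on {addr}:{port}; bind it to 127.0.0.1 and use: "
              + ssh_tunnel_command(port, "admin@your-server"))
    print("\n".join(ufw_rules("203.0.113.10")))
```

Run it with `--live` on the server to audit the real listeners; without the flag it runs against the constructed sample. Anything it reports as EXPOSED should be rebound to 127.0.0.1 in the service's configuration (for example `bindIp` in `mongod.conf`, `bind` in `redis.conf`) and reached through the printed tunnel command from the whitelisted admin machine.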

Security Recommendations from BestChange

Access Security

  1. 2FA for website control panel login.

  2. Additional protection for site file access besides a password, such as 2FA or access via office VPN.

  3. Admin panel access restricted to specific IP addresses, browsers, or devices.

  4. Separate access rights for different employees.

  5. No direct access to accounts and/or wallets containing the exchange office reserves via the admin panel.

  6. Login notifications for admin panel access.

  7. Notifications for key actions performed by operators or administrators.

  8. Monitoring of root directory activity, with alerts for file uploads or changes.

  9. Logging of key actions performed by operators and administrators, and of root directory activity (file uploads or changes).

  10. Paid antivirus software installed on all devices, with up-to-date databases and modules.

  11. Files received from users are uploaded and viewed on devices not connected to the exchange office workflows. If it’s necessary to accept files other than raster images, this is done using the appropriate hosting services.

Work Process Security

  1. Transmission of payment details should only be carried out through the official website of the exchange office.

  2. A valid client email address is a mandatory part of the required information.

  3. Changing payment details at the client's request should only be done via the email address specified in the client's application (with a mandatory check of the message headers to verify that the sender's address is genuine, since the visible From address alone can be forged) or by creating a new application.

  4. The exchange office's website does not display messenger account names; instead, clickable buttons are provided.

  5. Links to exchange bots are either absent or hidden for users arriving from monitoring services.

  6. Cryptocurrency payments are accepted through unique addresses (at least within the same work shift).

  7. Funds via bank transfer are accepted only after account verification, or the bank details given for receiving funds include a phone number linked to the bank card from which the client is transferring. Before processing the application, verify that the phone number belongs to the holder of that card and request confirmation of the transaction through that number.

  8. In the absence of round-the-clock support, block the export of the rate file from the exchange office’s control panel to monitoring during non-working hours.

  9. When working with cryptocurrencies, ensure that the coins sent to clients do not carry an undesirable transaction history [mandatory].

  10. Organize AML checks on transactions and place relevant information on the exchange office’s website on the exchange pages. Also, transmit the corresponding tags to the monitoring service and update the terms of use for the exchange office's website accordingly.
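Item 3 above requires a header check before a payout-details change is accepted by email. The following check is an added example, not part of the original page or of any exchanger project code: besides comparing the From address with the one in the application, it requires that the Authentication-Results header written by your own mail server (RFC 8601) reports a DKIM or SPF pass for a domain aligned with the From domain, ignores Authentication-Results headers that claim a different server, and refuses mails whose Reply-To points elsewhere. The mail server name `mx.exchange.example`, the addresses and the two sample messages are constructed for the example.

```python
"""Added example, not part of the original page: verifying the sender of a
"please change my payout details" email.

Work Process Security item 3 allows a change of details only from the email
address in the client's application, with a mandatory header check. The From:
line alone proves nothing, since the sender controls it. This check additionally
requires that the Authentication-Results header written by OUR mail server
(RFC 8601) reports DKIM or SPF pass for a domain aligned with the From: domain,
and refuses mails whose Reply-To points somewhere else. All host names,
addresses and messages below are constructed for the example.
"""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

DKIM_PASS = re.compile(r"dkim=pass\b.*?header\.d=([\w.-]+)", re.I)
SPF_PASS = re.compile(r"spf=pass\b.*?smtp\.mailfrom=(?:[^@\s]+@)?([\w.-]+)", re.I)


def authenticated_domains(msg, authserv_id):
    """Domains that OUR mail server reports as DKIM or SPF pass.

    Only Authentication-Results headers carrying our authserv-id are trusted:
    anyone upstream can add such a header, so one claiming another server id
    is ignored (RFC 8601 section 7.1 tells receivers to strip or distrust them).
    """
    domains = set()
    for raw in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in " ".join(str(raw).split()).split(";")]
        head = parts[0].split()
        if not head or head[0].lower() != authserv_id.lower():
            continue
        for result in parts[1:]:
            for pattern in (DKIM_PASS, SPF_PASS):
                m = pattern.match(result)
                if m:
                    domains.add(m.group(1).lower())
    return domains


def aligned(auth_domain, from_domain):
    """Relaxed alignment: the authenticated domain is the From: domain or a subdomain of it."""
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)


def details_change_allowed(raw_message, application_email, authserv_id):
    """Decide whether a payout-details change request may be acted on.

    Returns (allowed, reason). 'allowed' means the sender is the address from the
    application AND our server authenticated that domain; the operator still
    follows the rest of the procedure (or asks the client for a new application).
    """
    msg = Parser(policy=policy.default).parsestr(raw_message)
    _, sender = parseaddr(str(msg.get("From", "")))
    if sender.lower() != application_email.lower():
        return False, f"From {sender!r} is not the application email {application_email!r}"
    domain = sender.rpartition("@")[2].lower()
    if not any(aligned(d, domain) for d in authenticated_domains(msg, authserv_id)):
        return False, f"no DKIM/SPF pass for {domain} reported by {authserv_id}"
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != sender.lower():
        return False, f"Reply-To {reply_to!r} differs from the authenticated sender"
    return True, "sender authenticated by our mail server"


# Constructed sample: genuine request, our server (mx.exchange.example) saw DKIM and SPF pass.
GOOD = """\
Authentication-Results: mx.exchange.example;
 dkim=pass header.d=client-mail.example;
 spf=pass smtp.mailfrom=alice@client-mail.example
From: Alice <alice@client-mail.example>
To: support@exchange.example
Subject: Please change my payout details

New wallet address below.
"""

# Constructed sample: forged From:, a forged Authentication-Results header claiming another
# server, and a Reply-To that would route the operator's answer to the attacker.
SPOOFED = """\
Authentication-Results: mx.exchange.example; dkim=none; spf=fail smtp.mailfrom=bounce@attacker.example
Authentication-Results: mail.attacker.example; dkim=pass header.d=client-mail.example
From: Alice <alice@client-mail.example>
Reply-To: alice@attacker.example
To: support@exchange.example
Subject: Please change my payout details

Send to my new wallet instead.
"""

if __name__ == "__main__":
    for name, raw in (("GOOD", GOOD), ("SPOOFED", SPOOFED)):
        print(name, details_change_allowed(raw, "alice@client-mail.example", "mx.exchange.example"))
```

The authserv-id check is the part most often skipped: a forged `Authentication-Results` line is trivial for an attacker to add, so only the header your own MTA writes (and, ideally, an MTA configured to strip incoming headers that claim its own id) may be trusted. A pass result still only proves the mail came from the client's mail domain, so the procedure's fallback of asking the client to create a new application remains the stronger confirmation.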

Staff Verification

  1. Signing agreements that establish the level of responsibility for employees.

  2. Conducting regular tests using a polygraph.
