Has a security audit been performed? If yes, what was the scope of the audit? Is an Executive Summary of the audit report available for review?
Yes. Each of our third-party vendors (Circle for transactions, Trulioo for KYC and fraud, Legal counsel for bonding, Auth0 for user management, fraud, and malicious attack) and our internal development staff regularly perform extensive security and stress testing. An executive summary report has not been compiled, but can be upon request.
Our transactions vendor, Circle, uses an information security program based on industry-standard security controls consistent with standards such as the NIST Cybersecurity Framework and ISO 27002. Circle’s security controls are specified by detailed security policies and standards that inform procedures across the organization including procedures for technology management, customer information handling, software development, privacy, and many more. The security program’s key controls include periodic risk assessments, employee background checks, standard network and system security controls such as firewalls, intrusion detection, system hardening, and antivirus, the integration of security best practices into our dev/ops and ci/cd pipeline workflows, vulnerability management integrated into the ci/cd pipeline, mature identity and access management, strong cryptography, and incident response capabilities. Additionally, Circle’s Security Operations Center performs continuous monitoring of the environment and leads response and investigation activities. The security program is further supported by management control testing including but not limited to peer code reviews, access control reviews, firewall reviews, network and application penetration testing, and vulnerability testing.
Overall control design and operating effectiveness is assured via numerous audits and assessments annually. Within the past year, Circle has conducted an IT Controls Audit, a SOC 1, type II audit, a PCI Assessment, multiple third-party penetration tests, and had its IT general controls tested as part of its annual financial audit. Regulatory exams associated with our money transmitter licenses also frequently test these same controls. Circle is PCI Certified as a Level 1 Service Provider.
Business continuity management, vendor risk management, and privacy controls round out Circle’s technology risk management posture. These risk management disciplines are fully integrated at Circle with secure information handling and privacy law requirements equally informing how our staff handle data and interact with customers, a vendor risk management program that extends security, compliance, privacy, and business continuity requirements to the third parties upon which our business relies, and incident response capabilities that equally address operational, security, privacy, compliance, business continuity, and pandemic events.
Trulioo, an industry leader in KYC procedures and AML preventions, has clients ranging from Goldman Sachs and Citibank to American Express. They utilize over 1,000 data sources and multi-layer identification methods in order to ensure users are who they say they are. A report of their security protocols can be made available upon request.
All Customers who reach any of the purchase/sale thresholds will go through Trulioo’s GlobalGateway services and related parties (e.g., authorized representatives) against the following sanctions lists screening for money laundering, terrorism, financial fraud, arms proliferation, drug trafficking, banned blockchain wallet addresses, etc:
- Office of Foreign Assets Control (“OFAC”) Specially Designated Nationals (“SDN”) list
- OFAC non-SDN lists
- European Union (“EU”) sanctions lists
- United Nations (“UN”) sanctions lists
- UK Her Majesty’s Treasury (“HMT”) sanctions lists
- 900+ other sources
Trulioo also provides advanced screening for Adverse Media exposure and Politically Exposed Persons. A report is issued for users who are flagged for these reasons, evaluated by our Compliance Officer, and recommendations are made based on our Risk Matrix. The advanced screening is matched against the following sources and specs:
- Real-time global coverage in 190 countries, 6 languages
- Increased coverage from 126+ sanctions, watchlists, PEPs and adverse media
- Seamless integration during customer onboarding via API or web portal
- Over 5 million media articles analyzed for criminal activities and updated hourly
- Filtering capabilities include country and year of birth.
Auth0 is the industry standard in multi-factor identification and user management. Their clients include Providence, Siemens, Pfizer, Blue Cross Blue Shield, Polaris, and other Fortune 500 companies. In order to secure user management and protect malicious actors, we utilize the premier features Auth0 provides.
Rare Goods utilizes Bot detection that mitigates scripted attacks by detecting when a request is likely to be coming from a bot. These types of attacks are sometimes called credential stuffing attacks or list validation attacks. We have protection against certain attacks that adds very little friction to legitimate users. When such an attack is detected, it displays a CAPTCHA step in the login experience to eliminate bot and scripted traffic.
Users who attempt to log in or create accounts from IPs that are determined to have a high likelihood of being part of a credential stuffing attack will see a CAPTCHA step. These users are prevented from creating an account and the IP is blocked.
Suspicious IP Throttling
Suspicious IP throttling blocks traffic from any IP address that rapidly attempts too many logins or signups. This helps protect our platform from high-velocity attacks that target multiple accounts.
When our system detects a high number of consecutive signup attempts or failed login attempts from an IP address, it suspends further attempts from that IP address. In addition to this, when an IP address exceeds the limit, an automated email is sent to administrators notifying them of the account in question.
Too many login attempts from accounts suspected of throttling (we can adjust login attempt counts) result in the blocking of the IP address.
Brute Force Protection
Brute-force protection safeguards against a single IP address attacking/attempting to hack a single user account. When the same IP address tries and fails multiple times to log in as the same user:
- An email is sent to the affected user.
- Our system blocks the suspicious IP address from logging in as that user.
If an IP address is blocked due to brute-force protection, it remains blocked until one of these events occurs:
- The affected user selects the unblock link in the email notification. (We can turn this function on or off.)
- The affected user changes their password.
- An administrator removes the block.
Breached Password Detection
Our system uses a third-party vendor to track large security breaches that are happening on major third-party sites to help secure our users and platform. When a trigger occurs, we can notify and/or block accounts from logging in if we suspect their credentials were part of a published security breach. Though the breach may not have happened to the Rare Goods account, we still notify the user based on the data available.
If we suspect a password has been compromised, we will send the user an email requesting that they change their password immediately.
In the event of a targeted or ongoing attack, traffic can be blocked from thousands of IP addresses at a time. Our system will send a single email to all platform administrators every hour that traffic is blocked, regardless of the number of IPs involved in the attack.