1. Network Security

1.1 TLS/SSL Communication

Ensure communication security through the introduction of next generation encryption systems and the highest strength encryption technology.
You can confirm that a website carries out encrypted communication by checking that:
the URL displays an image of a key
the URL displays "https://" rather than "http://"
You can clearly see the presence of an encrypted communication by clicking on the key symbol.

  • Adoption of Go Daddy SSL server certificates
  • Adoption of SHA-2 (SHA-256)
  • Adoption of SSL for internal communications
1.2 Protection of the internal environment by firewall

A firewall refers to the software and hardware used to protect networks and computers against attacks and unauthorized access from outside the network. The basic function of the firewall is to prevent unauthorized external access. When you use a firewall, you can limit the communication with the services running on the servers. For example, access to an organization's internal file sharing service can be limited to users inside the organization. By limiting access from the Internet, you can prevent unauthorized access to those services.

  • Filtering function: Check the packet to be passed, allow only the packets that are permitted in advance to pass, and block all other packets.
  • Address conversion function (NAT): This is a function that rewrites the packet source and destination address. The presence of the internal client can be hidden from the server of the other party to the communication. Since it is not accessible from the outside, the security of the internal host is strengthened.
  • Remote control, monitoring function: This is a feature which allows firewalls to be set or logs to be checked from another computer.
1.3 Constant monitoring of unauthorized access and load balancing through Web Application Firewall

The log function records unauthorized HTTP communications detected through the inspection function and WAF activity. Generally, WAF logs are recorded in a file or database. There are two types of logs: The record of unauthorized HTTP communications and their handling, and the record of WAF activity and error information. From this record, it is possible to check the detection and number of handling events for unauthorized HTTP communications, and eliminate the effort involved in updating detection patterns.

2. Authentication and Access Control

Each user in iMove has a unique account with a verified email address, and protected with a password, which are validated against password policies and stored securely using a strong hashing algorithm with unique salt for every password.

3. Two-step Authentication

Two-step authentication function can be set by e-mail address through Google Authenticator, an authentication application. For normal services, you can only login using an authenticated ID and password. However, when connected to the internet, this service can be accessed from anywhere. This is because such security may be breached when ID and password pairs are stolen, or a malicious third party obtains the ID and runs a brute force or dictionary attack to forcibly login. This is why, in addition to the original ID and password, another set of numbers known as an authentication code is entered. Thus, strengthening the security. Reason being, the authentication code changes over time, as well as whenever a login occurs. Even if a malicious third party steals the ID and password, obtaining access will be more difficult.

4. Using Encryption to Secure Sensitive Data

From the moment you enter your account and password, all your important information will be encrypted, including personal info, card info and so on. Even if your gateway is not secure, your account and transactions will be secure.

5. Data Center Security

Our servers reside in secure cages under 24/7 surveillance by armed guards and video monitors. Physical access and code deployment are strictly controlled. Nothing ships without intensive review.

6. Penetration Testing

We have an expert team dedicated to testing our own systems via every imaginable attack vector. Additionally, we run a bug bounty program to leverage the expertise of the broader security research community.

7. System Integrity Protection

iMove uses operating systems based and custom integrity check services in order to ensure the integrity of all critical files and system objects. A quick response to any potential unauthorized changes to the system helps assure that our customers are using authentic iMove application services.

8. Application Security Process

An in-depth Application Security Life Cycle process is fully integrated into iMove’s Software Development Life Cycle (SDLC), including:
Defined in-house security requirements and policies, and well-known security best practices applied in every stage of the lifecycle.
Security review of architectures, design of features, and solutions.
Iterative manual and automated (using static code analyzers) source code review for security weaknesses, vulnerabilities, and code quality, and providing of sufficient advice and guidance to the development team.
Regular manual assessment and dynamic scanning of pre-production environment.
Security trainings conducted for IT teams according to their respective job roles.

9. System Patch Update

Regular Updates and Patch Management to effectively circumvent the version with zero-day attack.

10. 24-hour Monitoring

24 hours automatic detection and manual detection, to protect our website can run normally.

11. Storage of Cryptocurrencies

To protect our customers’ funds, 95% of all deposits are stored in offline, air-gapped, geographically distributed cold wallet which is protected by several physical locks as well as a robust 24-hour surveillance system. We keep full reserves so that you can always withdraw immediately on demand.

12. Multi-Signature

Multi-sig is the latest in Bitcoin security measures designed to ensure that your Bitcoin transactions are safe. Unlike a typical Bitcoin address, multi-sig Bitcoin addresses require two or more separate signatures to send Bitcoin. The number of signatures required is represented as a proportion of the total number of possible signatures - for example, 2 out of 3 means that 2 signatures are required out of 3 possible signatures before Bitcoin can be sent.

Multisig allows for extremely secure wallets, as even if a private key is leaked or hacked, unless all keys required have been compromised, no coins can be released from the wallet. It is extraordinarily difficult for an attacker to penetrate 2 or more highly secure platforms within a short period of time.

Storing one of the required addresses in a location that is not connected to the internet provides an even further level of protection and security.