Security within change

Over 100 000+ users have placed trust in us. Maintaining that trust and improving the security both in the app and behind the app is a continual focus area for Change. We have dedicated teams at Change to ensure the end to end security of your account and assets.

Change card product is following Payment Card Industry Data Security Standard and compliance to it has been audited by independent auditors; in addition, Change’s information security management is following the ISO27001 security framework.

Security of your Change account

There are three main components that have direct impact on the security of your account:

The way we verify our customers
‍
All our customers need to verify their identity during onboarding. We’ve partnered with Veriff and Onfido to ensure our customers are who they claim to be. We make efforts to know our clients and have clear procedures in place to confirm their identity also throughout our business relationship with them.

The way you log into
the app

Setting up password and a passcode (or using biometrics) is mandatory in Change app. We recommend you to set up a long and unique password for your account and enable the second factor authentication (2FA) - a feature we’ve built for you in Change app so that you could protect your account.

The way we monitor our systems

We monitor the transactions and evaluate their risk on the go to avoid servicing fraudulent activities. We monitor how our product is being used to identify potential suspicious behaviours as early as possible. All Change card users must bind their device and the usage of a new device initiates a device verification flow.

Security of your assets with change

Customer assets are kept separately from Change’s own assets. Change is using third party service platforms to support liquidity management procedures. All service providers undergo periodic due diligence.

We have partnered with industry leaders across the board, enabling us to offer our clients a comprehensive and seamless user experience without compromising on security. Read more about this from our Report on Transparency which you can find in our blog.

Let's talk security

1. Recognise phishing attacks and fake info

Phishing happens when adversaries play on common emotions such as fear, sense of urgency or helpfulness. Their purpose is to deceive people into giving up valuable information (e.g stealing user credentials) or funds. Phishing could happen through emails, social media messages, SMS messages or websites that look and feel legitimate, but aren’t.
a. Always take your time before actioning on something that triggers a strong emotion - it might be a phishing message.
b. Hover on the links for a link preview before clicking them. Official communication about Change only comes from the domainchangeinvest.com
c. Help us make the experience safer for yourself and others by sharing the suspicious content you find in relation to Change with us: in some cases we’re able to take legal action against the scammers. Let us know via support@changeinvest.com

2. Use 2FA wherever possible

In today’s world long and unique passwords are simply not enough to protect the user accounts. Always set up 2FA wherever possible. We’ve built the 2FA feature for you also in Change app. As a rule of thumb, we recommend setting up 2FA for any apps where you’re managing your assets, and for your associated e-mail accounts. With 2FA set up, even if somebody gets access to your password, they won't be able to access your account without knowing the valid 2FA code.

3. Never share your passwords, pins nor 2FA tokens

As a responsible service provider, we’d never ask you for such information and if somebody does, then this classifies as a very shady activity. Let us know about such cases via support@changeinvest.com

4. Never send funds to anyone claiming to be Change’s employee

Even if they’re reaching out to you personally in Telegram or in any other social media platform. We’d never ask you for this. Report such activities to us via support@changeinvest.com

1. License and compliance

We are a regulated investment firm and virtual currency service provider and fully compliant with all the relevant regulations in Estonia and in the EU.

Licensed by the Estonian Financial Unit, xChange AS is authorised to provide virtual currency services (licence number FVT000072). License information: https://mtr.ttja.ee/taotluse_tulemus/540587.

CFD trading service is provided on a cross-border basis by Change Securities B.V. (Chamber of Commerce no 50755854, previously Optieclub.nl B.V.) authorised and regulated by the Dutch Authority for the Financial Markets (AFM). License information: https://www.afm.nl/en/sector/registers/vergunningenregisters/beleggingsondernemingen/details?id=7090F7AE-BBDB-E111-9A85-005056BE6692

Getchange Account and Visa Card is issued by UAB “Finansinės paslaugos „Contis” who holds the electronic money institution license no 53, dated 2019-07-23, issued by the Bank of Lithuania. License information: https://www.lb.lt/en/sfi-financial-market-participants/uab-finansines-paslaugos-contis

2. Security and personal data protection

Change app and our infrastructure has formally received the PCI DSS compliance certificate. This means our security is on par with one of the world's most demanding security standards.

We have designated Data Protection Officer who is responsible of making sure we process personal data lawfully and according to the best industry standards.

3. Well capitalised and transparent

Change is one of the most regulated and compliant crypto providers in Europe. We have undergone a financial audit this year and have been named as an example of a responsible crypto provider by the Estonian Financial authorities on multiple occasions.

We have been continuously publishing our financial results even though we are not a publicly traded company. Driving growth in our industry in a responsible, safe and secure manner is paramount to our team and always has been.

We are proactively monitoring the risks and exposures and making adjustments to the procedures used to ensure the safety of funds on a continual basis. This is why we are using technology provided by industry leaders BitGo and Ledger to custody assets.

Moving forward, we’ll be also releasing our Proof of Reserves information.

4. World's most secure custody solution

We are safeguarding your digital assets with the world’s most secure and compliant custody solution provided by BitGo. Since 2013, they have been the market leader in delivering institutional grade security solutions for blockchain-based services.

If something should still go wrong, for example third-party hacks, theft or loss of private keys, insider theft of dishonest acts by BitGo employees or executives, your assets are covered with a $100 million insurance policy.
https://www.bitgo.com/services/custody

5. Funds segregation

Our strong partnership with LHV Bank and EU financial institutions keep your funds safe and segregated at all times.

6. Strong AML measures

Our perfect track record matches our zero tolerance policy for illicit activity. Our compliance and support teams work tirelessly to prevent such things as terrorist financing, child pornography, and sanction evasions.

We comply thoroughly with internal, regulatory and partner-based guidelines with each case and every customer.

7. There for you

Our team is highly active and responsive. From Telegram to live chat, emails and much more, we want to hear from you - mad, sad or glad.

8. Fraud and crime detection software

We use sophisticated technology in the crypto-sector to detect and prevent fraud. State-of-the-art software helps raise customer awareness on particular cryptoasset transactions, counter-parties, and their reputations to aid in protecting customer funds.

9. Member of Industry Associations

A hub for startups and local fintechs, Finance Estonia has aided in supporting the Estonian economy by increasing business opportunities through the enhancement of financial sector development and innovation since 2011.

To learn more please visit http://financeestonia.eu/about-us/

Bug bounty

Our Bug Bounty rewards system alongside the updated terms and conditions are ‘under construction’ as we speak. You’re still welcome to report any vulnerabilities by emailing us at bugbounty@changeinvest.com. However, we can’t guarantee any rewards while we’re reviewing the programme.The Hall of Fame below lists the contributors who’ve reported a finding of P4 or higher. Thank you! You’re a true inspiration for our Security team.

Hall of Fame

Contributor

‍Trannum Rai

Finding severity

Time

March 2023

Security within change

buy Bitcoin today