Over 100 000+ users have placed trust in us. Maintaining that trust and improving the security both in the app and behind the app is a continual focus area for Change. We have dedicated teams at Change to  ensure the end to end security of your account and assets. Change card product is following Payment Card Industry Data Security Standard and compliance to it has been audited by independent auditors; in addition, Change’s information security management is following the ISO27001 security framework.
Security of your Change account
There are three main components that have direct impact on the security of your account:
1. The way we verify our customers. All our customers need to verify their identity during onboarding. We’ve partnered with Veriff and Onfido to ensure our customers are who they claim to be. We make efforts to know our clients and have clear procedures in place to confirm their identity also throughout our business relationship with them. For example, all Change card users must bind their device and the usage of a new device initiates a device verification flow.
‍
2. The way you log into the app.  Setting up password and a passcode (or using biometrics instead of the passcode) is mandatory in Change app. However, these days, using simply a password and username to log into your accounts, is not enough. We recommend you to set up a long and unique password for your account and also enable the second factor authentication (2FA) - a feature we’ve built for you in Change app. With 2FA set up, even if somebody gets access to your password, they won't be able to access your account. Our strong recommendation is that you also set up 2FA for the email address with your email service provider.
‍
3. The way we monitor our systems. We monitor the transactions and evaluate their risk on the go, we run the know-your-customer procedures to avoid servicing fraudulent activities, and we monitor how our product is being used to identify potential suspicious behaviours as early as possible.
Security of your assets with Change
Customer assets are kept separately from Change’s own assets. Change is using third party service platforms to support liquidity management procedures. All service providers undergo periodic due diligence. We have partnered with industry leaders across the board, enabling us to offer our clients a comprehensive and seamless user experience without compromising on security. Read more about this from our Report on Transparency which you can find in our blog.
Tips on Security
1. Recognise phishing attacks and fake info. Phishing happens when adversaries play on common emotions such as fear, sense of urgency or helpfulness. Their purpose is to deceive people into giving up valuable information (e.g stealing user credentials) or funds. Phishing could happen through emails, social media messages, SMS messages or websites that look and feel legitimate, but aren’t.
‍
a. Remember to always take your time before actioning on something that triggers a strong emotion - it might be a phishing message.
b. Remember to hover on the links for a link preview before clicking them. Link preview is often the simplest way to detect shady looking content. Official communication about Change only comes from the domain “changeinvest [dot] com”. Learn how to identify suspicious content by taking this quiz powered by Google.
c. Help us make the experience safer for yourself and others by sharing the suspicious content you find in relation to Change with us: in some cases we’re able to take legal action against the scammers. Let us know via [email protected]
‍
2. Use 2FA wherever possible. In today’s world long and unique passwords are simply not enough to protect the user accounts. Always set up 2FA wherever possible. We’ve built the 2FA feature for you also in Change app. As a rule of thumb, we recommend setting up 2FA for any apps where you’re managing your assets, and for your associated e-mail accounts.
3. Never share your passwords, pins nor 2FA tokens. As a responsible service provider, we’d never ask you for such information and if somebody does, then this classifies as a very shady activity. Let us know about such cases via [email protected]
‍
4. Never send funds to anyone claiming to be Change’s employee, even if they’re reaching out to you personally in Telegram or in any other social media platform. We’d never ask you for this. Report such activities to us via [email protected]
Let’s speak security!