Steer clear of social engineering and phishing
We never initiate contact with users to request information about your account. You should avoid responding to unsolicited direct messages and emails. Always be vigilant. If you think a scammer has messaged you, ask in the Liquid Telegram channel.
Keep private info to yourself
Always keep your account login details private. Do not share your password or private keys. Reach out to our customer support if you need help in logging in.
Be careful when performing transactions
Always be careful when transferring money or tokens. Liquid will never ask for your information to perform a transaction on your behalf.
Exercise basic web safety rules
Our website is protected with SSL/TLS to provide an additional layer of security and data integrity. We test our website for vulnerabilities on a daily basis. Please check that you are visiting https://www.liquid.com.
Email spoofing is commonly used by scammers to make it look like phishing attempts are coming from a trustworthy source. You should only be receiving emails from [email protected], [email protected] and [email protected]. Always exercise caution and pay close attention to email domains to avoid interacting with suspicious senders, especially any asking for your private information.
Use 2-factor authentication
All Liquid users are required to set up 2-factor authentication to access the platform. We strongly recommend Google Authenticator and that you do not deactivate your 2FA.
We are here to help
Always exercise caution with emails or accounts that look suspicious. If you ever need help with your account or want to get in touch, our Liquid Customer Support Champions are available 24/7 to assist via https://help.liquid.com.
2FA is mandatory for all accounts and required to complete all significant actions on Liquid, such as resetting your password, registering a new withdrawal blockchain address and withdrawing crypto.
Strict password reset
We require having access to both 2FA and your registered email to reset your password.
When changes like a password reset are made, the user won’t be able to change their email address for at least 3 days. Similarly, if a password is reset or an email is changed, 2FA cannot be disabled for a period of time. We will always send you an email to verify your intent.
During a cooling period, no withdrawals can take place for three days after an account setting has been changed. This is an additional step to prevent any hackers from withdrawing funds.
If an account setting is changed, we halt withdrawals for a period to ensure funds are protected.
Approval queue for changes to account settings
At least two Liquid staff need to be involved to approve any changes to account settings related to password, email address or 2FA, adding an extra layer of security.
All computers and mobile devices connected to the Internet have an IP address. We will send an email to confirm any new IP address you use to access Liquid. This feature ensures that no-one can access your Liquid account outside the whitelisted addresses.
We are customer-centric and we keep your information safe. At Liquid, we do our due diligence in ensuring that our accounts are verified and detect malicious attempts early to prevent illegal trading activity on our platform.
Liquid uses 100% cold storage for all customer assets. We utilize hardware security modules (HSMs) that have achieved a rating of FIPS PUB 140-2 Level 3 or higher. All cold private keys are generated, stored and managed by HSM for the lifetime of the keys.
We have robust verification policies on Liquid. Users must provide official ID documents and proof of address to fully access our exchange.
Our customers can only trade from pre-funded accounts. We also use multisignature technology (multisig) for transferring funds out of cold storage. Multisig is a type of address where the private key is divided into multiple parts, requiring multiple private keys for transactions and eliminating single points of failure. All fund transfers require coordination from multiple employees.
We utilize a 24/7 Security Operations Center to employ the latest techniques and tools to stop attacks before they reach our website.
For DDoS countermeasures, we use unmetered DDoS mitigation to maintain performance and availability of Liquid.
Liquid has four stages of mitigating a DDoS attack:
Detection - We distinguish an attack from a high volume of normal traffic using IP reputation, common attack patterns, and previous data to assist in proper detection of a distributed attack.
Response - We respond to an incoming identified threat by intelligently dropping malicious bot traffic and absorbing the rest of the traffic.
Routing - By intelligently routing traffic, we will break the remaining traffic into manageable chunks, preventing denial-of-service.
Adaptation - We constantly analyze traffic for patterns such as repeating offending IP blocks, attacks coming from certain countries, or specific protocols being used improperly.
Web application firewall
To counter intrusion attempts, data tampering and the exploitation of vulnerabilities, we use a Web Application Firewall (WAF). Our security engineers constantly monitor the Internet for new vulnerabilities. When we find threats, we automatically apply WAF rules to protect our Internet properties.
We have also implemented DNS Security to prevent hijacking or spoofing of customer communications. This further secures the traffic from our servers to the customers’ browser and email inbox.
We conduct precautionary security measures such as regular risk analyses and application vulnerability assessments to ensure data protection. In addition, we conduct annual penetration testing from a highly reputable pentesting firm, Cobalt Strike.
We stay updated on security measures and constantly look to improve our security.
All of our company computers have endpoint protection mechanisms and reside behind enterprise firewalls. We are up to date on all software, constantly monitoring for threats and utilizing a least-privileged and role-based-access approach for all connectivity.
Access rights procedures
We conduct periodic reviews of access rights to detect and eliminate unnecessary account access. All staff have to undergo stringent request procedures to determine the source or purpose of the access. This adds an additional layer of internal control to protect data integrity of the exchange.
API key security
We use the Hawk authentication protocol, which signs each API request with a hash-based message authentication code (HMAC) keyed on the credentials of the API key provided, thereby enhancing our security.
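To show what HMAC request signing of this kind looks like on both sides, here is an added example that is not Liquid's own code: it builds the Hawk 1.0 normalized string for a request, signs it, and verifies it server-side with a timestamp window and nonce replay check. The key id, secret, host and resource are constructed demo values, and whether Liquid's deployment uses exactly these Hawk options is an assumption.

```python
import base64
import hashlib
import hmac
import time

# Constructed demo credential (not a real Liquid key); the page gives none.
KEY_ID = "demo-key-id"
KEY_SECRET = b"demo-secret-do-not-reuse"
CLOCK_SKEW_S = 60           # accept timestamps within +/- 60 s of server time
_seen_nonces = {}           # (key_id, nonce) -> ts, for replay detection

def normalized_string(ts, nonce, method, resource, host, port, payload_hash="", ext=""):
    """Hawk 1.0 'header' MAC input: one field per line, trailing newline."""
    return (f"hawk.1.header\n{ts}\n{nonce}\n{method.upper()}\n{resource}\n"
            f"{host.lower()}\n{port}\n{payload_hash}\n{ext}\n")

def mac(secret, ts, nonce, method, resource, host, port):
    """HMAC-SHA256 over the normalized string, base64-encoded as Hawk does."""
    msg = normalized_string(ts, nonce, method, resource, host, port).encode()
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha256).digest()).decode()

def sign(secret, method, resource, host, port, ts=None, nonce="n1"):
    """Client side: produce the Authorization header fields for one request."""
    ts = int(time.time()) if ts is None else ts
    return {"id": KEY_ID, "ts": ts, "nonce": nonce,
            "mac": mac(secret, ts, nonce, method, resource, host, port)}

def verify(hdr, secret, method, resource, host, port, now=None):
    """Server side: bound the timestamp, recompute the MAC, reject nonce reuse."""
    now = int(time.time()) if now is None else now
    if abs(now - int(hdr["ts"])) > CLOCK_SKEW_S:
        return False                                   # stale or future-dated request
    expected = mac(secret, hdr["ts"], hdr["nonce"], method, resource, host, port)
    if not hmac.compare_digest(expected, hdr["mac"]):  # constant-time comparison
        return False                                   # tampered request or wrong key
    key = (hdr["id"], hdr["nonce"])
    if key in _seen_nonces:
        return False                                   # replay of an already-seen nonce
    _seen_nonces[key] = hdr["ts"]
    return True
```

Because the MAC covers method, path, host and port, changing any of them after signing invalidates the request, and the nonce table stops a captured header from being resubmitted inside the clock-skew window.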
To prevent unauthorized requests to our internal network, our servers are protected with multiple security mechanisms to ensure a safe trading environment at Liquid.
Backups and monitoring
Liquid uses snapshots and off-hours backups of datastores to shielded instances within our cloud provider.
Our applications produce full audit logging for all activity, and this information is analyzed via our SIEM and our SOC while being archived separately from our datastore.
All internal and customer actions produce a full audit trail, are reviewed 24/7 and have passed successful regulatory audit.
We implement a protocol for handling security events and product issues, which includes escalation procedures, quick remediation and post mortem of incidents. All employees are dutifully notified before informing our customers via our communication channels such as Twitter and Telegram.