At Coconut the security of our customers’ money and personal data is a top priority for our team and for our banking partner. We strive to take a secure by design approach so that security thinking is at the heart of everything we do.

We are happy to provide detailed information on our security measures so that customers feel well informed and confident in Coconut’s approach to security. If you have questions, comments or suggestions about security we’d love to hear from you at [email protected].

Account, card and funds security

  • Your money: Coconut are not a bank and as such we do not use your money for investment or any other activity. Your money is safe and secure and managed in a ring-fenced account at Barclays by our regulated banking partner Prepay Technologies
  • Limits: Your account and card have limits that prevent certain kinds and sizes of transactions occurring
  • Card information: We do not store your card’s full number, its secure code or its PIN on our servers
  • Lost or stolen cards: if your card is ever lost or stolen you can block its usage via either the App or Coconut’s 24-hour interactive phone support, and optionally order a replacement
  • Viewing your PIN: accessing your PIN requires the secure code on your card, and the PIN request is performed directly between your phone and our Banking Partner so that your PIN never passes through our servers

Infrastructure security

  • Cloud native: Like many modern services we are cloud native. This means that we do not rely on or manage physical servers on our premises but instead run our service on cloud computing services provided by the leading cloud infrastructure vendor, Amazon Web Services (AWS). This frees us from a great deal of operational overhead, which allows us to focus on building features and services for our customers. We encourage readers interested in AWS security to find out more about it
  • Strong security standards: Our servers only support the latest, most secure security standards and disable those that are old or vulnerable to attack
  • Authorised access: We only allow access to parts of our platform from known internet addresses and identity providers, thereby reducing our attack surface significantly
  • Smart intrusion detection: We leverage AWS’ advanced intrusion detection service to monitor unauthorised attempts to access our infrastructure
  • Anti DDoS: we use CloudFlare to help defend our platform against distributed denial of service (DDoS) attacks

App security

The Coconut app features a number of security measures:

  • 3-factor login: login requires 3 pieces of information: your mobile number, a private code and a follow-up one-time code sent via SMS. This means login requires something you have as well as something you know, making login harder to attack
  • Time-limited login: a login provides access for a time-limited period that we hope is not disruptive, but we do require login from time to time, which helps as a backstop to ensure the app is being used by the customer
  • Anti-brute force login: it is not possible for an attacker to continually try to log in; doing so will lock the attacker out
  • SSL pinning: we ensure that our app only communicates with our servers, preventing so-called “man in the middle” attacks, such as may be possible if your phone connects to an untrusted WiFi network
  • Database encryption: data within the app is stored in an encrypted database
  • Device restriction: customers may login to multiple devices but only by authorising them through proof of identity

Data security

  • Data encryption: we take every opportunity to encrypt your data, whether that be within our cloud database (also using rotating encryption keys), within the app database or when data is exchanged over the internet between the App and our servers
  • Password hashing: we use bcrypt to hash passwords securely meaning they are never stored in plain text form in our database

Other things to know

  • Notifications: We let you know via push messages and sometimes by email when your card is used to spend money, or when money is paid in, so that you are informed of activity on your account
  • Security testing: We regularly engage 3rd party security companies to conduct security testing on our platform to help us stay ahead of the latest thinking in security
  • Data backups: We regularly backup customer data allowing us to restore our service in the event of any system failure
  • GDPR: Coconut comply with the General Data Protection Regulation 2018, which governs how we collect and process your personal data. More information can be found in our Privacy Policy