At Coconut the security of our customers’ personal data is a top priority for our team and for our banking partner. We strive to take a secure by design approach so that security thinking is at the heart of everything we do.
We are happy to provide detailed information on our security measures so that customers feel well informed and confident in Coconut’s approach to security. If you have questions, comments or suggestions about security we’d love to hear from you at [email protected].
Cloud native: Like many modern services we are cloud native. This means that we do not rely on or manage physical servers on our premises but instead use cloud computing services provided by the leading cloud infrastructure vendor – Amazon Web Services (AWS) to run our service. This frees us from a great deal of operational overhead that allows us to focus on building features and services for our customers. For those interested in AWS security, we encourage you to find out more.
Strong security standards: Our servers only support the latest, most secure security standards and disable those that are old or vulnerable to attack
Authorised access: We only allow access to parts of our platform from known internet addresses and identity providers thereby reducing our attack surface significantly
Smart intrusion detection: We leverage AWS’ advanced intrusion detection service to monitor unauthorised attempts to access our infrastructure
Anti DDoS: we use CloudFlare to help defend our platform against distributed denial of service (DDos) attacks
The Coconut app features a number of security measures:
3-factor login: login requires 3 pieces of information; mobile number, a private code a follow up one-time code sent via an SMS – this means login requires something you have as well as something you know making login harder to attack
Time-limited login: a login provides access for a time limited period that we hope is not disruptive, but we do require login from time to time which helps as a backstop to ensure the app is being used by the customer
Anti-brute force login: it is not possible for an attacker to continually try to login; doing so will lock the attacker out
SSL pinning: we ensure that our app only communicates with our servers preventing so-called “man in the middle” attacks, such as which may be possible if your phone connects to an untrusted WiFi network
Database encryption: data within the app is stored in an encrypted database
Device restriction: customers may login to multiple devices but only by authorising them through proof of identity
Data encryption: we take every opportunity to encrypt your data, whether that be within our cloud database (also using rotating encryption keys), within the app database or when data is exchanged over the internet between the App and our servers
Password hashing: we use bcrypt to hash passwords securely meaning they are never stored in plain text form in our database
Other things to know
Security testing: We regularly engage 3rd party security companies to conduct security testing on our platform to help us stay ahead of the latest thinking in security
Data backups: We regularly backup customer data allowing us to restore our service in the event of any system failure