Picture: ISTOCK
Picture: ISTOCK

Cryptocurrency platform Luno, which is backed by Naspers and Rand Merchant Investment Holdings, insists that its platform is secure after some users claimed to have been robbed of their digital coins.

While there had been a proliferation of phishing attacks aimed at Luno’s users, the platform itself "has never been compromised or hacked", Marius Reitz, the exchange’s country manager for SA, told Business Day on Monday.

The company considered security its "number one priority" and was continually investing in that area, he said.

Phishing refers to the use of fake websites, text messages or e-mails to trick people into sharing their passwords and giving criminals access to their accounts. One recent fraudulent e-mail asked Luno users to update their details to avoid having their accounts deactivated.

But a Johannesburg-based fund manager who spoke on condition of anonymity said he had looked into several instances of Luno clients losing their bitcoin holdings, and in some cases it appeared as though losses were not because of phishing. This comes as numerous users claim to have had their wallets "emptied".

Reitz, meanwhile, said Luno had "a lot of safeguards in place to help our customers not compromise their own personal and financial details".

Phishing attacks

The increase in the volume of phishing attacks was due to the activities of hacks at other, poorly secured organisations in SA and elsewhere, where scammers had got hold of the details of unwitting people.

In SA, for instance, scammers had obtained the contact details of millions of people by hacking the databases of the deeds office, ViewFines and Ster-Kinekor.

"While the increase in phishing attacks and scams is alarming, we want to make it clear that these phishing attacks are not limited to Luno or other cryptocurrency businesses, and that being phished does not mean the company linked to the phishing e-mail or SMS has been hacked," Reitz said.

Where losses were the result of phishing, responsibility for the fraud "must remain with the individual – not the company that the scammer pretended to represent by assuming a false corporate identity".

"In essence, this is no different to a consumer receiving a call from a stranger claiming to represent one’s trusted bank and obtaining personal security information under false pretences…. In both cases, a scammer exploits a temporary lapse in judgment."

Luno stored clients’ funds using "multisignature security" with independent partners, Reitz said. Private keys, which users need to access their cryptocurrencies, are held across different bank vaults around the world, meaning "it is impossible for a single individual or group to steal them".

And to allow instant withdrawals, Luno maintains a multisignature "hot wallet" and splits the key between Luno and security provider BitGo – a hacker would have to break into both systems to get a user’s key.

Reitz said high-profile attacks on bitcoin platforms were not made because exchanges were "inherently unsafe", but were rather due to their own poor security.

In June, South Korean cryptocurrency exchange Coinrail was hacked, leading to a sharp drop in the price of bitcoin.

Coinrail said at the time the "cyber intrusion" had resulted in the loss of about 30% of the coins traded on its exchange.

Reitz said Luno had "extensively" informed its customers about the potential risks associated with cryptocurrencies and how they should protect their personal information.

"We are committed to full transparency and have invested significantly in educating people about the safety best practice that applies to the broader range of financial services products, not just when dealing with cryptocurrencies."

hedleyn@businesslive.co.za