Security


Security At Mushino

At Mushino, we don't just prioritize security. We breathe it. It's an integral part of our company culture. All employees must pass a criminal background check before joining Mushino. After joining us, they are required to fully encrypt their hard drives, use high-entropy passwords and enable U2F-based 2FA for every service or device that supports it. Screen locking is mandatory. To take things even further, all updates to the Mushino API, website and mobile apps must be cryptographically signed by at least three senior-level executives before they can be deployed to production.

Storage Of Funds

100 percent of customer funds are stored in geographically distributed multisignature cold wallets. The private keys to these cold wallets are geographically distributed across multiple highly secure bank vaults.

An attacker would have to break into multiple of these vaults, in multiple different parts of the world, simultaneously, to gain access to the funds stored on Mushino. A single compromised bank vault or server would have zero impact on the funds stored on Mushino.

Deposit Addresses

An external service constantly audits all of the generated deposit addresses, ensuring that they have been generated by the correct public key. In the case that the public key and the address don't match, the entire system is shut down immediately.

Customer Data

Customer data is encrypted both at rest (using AES-256 encryption) and in transit (using TLS 1.2). Encryption keys are generated with a FIPS 140-2 Level 3-compliant HSM and rotated daily. All passwords are cryptographically hashed using bcrypt with a cost factor of 12. All electronic communication between employees is PGP-encrypted.

DDoS Protection

Mushino utilizes rate-limiting, concurrent connection limits, active whitelists and blacklists to counter Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. The Mushino environment is hosted on Google Cloud Platform ("GCP"). Google has a proven track record for physical security and internal controls.

Client-side Security

The mushino.com website received an A+ rating in the Mozilla Observatory Test. Only four other cryptocurrency exchanges have ever achieved an A+ rating. Verify the rating yourself here. Feel free to run the test on some of our competitors as well - you might be shocked how poorly some of them perform.


Security Summary

  • 100 percent of customer funds in cold storage
  • Keys distributed across multiple highly secure bank vaults
  • External auditing of deposit addresses
  • All customer data encrypted both at rest and in transit
  • Encryption keys generated with a FIPS 140-2 Level 3-compliant HSM and rotated daily
  • All passwords cryptographically hashed using bcrypt with a cost factor of 12
  • DDoS Protection
  • A+ website security rating on Mozilla Observatory