When the time has come to open a new bank account, you swap your sports jacket for a bow tie, take your passport with you, and go to the nearest bank office. Everyone knows that a bank employee will likely ask you to fill in a personal data sheet and provide a document that proves your identity. They will also take a picture of you to identify you as the holder of the ID document and the account. Hence, the bow tie. 🤵
Then, when you need to withdraw your money or replace a lost card, a bank officer will ask for your document to verify your identity and compare it with the picture in their database. This is a basic security measure that helps to prevent bad actors (and anyone else except you) from using your account.
We at CEX.IO put the security of your funds and personal data first. When you request the deactivation of 2FA on your account, we ask you to provide some information about your identity and account activity. Something that only the real account owner can know.
Additionally, we ask you to provide a photo of your ID and a selfie with this document. This helps us make sure that the request comes from the true account holder, because after the 2FA option is switched off, your account becomes more vulnerable.
In this blog post, we’ll explain in more detail why we ask for all the verification information before deactivating the 2FA option, and how you can better protect your account and personal data.
Guarding the security of your account
You, in a dark room, with a blanket over your head and your computer – the solid way to protect your personal information? Not really! Not with CEX.IO, anyway.
We couldn’t be more serious when it comes to the security of your funds. Once you create an account on CEX.IO, your credentials and every piece of information you provide are encrypted with an SSL certificate. And your funds are protected with our enhanced security measures.
Your account at CEX.IO is like a safe deposit box. But it’s your duty to keep the keys to your box in a secure place.
When you need to withdraw funds or change some of your personal data (password, email, etc.), we ask you to use the special personal key to your account — your 2FA code. But what if your key is broken or lost? We can help you get a new one after you confirm that you are the real account owner.
Let’s come back to reality. If you have lost access to the phone number or device with your 2FA codes, you can ask to disable the 2FA option on your CEX.IO account. Then you can log in with your email and password and enable 2FA with another phone or gadget.
Switching off the 2FA method on your account leaves your funds and data without an extra layer of security. Thus, we need to carefully verify every request for deactivation of the 2FA method. This is necessary to make sure that scammers are not trying to access your account by requesting a 2FA change.
First of all, we check personal information about the account owner and details about their operations with CEX.IO. Additionally, we ask for a photo of the identity document and a selfie with it.
Why are ID confirmation photos necessary?
During the crypto hype between late 2020 and early 2021, we recorded many attempts by fraudsters to reset the 2FA option. Our strict internal security requirements helped us prevent unauthorized activities on CEX.IO customers’ accounts. For the millionth time, this situation proved that the photo requirements make it difficult for scammers to fake your identity. And here is why:
- We compare the photos with the ones used for verification. So we know exactly what the account owner looks like.
- Scammers can get your email, password, and some personal info via phishing sites. Falsifying your photos is much more difficult.
- A fraudster can use your social network profile photo. A note with the date and the reason for the request (e.g. 2FA disable) helps to ensure that the image is current and was made by the requester.
We’ve gathered some information on how scammers may get your account credentials and personal info. It will help you to identify a scammer trying to obtain your personal info and reset your password and 2FA (because they will happily reset it for you).
“Scammer joined the chat”
With the growing interest in the crypto industry, more and more people want to join the CEX.IO platform. We have seen that in the growing number of newly created accounts and of our social media followers. However, a wave of scams and imitators trying to exploit our users didn’t take long to appear.
Scammers prey on innocent newcomers who will believe their sweet promises. Mostly, they try to reach you in direct messages on social networks (Telegram, Facebook). This way they stay invisible to our admins, who could otherwise immediately ban them and report them to the authorized parties. Once you respond to a scammer’s message, a smishing game begins.
Phishing? 🎣 — Yep…Smishing 🙃
Imagine you’ve got an email from CEX.I0 (take a close look at the spelling 🧐) with “Password recovery request” in the subject line. You will probably open it immediately, even if you didn’t request this action on your account. Scared that someone has got into your account, you’ll try to fix the situation as fast as possible. And every link or button in this email is saying to you: “No time to think, click me”. Sounds familiar?
That is how most phishing schemes work. Even when reading the story above, most people didn’t notice the misspelling of CEX.IO (there is a zero (0) instead of the letter (O)). Once you click on a link or button in that hypothetical email, it would direct you to a phishing site, one that looks like a trusted web page. However, in most cases, it’s just a copy or imitation of a well-known platform. Once you open it and fill in your account credentials, a scammer will know them and will definitely use them to access your funds. You can read more about phishing emails and how to recognize them in this blog post.
If phishing is about sending fake emails, smishing is when a scammer uses text messages with the same purpose — to make you click on a malicious link. In other words, smishing is when the same scammer who sent you an email from CEX.I0 with a fake link reaches you on Telegram (or in the DMs of any other social network). Here is a possible scenario of the conversation. 👇
“How can we help you?”
When asking for help, remember these golden rules:
- CEX.IO representatives don’t provide support through social media pages.
In exceptional cases, we can check on the status of your issue with the team on request, but we will never ask for personal details, including login credentials. And we will never DM you first.
There is no CEX.IO support or CEX.IO Help Center page on Facebook, Twitter, Telegram, LinkedIn, or any other social media. If you find any, those are scammers.
- No one, not even support team representatives, needs to know your password, login passcode for the mobile app, 2FA code, withdrawal pin code, or CVV/CSV of your bank card. In the live chat, we can ask you to provide your name, email address, user ID — this is enough to identify your account at CEX.IO.
Customers who don’t follow these rules become an attractive target for scammers. They’ll spam your inbox with polite offers of prompt assistance with any issue you face. However, they are neither able nor willing to help you. They are all sweet talkers. The only good skill they have is the ability to convince you to give them your personal data (like the data needed for a 2FA change) and steal your money. So it is better never to answer such messages at all.
By the way, we collected more tips on how to spot scammers and the main rules of the CEX.IO support team in this post.
“We need user ID for further investigation”
Scammers try to copy the style of support service representatives in conversations. How would you feel if someone wrote to you “Give me your passport data”? You probably wouldn’t trust this person, as it sounds weird. Compare it with this one: “Please, provide me your user ID and date of the last transaction so I could check it on our database system”. It sounds more professional, more convincing, and doesn’t seem suspicious. And the information the hypothetical scammer just asked you for will be very helpful to them when requesting that 2FA be disabled on your account. Always be on the lookout!
When a scammer talks politely, many people think they are talking to official company representatives and willingly provide personal information. But now that you know their tricks, you won’t believe the charming words, will you?
If they sound so similar, how can you tell a scammer from a real support agent? Easy: follow the golden rules. Everyone who reaches you in direct messages on social media is NOT from the CEX.IO support team.
“Kindly contact the online support by following the link”
Our Telegram community members know that CEX.IO does not provide support there as stated in the warning message. So, when contacting you in DMs, a scammer will offer to resolve your issue via an online support service (live chat/ticketing system).
As a rule, CEX.IO recommends using the live chat and ticketing system when you need assistance with your account. So, such messages look convincing. But! We’ll never write to you first in social network DMs. Many people who ignored tons of warning messages in our Telegram community fell into the trap and followed the scammer’s links. Did they receive any assistance? Don’t think so.
CEX.IO impersonators on social networks don’t want to help you, they just want your money.
A fast-moving market, an increasing number of requests to the support center, an urgent issue that requires an immediate solution, and a bit of polite language — this is a recipe for getting confidential data about your account. And then, for accessing your funds by switching off the 2FA method.
Spreading the word about scammers’ schemes can help keep everyone’s funds secure. We’re here to keep you away from cyber scams and help you better protect your crypto funds. However, we cannot follow your every step to prevent you from falling into scammers’ traps. Keep your head on your shoulders and:
- Pay attention to what information you share on social networks. Avoid talking about the details of your trades, investments, or crypto portfolio anywhere.
- Don’t hesitate to double-check who you are talking to. There are no CEX.IO support pages on social networks.
- Carefully examine links you follow. Any typo in the URL can be a red flag of a phishing site.
- Never disclose sensitive account information on social networks.
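The zero-for-O swap in the CEX.I0 story and the advice to examine links for typos can both be checked mechanically before a link is opened. The Python sketch below is an added example, not CEX.IO code: `classify_link`, the small confusables map and the sample URLs are constructed for illustration, and only the official name cex.io comes from this post.

```python
from urllib.parse import urlsplit

OFFICIAL = "cex.io"  # the official domain named in this post

# Constructed, deliberately small map of digits that pass for letters
# (an assumption for this example, not a complete confusables table).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_link(url):
    """Return 'official', 'lookalike' or 'unrelated' for an absolute URL."""
    # .hostname is lower-cased and excludes port, path and userinfo.
    host = (urlsplit(url).hostname or "").rstrip(".")
    if host == OFFICIAL or host.endswith("." + OFFICIAL):
        return "official"
    labels = host.translate(CONFUSABLES).split(".")
    # The last two labels approximate the registered domain; a production
    # check would consult the Public Suffix List instead.
    tail = ".".join(labels[-2:])
    # The official name used as a prefix of somebody else's domain.
    pairs = {".".join(labels[i:i + 2]) for i in range(len(labels) - 1)}
    if OFFICIAL in pairs or edit_distance(tail, OFFICIAL) <= 1:
        return "lookalike"  # worth a second look before clicking
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links, not taken from real messages.
    for link in ("https://cex.io/",
                 "https://CEX.I0/recover",
                 "https://cex.io.support-help.example/login",
                 "https://cexx.io/",
                 "https://example.org/"):
        print(f"{classify_link(link):10} {link}")
```

A one-character distance on a name this short also flags unrelated short domains, so a "lookalike" result is a prompt to check the address by hand, not a verdict.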