TaxBit Security Review - Industry Leading Security

Security is at the forefront of every decision we make.

Jeff Cartwright, Director of Compliance, Tax Compliance

Across nearly every industry, data breaches have increased at an alarming rate. Many breaches expose only usernames and email addresses, which causes less direct harm but still feeds phishing and credential-stuffing attacks; others expose sensitive information such as Social Security numbers or credit card data. Security underlies every decision we make at TaxBit.

We have found that cryptocurrency traders care more about security than the general population, and we share that ethos. Although security across the industry has improved considerably over the past few years, proper security controls can't be taken for granted, and users should take a keen interest in best practices.

Early Learning Experiences On Why Security Controls Matter

In 2013 Mt. Gox was the leading cryptocurrency exchange, handling over 70% of the world's Bitcoin trades. Mt. Gox was first struck in 2011, when an attacker gained access to an exchange founder's account and artificially dropped the price of Bitcoin from around $17 to about $0.01, allowing 2,000 BTC to be bought and transferred out of the exchange before the attack was noticed and stopped.

The final blow came a few years later, when it emerged that Mt. Gox's inadequate internal security controls had allowed a further 850,000 bitcoins, worth an estimated $460 million at the time, to be stolen.

Enterprise Security Matters

Perhaps the most troubling thing about the Mt. Gox hack is how preventable it was with proper security controls. There's a famous saying attributed to bank robber Willie Sutton, who, asked by a reporter why he robbed banks, replied, "because that's where the money is." Similarly, attackers concentrate on companies that hold valuable data and assets.

One of the most valuable lessons from Mt. Gox is that proper security controls are fundamental to being trusted and thriving as a business. After the hack, jaded users felt that anyone who left assets on an exchange that was subsequently hacked deserved the loss in some way. The prevailing view was that exchanges couldn't be trusted as custodians of assets, and that if you didn't control the private keys, it wasn't your bitcoin.

Fast forward to today: reputable exchanges have adopted numerous preventative measures and controls to reduce both the likelihood and the impact of a similar breach. These controls include:

  • Holding assets in cold storage
  • Carrying insurance policies
  • Limiting administrative privileges and requiring approval from multiple people for large or out-of-the-ordinary transactions
  • Strict change management policies
  • Rigorous third-party auditing
  • Bug bounty programs
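As an added illustration of the multi-person approval control in the list above (this is example code written for this page, not TaxBit's or any exchange's implementation), the Python below models a multi-party authorization policy: a withdrawal above an assumed size threshold, or to a destination not seen before, cannot execute until two distinct administrators other than the requester have approved it. The threshold, the approver roster, and the shape of a withdrawal request are assumptions chosen for illustration.

```python
"""Multi-party authorization for large or unusual withdrawals.

Added example, not TaxBit's or any exchange's code. Thresholds, roles and the
request format are assumptions for illustration.
"""
from dataclasses import dataclass, field

ORDINARY_LIMIT_BTC = 1.0             # assumed: above this a withdrawal is "large"
REQUIRED_APPROVALS = 2               # assumed: 2-of-N administrators must approve
ADMINS = {"alice", "bob", "carol"}   # constructed roster of administrators


@dataclass
class Withdrawal:
    request_id: str
    requested_by: str
    amount_btc: float
    destination: str
    known_destination: bool          # False = address never paid before
    approvals: set = field(default_factory=set)


def needs_multi_party(tx: Withdrawal) -> bool:
    """Large, or non-ordinary (new destination), withdrawals need approvals."""
    return tx.amount_btc > ORDINARY_LIMIT_BTC or not tx.known_destination


def approve(tx: Withdrawal, approver: str) -> None:
    """Record one approval, enforcing separation of duties."""
    if approver not in ADMINS:
        raise PermissionError(f"{approver} is not an administrator")
    if approver == tx.requested_by:
        raise PermissionError("requester may not approve their own withdrawal")
    tx.approvals.add(approver)       # a set: approving twice still counts once


def authorize(tx: Withdrawal) -> bool:
    """Return True only when policy allows the withdrawal to execute."""
    if not needs_multi_party(tx):
        return True
    distinct_admins = tx.approvals & ADMINS
    return len(distinct_admins) >= REQUIRED_APPROVALS


def demo() -> dict:
    """Walk three constructed requests through the policy."""
    small = Withdrawal("r1", "alice", 0.2, "bc1q-known", known_destination=True)
    large = Withdrawal("r2", "alice", 5.0, "bc1q-known", known_destination=True)
    unusual = Withdrawal("r3", "bob", 0.1, "bc1q-new", known_destination=False)

    results = {
        "small_ordinary": authorize(small),       # below threshold: no approvals needed
        "large_unapproved": authorize(large),     # over threshold: blocked
    }
    try:
        approve(large, "alice")                   # requester approving herself
        results["self_approval_blocked"] = False
    except PermissionError:
        results["self_approval_blocked"] = True

    approve(large, "bob")
    approve(large, "bob")                         # duplicate does not count twice
    results["large_one_approver"] = authorize(large)
    approve(large, "carol")
    results["large_two_approvers"] = authorize(large)
    results["unusual_unapproved"] = authorize(unusual)
    return results


if __name__ == "__main__":
    print(demo())
```

The two design points worth copying are that the requester is never counted as an approver, and that approvals are a set keyed on identity, so a single compromised administrator account cannot satisfy the quorum by approving repeatedly.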

Exchanges that have implemented rigorous controls have earned the community's trust and have limited the impact a breach can have. Although breaches can never be fully prevented, their consequences can be mitigated to manageable levels. Cryptocurrency traders are once again beginning to trust exchanges, so long as those exchanges have a track record of exceptional security.

TaxBit Is A Leader In Fin-Tech Security

TaxBit has invested heavily in data security and is focused on not simply meeting data privacy requirements, but exceeding them.

First, TaxBit only collects information that is necessary to provide our services. One of the core principles of the GDPR is "data minimization": companies should collect only the information necessary to provide their services, and should not collect information without a proper purpose.

To this end, the only information required to create a TaxBit account is an email address, a password, and "read-only" transaction data.

We intentionally do not collect a Social Security number, address, or phone number, and we do not store your credit card number (payment details are handled by a trusted third-party payment processor and are never stored on our systems). This keeps the most sensitive categories of personal data out of our systems entirely, so a breach of TaxBit could not expose them; the account credentials and transaction data we do hold are protected by the controls described below.

Second, TaxBit has internal controls to protect user information: customer data is encrypted, changes go through a formal change management policy, data is stored in an immutable, auditable ledger, all employees undergo background checks, and other security best practices are followed. Importantly, TaxBit only requires "read-only" API tokens, meaning keys without trade or withdrawal permissions, so we never have custody of, or the ability to move, user funds.
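The read-only requirement is only as good as the check that enforces it when a key is connected. The Python below is an added example (not TaxBit's code) showing why that check should be an allowlist rather than a denylist: a denylist of the permission names you thought of will pass a key carrying a scope you did not anticipate, while an allowlist fails closed. The scope names are assumptions; every exchange labels permissions differently, so its vocabulary would have to be mapped onto a check like this.

```python
"""Vetting exchange API keys for read-only scope.

Added example, not TaxBit's code. Scope names are assumptions; real exchanges
use their own permission vocabularies.
"""

READ_ONLY_SCOPES = {"read", "view", "history"}   # assumed allowlist of harmless scopes
DANGEROUS_SCOPES = {"trade", "withdraw"}         # assumed denylist, deliberately incomplete


def is_read_only_denylist(scopes) -> bool:
    """Weak check: rejects only the scopes we anticipated.

    A key granted an unexpected fund-moving scope such as "transfer" passes,
    because it is not in DANGEROUS_SCOPES.
    """
    normalized = {s.strip().lower() for s in scopes}
    return not (normalized & DANGEROUS_SCOPES)


def vet_api_key(scopes) -> tuple:
    """Hardened check: every scope must be a known read-only scope.

    Returns (accepted, reason). Fails closed on unknown scopes and rejects an
    empty grant, which is useless rather than safe.
    """
    normalized = {s.strip().lower() for s in scopes}
    if not normalized:
        return (False, "no scopes granted")
    unexpected = normalized - READ_ONLY_SCOPES
    if unexpected:
        return (False, "non-read-only scopes: " + ", ".join(sorted(unexpected)))
    return (True, "read-only")


def compare(scopes) -> dict:
    """Show how the two checks judge the same constructed key."""
    return {
        "denylist_accepts": is_read_only_denylist(scopes),
        "allowlist_accepts": vet_api_key(scopes)[0],
    }


if __name__ == "__main__":
    # Constructed sample: a key with read plus an unanticipated fund-moving scope.
    print(compare(["read", "transfer"]))
```

Run against the constructed key `["read", "transfer"]`, the denylist accepts it and the allowlist rejects it; that gap is the whole argument for enumerating what is permitted instead of what is forbidden.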

Third, we invest in the best employees. Our security team comes from a variety of backgrounds and has deep experience handling sensitive data. Members of our Data Security and Compliance teams have led compliance efforts in some of the most data-sensitive industries, including at reputable cryptocurrency exchanges and Facebook's Calibra wallet, have implemented security measures for billion-dollar payment processing platforms, and have secured millions of sensitive HIPAA records.

TaxBit is a security-first company. We refrain from collecting unnecessary sensitive data, and we apply the best security practices to the data we do collect. To disappoint the infamous bank robber Willie Sutton: our vault doesn't hold money, and the building is well-armed.