Article Summary
This article explains how to keep your River account secure, including avoiding scams, two-factor authentication, and monitoring activity.
At River, security is our highest priority. We have strong security measures to protect your account, but we also recommend that you take simple steps to help keep your River account and funds safe.
- Think before you trust
- Layer your security
- Click and browse responsibly
- Keep tabs on your accounts
- How do I disclose a security vulnerability?
Think before you trust
Most bitcoin theft happens through scams, not hacks. River will never ask for sensitive information via social media or messaging apps. If someone claims to be from River, first verify by contacting Client Services.
For information on common bitcoin scams and how to avoid them, please read this River Learn article. Investment scams often promise big payouts, quick money, or guaranteed returns. Be wary of any offer claiming high rewards with little or no risk to you. If it sounds too good to be true, it probably is.
To avoid investment scams:
- Be alert for high-pressure tactics that may encourage you to act quickly
- Be cautious of any unsolicited offers from people you do not know or trust, especially over the internet
- Remain vigilant against internet scams and phishing attempts, which are increasingly common online
If someone approaches you and you're unsure whether to trust them, pause and ask yourself the following questions:
- How well do I really know this person?
- Did we meet online or in person?
- Have I verified their identity?
- What might their intentions be?
Review the table below for common investment scam typologies:
| Scam type | Description |
| --- | --- |
| Social engineering fraud | The act of deception used by criminals in order to manipulate individuals to disclose private information. Common methods utilize social media accounts but attempts are also made through telephone calls or in person. |
| Romance Scams | The act of a criminal utilizing a false identity in order to gain trust in an attempt to manipulate and exploit the victim through an illegitimate romantic or intimate relationship. |
| Elder Fraud or Senior Scams | The act of committing a crime by targeting elderly individuals in an attempt to appropriate their money, personal property, or valuables for personal gain. |
For purposes of this advisory and consistent with other U.S. government agencies' use of the term, an older adult is considered an individual 60 years of age or older. See Federal Trade Commission (FTC) Report, "Protecting Older Consumers, 2020-2021."
If you think you have been the victim of an elder scam, the Department of Justice's National Elder Fraud Hotline is available to you at 833-FRAUD-11 or 833-372-8311 for support, resources, and assistance with reporting suspected fraud to the appropriate government agencies. See Advisory on Elder Financial Exploitation.
Layer your security
Enhance your account security by combining strong password practices with River's built-in security features.
- Never share your password with anyone.
- Use a different password for every account you own. Reusing passwords across websites is one of the leading causes of account breaches.
- Use a password manager, like 1Password, LastPass, and Bitwarden, to generate and store strong, unique passwords.
- Choose a password that is as long as possible. In general, longer passwords are more secure. Use your password manager to generate one with at least 20 characters, with a mix of letters, numbers, and symbols.
- If not using a password manager, we recommend using a passphrase of at least 5 random words. These are extremely difficult to guess and easier to remember than passwords made up of random symbols and characters. A passphrase is also an excellent choice for your password manager's master password, which you'll need to memorize.
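To make the two recommendations above concrete, the following added example (not River's code) generates a 20-character password and a 5-word passphrase from the operating system's secure random source and estimates the entropy of each. The word list is a constructed 16-word stand-in so the block runs offline; the 7,776-word list size in the comment is an assumption about a typical diceware-style list, not something this article specifies.

```python
import math
import secrets
import string

# Constructed 16-word list so the example runs offline. A real list must be
# far larger (assumption: e.g. a 7,776-word diceware-style list).
WORDS = ["anchor", "basil", "cobalt", "drift", "ember", "fjord", "granite",
         "harbor", "indigo", "juniper", "kettle", "lantern", "meadow",
         "nickel", "orchard", "pebble"]

CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]  # 26 + 26 + 10 + 32 = 94 symbols

def random_password(length=20):
    """Random password that contains at least one character of each class."""
    alphabet = "".join(CLASSES)
    while True:  # redraw until every class appears (rarely needed at length 20)
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in pw) for cls in CLASSES):
            return pw

def random_passphrase(words=WORDS, count=5, sep="-"):
    """Passphrase of `count` words, each picked independently and uniformly."""
    return sep.join(secrets.choice(words) for _ in range(count))

def entropy_bits(pool_size, picks):
    """Entropy in bits when each pick is uniform over `pool_size` options."""
    return picks * math.log2(pool_size)

if __name__ == "__main__":
    print(random_password())
    print(random_passphrase())
    print("20 chars from 94 symbols:  %.1f bits" % entropy_bits(94, 20))
    print("5 words from 7,776 words:  %.1f bits" % entropy_bits(7776, 5))
    print("5 words from this 16-word demo list: %.1f bits"
          % entropy_bits(len(WORDS), 5))
```

The strength of a passphrase comes from the size of the word list and from random selection, which is why words you pick yourself do not give the same protection.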
Time-based One-time Passwords
River recommends enabling two-factor authentication (2FA) on all your accounts and, whenever possible, avoiding SMS-based methods. A more secure alternative is an authenticator app that uses TOTP (time-based one-time passwords). These apps generate unique, time-sensitive codes that change every few seconds, making old codes immediately invalid. Even if someone obtains your username and password, they can't access your account without the current TOTP code. For instructions on how to set up TOTP on your River account, please see this Help Center article.
ForceField
ForceField is an additional layer of security on your River account that protects your bitcoin in the event of:
- Device theft or loss
- Stolen login credentials
- Scams and phishing attacks
ForceField protects your bitcoin without disrupting how you use River. With ForceField, you can set a limit to control how much bitcoin can leave your account each week. For more information on ForceField, please see this Help Center article. For instructions on how to set up ForceField, please see this Help Center article.
Click and browse responsibly
Always exercise caution when communicating online. Avoid clicking links, downloading files, or saving attachments from suspicious emails. Only install software and applications from trusted sources, and ensure the website address begins with "https" to confirm a secure connection.
Keep tabs on your accounts
Following these tips reduces your risk, but monitoring your accounts is essential. Regularly check bank, cryptocurrency, and other financial accounts, and watch your email for confirmation messages. Fraud can happen quickly if you're not alert.
River allows you to track your login activity within your "Profile & Settings." River also sends email notifications when any of the following actions occur:
- Changing email address or password
- Depositing or withdrawing cash
- Buying or selling bitcoin
- Sending or receiving bitcoin
- Logging in on a new device
- Deactivating ForceField
- Adding a new bank account
If you receive any of these notifications and you did not authorize that action, then you should report the unusual activity immediately by contacting Client Services.
How do I disclose a security vulnerability?
At River, we consider the security of our systems a top priority. But no matter how much effort we put into system security, we recognize that there may still be vulnerabilities present.
If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our customers and our systems by doing the following:
- Email your findings to security@river.com
- Encrypt your findings using our PGP key below to prevent this critical information from falling into the wrong hands
- Provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible
- Do not take advantage of the vulnerability or problem you have discovered
- Do not reveal the vulnerability or its details to third parties