Sep 28, 2023, 7:00 PM

Introducing PIN codes

As you may know, TONPAY accounts are directly tied to Telegram accounts. In other words, we use Telegram to authenticate users. This is convenient because you don't need to provide any additional information to use our services. However, it creates a single point of failure in terms of security. If your Telegram account gets compromised (e.g., taken over by a hacker), your TONPAY account is compromised, too, including all the assets you store in the wallet. In a couple of cases, hackers were able to steal TON coins from several of our users due to their poor security practices. To mitigate this, we quickly released a post on Telegram account security best practices (and we still recommend you follow them). Today, we are going a step further by implementing additional security measures that you can use to safeguard your wallet, even if your Telegram account is compromised.

We've introduced a security subsystem that provides additional authentication factors for critical functionality (like funds transfer). Right now, you can set up a four-digit PIN code (a practice similar to the one banks use). Then, when you perform a critical operation, the system will ask you for the PIN code and will refuse to complete the operation if the wrong PIN code is provided. This measure will help you protect your assets even if your Telegram account gets stolen.

We've even implemented additional checks to ensure you use a safe PIN code. So, for example, PIN codes like these: 1234, 3333, 5678, and so on, will not be accepted by our system. This ensures that the intruder won't be able to guess your PIN code easily.

Also, when asking for the PIN code, the system will only give you three attempts and then will lock for five minutes. After another three tries, it will be locked for an hour. After yet another three attempts, it will lock for a day and then will allow you only three tries per day. This will greatly slow down the attempts to guess the PIN code, giving you valuable time to secure your Telegram account.
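
The PIN screening and escalating lockout described in the two paragraphs above, as an added Python sketch (not TONPAY's code). The weak-PIN rule (repeated digits or a run of consecutive digits), resetting the counters after a correct PIN, and the names `is_weak_pin`, `PinGuard` and `verify` are assumptions; the lock durations come from the post.

```python
import time

# Lock length in seconds after the 1st, 2nd and every later round of failures.
LOCK_STEPS = [5 * 60, 60 * 60, 24 * 60 * 60]
TRIES_PER_ROUND = 3


def is_weak_pin(pin: str) -> bool:
    """Assumed rule: reject 3333-style repeats and 1234/8765-style runs."""
    if len(pin) != 4 or not (pin.isascii() and pin.isdigit()):
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({0}, {1}, {-1})


class PinGuard:
    """Per-account attempt counter with escalating lock periods."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = 0        # failed tries in the current round
        self.lockouts = 0        # rounds of three failures so far
        self.locked_until = 0.0

    def seconds_locked(self) -> float:
        return max(0.0, self.locked_until - self.clock())

    def attempt(self, verify) -> str:
        """verify() runs the real PIN comparison; it is skipped while locked."""
        if self.seconds_locked() > 0:
            return "locked"      # no guess is evaluated during a lock
        if verify():
            self.failures = self.lockouts = 0   # assumption: success resets
            return "ok"
        self.failures += 1
        if self.failures < TRIES_PER_ROUND:
            return "wrong"
        self.failures = 0
        step = LOCK_STEPS[min(self.lockouts, len(LOCK_STEPS) - 1)]
        self.lockouts += 1
        self.locked_until = self.clock() + step
        return "locked"
```

Because the last step repeats, every round after the third costs a full day, which is the "three tries per day" limit.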

In the future, we plan to implement more security features like one-time passwords (OTP) and account recovery codes, but for now, we highly recommend that all our users configure a PIN code. However, make sure not to forget the PIN code. Otherwise, you will lock your account (and all your assets) without the ability to unlock it!

What should you do to protect your account?

  1. Secure your Telegram account using our guide.

  2. Set up a PIN code.

How to set up a PIN code?

Here's what you should do to set up a PIN code for your TONPAY account:

  1. Open the TONPAY BOT in Telegram.

  2. Press the menu button and select "Settings".

  3. Click the "Settings" button in the message that appears; the mini app window should open.

  4. Click on the "Set up" button near the "PIN code" label.

  5. Choose a safe four-digit PIN code and enter it. Make sure that the PIN code is hard to guess. The system won't allow you to use simple, unsafe PIN codes.

  6. Enter the same PIN code again to confirm the selection.

  7. Congratulations! The PIN code is now set. Don't forget it! And make sure not to write it down in easily accessible locations.

Diamond