๐Ÿ›ก Secure. Reliable. Built for trade.
Account security

How we keep your account safe.

Account security is non-negotiable. Here's how we authenticate users, protect transactions, and respond to incidents.

Authentication overview

TRADICOMM uses your phone number as the primary authentication identifier. This is deliberate: phone numbers are the trusted identity anchor for mobile users worldwide, and carrier-verified SMS delivery provides a strong second factor without requiring a password manager or authenticator app.

On first sign-in and for security-sensitive actions, we verify your identity via SMS one-time password (OTP). Once you have established a trusted device, you may enable biometric authentication (Face ID, Touch ID, or Android Biometric) as a fast step-up for repeat sign-in.

When we send SMS OTPs

Regulator note

TRADICOMM uses SMS exclusively for security-critical authentication actions listed below. We never include promotional or marketing content in SMS messages.

  1. Account registration

    Confirms you own the phone number you are registering with before the account is created.

  2. Login verification

    Confirms it is really you signing in โ€” especially on a new device or after a period of inactivity.

  3. Password / PIN reset

    Confirms you control the registered phone number before any credentials are reset.

  4. Sensitive account changes

    Required when changing your registered phone number, email address, linked payout account, or core business details.

  5. Payment / payout authorization

    Confirms you authorized a high-value transaction or a new payout destination before funds move.

  6. Suspicious-activity confirmation

    If our fraud-detection engine flags an unusual sign-in attempt, we ask you to confirm via OTP before granting access.

How OTPs work technically

Generation
Server-side, using a cryptographically secure random number generator (CSPRNG). Codes are never derived from predictable inputs.
Format
6-digit numeric codes.
Validity window
5 minutes from time of issue. Expired codes are automatically invalidated.
Verification
Constant-time comparison on the server, defending against timing-based side-channel attacks.
Rate limiting
Maximum 3 OTP requests per 15-minute window. 60-second cooldown between consecutive requests. Maximum 5 verification attempts per code โ€” code is invalidated on the 5th failed attempt.
Storage
OTPs are never stored in plaintext. Only a one-way hash is stored server-side. The hash is deleted immediately on successful verification.
Delivery
SMS delivered via licensed Nigerian telecommunications partners (including Termii Inc.), bound by contractual data processing agreements.
Content policy
OTP messages contain only the code and a brief context line (e.g., 'Your TRADICOMM verification code is: 123456'). No marketing content. No links.

Beyond SMS โ€” additional security layers

End-to-end encryption

User-to-user chat messages are encrypted using Signal Protocol or equivalent. We cannot read message content. Only metadata (timestamps, delivery state) is visible to us.

TLS 1.3

All communication between the TRADICOMM client and our servers is encrypted in transit using TLS 1.3.

Encryption at rest

Sensitive fields (payment details, KYC data, authentication credentials) are encrypted at rest in our infrastructure.

Fraud-detection scoring

Every login and transaction is scored by our fraud-detection system. Anomalies trigger additional verification or account-safety measures.

Device fingerprinting

Trusted devices are tracked so that sign-in from an unrecognized device always triggers fresh OTP verification.

Biometric step-up

For high-value actions on trusted devices, Face ID / Touch ID / Android Biometric provides a fast, phishing-resistant second factor.

What you can do to stay secure

  • Use a phone number that you actively control and keep private.
  • Enable biometric step-up if your device supports it โ€” it's faster and phishing-resistant.
  • Never share your OTP with anyone. TRADICOMM staff will NEVER ask you for your OTP code.
  • If you receive an OTP you did not request, treat your account as potentially compromised and contact us immediately.
  • Report suspicious account activity to security@tradicomm.com as soon as you notice it.

Reporting a security issue

If you discover a security vulnerability in the TRADICOMM platform, website, or mobile application, please disclose it responsibly. We prefer PGP-encrypted email where possible.

Email: security@tradicomm.com โ€” PGP key available on request.

We respond to critical reports within 24 hours and operate a coordinated disclosure policy: we ask that you give us reasonable time to investigate and remediate before publishing details publicly.