Auto Trade: API Key vs. Security

This topic contains 6 replies, has 4 voices, and was last updated by admin 5 days, 20 hours ago.

  • #5208
    funky13
    Participant

        In the past some platforms storing API-Keys were hacked and crypto money was stolen from those accounts. Is there no safer way than storing API-Keys directly in your platform? I’d really like to test auto trading, but I’m concerned about the security.

      • #5213
        Justin
        Participant

            This is a fantastic question and something we should provide more explicit guidance on. Let me get together with some of our smarter folks to provide details on how data is protected at rest and in transit. That’s on our side.

            But there is solid security inherent in the Coinbase API permissions. This is part of why we chose Coinbase.

            For reference: https://docs.pro.coinbase.com/#api-key-permissions

            Permissions are broken down as follows:

            1. View – Allows a key read permissions. This includes all GET endpoints.

            2. Transfer – Allows a key to transfer currency on behalf of an account, including deposits and withdraws. Enable with caution – API key transfers WILL BYPASS two-factor authentication.

            3. Trade – Allows a key to enter orders, as well as retrieve trade data. This includes POST /orders and several GET endpoints.

            We only require you turn on “View” and “Trade” (1 and 3). These do not facilitate transfers out of Coinbase.

            “Transfer” (2) introduces the most risk. You should not have that turned on for our API.

            Some other steps to take:
            – Ensure you have 2FA on for Coinbase Pro
            – Ensure you have 2FA on for Crypto-ML: https://crypto-ml.com/two-factor-authentication/

          • #5217
            funky13
            Participant

                Thanks Justin, you gave some important notes. I’m curious about the facts on your side. In my opinion also a 2FA security on crypto-ml would help to give some more protection. I’m wondering if there might be a way to store credentials and API-Key locally on the computer instead of directly in the platform. That would also give more protection but I’m not sure if that is feasible.

                • #5247
                  Justin
                  Participant

                      Hello @funky13, just to follow-up here, I have a couple of additional items I can share:

                      1. We are contracted with a 3rd party that performs monthly vulnerability assessment and penetration tests. This has been in place as long as Auto Trade has been live and will continue. We also are required to provide these reports to some of the service providers we use. This helps keep our security in check.

                      2. Regarding 2FA, we have had that option available since September of 2018 here: https://crypto-ml.com/two-factor-authentication/

                      3. Regarding storing the API keys locally, it is the consensus that our approach is much more secure (not that anything will ever be perfect). We do store this data on a secure web service (separate from other data) that has very explicit access controls.

                      With all of that said, security is a big deal and we will continuously review and employ best practices.

                      But above all–if you have API credentials on our platform–please:

                      – Enable 2FA
                      – Ensure that API does *not* have Transfer capabilities

                      • #5279
                        funky13
                        Participant

                            Thank you Justin for the extensive answers. It seems that crypto-ml cares about their users and security. I activated 2FA now and I will also give auto trade a try soon.

                      • #5293
                        wahnker
                        Participant

                            FWIW, I use another trading bot that allows you to whitelist 4 IP addresses used by their servers. This does take some effort but IMO is worth it for the extra peace-of-mind.

                            • #5295
                              admin
                              Keymaster

                                  Yes, this is a good feature supported by some exchanges.

                                  One of our security features is that we have a dynamic IP address. This prevents a lot of issues but makes it so you cannot whitelist one IP address of ours. There is some give and take with this setup but in general it is considered more secure to have a changing IP.
