- August 7, 2019 at 5:05 am #5208
- August 7, 2019 at 2:16 pm #5213
This is a fantastic question and something we should provide more explicit guidance on. Let me get together with some of our smarter folks to provide details on how data is protected at rest and in transit. That’s on our side.
But there is solid security inherent in the Coinbase API permissions. This is part of why we chose Coinbase.
For reference: https://docs.pro.coinbase.com/#api-key-permissions
Permissions are broken down as follows:
1. View – Allows a key read permissions. This includes all GET endpoints.
2. Transfer – Allows a key to transfer currency on behalf of an account, including deposits and withdrawals. Enable with caution – API key transfers WILL BYPASS two-factor authentication.
3. Trade – Allows a key to enter orders, as well as retrieve trade data. This includes POST /orders and several GET endpoints.
We only require you turn on “View” and “Trade” (1 and 3). These do not facilitate transfers out of Coinbase.
“Transfer” (2) introduces the most risk. You should not have that turned on for our API.
Some other steps to take:
– Ensure you have 2FA on for Coinbase Pro
– Ensure you have 2FA on for Crypto-ML: https://crypto-ml.com/two-factor-authentication/
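An added example, not code from Crypto-ML or from Coinbase: a least-privilege audit that compares the permissions granted to a key against the View/Trade/Transfer split described above, derived from the endpoints a bot actually calls. The endpoint-to-permission mapping and the sample call list are assumptions for illustration.

```python
"""Least-privilege check for a Coinbase Pro style API key, based on the
permission model quoted in the thread: View covers GET endpoints, Trade
covers POST /orders and trade data, Transfer covers deposits/withdrawals.
The path mapping and sample calls below are constructed, not taken from
the Coinbase documentation."""

VIEW, TRADE, TRANSFER = "view", "trade", "transfer"


def required_permission(method: str, path: str) -> str:
    """Map one API call to the permission that authorises it (assumed mapping)."""
    method = method.upper()
    if path.startswith(("/withdrawals", "/deposits", "/transfers")):
        return TRANSFER  # moves funds out; bypasses 2FA per the thread
    if method == "GET":
        return VIEW
    if path.startswith("/orders"):
        return TRADE  # placing or cancelling orders
    raise ValueError(f"unclassified call: {method} {path}")


def minimal_permissions(calls):
    """Smallest permission set a bot needs for the calls it actually makes."""
    return {required_permission(m, p) for m, p in calls}


def audit_key(granted, calls):
    """Return (ok, excess, missing): excess grants are the risk to remove."""
    needed = minimal_permissions(calls)
    granted = {g.lower() for g in granted}
    excess = granted - needed
    missing = needed - granted
    ok = not excess and not missing and TRANSFER not in granted
    return ok, excess, missing


# Constructed sample: what a trade-only bot would typically call.
BOT_CALLS = [("GET", "/accounts"), ("GET", "/products/BTC-USD/ticker"),
             ("POST", "/orders"), ("DELETE", "/orders/abc123"), ("GET", "/fills")]

if __name__ == "__main__":
    for grants in ({"view", "trade"}, {"view", "trade", "transfer"}):
        ok, excess, missing = audit_key(grants, BOT_CALLS)
        status = "OK" if ok else f"excess={sorted(excess)} missing={sorted(missing)}"
        print(sorted(grants), status)
```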
- August 9, 2019 at 3:54 am #5217
Thanks Justin, you gave some important notes. I’m curious about the facts on your side. In my opinion, 2FA security on crypto-ml would also help to give some more protection. I’m wondering if there might be a way to store credentials and the API key locally on the computer instead of directly in the platform. That would also give more protection, but I’m not sure if that is feasible.
- August 14, 2019 at 12:05 pm #5247
Hello @funky13, just to follow-up here, I have a couple of additional items I can share:
1. We are contracted with a 3rd party that performs monthly vulnerability assessment and penetration tests. This has been in place as long as Auto Trade has been live and will continue. We also are required to provide these reports to some of the service providers we use. This helps keep our security in check.
2. Regarding 2FA, we have had that option available since September of 2018 here: https://crypto-ml.com/two-factor-authentication/
3. Regarding storing the API keys locally, it is the consensus that our approach is much more secure (not that anything will ever be perfect). We do store this data on a secure web service (separate from other data) that has very explicit access controls.
With all of that said, security is a big deal and we will continuously review and employ best practices.
But above all, if you have API credentials on our platform, please:
– Enable 2FA
– Ensure that API does *not* have Transfer capabilities
- August 16, 2019 at 6:34 am #5279
- August 19, 2019 at 5:53 pm #5293
FWIW, I use another trading bot that allows you to whitelist 4 IP addresses used by their servers. This does take some effort but IMO is worth it for the extra peace-of-mind.
- August 19, 2019 at 8:46 pm #5295
Yes, this is a good feature supported by some exchanges.
One of our security features is that we have a dynamic IP address. This prevents a lot of issues but makes it so you cannot whitelist one IP address of ours. There is some give and take with this setup, but in general it is considered more secure to have a changing IP.