Auto Trade: API Key vs. Security

This topic contains 6 replies, has 4 voices, and was last updated by admin 1 month, 3 weeks ago.

  • #5208
    funky13
    Participant

    In the past, some platforms storing API keys were hacked and crypto money was stolen from those accounts. Is there no safer way than storing API keys directly in your platform? I would really like to test auto trading, but I’m concerned about the security.

  • #5213
    Justin
    Moderator

    This is a fantastic question and something we should provide more explicit guidance on. Let me get together with some of our smarter folks to provide details on how data is protected at rest and in transit. That’s on our side.

    But there is solid security inherent in the Coinbase API permissions. This is part of why we chose Coinbase.

    For reference: https://docs.pro.coinbase.com/#api-key-permissions

    Permissions are broken down as follows:

    1. View – Allows a key read permissions. This includes all GET endpoints.

    2. Transfer – Allows a key to transfer currency on behalf of an account, including deposits and withdraws. Enable with caution – API key transfers WILL BYPASS two-factor authentication.

    3. Trade – Allows a key to enter orders, as well as retrieve trade data. This includes POST /orders and several GET endpoints.

    We only require you turn on “View” and “Trade” (1 and 3). These do not facilitate transfers out of Coinbase.

    “Transfer” (2) introduces the most risk. You should not have that turned on for our API.

    Some other steps to take:
    – Ensure you have 2FA on for Coinbase Pro
    – Ensure you have 2FA on for Crypto-ML: https://crypto-ml.com/two-factor-authentication/

  • #5217
    funky13
    Participant

    Thanks Justin, you gave some important notes. I’m curious about the facts on your side. In my opinion, 2FA security on crypto-ml would also help to give some more protection. I’m wondering if there might be a way to store credentials and the API key locally on the computer instead of directly in the platform. That would also give more protection, but I’m not sure if that is feasible.

    • #5247
      Justin
      Moderator

      Hello @funky13, just to follow up here, I have a couple of additional items I can share:

      1. We are contracted with a 3rd party that performs monthly vulnerability assessment and penetration tests. This has been in place as long as Auto Trade has been live and will continue. We also are required to provide these reports to some of the service providers we use. This helps keep our security in check.

      2. Regarding 2FA, we have had that option available since September of 2018 here: https://crypto-ml.com/two-factor-authentication/

      3. Regarding storing the API keys locally, it is the consensus that our approach is much more secure (not that anything will ever be perfect). We do store this data on a secure web service (separate from other data) that has very explicit access controls.

      With all of that said, security is a big deal and we will continuously review and employ best practices.

      But above all–if you have API credentials on our platform–please:

      – Enable 2FA
      – Ensure that API does *not* have Transfer capabilities

      • #5279
        funky13
        Participant

        Thank you Justin for the extensive answers. It seems that crypto-ml cares about their user and security. I activated 2FA now and I will also give auto trade a try soon.

  • #5293
    kw
    Participant

    FWIW, I use another trading bot that allows you to whitelist 4 IP addresses used by their servers. This does take some effort but IMO is worth it for the extra peace-of-mind.

    • #5295
      admin
      Keymaster

      Yes, this is a good feature supported by some exchanges.

      One of our security features is that we have a dynamic IP address. This prevents a lot of issues but makes it so you cannot whitelist one IP address of ours. There is some give and take with this setup, but in general it is considered more secure to have a changing IP.
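
An added example, not part of the thread and not Crypto-ML's or Coinbase's code: a small Python audit that applies the guidance discussed above (View and Trade only, no Transfer, 2FA on, and a narrow IP allowlist where the exchange supports one) to an inventory of API keys. The record layout, field names and sample entries are assumptions constructed for illustration.

```python
import ipaddress

# Policy taken from the thread: the platform needs View and Trade; Transfer must stay off.
REQUIRED = {"view", "trade"}
FORBIDDEN = {"transfer"}
KNOWN = REQUIRED | FORBIDDEN


def audit_key(key):
    """Return a list of (severity, message) findings for one API key record."""
    findings = []
    perms = {p.strip().lower() for p in key.get("permissions", [])}
    for p in sorted(perms & FORBIDDEN):
        findings.append(("critical", f"'{p}' is enabled; API transfers bypass 2FA"))
    for p in sorted(REQUIRED - perms):
        findings.append(("info", f"'{p}' is missing; auto trading will not work"))
    for p in sorted(perms - KNOWN):
        findings.append(("warning", f"unrecognised permission '{p}'; review manually"))
    if not key.get("two_factor", False):
        findings.append(("warning", "2FA is not enabled on the account"))
    # An allowlist only helps if it is narrow; flag empty or catch-all entries.
    nets = [ipaddress.ip_network(n, strict=False) for n in key.get("ip_allowlist", [])]
    if not nets:
        findings.append(("info", "no IP allowlist; key is usable from any address"))
    for net in nets:
        if net.prefixlen == 0:
            findings.append(("warning", f"allowlist entry {net} matches every address"))
    return findings


def audit(inventory):
    """Map key name -> findings, keeping only keys that have findings."""
    report = {k["name"]: audit_key(k) for k in inventory}
    return {name: f for name, f in report.items() if f}


# Constructed sample inventory (not real keys; 203.0.113.0/24 is a documentation range).
SAMPLE = [
    {"name": "autotrade", "permissions": ["View", "Trade"], "two_factor": True,
     "ip_allowlist": []},
    {"name": "old-bot", "permissions": ["view", "trade", "transfer"], "two_factor": False,
     "ip_allowlist": ["0.0.0.0/0"]},
    {"name": "other-bot", "permissions": ["view", "trade"], "two_factor": True,
     "ip_allowlist": ["203.0.113.10/32", "203.0.113.11/32"]},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        for severity, message in findings:
            print(f"{name}: [{severity}] {message}")
```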
