When you are trading or investing money in cryptocurrencies, a lot of money is sometimes at stake, so you need to take some precautions to limit the inherent risk.
In my opinion, the most critical data when an autonomous bot is running in production are:
- Exchange ID: login or id + password
- Email or mobile phone used for recovery
- Exchange API private/secret key
- Web Browser stored password
- Any wallet file (backup file) and related passphrase
- Login & password of the unit where the bot is running (VPS or your computer)
- Clipboard content
Exchange ID: login or id + password
Do not use the same password on all exchanges.
Never use the same password as your email account.
To be really out of danger, use a different email and password for each exchange.
You need to activate any 2FA option the exchange provides (SMS, Google Authenticator, email).
It is always better to activate any possible security option by default.
Some exchanges provide a service called “withdrawal address white-listing”: you manually specify a list of withdrawal addresses, and only addresses in this list can be used to withdraw funds; any other address is not allowed. This is very useful for limiting the impact of an attack in case your ID has been pwned.
Email or mobile phone used for recovery
If your mobile phone or email can be used as a recovery option, consider that any hack or phishing attempt against it could end with your funds being stolen.
Be very cautious: never click on any suspicious email, and never create an account on another website using your email and your exact email password.
Be aware of what a SIM swap attack is.
If either your mobile or your email is hacked, you have to react very quickly, and the consequences are generally disastrous.
Exchange API private/secret key
API keys are used to interact with the exchange from your program; a key is generally a pair of pseudo-random character strings you are given.
This kind of information is really critical because it may allow someone to make trades, to know what you hodl, and potentially to make withdrawals.
So every place where you store them in clear is a critical place.
Never store them outside the execution unit: your VPS or your computer.
Never activate the withdrawal right on any key until you really need to withdraw through the API.
The best method will always be to withdraw manually!
If you are constrained to allow withdrawals on some API key (the only reason in my opinion is that you are using an arbitrage bot and need to withdraw and deposit automatically), you have to use the withdrawal white-list, and remember to delete any key as soon as it is no longer used.
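Since the key and secret sit in clear on the execution unit, the bot can at least refuse to start when the file holding them is readable by other accounts. The loader below is an added example, not code from the original post; the JSON layout (`key` / `secret`), the function names and the POSIX permission model are assumptions.

```python
import hashlib
import json
import os
import stat


def load_api_credentials(path):
    """Return (key, secret) from a JSON file, refusing unsafe permissions.

    Assumed layout (hypothetical, not any exchange's format):
        {"key": "...", "secret": "..."}
    POSIX only: relies on owner/group/other mode bits.
    """
    # O_NOFOLLOW: fail instead of following a symlink planted at this path.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, encoding="utf-8") as fh:
        # fstat the descriptor we actually opened, so the file cannot be
        # swapped between the permission check and the read.
        st = os.fstat(fh.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid != os.getuid():
            raise PermissionError(f"{path}: owned by another user")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(
                f"{path}: accessible by group or others, run: chmod 600 {path}")
        data = json.load(fh)
    key, secret = data.get("key"), data.get("secret")
    if not key or not secret:
        raise ValueError(f"{path}: 'key' or 'secret' missing")
    return key, secret


def fingerprint(secret):
    """Short identifier for logs; never log the secret itself."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:8]
```
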
Web Browser stored password
Your web browser sometimes stores logins and passwords, and may be a point of vulnerability.
Most current websites use social media and ad tracking systems, which may reveal that you are interested in crypto, and which will finally end up showing you lots of crypto-related ads.
And a lot of studies show that some ads may be used for phishing or hacking attempts.
I honestly invite you to install and use the Brave browser, which has an integrated ad (and tracking tool) blocker.
Any wallet file (backup file) and related passphrase
If you don’t hodl most of your funds on the exchange, you have wallet storage; it could be a hot or a cold wallet, but for both of them there is some critical data.
The “mnemonic phrase” is used to recover your wallet in case you lose access to your physical or software wallet.
So never write it down anywhere other than on paper, and never, never share it with anyone: this mnemonic phrase allows anyone to recover your funds. Consider it like the key to your home and safe.
If you use a hot wallet (software wallet), you will have a wallet.dat file somewhere on your hard drive; if it is not encrypted, this file is literally the wallet. If someone steals this file, they get access to your funds, and you lose access to your funds.
You have to encrypt this file with a password called a passphrase. Then, to get access to your wallet, you need the wallet.dat file plus the passphrase.
You need to back up this wallet.dat file in at least two other different places (USB key, external hard drive, etc.), because if you lose access to this file and do not have your “mnemonic phrase”, you have literally lost your funds.
This information is very critical: if you are the target of a specific attack combining malware that steals the wallet.dat and a keylogger that steals the passphrase, you may also lose your funds.
Login & password of the unit where the bot is running (VPS or your computer)
If you are running the bot on your local computer, avoid using Windows and prefer Linux. Consider that the session user and password are also critical data: always use a password, and a solid one. Never share your password.
Access to the session allows people to install malware (a keylogger), gives access to a potential wallet.dat file (if you use hot storage), and gives access to the API key and secret.
If you run the bot on a remote computer like a VPS, the VPS IP, login and password are all critical because they give access to the API key and secret.
Clipboard content
The clipboard may be the target of clipboard hijack malware. This attack is used to steal funds by changing the address in your clipboard.
Assume you are using an exchange or a local wallet to send funds somewhere. You have to copy the recipient address.
When you copy this address, the malware detects that the clipboard content looks like a cryptocurrency address and replaces it with the attacker's address.
When you paste the address in the wallet or on the exchange webpage, if you do not notice that the address is different from the one you copied previously, you will confirm the transaction and the funds you send will be stolen (given to the thief).
The best method is to at least double-check (triple-checking is better), when you paste an address in a recipient field, that this address is complete and corresponds to the one you copied before.
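The double check described above can be scripted, for example in a bot that submits withdrawals. This is an added example, not the author's tool and not code from the original post: it compares the whole string, because a check of only the first and last few characters would miss a substituted address that shares them. The address patterns are a rough assumption and the sample addresses are constructed.

```python
import re

# Rough shape of some common address formats (assumption, not exhaustive),
# used only to confirm that a pasted value is a complete address.
ADDRESS_SHAPE = re.compile(
    r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}"  # Bitcoin Base58
    r"|bc1[02-9ac-hj-np-z]{11,71}"          # Bitcoin bech32
    r"|0x[0-9a-fA-F]{40})$"                 # Ethereum hex
)

# Constructed sample values, not real wallets.
COPIED = "0x" + "ab12" * 10
SWAPPED = "0x" + "ab12" + "cd34" * 8 + "ab12"  # same first/last characters


def looks_like_address(text):
    """True if the text has the shape of a complete address."""
    return bool(ADDRESS_SHAPE.match(text.strip()))


def compare_addresses(copied, pasted, edge=4):
    """Compare the address you copied with the one that reached the field."""
    a, b = copied.strip(), pasted.strip()
    if a == b:
        return {"match": True, "reason": "identical"}
    # Index of the first differing character (or the shorter length).
    first_diff = next(
        (i for i, (x, y) in enumerate(zip(a, b)) if x != y),
        min(len(a), len(b)),
    )
    if len(a) != len(b):
        reason = "length differs: truncated or replaced"
    elif a[:edge] == b[:edge] and a[-edge:] == b[-edge:]:
        reason = "look-alike: same first and last characters, different middle"
    else:
        reason = "different address"
    return {"match": False, "reason": reason, "first_diff": first_diff}


if __name__ == "__main__":
    print(compare_addresses(COPIED, SWAPPED))
```
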
I am currently working on a security tool to help people avoid becoming victims of clipboard hijack malware (and to detect whether they are a potential victim).
Sorry for this long read, but now you know which data are critical and why!