API: the buzz around the crypto town
API has become a buzzword since the advent of cryptocurrency trading. If you are still wondering what it is, you've come to the right place. Our team has taken some time to put it in layman's terms. We won't promise to explain it the way all those videos and blog posts with fancy "Explain blah blah like I'm 5 years old" titles do, but we promise to keep things simple and intuitive. Here's our take on the API.
What's an API?
API stands for Application Programming Interface. Okay, great, but what does it do? As the name suggests, it is an interface for applications to interact with each other programmatically. In layman's terms, it's a messaging system through which two applications talk to each other.
How does it work?
So, in practice an API comes with a couple of secure phrases that are shared between the applications so they can interact securely. For instance, to view your information on Facebook you need to log in. But an external application can communicate with Facebook using your secure phrases (if you provide them) and fetch the information you have allowed it to. This is a secure and legitimate way of sharing access: by providing that application with your secure phrases, you are allowing it to communicate with Facebook and fetch your information.
What are these phrases and how are they secure?
There are either two or three of these phrases, depending on the layers of security. They are generally called a key and a secret; the optional third phrase is a passphrase. These are generally alphanumeric and contain 32 to 64 characters. They are the keys to your account and are generated using cryptographic algorithms. Security rests on the algorithm the application follows to generate them. Read more technical details on this here.
These API keys are created with a certain level of permissions attached to them. Whoever creates them has to specify the permission level an application gets by holding these phrases. This is what protects the privacy and security of your data.
Security in the Cryptocurrency world
In our case, we are dealing with API keys created on cryptocurrency exchanges and shared with third-party applications that provide services around crypto holdings: trading, portfolio management, rebalancing, and so on.
Each such application needs a different level of access. Primarily, there are three levels of access permission provided on exchanges.
- Read or View Only permission
- Write or Trade permission
- Transfer of Funds permission
Read or View only access
An application using API keys with this permission can access your information but only read it: present it on its platform, use it for some calculations, show it to you on a nicer interface, and so on. This is the safest access of all because it is read-only: if these API details fall into the wrong hands, the attacker can only see your information and cannot steal or transfer your funds.
Write or Trade access
This access is provided to applications that deal with automated trading, portfolio rebalancing, algorithmic trading, and third-party analyst firms that execute trades on your behalf using their own intelligence. It is needed to achieve efficiency and to put computer-processed analytical knowledge to work for profit, but keep in mind that these API details have the power to place trades on your behalf. In the wrong hands they can be devastating: hackers can use your account to place orders that fill their own orders and drain your digital assets. Read more on this kind of attack.
Transfer access
This is the ultimate level of access. It has its own uses, such as arbitrage trading and other automated transfers of funds driven by smart contracts and other algorithms. In this case a third-party application needs transfer-of-funds access, possibly alongside trading access (not mandatory). Transfer of funds covers both deposit and withdrawal from the user's account. If API details with this access get into the wrong hands, it can lead to permanent loss of funds, as the hacker would simply withdraw your assets. A hack combining trading and transfer access led to a $40MM loss on Binance. More details about that here.
Given the above, one should be careful about the access granted when creating an API key. Evaluate whether the API key is necessary and what level of access the third-party application actually needs, then select the appropriate privileges.
Granting more privileges than needed invites unnecessary trouble.
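To make the key, secret, passphrase and permission-level mechanics concrete, here is an added example (not code from the article or from any exchange): a minimal server-side model in which a request is signed with HMAC-SHA256 and the server enforces read, trade and withdraw scopes per key, so a read-only key cannot withdraw even with a perfectly valid signature. The endpoint names and the 30-second freshness window are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

# The three permission levels the article describes; a key holds a subset of them.
# Endpoint names below are constructed for this example, not a real exchange's API.
READ, TRADE, WITHDRAW = "read", "trade", "withdraw"
ENDPOINT_SCOPE = {"GET /balances": READ, "POST /orders": TRADE, "POST /withdrawals": WITHDRAW}

def create_api_key(scopes):
    """Issue key id, secret and passphrase; the server record keeps the secret and a passphrase hash."""
    key_id, secret, passphrase = secrets.token_hex(16), secrets.token_hex(32), secrets.token_urlsafe(12)
    record = {"secret": secret,
              "passphrase_hash": hashlib.sha256(passphrase.encode()).hexdigest(),
              "scopes": frozenset(scopes)}
    return key_id, secret, passphrase, record

def sign(secret, timestamp, method, path, body=""):
    """Client side: HMAC-SHA256 over timestamp + method + path + body, as exchange APIs commonly do."""
    msg = f"{timestamp}{method}{path}{body}".encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()

def authorize(keys, key_id, passphrase, timestamp, method, path, body, signature, now=None):
    """Server side: check key, passphrase, freshness and signature, then enforce the key's scope."""
    record = keys.get(key_id)
    if record is None:
        return "denied: unknown key"
    given = hashlib.sha256(passphrase.encode()).hexdigest()
    if not hmac.compare_digest(given, record["passphrase_hash"]):
        return "denied: bad passphrase"
    if abs((now if now is not None else time.time()) - timestamp) > 30:
        return "denied: stale timestamp"   # limits replay of a captured request
    expected = sign(record["secret"], timestamp, method, path, body)
    if not hmac.compare_digest(expected, signature):
        return "denied: bad signature"     # body or path tampered, or wrong secret
    needed = ENDPOINT_SCOPE.get(f"{method} {path}")
    if needed not in record["scopes"]:
        return f"denied: key lacks {needed!r} scope"
    return "ok"

def demo():
    """A read-only key (least privilege) can read balances but cannot withdraw, even when validly signed."""
    key_id, secret, passphrase, record = create_api_key([READ])
    keys, ts, results = {key_id: record}, int(time.time()), {}
    for method, path, body in [("GET", "/balances", ""), ("POST", "/withdrawals", '{"amount": 1}')]:
        sig = sign(secret, ts, method, path, body)
        results[f"{method} {path}"] = authorize(keys, key_id, passphrase, ts, method, path, body, sig)
    return results
```

The scope check runs only after the signature check, so a leaked read-only key is still useless for withdrawals while a trade-scoped key would pass the same check for `POST /orders`.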
Summary
Now that you know the API and its access mechanism well: hackers can manipulate your data and steal your funds only if you grant them more power than needed. So, unless you know what you are doing and why you are granting the access, keep away from API usage.
- If you know an application needs your API access, like a portfolio app or a tax calculation app that reads your transactions, grant Read-Only access and nothing more.
- If you are a sophisticated trader who has learned algorithmic trading practices and rebalancing strategies well, then you can use certain platforms and grant them trading access. There is still a chance of these platforms getting hacked and your keys being misused, so it's your decision whether to take that risk, depending on your trust in that platform and its security.
Always ask questions and discuss with the team or support why certain privileges are necessary. Most of the time, applications will have an answer in their FAQ section.
This article was first published here on the BearTax blog as educational content to make users aware of API usage and the precautions around it.
Note: Tax tools like BearTax only need to read your transaction history and calculate capital gains or losses from those numbers. There is absolutely no need for such applications to have trade or transfer access, so we ask you to grant READ or VIEW only access when creating an API key.
Can someone steal your funds via your Exchange API? was originally published in Hacker Noon on Medium, where people are continuing the conversation by highlighting and responding to this story.
Disclaimer
The views and opinions expressed in this article are solely those of the authors and do not reflect the views of Bitcoin Insider. Every investment and trading move involves risk - this is especially true for cryptocurrencies given their volatility. We strongly advise our readers to conduct their own research when making a decision.