Is it safe to connect your crypto account to a portfolio tracker? 

As crypto-owner, it can be a little bit scary to connect your wallet or exchange accounts to a third party, such as a crypto account aggregator. Few Waltio users have shared this concern with us about being hacked or getting their coins stolen! Let’s clarify how Waltio has been developed from scratch to protect your identity, coin and wallet information.

How does a crypto portfolio tracker (also known as account aggregator) collect data about your exchange or wallet accounts?

Most exchanges have created an API (Application Program Interface) to allow machine to machine communication. More technically, an API is a set of endpoints exposed over the HTTP (HyperText Transfer Protocol) protocol used to collect information or to request to execute some actions. Is it safe? Yes, because the HTTP protocol is exactly the same that you use when you open your favourite browser and login to an exchange website.

When we connect to an exchange, we don’t use the simple HTTP protocol, we use an extension of it called HTTPS (HTTP Secure). If you are using HTTP, all your data navigate in clear mode on the network. By using HTTPS, your data are encrypted using the certificate provided by each exchange. Again, it’s the same security level compared to a connection through a browser.

Whether you are dealing with your cryptocurrencies or other things, you always need to need to makesure you are browsing a website using HTTPS instead of HTTP.

But how does it collect only my data?

When a connection is made to an API, it needs to be authenticated. It’s for this reason that Waltio is asking you to provide an API key. Using your key, the exchange will know that we are connected using your own profile.

How can I be sure that an aggregator don’t execute actions that I don’t want?

When you generate an API Key in each exchange, you can specify which permissions you want to assign to this specific key. In general, exchanges provides 3 different sorts of access: Reading, Trading and Withdraw.
At Waltio, we only ask you to grant “read only” permissions. It means that we can only access to your balance, your past transactions or your orders. But in any case, we can place a new order or request a withdrawal. For this reason, we encourage you to be very careful when you assign permissions to a key.

Whenever you use app using API feature, make sure you don’t have the withdrawal right to the newly generated API Key. Providing withdrawal access to third party system simply black-hat hackers work.

You’ll find all required permissions for all supported exchanges on this page:

Configuration – Waltio
This page explains how to configure your Waltio account.
doc.waltio.co

What about wallets?

When you synchronise a wallet in Waltio, you’ll notice that we only ask you to provide the address of your wallet. Most of the blockchain networks are public. By providing a wallet address, we can simply connect to the network and retrieve your balance and your past transactions.

Does Waltio implement HTTPS as well?

Yes. And if we go a bit deeper on this topic, HTTPS is good, but you need to look at the encryption algorithm used in the certificate to be sure that it’s safe. Let’s start from the beginning and understand how do we get an HTTPS certificate. It’s possible to implement a self-signed certificate, but it’s obviously not safe at all. The best way is to get a certificate from a certificate authority (CA). Waltio’s CA is GoDaddy (you can verify our certificate just by clicking on the lock icon next to the URL in your browser). GoDaddy is providing us a strong certified certificate that will be used to encrypt all messages transported over the network. You can see our security HTTPS overall rating “A” here: https://www.ssllabs.com/ssltest/analyze.html?d=tax.waltio.co&s=54.227.215.155

How does Waltio manage user authentication?

For security reasons, we delegate the user authentication to another company called Auth0. This company is in charge of checking your identity and store safely critical identity data. Waltio is never aware of your password, the only information that we have is your email address that we use as username in our application. So in any case, Waltio can use your email address and password to try to gain access to your exchange account (because we don’t know your password ).

How does Waltio protect the access to my information?

When you successfully login to Waltio (using Auth0), you are granted a token. Waltio uses the OAuth2 authentication mechanism. This token, provided by Auth0, is then sent to our services to be able to get the data stored on our side (and display it in our application). Using again Auth0, all of our services are protected. It means that your token will be verified first with Auth0 before sending back any information. Because your token includes basic identify information such as your email address, we only returns information belonging to your specific Waltio account.

Is it possible that Waltio’s server will be hacked?

Of course, never say never. But all your data is hosted in AWS, and it ensures that your information are protected and backup properly. On top of that, AWS is responsible of keeping this service running all the time (so you won’t be surprised with a database connection error in our application). We use AWS VPC (Virtual Private Cloud). Data storage is isolated in a private network, and we configured it to forbid public access to our data storage. So the only way to access this data is to use the services that are protected with Auth0 as explained above.

What if AWS servers or data centers got hacked?

Again, never say never. But to be sure that your data is extremely safe, we encrypt at rest your account data. What does it mean? When data are saved in a server, they are usually stored in some binary files in clear mode on the filesystem.

A smart and experienced hacker might be able to hack through AWS to get these files and collect some valuable information. For this reason, we encrypt your data at rest. All your information are encrypted before being written on the server.

So, even AWS engineers who have access to all servers can’t read your data because they are encrypted. It’s another way again to protect your data.

What are the next steps?

What else Waltio can do ?

As explained, Waltio has been developed from scratch to ensure the security of your information, but we won’t stop here. In our TO DO list:

* We already have in our roadmap to enable Two Factor Authentication (2FA) in Auth0.

* We are testing the solution provided by some exchanges to limit API calls only from our servers. It means that even if hacker get hold of your API keys and secrets, they could be use only from our Waltio servers.

What should I do to keep my cryptocurrencies safe ?

But we can’t do that alone, we need your help. Be sure to follow as much as possible these guidelines:

– Never interact with cryptocurrency-related sites without HTTPS protocol (if there is no locker on the left part of the URL, leave the web site).

– Use Multifactor authentication in all exchanges (2FA)

– Bookmark your main trading website and visit it only by clicking this bookmark to avoid phishing website

– Do not use the same password for all exchanges or wallets

– Use a different email address for your exchanges than your regular one

– Don’t save all your usernames and passwords in a file on your hard drive

Here are additional tips to keep your crypto safe made by Consensys.

Thanks for reading 🙂 If you have any question, feel free to reach out to us or comment.