Trusting Craider with your API — is it safe?

Craider
7 min read · Sep 27, 2018

We at Craider know how hard it can be to trust people on the internet. We are all traders and we have been around the block a few times — scams, untrustworthy ICOs, attempts to get your wallet keys — we’ve seen it all. In fact, this is one of the reasons we created the Craider bot for ourselves first: we wanted a safe place for us and our friends to trade without risking losing our funds or being scammed. As we started getting more feedback from friends and family on how useful the Craider bot is, we decided to make it accessible to other traders looking to trade their digital assets safely and conveniently in one place. We believe that this service is the right of every trader, and that’s why we do not ask any money for it. The Craider bot is free, and will be forever free, to manage your portfolio of digital assets.

However, it is quite different if you heard about our bot from someone else — it might seem unsafe to give out your API keys to a free Telegram bot just because someone says so. So this post is to clear up what information the Craider bot can see and will use, and more importantly, what it cannot see and do. This article is a fairly long read, but please, for your own safety, take the time to read and understand it.

Overview: what is an API?

An API, or Application Programming Interface, is a way for people to access the services of a company without logging in to the software or platform they want to use. Simply said, you can access a service without leaving the software environment you are in right now — whether it is a programming interface, a website, or, in the case of Craider, the Telegram bot.

The Craider bot uses the APIs of the exchanges Binance, Poloniex, Kraken and Coinbase Pro. This allows you to make use of the features of the Craider bot: your portfolio overview, trading directly, and setting BTC signals, for all of these exchanges directly in Telegram.

In order to make API access secure, the API keys must be created by you in the exchange itself, so that the exchange knows that you personally made them and have proven it through the security measures that the exchange uses (2-factor verification, Google Authenticator, email confirmation, etc.).

This is the first layer of security within how Craider works: only the person with access to the wallet, including the added security measures of the exchange, can create the API key.

Secondly, when you create the API key you can set specific rights for it. This means that you tell the exchange which actions are and are not allowed when using the API key. Some of these actions are: READ, SELL, BUY (or TRADE), and TRANSFER (sometimes “withdraw”).

READ: Means that you can “read” your wallet/exchange information (ex.: how much crypto do I have?)
SELL, BUY (or TRADE): Means that you can execute trades through the API for this specific wallet on this specific exchange (ex.: Sell all of my BTC on Binance!)
TRANSFER/WITHDRAW: Means that you can transfer the crypto or digital assets in your wallet on that exchange to any other wallet (ex.: Send all of my BTC from Poloniex to Binance!)

DO NOT GIVE THIS RIGHT AS IT IS VERY UNSAFE. The Craider bot does not need this right for its features! Always uncheck this box when setting up an API key. On some exchanges you will need to complete an extra verification step to add this right to the API key you created, to ensure you do not allow it by accident; some exchanges also let you restrict transfers to whitelisted IPs, so that no one except a specific IP address can use this right.

Thirdly, API credentials consist of two parts: an API key, which is something like a “phone number” that is uniquely assigned to your account and which you use to “call” the exchange, and a secret key. The secret key is normally shown only ONCE and is uniquely assigned to the API key. If you lose it, you need to go through the whole process of making an API key again.
Both the key and the secret are randomly generated and unique, so no one else will have the same key and secret combination that you have. The secret key is the confirmation that the person using the “phone number” to “call” the exchange wallet is actually you.
Coinbase takes this a step further: it requires not only an API key and a secret, but also a passphrase.

Very broadly it works like this:

You: Hello exchange wallet, I am calling from this phone number (API Key)
Exchange: thank you for calling me! What’s the API secret so I know that it is really you?
You: My API secret is xxxx
Exchange: thank you, I verified that you are allowed access to this wallet. What do you want to know?
You: Please tell me how much crypto I have
Exchange: okay, you have [overview]
You: Please send all my BTC to another wallet
Exchange: I’m sorry but you cannot do that because you did not give the TRANSFER right to this phone number (API Key).

[Image: “Keep Calm and Carry On” meme. Source: https://knowyourmeme.com/photos/610586-keep-calm-and-carry-on]

So in short, you first have to pass all the security measures to create the API key on the exchange (security layer 1), set the rights for the API key on what it can and cannot do (security layer 2), and then, when actually using the API key to “call” the exchange, you need to prove that you hold the API secret (security layer 3). APIs in themselves are extremely secure when set up properly; the security risk is on the human side — simply put, do not share your API keys unnecessarily!
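The three layers from the dialogue above, as an added illustration that is not Craider’s or any exchange’s code: a toy exchange-side handler that checks the caller’s proof of the secret (real exchanges verify an HMAC signature over the request rather than receiving the secret in clear, which is what is modelled here), an optional IP whitelist, and the rights attached to the key, so a withdraw request on a key without TRANSFER is refused. The key, secret, IP address and action names are constructed sample values.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed sample credentials: a key with READ and TRADE rights, no TRANSFER,
# restricted to one whitelisted IP. None of these values are real.
API_KEY = "craider-demo-key"
API_SECRET = "demo-secret-do-not-reuse"

@dataclass(frozen=True)
class ApiKeyRecord:
    secret: str
    rights: frozenset        # e.g. {"READ", "TRADE"}; TRANSFER deliberately absent
    allowed_ips: frozenset   # empty set means no IP restriction

KEYS = {API_KEY: ApiKeyRecord(API_SECRET, frozenset({"READ", "TRADE"}),
                              frozenset({"203.0.113.10"}))}

# Which right each action needs (mirrors the READ / TRADE / TRANSFER split above).
REQUIRED_RIGHT = {"balance": "READ", "buy": "TRADE", "sell": "TRADE",
                  "withdraw": "TRANSFER"}

def sign(secret: str, payload: str) -> str:
    """Client side: prove possession of the secret without transmitting it."""
    return hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()

def handle_request(api_key: str, payload: str, signature: str, source_ip: str) -> str:
    """Exchange side: identify the key, authenticate, then authorise the action."""
    record = KEYS.get(api_key)
    if record is None:
        return "DENY: unknown API key"
    # Layer 3: the signature proves the caller holds the secret (constant-time compare).
    if not hmac.compare_digest(sign(record.secret, payload), signature):
        return "DENY: bad signature"
    # Optional whitelist: even a valid signature is refused from an unexpected address.
    if record.allowed_ips and source_ip not in record.allowed_ips:
        return "DENY: source IP not whitelisted"
    # Layer 2: the rights granted at key creation decide what the key may do.
    action = payload.split(":", 1)[0]
    needed = REQUIRED_RIGHT.get(action)
    if needed is None:
        return "DENY: unknown action"
    if needed not in record.rights:
        return f"DENY: key lacks {needed} right"
    return f"OK: {action}"

if __name__ == "__main__":
    for req in ("balance:all", "sell:BTC", "withdraw:BTC:all"):
        print(req, "->", handle_request(API_KEY, req, sign(API_SECRET, req), "203.0.113.10"))
```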

So why should I share my keys with the Craider bot?

In order for the features of the Craider bot to work, we use the API keys that you provide to “call” the exchange wallet for information. This is how we can show you an overview of all the crypto in your wallets, for example. This is a classic use of the READ right of an API key.

We use the BUY, SELL or TRADE rights to make it possible for you to trade in Telegram with just a few taps of a button instead of logging into your exchange.

We do not use the TRANSFER right at all; we do not need it! If you want to move your digital assets from one wallet to another, please log in to the exchange and do it safely there instead of through third-party apps.

The Craider bot cannot see, access or store any other personal information that is on the exchange wallet, including your real name, address, bank account, or other personal info.
Any personal information that we do receive through our website, platform or Telegram bot is completely covered by our Privacy Policy, which is compliant with European GDPR laws, as our company is based in Switzerland. This means you can always ask us to delete any data we have on you (please send an email to info@craider.com if you would like to do so).

This sounds too good to be true — so it must be a scam.

The golden rule of the internet — if it sounds too good to be true, it must be a scam. Why is Craider offering all these things for FREE when others ask money for them? We have outlined our thinking on why this should be free in our company vision, which you can read in depth here. The short version is that we want to make digital asset trading accessible to everyone, easily and conveniently, just as we wanted to make it for ourselves when we made the bot. Besides that, the features that are on the Craider bot will not be our “money maker”. We will offer automated trading, arbitrage, OTC and e-commerce trading in the future, which you can use for a small fee. Think of it as free-to-play games on your mobile phone — you can play the game for free, and if you want extras you can choose to pay.

If you have any questions regarding the safety of the API keys, or the Craider bot, please reach out to us on our Telegram channel or send us an email. We look forward to your questions and feedback.

Stay safe, and happy trading!

This post was written by Seetha Val, VP of Business Intelligence and Growth at Craider. For a full view of Craider’s product offering, please visit our website or join our Telegram chat.

Craider is a digital assets platform consisting of a mobile messenger bot, a web based portal and a multi-functional exchange, all powered by data driven analytics. Craider’s aim is to streamline the flow of funds between platform users, traditional financial markets and the emerging digital asset economy.
