⚡️⚡️The Binance hack and the OneExBit solution for your API key security ⚡️⚡️

OneExBit
3 min read · May 9, 2019


If you’ve been following crypto news, then you probably know that Binance has been hacked and that the hackers made off with $40 million. What is really worrying is not simply the fact that such a major exchange was hacked, but that API trading keys were used to do it. Exchange users are led to believe that since their API keys cannot be used to withdraw funds, nobody can steal their money, but that is not the case.

In the case of Binance, the hackers used phishing to steal 2FA credentials and API keys, after which they used a simple but clever strategy to bypass the withdrawal restriction. They took control of the trading bots belonging to the users whose keys they had stolen and programmed those bots to first exchange all of their assets for BTC and then start buying a specific coin (Viacoin). This created some hype, and when its price grew 70 times in a matter of minutes, they sold everything. It was a classic pump-and-dump.

🔐This scheme became possible because users often do not take proper care of their API keys and enter them on phishing sites that imitate the real exchange terminal. However, there is also a second part to this issue: hackers are able to use stolen keys from any other machine precisely because the keys are stored online somewhere, rather than only on the user’s own computer.

🔒We realized how serious this issue was when we first started working on the OneExBit trading terminal. Any such terminal requires API keys to work: in order to integrate an exchange account into the terminal, a user needs to copy in the keys provided by the specific exchange. If the keys become permanently attached to the terminal user’s account on the terminal’s servers, then a hacker who compromises that account can use them from any other computer.

🔒The solution we chose was elegant and simple: we do not store our users’ API keys in our system. At all, ever. All the API keys you use to integrate your exchange accounts into the OneExBit terminal are stored exclusively on your local machine. Even if a hacker gets hold of your login credentials, or even manages to bypass the 2FA, they will not get access to any of your exchange accounts or funds, because they would need to physically enter your API keys on their own machine. It’s that simple.

Of course, this also means that you will need to re-enter all your keys if you change your computer. But we believe that it’s a small price to pay for the high level of security that OneExBit offers.
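To make the design described above concrete, here is an added example (it is not OneExBit's code and says nothing about how their terminal is actually implemented). It shows the pattern in which the API secret lives only in a user-readable file on the trader's machine, every request is signed locally with HMAC-SHA256 over the query string (the scheme Binance-style REST APIs use), and the only things that ever leave the machine are the public API key, the query and the signature. The file name, the `demo` values and the function names are assumptions made for illustration; the `X-MBX-APIKEY` header name follows Binance's convention.

```python
"""Client-side API key handling: the secret never leaves the local machine.

Added example, not OneExBit's code. HMAC-SHA256 over the query string mirrors
the signing scheme of Binance-style REST APIs; file layout, function names and
the demo key values are constructed for illustration.
"""
import hashlib
import hmac
import json
import os
import stat
import tempfile
import time
from pathlib import Path
from typing import Optional
from urllib.parse import urlencode

# Constructed sample credentials (not real keys).
DEMO_API_KEY = "demo-api-key"
DEMO_SECRET = "demo-api-secret"


def save_local_keys(path: Path, api_key: str, api_secret: str) -> None:
    """Write the key pair to a file only the current user can read (mode 0600).

    The terminal's servers never receive this file; a real terminal would
    additionally encrypt it at rest with a user-held passphrase.
    """
    path.write_text(json.dumps({"api_key": api_key, "api_secret": api_secret}))
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def load_local_keys(path: Path) -> dict:
    """Load the key pair, refusing a file that other local users could read."""
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is readable by others (mode {oct(mode)})")
    return json.loads(path.read_text())


def sign_query(api_secret: str, query: str) -> str:
    """HMAC-SHA256 of the URL-encoded query string, hex encoded."""
    return hmac.new(api_secret.encode(), query.encode(), hashlib.sha256).hexdigest()


def verify_signature(api_secret: str, query: str, signature: str) -> bool:
    """What the exchange does on its side: recompute and compare in constant time."""
    return hmac.compare_digest(sign_query(api_secret, query), signature)


def build_signed_request(keys: dict, params: dict,
                         now_ms: Optional[int] = None) -> dict:
    """Produce exactly what goes over the wire: public key, query, signature.

    The secret is used here for signing and is deliberately absent from the
    returned structure, so a relay, proxy or phishing page sees no secret.
    """
    params = dict(params)
    params["timestamp"] = now_ms if now_ms is not None else int(time.time() * 1000)
    query = urlencode(params)
    return {
        "headers": {"X-MBX-APIKEY": keys["api_key"]},
        "query": query,
        "signature": sign_query(keys["api_secret"], query),
    }


def demo() -> dict:
    """Round trip with the constructed demo keys in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        key_file = Path(tmp) / "exchange_keys.json"  # assumed file name
        save_local_keys(key_file, DEMO_API_KEY, DEMO_SECRET)
        keys = load_local_keys(key_file)
        # Constructed order parameters; a fixed timestamp keeps the demo deterministic.
        return build_signed_request(
            keys, {"symbol": "BTCUSDT", "side": "BUY", "quantity": "0.01"},
            now_ms=1557360000000)


if __name__ == "__main__":
    request = demo()
    print(json.dumps(request, indent=2))
    print("secret present in outbound request:", DEMO_SECRET in json.dumps(request))
```

The point to take from the block is the shape of `build_signed_request`'s output: a stolen terminal login, or a server-side breach of the terminal, yields nothing that can sign a new request, because signing requires the secret that only `load_local_keys` on the trader's own machine can read. The permission check in `load_local_keys` is the local-side counterpart: a key file that other accounts on the same machine can read undoes the benefit of keeping it local.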

In our upcoming posts, we will explore other issues faced by exchange terminal users and look at how OneExBit resolves these issues.
Stay tuned 🙌


OneExBit — new generation trading terminal. OneExBit — your best solution for crypto-trading. https://oneexbit.com/