Security: Best Practices - Bitfinex blog
post-template-default,single,single-post,postid-63,single-format-standard,bridge-core-3.0.6,et_bloom,qode-page-transition-enabled,ajax_fade,page_not_loaded,,qode-title-hidden,qode_grid_1300,footer_responsive_adv,qode-content-sidebar-responsive,qode-child-theme-ver-1.0.0,qode-theme-ver-29.3,qode-theme-bridge,qode_header_in_grid,cookies-set,cookies-accepted,wpb-js-composer js-comp-ver-6.10.0,vc_responsive

Security: Best Practices

In light of recent events, and in response to questions from our users, we wanted to convey some information to the community regarding our security protocols. Generally, we want to remind our users that we are paranoid about security, and have the industry leading standards in place to protect all of our cryptocurrency assets. Specifically, we do the following:

Multisig cold wallets to hold crypto-currencies
We have been using multisig addresses for cold storage since the beginning of December 2014. The vast majority of customer bitcoins are stored in the cold wallets. We do not store more than 0.5% of our assets on hot wallets. Our hot wallets are not accessible from the front-end servers.

Always up-to-date linux systems to host the platform
Our server network is protected by always using up-to-date software and the best possible practices.

Advanced account protection
We offer several options to secure user accounts: Email, OTP authentication and SMS/Voice authentication to validate logins and withdrawals. We have also developed tools to detect unusual account activity that have successfully protected users who have had their accounts compromised in the past.

Trade-only exchanges API keys
API keys are encrypted and not stored in our code or database. These keys provides only the right to get balances and buy and sell bitcoins. Withdrawal are handled on the website through our withdrawal box (which is isolated from the rest of our server network).

Automatic backup of the database once a day
Once a day, the database of the platform is backed up, encrypted and compressed as an archive. The passwords of users it contains are hashed and cannot be stolen. As soon as a new backup is ready (database, log files,…), it is sent to others servers in several physical locations.

Secure storage of customer KYC documents
Once documents are uploaded during the verification process, they are stored separately and are not accessible from the web servers.

Security monitored and audited
Our platform’s security is regularly tested, monitored and audited by third party security experts to detect and prevent any intrusions.

We are committed to making sure that any funds that are entrusted to us are kept safe. While, it is impossible to be 100% secure, we believe that a strong security plan should place an emphasis on minimizing the effect of any attack, which is precisely what we have endeavored to do with the above security protocols.