Bitcoin Forum
November 21, 2017, 06:11:24 PM *
News: Latest stable version of Bitcoin Core: 0.15.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: Keeping bitcoins secure in hot wallet/ prevent getting hacked  (Read 1115 times)
gravitate
Legendary
*
Offline Offline

Activity: 1372


View Profile
February 25, 2016, 08:20:42 AM
 #1

I am opening a bitcoin related site where you can buy bitcoins for Fiat.

I am thinking about using coinbase API to do this.

But how can I keep my assets secure? I mean if I allow my web app to use coinbase API to buy and send bitcoins (if thats even possible)

Then how do I prevent getting hacked?

Im a  noob to all this and paying someone to build the web app for me.

Any advice for security would be great really anything.

To peel or not to peel.
1511287884
Hero Member
*
Offline Offline

Posts: 1511287884

View Profile Personal Message (Offline)

Ignore
1511287884
Reply with quote  #2

1511287884
Report to moderator
Join ICO Now Coinlancer is Disrupting the Freelance marketplace!
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1511287884
Hero Member
*
Offline Offline

Posts: 1511287884

View Profile Personal Message (Offline)

Ignore
1511287884
Reply with quote  #2

1511287884
Report to moderator
OmegaStarScream
Staff
Legendary
*
Offline Offline

Activity: 1106



View Profile
February 25, 2016, 08:31:43 AM
 #2

So It will be for buying/selling which means that you will store the bitcoins in the website , don't do what the other website does , you should give full control of private keys to users and you shouldn't store their passwords/seeds or anything related to their wallets in your database , only wallet.dat should be stored there (But it's useless since you don't have their passwords) , that way , If you get hacked ... they can't do much (they can always try to crack them) but if they are Physical servers guarded like Blockchain.info , there is nothing to worry about .

Emerge
Hero Member
*****
Offline Offline

Activity: 742



View Profile
February 25, 2016, 10:55:39 AM
 #3

So It will be for buying/selling which means that you will store the bitcoins in the website , don't do what the other website does , you should give full control of private keys to users and you shouldn't store their passwords/seeds or anything related to their wallets in your database , only wallet.dat should be stored there (But it's useless since you don't have their passwords) , that way , If you get hacked ... they can't do much (they can always try to crack them) but if they are Physical servers guarded like Blockchain.info , there is nothing to worry about .

I don't think gravitate will store any Bitcoins in the website since the Bitcoins ARE stored in COINBASE
as he said above..

OmegaStarScream
Staff
Legendary
*
Offline Offline

Activity: 1106



View Profile
February 25, 2016, 11:53:41 AM
 #4

So It will be for buying/selling which means that you will store the bitcoins in the website , don't do what the other website does , you should give full control of private keys to users and you shouldn't store their passwords/seeds or anything related to their wallets in your database , only wallet.dat should be stored there (But it's useless since you don't have their passwords) , that way , If you get hacked ... they can't do much (they can always try to crack them) but if they are Physical servers guarded like Blockchain.info , there is nothing to worry about .

I don't think gravitate will store any Bitcoins in the website since the Bitcoins ARE stored in COINBASE
as he said above..

He said buying and send using Coinbase ,that doesn't mean It should be stored in Coinbase , does it ?
If it's the case then why worrying about getting hacked since all the Bitcoin are stored at Coinbase . If they gets hacked ,he get hacked otherwise nothing happens to the coins .

gravitate
Legendary
*
Offline Offline

Activity: 1372


View Profile
February 25, 2016, 12:00:35 PM
 #5

So It will be for buying/selling which means that you will store the bitcoins in the website , don't do what the other website does , you should give full control of private keys to users and you shouldn't store their passwords/seeds or anything related to their wallets in your database , only wallet.dat should be stored there (But it's useless since you don't have their passwords) , that way , If you get hacked ... they can't do much (they can always try to crack them) but if they are Physical servers guarded like Blockchain.info , there is nothing to worry about .

I don't think gravitate will store any Bitcoins in the website since the Bitcoins ARE stored in COINBASE
as he said above..

He said buying and send using Coinbase ,that doesn't mean It should be stored in Coinbase , does it ?
If it's the case then why worrying about getting hacked since all the Bitcoin are stored at Coinbase . If they gets hacked ,he get hacked otherwise nothing happens to the coins .

I will be using API of coinbase.. Is there anything to prevent someone hacking my web app and using the API to withdraw bitcoins? Or is it safer to use hot/ cold wallets on my web app and use coinbase to buy as and when?

I hope I make sense

To peel or not to peel.
Emerge
Hero Member
*****
Offline Offline

Activity: 742



View Profile
February 25, 2016, 12:07:30 PM
 #6

So It will be for buying/selling which means that you will store the bitcoins in the website , don't do what the other website does , you should give full control of private keys to users and you shouldn't store their passwords/seeds or anything related to their wallets in your database , only wallet.dat should be stored there (But it's useless since you don't have their passwords) , that way , If you get hacked ... they can't do much (they can always try to crack them) but if they are Physical servers guarded like Blockchain.info , there is nothing to worry about .

I don't think gravitate will store any Bitcoins in the website since the Bitcoins ARE stored in COINBASE
as he said above..

He said buying and send using Coinbase ,that doesn't mean It should be stored in Coinbase , does it ?
If it's the case then why worrying about getting hacked since all the Bitcoin are stored at Coinbase . If they gets hacked ,he get hacked otherwise nothing happens to the coins .

I will be using API of coinbase.. Is there anything to prevent someone hacking my web app and using the API to withdraw bitcoins? Or is it safer to use hot/ cold wallets on my web app and use coinbase to buy as and when?

I hope I make sense


It depends on how you use the API, if you show your details too much in your use of the API, then it will be seen and may be used against you

gravitate
Legendary
*
Offline Offline

Activity: 1372


View Profile
February 25, 2016, 12:11:25 PM
 #7

Are there any consultants who would help with this? I dont mid paying a small fee I just want them to do a frame work for my DEV to work to. My DEV is outstanding just not enough block chain tech experience as I would have liked

To peel or not to peel.
OmegaStarScream
Staff
Legendary
*
Offline Offline

Activity: 1106



View Profile
February 25, 2016, 12:15:20 PM
 #8

So It will be for buying/selling which means that you will store the bitcoins in the website , don't do what the other website does , you should give full control of private keys to users and you shouldn't store their passwords/seeds or anything related to their wallets in your database , only wallet.dat should be stored there (But it's useless since you don't have their passwords) , that way , If you get hacked ... they can't do much (they can always try to crack them) but if they are Physical servers guarded like Blockchain.info , there is nothing to worry about .

I don't think gravitate will store any Bitcoins in the website since the Bitcoins ARE stored in COINBASE
as he said above..

He said buying and send using Coinbase ,that doesn't mean It should be stored in Coinbase , does it ?
If it's the case then why worrying about getting hacked since all the Bitcoin are stored at Coinbase . If they gets hacked ,he get hacked otherwise nothing happens to the coins .

I will be using API of coinbase.. Is there anything to prevent someone hacking my web app and using the API to withdraw bitcoins? Or is it safer to use hot/ cold wallets on my web app and use coinbase to buy as and when?

I hope I make sense


I'm not getting something ,when you said people will buy Bitcoins for fiat , that bitcoin will go directly to their personal wallets (Electrum , Bitcoin Core etc ....) or their wallets in your website ? If it's the second one then read the post above .
Now if It goes directly to their wallets , users won't be really affected by the hack but you will if you don't take the needed security measures .
If you are looking for professional developers , I'd suggest looking at oDesk or Freelancer.com .

gravitate
Legendary
*
Offline Offline

Activity: 1372


View Profile
February 25, 2016, 12:37:09 PM
 #9

They will be stored on the web site

To peel or not to peel.
gravitate
Legendary
*
Offline Offline

Activity: 1372


View Profile
February 25, 2016, 12:37:43 PM
 #10

They will be stored on the web site


Until they withdraw. So they will have a wallet online with us.

To peel or not to peel.
Emerge
Hero Member
*****
Offline Offline

Activity: 742



View Profile
February 25, 2016, 12:43:01 PM
 #11

They will be stored on the web site


Until they withdraw. So they will have a wallet online with us.

Not really, the Bitcoins are still stored at CoinBase. Meaning as long as the end user doesn't see your API Key, your authentication details, then you're safe.

gravitate
Legendary
*
Offline Offline

Activity: 1372


View Profile
February 25, 2016, 12:48:20 PM
 #12

They will be stored on the web site


Until they withdraw. So they will have a wallet online with us.

Not really, the Bitcoins are still stored at CoinBase. Meaning as long as the end user doesn't see your API Key, your authentication details, then you're safe.

Users will come on our site and create a wallet. They then buy bitcoins from us and pay FIAT. We then buy from coinbase and fund their site wallet with BTC. Then they can withdraw the bitcoin to where ever they wish. Or is there a better way to do it?

To peel or not to peel.
Emerge
Hero Member
*****
Offline Offline

Activity: 742



View Profile
February 25, 2016, 01:24:55 PM
 #13

They will be stored on the web site


Until they withdraw. So they will have a wallet online with us.

Not really, the Bitcoins are still stored at CoinBase. Meaning as long as the end user doesn't see your API Key, your authentication details, then you're safe.

Users will come on our site and create a wallet. They then buy bitcoins from us and pay FIAT. We then buy from coinbase and fund their site wallet with BTC. Then they can withdraw the bitcoin to where ever they wish. Or is there a better way to do it?

You can just send Bitcoins directly to their wallet so you'll save time, but there's always the danger of charge-backs.

gravitate
Legendary
*
Offline Offline

Activity: 1372


View Profile
February 25, 2016, 01:49:40 PM
 #14

They will be stored on the web site


Until they withdraw. So they will have a wallet online with us.

Not really, the Bitcoins are still stored at CoinBase. Meaning as long as the end user doesn't see your API Key, your authentication details, then you're safe.

Users will come on our site and create a wallet. They then buy bitcoins from us and pay FIAT. We then buy from coinbase and fund their site wallet with BTC. Then they can withdraw the bitcoin to where ever they wish. Or is there a better way to do it?

You can just send Bitcoins directly to their wallet so you'll save time, but there's always the danger of charge-backs.

Yup thats why Im gonna do bank transfer.

To peel or not to peel.
Mitchell
Moderator
Legendary
*
Offline Offline

Activity: 1624


Verified awesomeness ✔


View Profile WWW
February 25, 2016, 01:57:41 PM
 #15

Quote
I will be using API of coinbase.. Is there anything to prevent someone hacking my web app
If your web app gets hacked, you are fucked. To access the Coinbase API you will have to store something on your webserver so that the web app can proof that it has access to your account and is allowed to do transactions/buy bitcoins/etc. As soon as someone gains access to your web app, they can steal that information and use it to do API calls themselves. You could obfuscate the code, but that doesn't make it harder, just more time consuming.




I would highly recommend you to not create an exchange website if you have no idea how to keep it secure. Letting someone else program it is also quite a gamble if you don't have programming experience. Who's to say that they don't include a little loophole so they can rob you later on.

EDIT: Yes, I know this is a pretty negative reaction, but I'm trying to get you to understand the risks of using an API for money related services. For faucets it's usually okay as they don't hold a lot of money, but an exchange service is a different story. I would probably setup a Bitcoin full node and use that to do Bitcoin transactions (either using customers Bitcoins or my own).

Anyway, I don't know enough about this subject to give a good opinion, so I'll shut up now.


▄██████████████████
███████████████████
███████████████████
█████████████████
███████████████
████████████████
████████████████
█████████████████
███████████████████
████████████████████
█████████████████████
▀████████████████████
Bazista®
██ █  ██ ██
██   ██  ██
██  ██   ██
██ ██  █ ██
██ █  ██ ██
██   ██  ██
██  ██   ██
██ ██  █ ██
██ █  ██ ██
██   ██  ██
██  ██   ██
██ ██  █ ██

██ █  ██ ██
██   ██  ██
██  ██   ██
██ ██  █ ██
██ █  ██ ██
██   ██  ██
██  ██   ██
██ ██  █ ██
██ █  ██ ██
██   ██  ██
██  ██   ██
██ ██  █ ██
|||
gravitate
Legendary
*
Offline Offline

Activity: 1372


View Profile
February 25, 2016, 02:14:49 PM
 #16

Quote
I will be using API of coinbase.. Is there anything to prevent someone hacking my web app
If your web app gets hacked, you are fucked. To access the Coinbase API you will have to store something on your webserver so that the web app can proof that it has access to your account and is allowed to do transactions/buy bitcoins/etc. As soon as someone gains access to your web app, they can steal that information and use it to do API calls themselves. You could obfuscate the code, but that doesn't make it harder, just more time consuming.




I would highly recommend you to not create an exchange website if you have no idea how to keep it secure. Letting someone else program it is also quite a gamble if you don't have programming experience. Who's to say that they don't include a little loophole so they can rob you later on.

EDIT: Yes, I know this is a pretty negative reaction, but I'm trying to get you to understand the risks of using an API for money related services. For faucets it's usually okay as they don't hold a lot of money, but an exchange service is a different story. I would probably setup a Bitcoin full node and use that to do Bitcoin transactions (either using customers Bitcoins or my own).

Anyway, I don't know enough about this subject to give a good opinion, so I'll shut up now.

Hey YEs I understand the risks. After the answers I am going to make it much more simplified like www.bittylicious.com

I know little bits of CODE. Also I would have someone look through the site to check for this kind of loop hole.

Thanks for the advice Smiley

To peel or not to peel.
gravitate
Legendary
*
Offline Offline

Activity: 1372


View Profile
February 25, 2016, 03:35:35 PM
 #17

Actually I have decided to make it a live process so I hold all the bitcoins and I receive payments.

For now. then I might automate it in the future. I will automate it with multibit so when an order comes in I just check my account balance and send the bitcoins... I can create a bot to do this for my mac I guess?

If I created a Bot to check my bank account and send bitcoins based on this and an order do you think this holds a risk also?


I want to sell ETH too as I am hooked on it with all the price fluctuation Smiley

To peel or not to peel.
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!