
CoinsForOffice is an Add-in for MS Excel, OpenOffice and LibreOffice Calc

CoinsForOffice Add-in on your laptop

Do you already use a private spreadsheet to manage your crypto coins portfolio?

CoinsForOffice is a free and premium add-in for MS Excel, OpenOffice and LibreOffice Calc.

We have built our add-in using Java and C#. Moreover, we are using both RESTful and WebSocket protocols to achieve the best performance.

Real-time prices: Binance, Bitfinex, Gemini, GDAX…

Install CoinsForOffice on your private Windows, OS X or Linux machine and the add-in will deliver real-time prices directly into cells in your spreadsheet.

Since you can compare current prices from multiple exchanges you will be able to make more profitable decisions for your portfolio.

See the full list of supported exchanges.

Editions: Basic, Advanced, Professional & Institutional

Basic edition is free and suited for smaller portfolios.

Advanced, Professional and Institutional editions offer additional features for day-traders and fund managers.

Enable and configure read-only API keys in your exchange account(s) to get automated updates for positions and trades.

Professional and Institutional edition users can send orders to exchanges directly from their spreadsheets.

Downloads

Use this comparison: features & prices to select an edition and subscribe to notifications about upcoming releases.

Subscribe to monthly email about crypto exchanges, data feeds, APIs for automated bots, algos and trading tools:

API Key+secret vs. Name+password: Which is More Secure?


Background

At least 40 top crypto exchanges provide API access to their trading systems. For these exchanges, users can choose to access their accounts in two ways:

Manually log in to the exchange website with their username+password each time they want to access their account.

Or, users can configure their account to permit access from external applications using a set of 2 values that are specific to their account and defined by the exchange for use with the exchange API, a.k.a. the API key+secret.

On March 8th 2018, we learned that Binance was able to thwart a phishing+API attack by an unidentified individual or group.

According to reports, the attacker(s) phished out regular user credentials (name+password); then created API keys in those cracked accounts (key+secret); and finally attempted to use these API keys to execute their attack.

Binance did not detect the compromised accounts or the unauthorized creation of API keys. Instead, Binance detected unusual trading activity in its market for the target coin and then suspended all withdrawals until it was able to neutralize the attack.

The crux of the attack was that real users GAVE AWAY their own usernames & passwords to a site running on a very similar domain name. Their credentials were later used by the attackers to manually log in to accounts and configure them to be accessible via Binance’s API.

API Key+secret Is More Secure

Theoretically speaking, this attack would have been less likely if the users were accessing their accounts exclusively via the API key+secret protocol:

  • API keys are used with an endpoint domain which is almost always hardcoded in the client application. Therefore, the API domain is much less susceptible to domain-name phishing attacks than the exchange website “home” domain. Moreover, users might mistype the web domain name and end up on a phishing site by their own error, or click on a malicious link in a spam email.
  • Even if the API endpoint is compromised, the attacker cannot use the API information to hijack the actual user account on the exchange server. API-based communication uses the key-secret to sign the message cryptographically, but the key-secret value is never sent in the message in any form. Therefore, an attacker inspecting the messages between the user and the exchange is not able to reconstruct the key-secret it would need to generate “impostor” messages to make bad trades or transfer assets. On the other hand, username+password communication protocols do send the password value itself, which can be copied and stored by the attacker in the middle for later malicious use.
  • Assuming that exchanges’ own iOS and Android apps use API key+secret protocols, it is safe to say that they are more secure than accessing the accounts via exchanges’ websites.
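
The signing scheme described in the second bullet, as an added example (not code from the original post or from any exchange): a client signs an order with HMAC-SHA256 and the exchange side verifies it, rejecting a tampered order, a replayed one and a stale one. The field names, credentials, freshness window and replay cache are constructed assumptions; only the key identifier and the signature cross the wire, never the secret.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed sample credentials (not real exchange keys).
API_KEY = "example-key-id"                      # sent with each request as an identifier
API_SECRET = b"example-secret-never-transmitted"  # stays on the client and the exchange
RECV_WINDOW_MS = 5000                           # assumed freshness window

def sign_request(params: dict, secret: bytes) -> dict:
    """Client side: return the params plus an HMAC-SHA256 signature over them."""
    query = urlencode(params)
    sig = hmac.new(secret, query.encode(), hashlib.sha256).hexdigest()
    return {**params, "signature": sig}

def verify_request(api_key, signed, now_ms, secrets_db, seen) -> str:
    """Exchange side: recompute the HMAC with the stored secret and compare."""
    secret = secrets_db.get(api_key)
    if secret is None:
        return "unknown key"
    params = {k: v for k, v in signed.items() if k != "signature"}
    expected = hmac.new(secret, urlencode(params).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed.get("signature", "")):
        return "bad signature"      # any changed field invalidates the signature
    if abs(now_ms - int(params.get("timestamp", 0))) > RECV_WINDOW_MS:
        return "stale"              # captured message re-sent too late
    if signed["signature"] in seen:
        return "replay"             # captured message re-sent inside the window
    seen.add(signed["signature"])
    return "ok"

def demo() -> dict:
    secrets_db, seen = {API_KEY: API_SECRET}, set()
    order = {"symbol": "BTCUSDT", "side": "BUY", "quantity": "0.01", "timestamp": 1520500000000}
    wire = sign_request(order, API_SECRET)  # what an observer on the path would see
    results = {
        "genuine": verify_request(API_KEY, wire, 1520500000100, secrets_db, seen),
        "tampered": verify_request(API_KEY, {**wire, "quantity": "100"}, 1520500000200, secrets_db, seen),
        "replayed": verify_request(API_KEY, wire, 1520500000300, secrets_db, seen),
        "late": verify_request(API_KEY, wire, 1520500060000, secrets_db, seen),
    }
    results["secret_on_wire"] = API_SECRET.decode() in urlencode(wire)
    return results

if __name__ == "__main__":
    print(demo())
```

The signature alone does not stop a captured request from being re-sent unchanged; the timestamp window and the replay cache on the verifying side do that.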
