The first thing to do when setting up your Ethfinex account is to make sure that proper security measures are in place. Securing your Ethfinex account does not require much effort, and a couple of clicks can go a long way toward keeping your account protected.
1. Enable two-factor authentication
First, sign up using a password that is unique to your Ethfinex account, and complement it by enabling two-factor authentication. We recommend that users use Google 2FA or U2F and a password manager to assist with this. Storing a physical copy of your 2FA backup key will allow you to reset your 2FA in the event that you lose access to your phone. Take care when storing digital copies of backup keys, if you choose to do so.
These two simple security measures alone can go a long way in securing your funds and should act as the foundation for any further security configurations.
2. Whitelist withdrawal addresses
Limit withdrawals to a single whitelisted address per currency and disable withdrawals for some currencies altogether. For example, if you only trade/hold Bitcoin, whitelist your external Bitcoin address and disable withdrawals for all other addresses. This will prevent malicious actors from withdrawing your funds (to an address that isn’t yours), should your account be compromised.
When whitelisting a withdrawal address, please note that you must whitelist or disable withdrawals for all currencies for the security feature to have an effect. For example, if you leave ETH withdrawals open, someone would simply need to exchange all your funds to ETH to bypass restrictions. We only allow a single whitelisted address per currency.
3. Whitelist IP addresses
Specify one or more IP addresses that will be whitelisted. When this feature is enabled, only connections from the whitelisted addresses will be able to access the account and all connections from non-whitelisted addresses will be refused. You can provide one or more IP addresses and/or specify an IP range.
Important: You can lock yourself out of your account if you are not careful. Please be sure you are on a static IP address (most users are not) and that you fully understand this feature. If you have a dynamic IP address or need to access the account using multiple devices/locations, we would advise against this feature.
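The two checks described in sections 2 and 3 can be rehearsed offline before you change any settings. The following is an added example, not Ethfinex code or an Ethfinex API: the settings structure, the mode names and all sample values are hypothetical, and IP ranges are assumed to be written in CIDR notation.

```python
import ipaddress

# Constructed sample settings; the field names and mode values are hypothetical.
SAMPLE_WITHDRAWALS = {
    "BTC": {"mode": "whitelist", "address": "EXAMPLE-BTC-ADDRESS"},
    "ETH": {"mode": "open"},
    "USD": {"mode": "disabled"},
}
SAMPLE_ALLOWLIST = ["203.0.113.0/24", "198.51.100.7"]  # documentation ranges
SAMPLE_LOGIN_IPS = ["203.0.113.45", "198.51.100.7", "192.0.2.10"]


def open_withdrawal_currencies(withdrawals):
    """Currencies that are neither whitelisted (with an address) nor disabled."""
    open_list = []
    for currency, rule in withdrawals.items():
        mode = rule.get("mode")
        locked = mode == "disabled" or (mode == "whitelist" and rule.get("address"))
        if not locked:
            open_list.append(currency)
    return sorted(open_list)


def refused_ips(allowlist, login_ips):
    """Login IPs that match no allowlist entry (single address or CIDR range)."""
    networks = [ipaddress.ip_network(entry, strict=False) for entry in allowlist]
    return [ip for ip in login_ips
            if not any(ipaddress.ip_address(ip) in net for net in networks)]


def audit(withdrawals, allowlist, login_ips):
    """Return human-readable findings for both checks."""
    findings = []
    for currency in open_withdrawal_currencies(withdrawals):
        findings.append(f"{currency}: withdrawals open, funds can be converted "
                        f"to {currency} and withdrawn to any address")
    for ip in refused_ips(allowlist, login_ips):
        findings.append(f"{ip}: not covered by the IP whitelist, "
                        f"logins from it would be refused")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_WITHDRAWALS, SAMPLE_ALLOWLIST, SAMPLE_LOGIN_IPS):
        print(line)
```

An empty result means every currency is either whitelisted or disabled and every address you normally log in from is covered by the whitelist.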
4. Lock withdrawals for new IP addresses
Temporarily disable withdrawals whenever a new IP address is detected. When a previously unused IP address is used, withdrawals will be disabled for 24 hours. If you have a dynamic IP address you should not enable this option as it will result in a new withdrawal hold being put in place every time a new IP address is used to access the account.
5. Set up a withdrawal confirmation phrase
Add a secret confirmation phrase to the withdrawal confirmation image to ensure that your withdrawal details have not been tampered with or compromised by malware, malicious actors or man-in-the-middle attacks.
6. Disable ‘Keep Session Alive’
‘Keep Session Alive’ is a feature put in place to allow traders to remain logged in during long trading sessions. While it is helpful if you maintain control of your device, it can bring unnecessary risk when using a public or shared computer. Disabling this feature will ensure that you are logged out after 30 minutes of inactivity.
In addition to the steps above, we highly recommend that users store all funds that are not needed for trading or funding in an offline wallet for which you possess full control of the private key. Avoid accessing Ethfinex on a rooted (i.e. jailbroken) device or public Wi-Fi. Lastly, protect your computer. Make sure that your software is up to date and routinely use antivirus and malware protection to scan your devices.
When using cryptocurrency-related services, it is imperative that you take certain precautionary measures. Type in domains yourself (as opposed to clicking links) or bookmark trusted sites. Do not disclose sensitive account information to anyone (including Ethfinex staff) and do not open attachments from suspicious sources.