The Risks of Using Crypto Portfolio Trackers
There are lots of mobile apps and websites being developed in 2018 for tracking cryptocurrency portfolios on exchanges and wallets. Many people use these unaware of the potential risks.
In this guide we go through the risks of using Crypto Portfolio Trackers, and ways to minimise them.
Before we begin, for full disclosure, we're developing our own Crypto Portfolio Tracker here, so we're incentivised to defend these types of services. In this guide we try to stay as objective as possible, listing both pros and cons.
Our goal is to acknowledge common concerns/risks with these types of services, and give suggestions on how to decrease these risks and give you a safer experience on our own tracking system.
Different types of Crypto Portfolio Tracker
To start, when we refer to a 'cryptocurrency portfolio', we mean all of the cryptocurrencies you hold. Some may be in coin wallets and some on exchanges; a 'portfolio' generally means the collection of all these coins, so a portfolio tracker is a system that keeps track of all your cryptocurrencies.
While researching this guide we came across an interesting post on Reddit here. It argues that, in theory, when many people give a tracking system lots of their holdings/trading data, the operator gains an unfair insight into what other traders are doing, potentially allowing it to use this to its advantage. For example, if it sees someone deposit a large number of coins to an exchange account, it may foresee a large sell order. This is a valid risk. On most exchanges the order book and market history are publicly available, but knowledge of when deposits have been made to exchanges is particularly risky in the hands of a large-scale tracking system with data on thousands of user exchange accounts.
There are many different ways to track a cryptocurrency portfolio, and a number of popular mobile apps and websites that offer these services - including us! Some different types of approaches, each with increasing risk and privacy/security concerns:
- Manual Entry: If you plan to buy and hold a coin for a long period of time, having a system where you can manually add how much of the coin you bought and at what price/time works well. This data would allow an app/website to work out your profit/loss. The privacy risk is that if you put in very large numbers and a malicious person sees them, they may be incentivised to try to steal your money.
- Wallet Tracking: If you plan to buy more coins over time, you may want to track a coin wallet rather than add things manually all the time. This means you'd give an app/website your public key, and using this they can work out when you deposit new money and take it into account when calculating profit/loss. This has the same privacy risks as manual entry above: if you give your public key to someone malicious, they may try to work out who you are and steal your coins (except unlike above they can know for sure how much you have).
- Exchange Tracking: Similar to wallet tracking, but if you buy and sell coins often across several exchanges, you may want to give an app/website an API key for these exchanges so it can track your activity and generate profit/loss data. This has the highest risk: it risks your privacy as with manual entry and wallet tracking, and also has potential security risks if you give write or withdrawal access to an API key.
Generally speaking, as the convenience of these tracking systems goes up, the associated privacy and security risks also go up. Below we'll go through ways to minimise these risks.
Tips to improve your privacy
Of the above methods for tracking a crypto portfolio, manual entry seems to be the most popular currently for several reasons. Unlike wallet/exchange tracking, you don't actually have to use real numbers. This post on Steemit gives some great advice on how to make your portfolio less attractive to anyone malicious, where you can for example divide all your holdings by a factor of 10 or 100. So if you own 2 Bitcoin, you'd put in 0.2 in a tracker, or 0.02. By doing this for all coins, you still know how much you have (just multiply it by 10/100 in your head when reading it), and someone malicious would see a much smaller amount so be less tempted by it.
As well as this, although some tracking apps/websites offer trading from within their platforms, most are useful just for tracking. If you don't need to make any trades from this app/website, you don't need to pass their KYC checks (Know Your Customer). This means you don't need to give them your real name or age, for example. You can put in a fake name/age if prompted to keep your identity private.
Risks of using API keys
This section will focus on exchange tracking systems via API keys, as we consider it the highest-risk method of tracking a crypto portfolio.
To begin, if you're not sure what an API key is, it's essentially an alternative way to get information on an exchange account. When you log in you enter a username and password, and potentially a two-factor code if you have it enabled. Once logged in you can do things like deposit money, trade and check your balance.
An API key is similar where you have a 'key' and a 'secret'; the key is similar to your exchange username/email address, and the 'secret' is similar to your password. Keep in mind some websites/exchanges allow full access with just a 'key', so this should be considered as private/risky as the secret.
We do mean this: an API key secret should be considered as private as a password. Never share it with anyone, and never show it publicly. On most exchanges, the combination of an API key/secret actually bypasses two-factor authentication and/or email verification, so it's even more dangerous than giving someone your password. Most exchanges will only show your secret when you first create the API key, then hide it when viewing it later on to protect your security.
Just to emphasize the risk here, see this post on what can happen if someone malicious gets access to an API key with trade & withdrawal permissions. In just a few seconds/minutes, someone very determined would potentially be able to withdraw your entire balance. See another example here where a Reddit user found someone's API key online.
There are ways to reduce this risk though. On most large exchanges you can generate more than one API key, and limit the permission each key has. For example you can limit it to just reading your balance, or just trading, or allow it full deposit/withdrawal access.
If you plan to hold coins long-term, and want to keep track of their value, the safest option is to move them to a wallet and keep track of the balance of that wallet. Regardless of how secure an exchange may seem, it's always higher risk because you don't have control of the private key associated with each coin on that exchange. In the future we'll support tracking wallets on our own portfolio tracker.
Different Types of API key & associated risks
Read-access API key
Potential risk: Could allow someone to view your balance. On some exchanges this may give access to personally-identifiable information like an account id, username, deposit addresses, etc. In a worst-case scenario this could lead to things like phishing attacks and brute-force login attempts. If this is leaked it could lead to a loss of funds if you have poor security practices, but with good security practices this risk is low.
For most crypto portfolio trackers, read-access will be sufficient.
Trade-access API key
Potential risk: Typically all risks associated with a read-access API key. This also introduces a new risk, where if someone malicious gets a trade-access API key, they could buy an over-priced coin and sell it when its price goes down. After just a few of these types of trades your balance could be decreased by 95% or more. This has a medium risk of a total loss of funds, as if this is leaked you'd have a short amount of time to disable the API key before all your funds are gone. Be very careful if this API key has access to margin trading, as the risk for this is even higher.
Deposit/Withdrawal-access API key
Risk: High risk
Potential risk: Typically all risks associated with a read-access API key. This also introduces the most serious risk on an exchange account, where if someone malicious gets this API key, they can withdraw your entire balance in a matter of seconds/minutes. Sometimes this type of API key is needed for arbitrage trading bots, but be very careful with this. On many exchanges this bypasses both two-factor authentication and email verification.
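The three key types above can be turned into a check that a tracker (or a user, before pasting a key anywhere) runs against a key's permissions. This is an added example, not code from our tracker or from any exchange; the permission labels and the assess_key function are hypothetical, and it assumes the exchange reports a key's permissions as a list of labels.

```python
# Added example. Permission labels are constructed; real exchanges name them differently.
READ, TRADE, MARGIN, WITHDRAW = "read", "trade", "margin", "withdraw"

# Map exchange-specific labels (hypothetical samples) onto the guide's key types.
ALIASES = {
    "read": READ, "view": READ, "balance": READ,
    "trade": TRADE, "spot_trade": TRADE, "orders": TRADE,
    "margin": MARGIN, "margin_trade": MARGIN,
    "withdraw": WITHDRAW, "withdrawal": WITHDRAW, "deposit": WITHDRAW,
}


def assess_key(permissions):
    """Return (tier, accept, reasons) for the permission labels on one API key."""
    scopes, reasons = set(), []
    for label in permissions:
        scope = ALIASES.get(str(label).strip().lower())
        if scope is None:
            # Fail closed: an unrecognised permission is assumed to be the worst case.
            reasons.append(f"unknown permission {label!r} treated as withdrawal access")
            scope = WITHDRAW
        scopes.add(scope)

    if WITHDRAW in scopes:
        tier = "high"
        reasons.append("key can move funds off the exchange")
    elif MARGIN in scopes:
        # The guide rates margin above plain trading; this example rounds it up to high.
        tier = "high"
        reasons.append("key can open margin positions")
    elif TRADE in scopes:
        tier = "medium"
        reasons.append("key can place trades that drain the balance")
    else:
        tier = "low"
    if READ not in scopes:
        reasons.append("no read permission, so balances cannot be tracked")

    # A tracker only needs to read balances, so accept exactly that and nothing more.
    return tier, scopes == {READ}, reasons


if __name__ == "__main__":
    for sample in (["Read"], ["read", "trade"], ["view", "withdrawal"], ["read", "futures"]):
        print(sample, assess_key(sample))
```

Only a key whose permissions reduce to read access is accepted; anything broader, or anything the check does not recognise, is rejected with the reasons listed.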
DISCLAIMER: This site cannot substitute for professional investment or financial advice, or independent factual verification. This guide is provided for general informational purposes only. Anything Crypto is UK-based and not regulated by the FCA (Financial Conduct Authority). The group of individuals writing these guides are cryptocurrency enthusiasts and investors, not financial advisors. The ideas presented are our analysis, learning & opinions on a range of cryptocurrency topics. Trading or mining any form of cryptocurrency is very high risk, so never invest money you can't afford to lose - you should be prepared to sustain a total loss of all invested money.
This website is monetised through affiliate links. Where used, we will disclose this and make no attempt to hide it. We don't endorse any affiliate services we use - and will not be liable for any damage, expense or other loss you may suffer from using any of these. Don't rush into anything, do your own research. As we write new content, we will update this disclaimer to encompass it.
Written by the Anything Crypto team
We first discovered Bitcoin in late 2016, and wanted to get everyone around us involved. But no one seemed to know what it was! We made this website to try and fix this, to get everyone up-to-speed!