The Bitfinex Security team is continually improving our end-to-end security measures, improving auditing processes, and reducing the attack surface of our infrastructure.
The security of your account is determined by two factors:
- Platform security measures;
- Individual user account security measures.
Platform security measures
Platform security are measures implemented by the Bitfinex platform to protect funds and other sensitive information from malicious actors.
Cold Wallet
A cold wallet, also known as an offline wallet, is a wallet that is not linked to the internet and so has a much lower risk of being compromised.
Our cold storage holds about 99.5% of user funds in an offline, multisignature wallet, which requires the approval of all transactions via three of five hardware security modules (HSMs) held by internationally scattered management team members.
In the unlikely event, that one of the management members is compromised and forced to log into the platform, a single HSM would not be enough to initiate the transfer of funds.
Acquiring a sufficient number of these devices to enable cold storage access is nearly impossible.
Hot Wallet
A hot wallet is a virtual currency wallet that is accessible through the internet and facilitates cryptocurrency transactions.
Our hot wallet keeps only the amounts required to complete withdrawals in the queue, which is around 0.5% of total funds. To replenish the hot wallet, a transfer from the cold wallet to the hot wallet must be initiated by four of the seven HSMs.
Data Structure
Bitfinex migrated to a new data server and our expanded security team performed a comprehensive audit of our entire stack, including a deep analysis of all source code and dependencies.
DDoS Protection
A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt regular traffic to a targeted server, service, or network by flooding the target or its surrounding infrastructure with Internet traffic.
On Bitfinex, DDoS prevention includes the following:
- Intelligent load balancing and failover routing among servers to increase performance;
- Real-time malicious traffic detection blocks malicious server requests;
- Automatic inline mitigation measures decrease latency and increase uptime;
- Leading privacy and performance through encrypted connections with HTTPS TLS 1.3.
Standard Procedure
Penetration testing is performed on a regular basis to ensure that our systems remain secure against an infinite number of attack scenarios.
- Always up-to-date Linux systems to host the platform;
- Daily Automatic Encrypted Database Backups to multiple off-site locations
- Encrypted user password storage
Bitfinex's security team continues to audit protocol implementation at all levels of the platform in order to maintain a fundamentally hostile environment for an incursion. In addition, the security team conducts routine external security audits.
System and Organisation Controls 2 Type 1 Compliance
Bitfinex has completed the System Organisation Control (SOC) 2 Audit Type 1, the first phase of the highest level of security compliance an organisation can demonstrate. The executed audit declares that Bitfinex's information security practices, policies, procedures and operations meet the following SOC 2 Trust Service Principles: security, availability and confidentiality.
For more information, please see our dedicated article: Bitfinex has completed the SOC 2 Type 1 Compliance.
Individual user account security measures
Bitfinex offers a robust suite of user-defined security measures. The following actions can be taken to protect your account.
Note: Your account is only as secure as the safeguards you implement.
Fulfilling some of these measures does not just significantly increase personal security, but also reduce the number of confirmations required for cryptocurrency deposits, and prioritize withdrawals via automatic processing. We encourage you to review our Greenlane Conditions. You can access your Security page here.
Two-Factor Authentication (2FA)
Enabling the Two-Factor Authentication (2FA) is required before you will be able to operate your account.
You can implement the following mechanisms of the 2FA:
- Google Authenticator (on Android and iOS devices)
- Physical Security Key using FIDO Universal 2nd Factor (U2F)
Enabling the 2FA adds a layer of protection between an attacker and withdrawal confirmations, password changes, API key creation, and logins.
When you create your account, it is mandatory for you to enable Two-Factor Authentication (2FA). If you skip this step during your account setup, you will still be required to enable the 2FA in order to access your Bitfinex account features.
Important: Twilio's SMS 2FA service, which was formerly available, is no longer supported on Bitfinex. If you have access to your SMS 2FA you can disable it by going to your Security page and start using the other two forms of the Two-Factor Authentication we support for your account's security. If you need to reset your 2FA, follow the steps in the article How to reset a 2FA at Bitfinex.
Keep Session Alive
When logged in and inactive, the browser will ping the platform every 10 minutes to maintain the session. If this option is deactivated, the session will terminate after 30 minutes of inactivity and the user's account will be logged out automatically.
This prevents the session from being hijacked.
Send Email on Login
Each time there is a sign in into your account, you'll receive an email notification. The email will include the authenticated user's IP address and a link to suspend your account if you suspect nefarious behaviour.
Detect IP Address Change
If the IP address used to access your account changes on any request, all existing sessions will be immediately invalidated, and the account will be logged out automatically.
This prevents the hijacking of the session.
IP Address Whitelist
Restriction of account access based on IP address. You can whitelist a single or several IP addresses, as well as an IP range. Anyone who does not have access to the whitelisted IP addresses is refused access to the account.
Login History
Each login to your account is kept and can be manually examined.
To view the login history, go to Manage Account > Report and then pick Login from the right side menu.
API Key Permissions
On a per-feature basis, create API keys with advanced read/write permissions.
Email Encryption with OpenPGP
Pretty Good Privacy (PGP) is a data encryption and decryption application that provides cryptographic privacy and correspondence authentication. It employs a variant of the public key system.
Enabling this option will encrypt all outgoing Bitfinex admin emails for your account using your public key.
Monitor Withdrawals by IP
If a withdrawal is requested from a new IP address, Greenlane account holders will receive an email requesting that the withdrawal be reviewed and verified.
Note: The suspicion period for IP changes is 24 hours.
If your account is not Greenlane, you will be receiving email confirmations on any withdrawal request. You can learn more about Greenlane here.
Lock withdrawals for 24 hours when a new IP address is used
When a new IP address is used to log into an account, all withdrawals are restricted for 24 hours if you enable this feature you will be notified through email with a link to freeze the account for activity review.
Custom Withdrawal Check
By default, a tamper-proof image will be displayed when making a withdrawal request. But by adding a custom message you can enhance the withdrawal confirmation image with a secret phrase. When activated, you will see a tamper-proof picture that contains the secret phrase and validates the specifics of a withdrawal.
This additional layer of protection ensures that your withdrawal information is not compromised as a result of malware or a man-in-the-middle attack.
Lock/Disable Withdrawal Addresses
Create one or more unique withdrawal address(es) for each currency or disable withdrawals entirely for a currency. Changing or disabling the address lock needs email confirmation and initiates an automated five-day withdrawal hold on the account.
Suspicious activity detection
Suspicious activity detection is both automated by our security infrastructure and manually reviewed by our security team. This process involves the user’s participation by reviewing activities such as password resets, 2FA removal requests, geolocation, and user hardware/software specifics.
Our security team monitors activity patterns and recognizes deviations that could significantly change the status of account balances for a user, such as withdrawal requests for entire accounts, requests to change usernames, associated email addresses, and withdrawal addresses.
These methods are not meant to impose restrictions on account activity; rather, they are intended to serve as additional safeguards while users interact with the Bitfinex platform.
Important: You can also review Bitfinex Security Policy for further information.
If you have any questions regarding your account security feel free to contact Bitfinex Support for assistance.
