Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  • Use TOTP as a 2FA tool (e.g. Google Authenticator or FreeOTP)

  • Enforce the password policies established above.

  • Update and use the latest browser version to avoid known browser vulnerabilities.

  • Enforce the password policies established above.

  • Example Google Policy. Notice that policy prohibits using SMS or phone calls that are vulnerable to SIM swap attacks.

    • Image Added

Secure your Funds

  • Keep the majority of your coins in a Cold Wallet (e.g. a Trezor wallet that is not connected to the Internet, or in an Exchange’s “vault” which requires special permissions & delays to access.

  • Setup limits on your Hot Wallet. Set withdrawal thresholds on the Hot Wallet.

    • When a request is sent to your wallet to transfer more than $2000 USD to a single address?

    • Something is wrong and your Hot Wallet should shut down until the action is reviewed.

    • e.g. see Bitgo’s Hot Wallet features.

  • Keep your Hot Wallet’s balance as low as possible and refill it from your Cold Wallet multiple times per day -or- have a second Warm Wallet for manual refills (by a known person from a dedicated IP address).

    • This is a task your ATM business should never automate (or make easy).

    • Keep only an amount in your Hot Wallet that you are comfortable losing.

  • Use the CAS Hot Wallet balance notifications to be notified when:

  • Generate Exchange/Hot Wallet API keys for your production server only.

    • Don’t store them anywhere else.

    • Don’t even put them on a test server - otherwise they may be discovered by an attacker and used.

  • Delete or disable any Exchange/Hot Wallet API keys when they are no longer in use.

  • Whitelist only your CAS server IP in your Hot Wallet settings (where supported).

    • You don’t want anyone else to be sending commands to your Hot Wallet.