Account security

We, as part of B2BinPay, provide KYC and AML built-in security and notification systems. However, it is your responsibility to take steps to protect your accounts.

We recommend that you use the two-factor authentication. This means that login process will additionally require a unique one-time 2FA verification code. To view options and enable 2FA, refer to How to enable 2FA.

You can grant or restrict access to your wallet to other people: for example, to the members of your team or company employees.

To get information about granting access to a new user, refer to How to grant access to your wallet; for more information about restricting access to your wallet, refer to How to restrict access to your wallet.

Access to the wallet is granted in accordance with the user roles. All users of the B2BinPay system should be assigned certain roles, and the first registered user is automatically assigned the Owner and Admin roles when creating a new wallet. The user with the Owner role cannot be assigned other roles.

You can manage users access rights for a selected wallet in the Access list section after the wallet has been created. A user added to the wallet from the Access list section is assigned the Read only role by default.

To see the list of all your wallets and users who have access to them, manage rights for the users, view users logs or delete a user, navigate to the Access list section.

Important

Be very careful while granting access to your wallets and make sure the person you are granting access to is reliable.

Be aware that restricting access to a wallet is a safe but not the ultimate way to protect your account. That is why we strongly recommend that you follow all the instructions from the Account security section. We also recommend that you carefully read the Managing account section of our How-to articles and make sure that all users who have access to your wallets with any role assigned, have strong passwords and 2FA enabled.

The user with the Admin or Owner role has an API access. API credentials are sent to the owner’s email after registration in B2BinPay. For more details on configuring access to API, refer to How to manage API access.

To get more information about keeping your account safe, refer to Methods to protect your account.

Methods to protect your account

Make sure everyone in your team follows these general security guidelines:

  1. Use strong passwords that consists of a combination of uppercase and lowercase letters, numbers and special symbols. We recommend that you use password managers. Refer to How to change your password for more information.

  2. Never give your password to anyone.

  3. Enable 2FA.

Important

We strongly recommend that you enable 2FA, since it provides better protection for your account. 2FA is a uniquely generated code that you should enter after entering your login and password. The code can be used only once and should be entered before it expires.

You can use either your email or Google Authenticator for receiving 2FA verification codes. We recommend the latter as it is more reliable, and it will be more difficult for attackers to gain access to your device than to your email. However, remember that if you lose your device or forget the secret code, you will lose the access to your account. To restore the access, you will have to address your account and provide all the necessary documents to verify your identity. Refer to How to enable 2FA for more information.

To get better protection for your account, do the following:

Regenerate API keys after the integration is successfully completed

API keys are sent to your email after registration in the system. If you share these keys with the developers, make sure to regenerate the keys after setup to reset the access. Refer to How to manage API access for more information.

Manage access rights carefully

Make sure that your users have access only to those wallets and operations that are necessary for completing their tasks. Use Withdrawals with approval option. Refer to How to grant access to your wallet for a description of user roles management.

Specify IP white list for API operations

Make sure to set the notification addresses for each wallet and white list of IP addresses. For more details about white list of IP addresses, refer to How to restrict access by IP.

Important

We strongly recommend that you manage access to your wallet and configure API access immediately after your wallet is created and before you deposit funds to your wallet.

We also recommend the following:

  • Specify white list of IP addresses not only for API operations, but also for accessing the system interface. You can specify separate IP addresses or subnet mask (for example, of your office). The specified IP addresses should be static, not dynamic! Refer to How to restrict access by IP for more information.

  • Enable notifications for each wallet to receive notifications about all operations with the wallet and find out about suspicious transactions as quickly as possible. Refer to the Wallet settings section of the Interface Guide for more information about notifications enabling.

What to do if you suspect your account has been hacked

  1. Change your password as soon as possible.

Password changing takes some time in the system. If you use Google Authenticator, switch it off and on to receive a new 2FA verification code.

  1. Reset access rights and IP white lists.

At least for a while, assign Read only or Withdrawals with approval role to all users who have access to wallets. Limit the list of IP addresses from which access to the system interfaces is allowed.

  1. Inform your account manager about suspicious operations or activity.