Security best practices

A trading account is a juicy target. These are the steps we actually recommend — not a generic compliance list.

Use a unique password

The email address you use for TMIYC is almost certainly the same one you use for your exchange account. If either leaks from an unrelated breach, you want the attacker to hit a wall at password #1. Use a password manager (1Password, Bitwarden) and a password that you use only for TMIYC.

Enable 2FA immediately

Settings → Security → Enable 2FA. TOTP only (not SMS — SIM-swap is a real and common attack). Supported apps: Google Authenticator, Aegis, Raivo, 1Password, Bitwarden.

Save the ten recovery codes offline. Print them, or copy them into your password manager's "secure note" field. You will regret not doing this.

Whitelist IPs on exchange keys

Every API key you give to TMIYC should be IP-locked to our executor host (95.85.237.203). Exchange dashboards bury this option a few clicks deep, but it reduces the blast radius of a leaked key to zero — the key won't authenticate from anywhere else.

Never enable withdrawal permissions

Our live executor refuses to start against a key with withdraw rights. This is deliberate: even if an attacker compromises our own infrastructure, they can't pull your balance off Bybit or Binance. Keep it that way.
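A pre-flight check you can run over your own key settings before handing a key over, covering both the IP-lock and no-withdrawal rules above. This is an added example, not TMIYC's executor code; the `permissions` / `ip_allowlist` record shape is a hypothetical normalized form, so map each exchange's own key-info output into it.

```python
import ipaddress

# Executor host named in this article.
EXECUTOR_IP = ipaddress.ip_address("95.85.237.203")


def audit_key(meta):
    """Return a list of findings; an empty list means both rules hold."""
    findings = []
    # Hypothetical normalized shape: "permissions" and "ip_allowlist" lists.
    perms = {p.lower() for p in meta.get("permissions", [])}
    if "withdraw" in perms:
        findings.append("withdraw permission enabled")

    allowlist = meta.get("ip_allowlist", [])
    if not allowlist:
        findings.append("no IP restriction")
    covered = False
    for entry in allowlist:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            # Wildcards such as "*" are not a restriction at all.
            findings.append(f"unparseable allowlist entry: {entry}")
            continue
        if EXECUTOR_IP in net:
            covered = True
        # Anything other than the executor's single address admits other hosts.
        if net.num_addresses != 1 or EXECUTOR_IP not in net:
            findings.append(f"allowlist entry admits other hosts: {entry}")
    if allowlist and not covered:
        findings.append("executor host not in allowlist")
    return findings


# Constructed sample records, not real exchange output.
SAMPLES = {
    "locked-down": {"permissions": ["read", "trade"],
                    "ip_allowlist": ["95.85.237.203"]},
    "withdraw-open": {"permissions": ["read", "trade", "withdraw"],
                      "ip_allowlist": []},
    "wide-cidr": {"permissions": ["read", "trade"],
                  "ip_allowlist": ["95.85.237.0/24"]},
}

if __name__ == "__main__":
    for name, meta in SAMPLES.items():
        print(name, audit_key(meta) or "OK")
```

A key passes only when its allowlist is exactly the executor's single address; a wider CIDR range that happens to contain it is still reported.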

Review sessions regularly

Settings → Security → Active sessions. We list the last 20 with device class, user agent, IP hash, and last-seen timestamp. If you see a session you don't recognise, click Revoke and change your password.

Turn on login alerts

Settings → Security → Login alerts. You'll get a Telegram or email ping whenever a new device class (desktop / mobile / tablet) signs in. The false-positive rate is low because you rarely switch device classes.

Don't click odd links in DMs

There are no "TMIYC support" accounts on Telegram outside the ones linked on our official domain. Anyone DMing you first claiming to be us is lying. We will never ask for your password, your 2FA secret, or your recovery codes.

Keep a paper trail

The tmiyc-api logs every login, every session mint, every key rotation. If something feels off, open a support ticket and ask us to pull your audit log — we can walk you through it.