Crypto Exchange Security: How to Stay Safe (2026)

The Threat Landscape

Understanding what you’re protecting against helps you prioritize:

Account compromise: Attacker gains access to your exchange account through stolen passwords, phishing, or session hijacking. They withdraw your funds.

SIM swap attack: Attacker convinces your mobile carrier to transfer your phone number to their SIM card. They then reset your account passwords and disable SMS 2FA.

Phishing: Fake emails, websites, or messages trick you into entering your credentials on a fraudulent site, or into approving a malicious transaction.

Malware: Keyloggers, clipboard hijackers, or browser extensions steal credentials or replace copied wallet addresses with attacker addresses.

Social engineering: Attackers impersonate exchange support staff, cryptocurrency projects, or other trusted parties to manipulate you into revealing information or sending funds.

The most common attack vector is not sophisticated technical hacking — it’s exploiting user behavior: weak passwords, SMS 2FA, phishing links, or credentials reused from breached websites.


Step 1: Enable Two-Factor Authentication (The Right Kind)

Two-factor authentication (2FA) adds a second layer of verification beyond your password. But not all 2FA is equal.

TOTP Authentication Apps (Recommended)

Time-based One-Time Password (TOTP) apps generate 6-digit codes that change every 30 seconds. The codes are computed on your device from a secret that is shared once, at setup (the QR code), and that secret never leaves the device afterwards. The code you type is still sent to the exchange, so TOTP does not stop a phishing site that relays your code in real time; it does stop an attacker who has only your password, or who has taken over your phone number.

Recommended apps:

  • Google Authenticator — simple, widely compatible
  • Authy — adds encrypted cloud backup of your 2FA secrets (good if you lose your phone)
  • Microsoft Authenticator — Microsoft’s equivalent, works well

How to enable on most exchanges:

  • Go to Account > Security > Two-Factor Authentication
  • Select “Authenticator App” (not SMS)
  • Scan the QR code with your authenticator app
  • Enter the 6-digit code to verify setup
  • Save the backup key shown during setup — write it on paper and keep it in a secure physical location

The backup key is crucial. It is the same secret the QR code encoded, so anyone who holds it can generate your codes; guard it like a password. If you lose your phone, the backup key lets you restore your 2FA codes. Without it, recovering access to your account requires identity verification with the exchange’s support team — a slow, frustrating process.
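To make concrete what the backup key actually is, here is an added example (not code from the original article, and not any exchange’s or authenticator app’s code) that implements RFC 6238 TOTP in plain Python from a base32 backup key. The key used is the RFC 6238 reference secret, a constructed stand-in for the key an exchange would show you; the names `totp`, `verify_totp` and `decode_backup_key` are this example’s own. Anyone who can run this against your real backup key has your second factor.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 reference secret ("12345678901234567890" encoded in base32), used here
# as a constructed stand-in for the backup key an exchange shows at setup.
EXAMPLE_BACKUP_KEY = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"


def decode_backup_key(backup_key: str) -> bytes:
    """Turn the base32 backup key (spaces optional, '=' padding optional) into raw bytes."""
    clean = backup_key.replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


def totp(backup_key: str, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, then dynamic truncation."""
    key = decode_backup_key(backup_key)
    counter = int((time.time() if at is None else at) // step)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                  # low nibble picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"                  # keep leading zeros


def verify_totp(backup_key: str, submitted: str, at: Optional[float] = None,
                window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the current code or one step either side for clock drift.
    Uses a constant-time comparison so timing does not leak how many digits matched."""
    now = time.time() if at is None else at
    for drift in range(-window, window + 1):
        expected = totp(backup_key, at=now + drift * step, step=step, digits=len(submitted))
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    print("code right now:", totp(EXAMPLE_BACKUP_KEY))
    # RFC 6238 test vector: at T=59 the SHA-1 code is 94287082, i.e. 287082 as six digits
    print("code at T=59:", totp(EXAMPLE_BACKUP_KEY, at=59))
```

The drift window is why a code typed a few seconds after it rolled over is still accepted; it is also why a relayed code stays valid long enough for a real-time phishing site to use it, which hardware keys (below) avoid.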

SMS 2FA (Not Recommended)

SMS 2FA sends a code to your phone via text message. This seems secure, but it’s vulnerable to SIM swap attacks, where an attacker ports your number to a SIM they control.

SIM swap attacks are disturbingly easy. Attackers call mobile carriers with basic personal information (often purchased from data brokers or obtained via social media) and successfully port phone numbers with alarming frequency. Once they have your number, every SMS code and password-reset text goes to them, so they can reset passwords and pass SMS 2FA.

If an exchange only offers SMS 2FA, accept it as better than nothing. But if you have the choice, always use an authenticator app. Whatever you use, ask your carrier for a port-out PIN or account lock, so that transferring your number requires a code the attacker does not have.

Hardware Security Keys (Advanced)

Physical security keys (YubiKey, Google Titan Key) provide the strongest 2FA available. Plugging in the key and tapping it completes authentication — no codes to type or intercept. The key signs a challenge that is bound to the website’s real domain (the FIDO2/WebAuthn standard), so a lookalike phishing site gets nothing usable from it. Supported on Coinbase, Gemini, and some other exchanges. Highly recommended for large portfolios; register two keys so that losing one does not lock you out.


Step 2: Use a Strong, Unique Password

Your exchange password should be:

  • Long — at least 20 characters
  • Random — not based on dictionary words, names, or dates
  • Unique — used nowhere else, ever

Every year, billions of username/password combinations from breached websites are traded online. If your exchange password is the same as your email, streaming service, or any other account, and one of those gets breached, attackers will try that password against exchanges automatically (“credential stuffing”), and your exchange account falls with it.

Use a Password Manager

A password manager (Bitwarden, 1Password, Dashlane) generates and stores unique random passwords for every site. You remember one master password; the manager handles everything else.

Bitwarden is open-source, free for personal use, and has been independently audited. It’s an excellent starting point.

After setting up a password manager:

  • Generate a new random password for your exchange account
  • Update the exchange password
  • Make sure your email account also has a strong, unique password — it’s the recovery key to everything else

Step 3: Secure Your Email Account

Your email account is the master key to all your exchange accounts. Password resets, withdrawal confirmations, and security alerts all go through email. If an attacker controls your email, they can reset your exchange password and approve the confirmation emails that are supposed to protect withdrawals.

Secure your email with:

  • A strong, unique password (via password manager)
  • An authenticator app or hardware key for 2FA (not SMS)
  • Recovery options that don’t point back to vulnerable accounts or phone numbers

Use a dedicated email address for crypto accounts — separate from your everyday email. This reduces phishing exposure (you know that any crypto-related email to your main address is suspicious) and isolates your crypto activity.


Step 4: Enable Withdrawal Address Whitelisting

Most major exchanges offer a withdrawal address whitelist feature. When enabled, your account can only send crypto to addresses you’ve pre-approved. Adding a new address requires:

  • Confirmation via email
  • A mandatory waiting period (typically 24–48 hours)

This is an extremely powerful security layer. Even if an attacker fully compromises your account, they cannot withdraw funds until they also access your email and wait out the cooling-off period — giving you time to detect the breach and lock them out. Treat every “new withdrawal address added” notification as an alarm: if you did not add it, remove the address and change your passwords before the waiting period ends.

Enable on Binance: Account > Security > Withdrawal Address Management > Enable Whitelist

Enable on Coinbase: Settings > Security > Allowlisted Addresses

Enable on Kraken: Account > Security > Global Settings Lock (locks security settings, including withdrawal addresses, behind a time-delayed unlock, which provides similar protection)
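The following is an added example, written for this article rather than taken from any exchange’s code, that models the whitelist rules above as a small policy object and walks through the compromise scenario: the attacker adds their own address and even confirms the email, but the cooling-off period blocks the withdrawal until the owner removes the address. The 24-hour delay, the class names and the address string `bc1qattacker` are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple


@dataclass
class WhitelistEntry:
    added_at: datetime
    email_confirmed: bool = False


@dataclass
class WithdrawalWhitelist:
    # Assumption: a 24-hour delay, the low end of the 24-48 hour range described above.
    cooling_off: timedelta = timedelta(hours=24)
    entries: Dict[str, WhitelistEntry] = field(default_factory=dict)

    def add_address(self, address: str, now: datetime) -> None:
        """A new address starts unconfirmed, and its waiting clock starts now."""
        self.entries[address] = WhitelistEntry(added_at=now)

    def confirm_by_email(self, address: str) -> None:
        self.entries[address].email_confirmed = True

    def remove_address(self, address: str) -> None:
        """The owner's response to a 'new address added' alert they did not trigger."""
        self.entries.pop(address, None)

    def withdrawal_allowed(self, address: str, now: datetime) -> Tuple[bool, str]:
        """Every withdrawal is checked against the list; the reason explains a refusal."""
        entry = self.entries.get(address)
        if entry is None:
            return False, "address is not on the whitelist"
        if not entry.email_confirmed:
            return False, "address has not been confirmed by email"
        ready_at = entry.added_at + self.cooling_off
        if now < ready_at:
            return False, f"cooling-off period runs until {ready_at.isoformat()}"
        return True, "ok"


def attacker_scenario() -> List[bool]:
    """Constructed timeline: account and mailbox both compromised at t0, owner notices at t0+6h."""
    t0 = datetime(2026, 1, 12, 9, 0, tzinfo=timezone.utc)
    wl = WithdrawalWhitelist()
    wl.add_address("bc1qattacker", t0)               # attacker adds their own address...
    wl.confirm_by_email("bc1qattacker")              # ...and clicks the confirmation email
    results = [wl.withdrawal_allowed("bc1qattacker", t0 + timedelta(hours=1))[0]]
    wl.remove_address("bc1qattacker")                # owner sees the alert and removes it
    results.append(wl.withdrawal_allowed("bc1qattacker", t0 + timedelta(hours=25))[0])
    return results                                   # both attempts refused


if __name__ == "__main__":
    print("attacker withdrawals allowed at +1h and +25h:", attacker_scenario())
```

The point the model makes explicit: the control only buys time. It works if you read the alert and act within the window, which is why the alert must go to a mailbox the attacker does not also control.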


Step 5: Set an Anti-Phishing Code (Binance)

Binance offers an anti-phishing code feature (several other exchanges have an equivalent under the same name). You set a short custom phrase, and every legitimate Binance email includes it. If you receive a Binance-branded email without your code, it’s a phishing attempt. Keep the phrase private; it only works because the attacker does not know it.

Set it at: Account > Security > Advanced Security > Anti-Phishing Code

For exchanges without this feature, verify every email by checking: Was I expecting this email? Does the sending address match the exchange’s official domain exactly, rather than a lookalike in which the exchange’s name is only a prefix of some other domain? Does the link go to the official domain? Hover over a link to see its real destination rather than trusting the displayed text.


Step 6: Manage Withdrawal Limits and API Keys

Withdrawal Limits

Some exchanges allow you to set personal maximum daily withdrawal limits lower than the exchange’s default. This caps the damage from a compromised account at one day’s limit and buys time to notice. Set this to a level appropriate for your typical activity.

API Key Security

If you use trading bots, portfolio trackers, or any third-party tools that connect via API:

  • Create separate API keys for each application, so one can be revoked without breaking the others
  • Never grant withdrawal permissions to API keys used by third-party services — read-only and trading-only permissions are sufficient for most use cases
  • Restrict each key to the IP addresses the application actually runs from, where the exchange offers IP allowlisting
  • Review and delete unused API keys regularly
  • Never share API keys in any support ticket, Discord message, or form

API keys with withdrawal permissions are as dangerous as account credentials. An attacker with a withdrawal-enabled API key can drain your account without needing your password or 2FA, because API requests are authenticated by the key’s secret alone. Even a trade-only key can hurt: an attacker can use it to buy a thinly traded token they control at an inflated price, moving your value into their wallet without ever making a withdrawal.


Step 7: Don’t Leave Funds on Exchanges Long-Term

Exchanges are targets. Every major exchange has experienced some form of security incident — hacks, insider theft, technical failures, or regulatory seizure. The history of crypto is littered with exchange failures: Mt. Gox (850,000 BTC, 2014), FTX ($8B, 2022), Bitfinex hack (2016, partially recovered), Cryptopia, QuadrigaCX.

The rule: Only keep on an exchange what you actively need for trading. Long-term savings should be in self-custody.

Self-custody means holding crypto in a wallet where you control the private keys:

  • Hardware wallets (Ledger, Trezor) for long-term storage — keys never touch an internet-connected device; transactions are signed on the device itself
  • Software wallets (MetaMask, Exodus) for more accessible self-custody — better than an exchange, but the keys live on an internet-connected device, where malware can reach them

“Not your keys, not your coins” is the foundational principle of Bitcoin and remains relevant for any significant cryptocurrency holding.


Step 8: Recognize and Avoid Phishing

Phishing is the most common way exchange accounts are compromised. Attackers create convincing fake exchange emails and websites to steal credentials, and increasingly relay your password and one-time code to the real site in real time.

Red Flags in Emails

  • Urgency or fear: “Your account will be suspended in 24 hours”
  • Generic greetings: “Dear customer” instead of your name
  • Suspicious sending address: binance-security@gmail.com instead of @binance.com, or a lookalike in which “binance.com” is only the first part of a longer, unrelated domain
  • Links whose real destination (hover to see it) is not the official domain
  • Requests for your seed phrase, password, or 2FA code (exchanges never ask for these)

Safe Browsing Habits

  • Bookmark exchange URLs and navigate there directly — never through email links
  • Verify the URL in the browser address bar before entering credentials
  • Enable your browser’s phishing protection
  • Use a hardware security key if available — it is bound to the exchange’s real domain, so a phishing site cannot get a valid login from it even if you enter your password there
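The checks in Step 5 and in the red-flag list above can be automated for a suspicious message before you click anything. The block below is an added example, not part of the original article and not any exchange’s tooling: it parses a raw email with Python’s standard library, checks the sender and Reply-To domains and every link against a list of official domains (exact match or real subdomain, which defeats the “binance.com.something-else.net” trick), and checks that your anti-phishing code is present. The two sample messages, the `OFFICIAL_DOMAINS` list and the code phrase `tangerine-47` are constructed for the example.

```python
import email
import re
from email.policy import default
from email.utils import parseaddr
from typing import List, Optional
from urllib.parse import urlsplit

# Assumption: the domains of the exchanges you actually hold accounts with.
OFFICIAL_DOMAINS = {"binance.com", "coinbase.com", "kraken.com", "gemini.com"}


def host_is_official(host: str) -> bool:
    """Exact match or a genuine subdomain of an official domain.
    'binance.com.account-verify.net' matches neither, so the subdomain trick is caught."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def extract_urls(text: str) -> List[str]:
    """Pull href targets (HTML bodies) and bare URLs (plain-text bodies), de-duplicated."""
    urls = re.findall(r'href=["\']([^"\']+)["\']', text, flags=re.I)
    urls += re.findall(r'https?://[^\s<>"\')]+', text)
    return list(dict.fromkeys(urls))


def check_exchange_email(raw_message: str, anti_phishing_code: Optional[str] = None) -> List[str]:
    """Return a list of red flags; an empty list means none of these checks fired."""
    msg = email.message_from_string(raw_message, policy=default)
    findings: List[str] = []

    _, sender = parseaddr(msg.get("From", ""))
    if not host_is_official(sender.rpartition("@")[2]):
        findings.append(f"sender {sender!r} is not on an official exchange domain")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and not host_is_official(reply_to.rpartition("@")[2]):
        findings.append(f"Reply-To {reply_to!r} is not on an official exchange domain")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    for url in extract_urls(body):
        host = urlsplit(url).hostname or ""
        if not host_is_official(host):
            findings.append(f"link goes to {host!r}: {url}")

    if anti_phishing_code and anti_phishing_code not in body:
        findings.append("your anti-phishing code is missing from the message")
    return findings


# Constructed sample messages (not real mail from any exchange).
PHISHING_SAMPLE = "\n".join([
    "From: Binance Security <binance-security@gmail.com>",
    "To: you@example.com",
    "Subject: Urgent: your account will be suspended in 24 hours",
    "Content-Type: text/plain; charset=utf-8",
    "",
    "Dear customer,",
    "Verify your identity now: https://binance.com.account-verify.net/login",
    "",
])

LEGIT_SAMPLE = "\n".join([
    "From: Binance <no-reply@binance.com>",
    "To: you@example.com",
    "Subject: Security settings updated",
    "Content-Type: text/plain; charset=utf-8",
    "",
    "Anti-phishing code: tangerine-47",
    "Review your security settings at https://www.binance.com/en/my/security",
    "",
])

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(name, "->", check_exchange_email(sample, "tangerine-47") or ["no red flags"])
```

One caveat the code cannot remove: the From header itself can be forged, so a sender that passes this check is only trustworthy if your mail provider also reports that the message passed DMARC for that domain. An official-looking sender with an unofficial link, or a missing anti-phishing code, is still a red flag on its own.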

Cold Storage Strategy for Large Amounts

For significant holdings (anything you’d be devastated to lose), the standard recommendation is:

  • Ledger or Trezor hardware wallet for the bulk of your holdings
  • A small trading account on a reputable exchange for active trading
  • Never store seed phrases digitally — paper (or metal backup plates for durability) stored in multiple secure physical locations

Quick Security Checklist

  • [ ] Authenticator app or hardware key 2FA enabled (not SMS)
  • [ ] Strong, unique password (via password manager)
  • [ ] Dedicated email address for crypto, secured the same way
  • [ ] Withdrawal address whitelist enabled
  • [ ] Anti-phishing code set (Binance users)
  • [ ] API keys audited — withdrawal permissions revoked from all third-party apps, unused keys deleted
  • [ ] Exchange bookmarked — never use email links
  • [ ] Long-term holdings moved to hardware wallet

Frequently Asked Questions

Which 2FA method is most secure?

Hardware security keys (YubiKey) are the most secure, because they are bound to the real site and cannot be phished; next come TOTP authenticator apps (Google Authenticator, Authy). SMS 2FA is better than nothing but vulnerable to SIM swap attacks. Use an authenticator app at minimum.

What should I do if my account is compromised?

Act immediately: contact the exchange’s support team to freeze your account. Change your email password, then your exchange password. Review connected devices and revoke any sessions you don’t recognize, delete all API keys, and remove any withdrawal address you did not add yourself. File a report with local authorities if funds were stolen. The faster you act, the better the chance of limiting losses or catching the attacker.

Is it safe to use the same exchange for years?

Using reputable, regulated exchanges (Coinbase, Kraken, Gemini) for years is common. The risk isn’t usually the exchange’s longevity — it’s your personal account security. Maintain strong security practices indefinitely.

How do I safely store my seed phrase?

Write it on paper using a pen (not pencil, which fades). Store it in multiple physical locations — a home safe and a safety deposit box, for example. Never photograph it. Never store it in cloud storage, email, or on any internet-connected device. Metal backup plates (like Cryptosteel) provide protection against fire and water damage.

Can exchanges freeze my funds?

Yes. Regulated exchanges can freeze accounts for compliance review, suspected fraud, or legal orders. This is a risk of using custodial exchanges and one reason long-term holders prefer self-custody for significant amounts.


Related guides:

  • How to Move Crypto from Exchange to Wallet (2026)
  • Best Hardware Wallets (2026): Top 6 Ranked and Reviewed
  • Binance: The Complete Guide (2026)
  • CEX vs DEX (2026): Centralized vs Decentralized Exchanges Explained
