Cryptocurrency Exchange Safety Guide
In the third part of this security series, we turn our focus to cryptocurrency exchanges. In this cryptocurrency exchange safety guide, we discuss how to select an exchange and measures to protect yourself when using them.
If you would like to read other parts of this series, here are the links:
- Part 1: Crypto Security – General security principles
- Part 2: Cryptocurrency wallets
- Part 3: Cryptocurrency exchanges (this article)
- Part 4: Sending and receiving
Blockchain technology has attracted much attention from institutions due to its security features. But security lapses still occur where blockchains and the real world cross over. One such example is cryptocurrency exchanges.
There are many reasons for this. First, cryptocurrency exchanges are not security companies. They are Fintech companies first, cybersecurity companies second. Also, while blockchain technology has developed rapidly in recent years, security solutions have not kept pace. Furthermore, exchanges are natural magnets for hackers given their vast stores of crypto. Countries like North Korea even have groups dedicated to hacking cryptocurrency exchanges. It is also worth noting that 2018 was a record-breaking year for crypto exchange hacks.
1. Where possible, try not to make crypto purchases through exchanges
Once you have decided which coins to invest in, the best course of action is to sell something to get them. Ideally, you should get your crypto in the following ways:
- Selling your product in exchange for them
- Purchasing them in a peer-to-peer fashion, such as through Local Bitcoins
Doing so puts less of your information “out there”. This also helps the crypto ecosystem by creating an avenue for others to spend their crypto.
You should buy it via an exchange only if the above options aren’t available to you. The fiat system has been set up as a giant surveillance machine. Thus, if your entrance into the crypto space is through fiat, then your journey through it begins with full surveillance. As a result, your privacy is compromised.
Such surveillance begins when exchanges request identification documents as part of KYC procedures. As such, the government would know you have made such purchases in the past. Also, the IRS already has chain analysis technology. Such technology allows them to trace bitcoin addresses through the blockchain and centralized exchanges. Thus, addresses into which you withdraw your crypto would be tainted. This is because they can be associated with you. One way to obscure the association is to carry out transactions between your own wallets. However, doing this only slightly obscures the sources of those funds.
2. Use different usernames, emails, and passwords for different exchanges
When setting up accounts on exchanges, use a unique email address and password for each exchange. That way, a compromise of one email limits the potential damage. This also helps protect against phishing scams. For example, if your Binance login uses the email email@example.com, then emails claiming to be from Binance that arrive at any other address have to be fake.
Also, the emails used to sign up for exchanges should not be used for any other purpose. This further allows you to narrow down which exchange leaked your address. Thus, if you receive an unsolicited email at firstname.lastname@example.org, you would know that Binance was the source of the leak.
Use a good password manager, such as KeePass, to store your login credentials.
Since strong passwords are hard to remember, you may need to send them to yourself. In doing so, never send them in clear text. Passwords should be sent via secure channels. Signal is useful here as it provides end-to-end encryption. It allows you to send messages securely to yourself. Just remember to delete the password from the chat after using it.
Ideally, your email should be set up with a secure email provider such as Protonmail.
As an added precaution, keep this email secret and do not reveal it to anyone.
3. Diversify, diversify, diversify
Register for multiple exchanges
During the 2017 crypto boom, many users faced difficulties trading or withdrawing.
Back then, infrastructure simply couldn’t keep up with user demand. Would this repeat in the future? It’s certainly possible. Thus, you should register for as many exchanges as possible. That way in times of market mania or distress there would still be plenty of options available to you. You don’t want to be registering for exchanges only when there is a surge in demand. If not, this could happen to you…
Trade across many exchanges
For those who have to leave large amounts on exchanges (e.g. traders), do split your holdings across many exchanges. That way, should one exchange suffer an attack or go under, you still have access to funds on other exchanges.
Trading across many exchanges may mean incurring more commissions. But doing so protects you against catastrophic losses. You certainly don’t want to lose your life savings trying to save pennies on transaction fees.
You can further protect your cryptocurrencies by purchasing insurance for your holdings.
4. Never store crypto on exchanges
There are many reasons why you should never store crypto on exchanges.
Not your keys, not your crypto
Simple rule. If you control the keys, it’s your bitcoin. If you don’t control the keys, it’s not your bitcoin. Your keys? Your bitcoin. Not your keys? Not your bitcoin.
When your crypto is on an exchange you do not control the private keys. Thus, you should never store an amount greater than what you can afford to lose on an exchange.
Lack of regulatory oversight
The maximum amount of time I have left currency, crypto or fiat, on an exchange is 15 minutes.
This is understandable considering how most exchanges lack the security architecture of banks. Lack of funding or regulations has contributed to this. For example, only 39% of fiat-supporting crypto exchanges hold an operating license. Thus, funds stored on them are more susceptible to theft and fraud.
The absence of regulations has led to surprising ways in which losses have happened. One such example is the death of Quadriga CX CEO Gerald Cotten, who supposedly passed away on a trip to India. What’s surprising is that Gerald was the sole holder of the passwords to customer funds. As a result, hundreds of millions in customer funds remain inaccessible.
Attractive target to hackers
Exchanges contain vast stores of crypto and are thus prime targets for hackers. The threats from hackers continue to be very real as recent incidents have shown.
Another risk of leaving your funds on exchanges? Custody Risk. One Binance user holding 1.2k BTC found this out the hard way after the blocking of his account.
Recently, exchanges like Gemini have announced they have acquired digital assets insurance. Should you then store your crypto on such exchanges? Personally, we would not. Gemini’s policy does not protect against all forms of loss on their exchange as shown below. Emphasis ours.
Our policy insures against the theft of Digital Assets from our Hot Wallet that results from a security breach or hack, a fraudulent transfer, or employee theft.
Our policy does not cover any losses resulting from any unauthorized access to your User Account. You agree and understand that you are solely responsible (and you will not hold us responsible) for managing and maintaining the security of your User Account login credentials.
Before we end this section, here are some thoughts from cybersecurity firm Group IB in their 2018 report on cryptocurrency exchanges.
At the moment there is no cryptocurrency exchange that would provide its users with absolute security – whether it is a large exchange with a large team of highly paid engineers and programmers or a newcomer to the market.
5. Only sign up for reputable exchanges
Do unknown Ukrainian exchanges offering 0% trading fees ring any alarm bells? What about those which offer to pump crypto on their exchange?
Always stick to reputable crypto exchanges such as the following:
Reputable Crypto-Crypto exchanges
Here are some factors to consider in determining which exchanges to sign up for. This list is not meant to be exhaustive.
- Do not sign up for exchanges that engage in or allow market manipulation or abusive trading. Examples include:
  - Pumping coins (as shown above).
  - Providing fake volumes. Blockchain Transparency Institute (“BTI”) provides a list of exchanges that engage in wash trading.
  - Allowing a single user to have multiple accounts.
- Trading fees? These directly affect trading performance. Thus, exchanges should fully disclose their fees. Any “hidden” charges associated with trading activity must be spelled out.
- Do you need beginner or advanced trading features? Gemini is a good exchange for beginners while Binance is a good exchange for advanced users.
- Currency pairs? Consider whether they accept fiat only, crypto only or both, and whether they support the coins you want to trade.
- Trading volume of these currency pairs? Low liquidity would mean more costly trades.
- Location incorporated or headquartered? This affects legal remedies available to customers should any issues arise. Possible issues include data breaches, stolen funds or liquidation of the platform.
- Acceptance of fiat currency? If a crypto exchange accepts fiat, it indicates they have an existing banking relationship. This would mean they at least passed KYC procedures of banks. Users can thus have some level of comfort from this.
- Standards and considerations for listing a coin? Clear disclosure is necessary for this area. Some exchanges only exist to collect listing fees and use bots to create fake volume.
- Restrictions on employee trading? Employee trading poses a conflict of interest. Policies should be in place prohibiting employees from trading on insider information. Insider information includes upcoming coin listings or information about the order book. Insider trading provides employees with an unfair advantage over users and should be banned.
- Quality of investor base? If reputable financial institutions have invested in an exchange, it provides significant comfort. This is because you can bet they have done thorough due diligence on the exchanges. Investment failures are very public affairs and can cause huge embarrassments to investors.
- Use an exchange that offers multiple ways of securing your account. Common security features include:
  - Requiring two-factor authentication for key activities, e.g. logging in and sending funds. Note that you should never use SMS authentication, as text messages can be intercepted.
  - Requiring users to set strong passwords. Strong passwords are longer than 8 characters and combine letters (lower and upper case), numbers and special characters.
  - Email confirmations before releasing funds from your wallet.
  - Email confirmations if your login originated from a new device or location.
- Storage of crypto. The bulk of their funds should be in cold wallets as these are more difficult to hack than hot wallets. For example, the Coincheck hack happened as hot wallets were used to store all its NEM coins.
- Compensation of lost funds? Does the exchange have sufficient funds to compensate users for lost funds? If not, do they have insurance to cover them?
- Commitment to security. Do they offer hacker bounty programs? Binance is one such exchange that offers this.
We personally use Gemini and Binance and have had a great experience using them. Having said that, one of the drawbacks of these exchanges is that they are all centralized. Transacting on them would mean taking on custody risks since you have to transfer your funds to them. Thus, it is advisable to *NEVER* store more than what you can afford to lose on any exchange.
Decentralized exchanges are alternatives to centralized exchanges. They enable users to trade directly with each other. This means that users do not have to move their crypto onto exchanges to trade. However, there are downsides to using these exchanges such as the lack of liquidity. While still far from mainstream adoption, we feel decentralized exchanges are the future.
6. Set up two-factor authentication whenever possible and as soon as possible
If you’re trading on exchanges, you must absolutely enable two-factor authentication (“2FA”). This could mean using Google Authenticator or Authy on your smartphone. Each site has its own instructions for setting this up. The key point here is to set up 2FA before you deposit any funds onto an exchange.
Hot tip. When signing up using Google Authenticator or Authy, you would be asked to scan a QR code. That QR code encodes the secret key from which the app generates its codes, so make a backup of it and store it somewhere safe. You certainly don’t want to be locked out of your funds when the markets crash because you lost your phone!
There is an alternative if you have two devices, such as a phone and a tablet. You can use both to scan the QR code when setting up Google Authenticator or Authy. That way you have two means of generating your codes.
Don’t end up like this user…
Authy is more convenient than Google Authenticator as it backs up your 2FA secrets online. However, doing this means having to trust them to keep your data secure.
Also, *NEVER* set up 2FA using your phone number whether on exchanges or for emails. While users can reset their passwords using verification pins sent to their phone numbers, this is unsafe. Because of flaws in cell phone networks, scammers can intercept such text messages. They can then reset the password to your email account and gain control over it. From there they can work their way into your crypto exchange accounts.
Avoiding mobile phone 2FA also helps ensure you don’t fall victim to SIM swapping scams. In such scams, the attacker hijacks your SIM card to gain access to your mobile phone number. To do so, criminals call up your cell phone provider pretending to be you. They then trick your provider into issuing a new SIM card to them. Motherboard describes such an example below.
Sebastian had hijacked Goetz’s SIM card and directed any password reset messages to his own phone. This also let Sebastian bypass any SMS-based, two-factor authentication on Goetz’s accounts; those text messages companies send to check it’s really you. With Goetz’s phone number, Sebastian was Goetz, for all that the internet cared.
Thus, always set up 2FA with Google Authenticator or Authy. They work from a secret stored on your physical device rather than from your phone number. Also, they generate a new code every 30 seconds.
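To make the last two paragraphs concrete, the following is an added example (not code from the original article, and not from Google Authenticator or Authy) of what an authenticator app actually does with the QR code you scan. It parses a constructed otpauth:// URI of the kind a QR code contains, derives the 30-second codes from the embedded secret using the standard TOTP algorithm (RFC 6238, HMAC-SHA1), and shows that a second device holding the same secret produces identical codes, which is why backing up the QR code, or scanning it on two devices, lets you recover access. The secret is the RFC 6238 test secret, and the issuer and account name are placeholders.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example of the URI an exchange embeds in its 2FA QR code.
# The secret is the RFC 6238 test secret ("12345678901234567890") in base32;
# it is not a real account secret. Issuer and account are placeholders.
EXAMPLE_OTPAUTH_URI = (
    "otpauth://totp/ExampleExchange:you%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleExchange"
    "&digits=6&period=30"
)


def parse_otpauth(uri):
    """Extract the label, secret and code parameters from an otpauth:// TOTP URI.

    This is what the authenticator app stores when you scan the QR code; the
    secret is the only part that matters for generating codes later.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"],
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    # Re-add base32 padding in case the URI omitted it, then decode the key.
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    msg = struct.pack(">Q", counter)  # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, unix_time, period=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    return hotp(secret_b32, int(unix_time) // period, digits)


def verify(secret_b32, code, unix_time, period=30, digits=6, window=1):
    """Server-side check allowing one step of clock drift either way.

    Uses a constant-time comparison so the check does not leak how many
    leading digits matched.
    """
    for step in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + step * period, period, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


def codes_from_two_devices(uri, unix_time):
    """Simulate scanning the same QR code on a phone and a tablet.

    Both devices end up with the same secret, so both generate the same code;
    there is no per-device state to lose.
    """
    phone = parse_otpauth(uri)
    tablet = parse_otpauth(uri)
    return (
        totp(phone["secret"], unix_time, phone["period"], phone["digits"]),
        totp(tablet["secret"], unix_time, tablet["period"], tablet["digits"]),
    )


if __name__ == "__main__":
    account = parse_otpauth(EXAMPLE_OTPAUTH_URI)
    now = time.time()
    print("account:", account["label"])
    print("current code:", totp(account["secret"], now))
    print("seconds until next code:", 30 - int(now) % 30)
    print("phone and tablet agree:", codes_from_two_devices(EXAMPLE_OTPAUTH_URI, now))
```

The fixed test values below come from the RFC 4226 and RFC 6238 test vectors for this secret; the `verify` function accepts a code from the adjacent 30-second step to tolerate small clock differences between your device and the exchange, which is also why a code does not stay valid for long after it rotates.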
As an added precaution, do remove your phone number from your email accounts. Also, do disable account recovery via phone numbers.
Setting up 2FA can be troublesome and result in a less fluid user experience. However, it is incredibly important, and we will use an example to illustrate how it can protect you. Back in 2017, fake Poloniex Exchange apps showed up on Google Play.
Both of the apps shown in the screenshot above are fakes. If users did not read the app reviews, they could have downloaded the malicious versions. The app would steal their login credentials when users access them. However, even with these login credentials, scammers would not be able to access accounts protected by 2FA.
7. Watermark KYC documents prior to submission
As part of KYC procedures, exchanges usually ask for scanned copies of passports and/or a selfie. Criminals have been using doctored KYC documents to access user accounts on exchanges. They use the documents to reset a user’s 2FA and work their way into their accounts.
Needless to say, be very careful about submitting verification documents. Never submit them to disreputable or questionable exchanges. If submitting documents, do watermark them first, but of course, do not obscure identifying information. Watermarking helps you identify which exchange leaked your documents.
You can create watermarks using Microsoft Paint or IrfanView (free).
We hope this cryptocurrency exchange safety guide has helped you. We have discussed many areas including how to select the right cryptocurrency exchange and how to protect yourself when using them.
Now it’s your turn: leave a comment below and let us know which exchanges you’re going to sign up for.
Or if you have other suggestions, we would love to hear them.
Let us know with a quick comment below!