This article is one of a three-part series on the basics of getting started in crypto. To read from the beginning, visit Part One here.
One of the reasons crypto is unique, and advantageous over traditional money, is its speed and efficiency. It doesn’t require an intermediary, and transactions often take place over minutes or even seconds. Another distinction of cryptocurrencies is that they’re largely anonymous. Outside of exchanges or certain on-ramps that might require KYC (Know-Your-Customer procedures), crypto itself is essentially set up to allow parties to send and receive funds without having to disclose any personal information. These are two of the things that draw people to crypto, and they are also the reason you need to be extra vigilant with your crypto funds.
In the traditional system, it’s possible that someone could steal your password or other personal information and be able to access your account. They might even be able to transfer funds. The catch, however, is that anyone attempting to steal your funds will still have to input a traditional receiving account – and this account will have a name, address, and other personal information attached to it, creating a trail authorities can follow to find the offending party. Even in the event of a transaction such as a wire transfer, where funds are automatically sent without waiting periods, the possibility still remains that the transaction, if discovered to be fraudulent, can be reversed. The traditional banking system’s checks and balances are a large part of what makes it slower than using crypto, but also what makes it more secure.
In the crypto ecosystem, once your funds are sent – they’re sent. If someone has managed to get into your account, by either cracking your password or hacking in some other way, your funds are gone the second they’re sent from your wallet, as no third party is there to intervene. Likewise, discovering the identity behind the address they were sent to will be virtually impossible. (Again, while some of the large exchanges can identify stolen funds, this is a unique circumstance that usually applies only in connection to large events, such as a hack from another exchange, and does not occur regularly with individual account breaches.) So what’s the best way to protect yourself, since you’re responsible for your own account security?
What to Do If Your Funds Are on an Exchange
There are multiple levels of personal account security available on exchanges, depending on which exchange you use. We’ll go over some of the most generally available ones, and you can check which ones are available to you in your account, usually in some form of “Security” section in your account settings. It’s important to keep in mind as well that you can usually put multiple layers of security in place – so whichever forms your exchange offers, it’s best to use as many as you can.
First and Foremost: Your Login Information
It goes without saying that you need to create a strong password. However, what you may not have considered is that the password should not only be strong, but also be one that you use on the exchange and nowhere else. This is because in the event that your passwords elsewhere get compromised – as they often do these days – the hacker of that site won’t automatically get the password for your funds as well. Along the same lines, you should use an email address that is unique to your crypto account. Creating a new one is easy, and having an email that is only used for your crypto funds protects you in the same way as having a unique password. Not having it out there anywhere else on the internet minimizes the chances of it being acquired without your knowledge. One note: you’ll want to make sure you have a copy of your new information so you don’t make your exchange account or new email account (which will receive messages from the exchange that you may need) secure from yourself by forgetting what unique password or email you used. Just remember to keep copies of sensitive information somewhere secure (offline is best).
2FA stands for two-factor authentication. Without going into exactly how it works, the point is that it protects your account by generating a one-time code that only you have access to, so the exchange can verify that the person trying to log in is really you. It comes in the form of an app, and most people use Google Authenticator or Authy, though other apps work fine as well. You can download the app to the same device you use to access the exchange, or to another device if you have one – which puts an extra degree of separation between your account and the tools needed to access that account. 2FA requires the times of your devices to be the same to work properly, so if you use another device, just make sure the clocks on both are correct. While doing two-factor authentication via SMS is an option, using an app is more secure. There are ways, though fairly uncommon, for hackers to access your phone number (and thus your texts), which makes it a risk you don’t need to take when there are other easy options.
As we mentioned earlier, crypto funds are always sent to an address. While there’s really no way to recover funds after they’ve gone, there is a way to restrict the addresses to which they can go in the first place. Called “whitelisting,” it’s where you designate what addresses are approved for withdrawals. It has similarities with whitelisting an email address, in that you’re telling the provider (or, in this case, the exchange) what addresses you specifically consider safe. Adding whitelisted addresses will require you to verify them through your email, 2FA, or both, and will sometimes even have a waiting period before new addresses can be used, adding an extra layer of security (and an added deterrent) in the event that an unauthorized person were to also try to whitelist an address.
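The whitelisting flow described above, sketched as an added example that is not part of the original article or any exchange's code: an address is usable only after it has been confirmed and a waiting period has passed. The class and method names, the 24-hour hold, the requirement for both email and 2FA, and the placeholder address strings are assumptions.

```python
from dataclasses import dataclass, field

HOLD_SECONDS = 24 * 3600  # assumed hold period; the article gives no figure

@dataclass
class WithdrawalAllowlist:
    # address -> time it becomes usable (None while unconfirmed)
    entries: dict = field(default_factory=dict)

    def request_add(self, address):
        """Register an address; it is unusable until confirmed."""
        self.entries.setdefault(address, None)

    def confirm(self, address, email_ok, totp_ok, now):
        """Require both checks (assumed policy), then start the hold clock."""
        if address not in self.entries or not (email_ok and totp_ok):
            return False
        if self.entries[address] is None:
            self.entries[address] = now + HOLD_SECONDS
        return True

    def may_withdraw(self, address, now):
        """Return (allowed, reason) for a withdrawal request."""
        if address not in self.entries:
            return False, "not on allowlist"
        usable_at = self.entries[address]
        if usable_at is None:
            return False, "not confirmed"
        if now < usable_at:
            return False, "in hold period"
        return True, "ok"

def demo():
    now = 1_700_000_000  # constructed timestamp
    wl = WithdrawalAllowlist()
    # Owner's address, confirmed a week ago (placeholder strings, not real addresses)
    wl.request_add("OWNER_ADDR")
    wl.confirm("OWNER_ADDR", True, True, now - 7 * 86400)
    # Added with email access only: the 2FA check fails
    wl.request_add("NEW_ADDR_A")
    wl.confirm("NEW_ADDR_A", True, False, now)
    # Fully confirmed just now: still inside the hold period
    wl.request_add("NEW_ADDR_B")
    wl.confirm("NEW_ADDR_B", True, True, now)
    names = ("OWNER_ADDR", "NEW_ADDR_A", "NEW_ADDR_B", "NEVER_ADDED")
    return {n: wl.may_withdraw(n, now) for n in names}
```

The hold period is what gives the account owner time to notice the confirmation email for an address they did not add and to react before any withdrawal to it is possible.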
A Bit About Mobile Wallets
Some of the same features offered on exchanges can also be implemented on mobile wallets, such as 2FA. Meanwhile, like a strong password, the PIN you designate for your mobile wallet should be unique to your wallet and not used elsewhere. Since your funds are theoretically stored “in” your device, however, your phone’s security itself also becomes an important part of protecting your account when using mobile wallets. Ensuring you have a strong PIN on your phone itself, in addition to other security measures such as enabling remote lock or even remote wiping of your phone, can help protect your wallet from unauthorized access (and the subsequent sending of your funds) in the unfortunate event your phone is lost or stolen. Just as it is important to remember your login information on exchanges, with mobile wallets the essential thing to always have stored somewhere secure is your recovery seed. This is how you can recover your wallet and your funds if you ever lose access to your device.
This list is not exhaustive. However, these options, in addition to others you may find in your security settings, are some of the first and best security measures you’ll want to take to protect your account from unauthorized access. Crypto is a seamless and efficient way of transacting, investing, and sending money that will likely be a large part of the future. As with any new endeavor, like driving a car or learning to swim, understanding personal account security and how to keep your funds – and thus yourself – safe is an important step as you dive into the exciting new world of cryptocurrency.