ACCOUNT SECURITY OF THE CRYPTOCURRENCY EXCHANGE: BEGINNERS FRIENDLY GUIDE

The guide has been prepared by the CScalp terminal team. You can get CScalp by leaving your e-mail in the form below.

Password is the basis of a trader's cybersecurity. You must learn how to manage your passwords not only securely, but also conveniently. If it takes a long time to find and enter a password, user automatically starts saving time at the expense of security.

The purpose of this guide is to help traders build their work with accesses not only reliably, but also conveniently.

Let's start with a simple advice - use long and complex passwords.

The longer the password, the better it is. If you store passwords correctly, then it makes no difference to you how long the password is. Therefore, make it longer than 8 characters.

Your passwords must contain both case letters (for example, n and N), numbers, and special characters. Passwords like "12344321" and "iloveyou" are bad passwords.

It’s good if the password is randomly generated. Password managers have a special feature for this - a password generator. A password generated by a password generator is stronger than a human-generated password. Even if they are the same length.

The longer, more complex and random the password, the more problematic it is to crack it by brute force.

One password can only be used once. It couldn’t be used twice.

It often happens like this: a trader remembers one password and uses it everywhere. This is a mistake. If one account is hacked, then all your accounts will be at risk.

It is impossible to remember a large number of unique and complex passwords. What to do? Many users store accesses in browsers (for example, in Google Chrome). This is more convenient than storing "in the head" or Excel, but not safe.

The browser's built-in storage is the first place for hackers. And in most cases, hackers will get there without any problems. Therefore, we do not recommend storing passwords in the browser.

An alternative to storing passwords in memory, Excel or the browser is a password manager. This is an application for storing logins and passwords and secure authorization. The manager “can” not only store, but also insert passwords directly into the authorization form.

Password manager companies use the most advanced encryption technologies and invest huge sums in security. This provides convenience and a level of security that is far superior to “writing the password in Excel”.

It takes time to get used to the password manager. But it's worth it. After implementation, you will need to remember only one password - the password from the password manager.

Tips for choosing and using a password manager:

The services you use can be hacked. Nobody is secure from this. Sometimes hackers publish or sell user databases - logins and passwords. To protect yourself, you need to regularly monitor the DarkNet (dark web) and check your accounts for leaks.

You can check the data through the leak aggregator: you enter your e-mail or login in the search box, the service displays the results of the check. However, not all leak aggregators are safe. Some of them are targeted at phishing.

It is convenient and safe to check accounts for leaks through a password manager. Enter your e-mail and configure the password manager to track it. If the manager detects a threat, it will immediately notify you.

According to the rules of the "old school", it is believed that the regular change of passwords increases cybersecurity. With the manager, changing passwords is easy - you can do it in a couple of clicks.

However, many companies and cybersecurity experts consider changing passwords to be outdated. For example, Microsoft has abandoned the practice of regularly changing passwords in Windows.

Two-Factor Authentication or 2FA - is an account login with two types of confirmation of account ownership. Usually, the first is a login and password, and the second is a special code that is sent via SMS, e-mail or a special application.

For example, you log into your account on the exchange, enter your username and password. Then you will receive a verification code on your phone. You enter the code and only after that you can get into the account.

In order to enter an account, you need two conditions - to know the login/password and have access, for example, to SMS (depending on the authentication method). A variant with three conditions also could be used.

2FA advice - always use two-factor authentication! If you enable 2FA, then it will be ten times more difficult for a hacker to get into your account. Strong argument, right?

There are different options for two-factor authentication. The most common are 2FA via SMS, e-mail and a special application, such as Google Authenticator.

The opinion of the authors is that 2FA through specialized services is more reliable than through e-mail or SMS. There are known cases of hacking the databases of mobile operators and mail services, and fraudsters using fake documents can gain control over the SIM card. Doing this with 2FA applications is much more difficult. Therefore, if you can choose, then choose the option with 2FA through the application.

Below we have prepared a brief description of 2FA services that are used to protect accounts on popular cryptocurrency exchanges.

Majority of cryptocurrency exchanges support two-factor authentication through Google Authenticator (GA). This is a simple and convenient application that does not require creating an account and any settings. It is enough to install GA and connect it to your account. The data is stored only on the user's device. Google Authenticator is available on iOS, Android and BlackBerry OS.

Exchangex:
Binance, Bybit, OKX, EXMO, Bitfinex, BitMEX.

To use Authy, you need to create an account linked to a phone number. The application stores user data on a cloud server, so access them from any of the connected devices. Authy supports macOS, Windows, iOS, Android, and Chrome.

Exchanes: BitMEX.

Binance Authenticator is Binance's own application. User data is stored in the cloud, so you need to create an account to use the application. Binance Authenticator is used to complete two-factor authentication on Binance only.

When you enable app authentication, the service generates a secret key. Based on this key, one-time codes for logging into your account are created. The secret key may look like a set of characters or a QR code. Keep the key in a safe place in case you lose your device. For example, write it down on your paper sheet.

Popular authenticator apps, with the exception of Google Authenticator, offer to store your secret key in the cloud and automatically sync password storage with devices. To do this you need to create an account linked to a phone or e-mail.

Another way to store the secret key is in a password manager, in secure notes. You can also write down the key on paper or print it (if it is a QR code). If you choose the second option, consider the risks associated with storing a "paper" version of the key.

The security of your accounts also depends on the security of the device you are using. Let's analyze the security rules of the device: computer, tablet, smartphone.

Regularly update your OS (Windows, macOS, iOS, etc.) and the applications you use, such as the exchange app. Almost every update contains patches for discovered vulnerabilities. If you do not update, then a situation is possible when the vulnerability has already been discovered and is known to everyone, but you still have it "open".

Use a licensed antivirus downloaded from the official website of the developer. If you have downloaded and installed a pirated version of the antivirus, do not count on reliability and security. The antivirus must have an updated database. It also needs to be updated regularly.

When you work through an unfamiliar network, use a VPN. This is a secure, encrypted connection that allows you to keep your data private and bypass local restrictions. If you're going to be using a VPN all the time, set it up carefully to keep it secure.

Register an account on a cryptocurrency exchange using an e-mail that you do not use anywhere else. If you have ten accounts on the exchange, register ten email addresses.

Important! Mail also needs to be protected by 2FA.

Phishing is a way for fraudsters to obtain user data (logins and passwords). Phishing could be done in a variety of ways. For example, hackers can host an email campaign on behalf of Binance. The letter contains a link to a fake site that cannot be visually distinguished from the real Binance site. If you enter your username and password on such a site, they will fall into the hands of scammers.

Some cryptocurrency exchanges have an anti-phishing feature in order to fight scam. In your account security settings, you can set a code that the exchange will use to sign all your emails. It looks like this:

There is a code - the letter is real. If you receive a letter without a code, beware.

Some exchanges allow you to set master passwords.

The master password is an additional password for individual actions. For example, you can log into your account using the usual login / password combination, and in order to withdraw assets, you also need to know the master password.

Be sure to use master passwords if you store significant amounts on the exchange.

The white list allows you to set addresses that proceeds withdraw with minimal checks. Add your addresses to this list and making transactions with these addresses will become faster and more convenient.

It’s amazing, If you use a separate device for trading on a cryptocurrency exchange that you don’t use for internet surfing.

If you do not need a large monitor for trading (you are not actively trading), then make trades from your phone through the exchange application. Do not use other devices to log into the exchange account.

It should be understood that different devices have different levels of security. It is believed that due to its architecture, the iPhone is more secure from viruses and hacks than a Windows PC.

API keys are an analogue of the login (Api Key) and password (Api Secret). They are needed to connect a third-party application to an exchange account.

API keys have customization options. For example, you can configure the keys that can only receive exchange information ("read only" keys), and transactions will be prohibited.

Use a separate API keyring for each service. For example, one pair for CScalp, another for a trader's diary, etc. Delete keys that you no longer need. Access to the account on them will immediately disappear.

You can set an IP limit in the API Key settings by whitelisting trusted IP addresses. After that, it will be possible to connect to the trading account through the keys only from the IP specified by you.

This setting is recommended if you have a static (permanent) IP address. Also, IP can be dynamic, that is, change. You can find out the IP type and connect a static IP address from your ISP.

Log in to Binance and click on the user icon in the top menu. A side menu will be opened: here you can set up two-factor authentication at “Security” and API keys at “API Management”.

Enable two-factor authentication via Binance Authenticator or Google Authenticator. To set up a logging in, you will need to install one of the applications on your phone.

Below, in the “Devices and Activities” section, enter the anti-phishing code. All emails from Binance will be signed with this code.

You can also specify addresses for cryptocurrency withdrawal (white list). Withdrawals can only be made to these addresses. For example, you can set the withdraw only to the address of your cryptocurrency wallet.

In the "API management" section, you can create API keys and create options for them.

To trade on Binance Spot and Futures markets through the trading terminal, check the boxes next to “Enable Spot and Margin Trading” and “Enable Futures”. To connect to the diary, use the “Enable Reading” keys. Add your IP address to the whitelist if using a static IP.

Bybit account security settings are located in the “Account and Security” section, API keys in the “API” section.

Follow the "Account & Security" section and enable two-factor authentication via Google Authenticator. Without this step, you won't be able to generate API keys.

In the “API” section, you can configure the keys according to the “Reading and Writing” and “Read Only” parameters.

You can also add your IP address to the whitelist.

On OKX account security settings are located in the “Security Settings” section, key settings in the “API” section.

In the security settings, enable two-factor authentication via Google Authenticator and enter an anti-phishing code. You can also set a password and enable two-factor authentication for withdrawals.

OKX API keys parameters are specified when they are created. You can create "Read" or "Trade" keys, add your IP address to the whitelist and set a password for the API.

Go to the EXMO website and click on the username. In the list that appears, open "Settings".

In the "Security" section, enable two-factor authentication via Google Authenticator. In the "API" section, you can add your IP address to the whitelist.

On BitMEX account security settings are located in the “Security Centre” section, API key settings are located in the “API keys” section.

In the security center, enable two-factor authentication via Authy or Google Authenticator. To do this, click "Add TOTP". Add your IP to the whitelist if you have a static IP.

You can also enable PGP email encryption.

BitMEX API keys parameters are set when they are created. You can specify an IP address to restrict the key.

There are currently no other settings for API keys on BitMEX.

On Bitfinex, security settings are located in the “Security” section, key settings in the “API keys” section.

Enable two-factor authentication with Google Authenticator. You can also configure email encryption, set session parameters, add cryptocurrency withdrawal addresses, and set up withdrawals.

API keys are configured upon creation. If you need keys to trade, enable the "Create and cancel orders" option. Needed keys to read - leave it off.

In real life, traders do not always follow the recommendations from our guide.
We advise you to treat the recommendations as follows: each item makes it harder for a hacker to get into your account. The more recommendations you use, the more secure your account is.
If you keep insignificant assets in your account, then you should not complicate your life. If you keep a lot of money on your account, then you should follow all the rules from the manual in order to "sleep well".