
Crypto Security Checklist: 2FA, Whitelists & Phishing Protection

7 min read · Security · Educational content only

Educational content only. This checklist is for informational purposes. Security practices evolve; always refer to your exchange's official documentation for the most current guidance.

Cryptocurrency security is entirely your responsibility. Unlike traditional bank accounts, there is no deposit insurance or fraud reversal mechanism for most crypto transactions. Once funds are sent to the wrong address or stolen, they are typically unrecoverable. This checklist covers the most important security measures every crypto user should implement.

Quick Security Checklist

  • Enable authenticator app-based 2FA (not SMS) on your exchange account
  • Use a unique, strong password for each exchange (use a password manager)
  • Set up a withdrawal address whitelist and enable the 24-hour lock
  • Enable anti-phishing codes in your email notifications
  • Verify the exchange URL before logging in (bookmark it, never click email links)
  • Store recovery codes for your 2FA app in a secure offline location
  • Use a dedicated email address for crypto accounts
  • Enable login notifications and review active sessions regularly
  • Never share your API keys; use read-only keys where possible
  • Withdraw large holdings to a hardware wallet for long-term storage

Two-Factor Authentication (2FA)

Two-factor authentication adds a second layer of security beyond your password. Even if someone obtains your password, they cannot access your account without the second factor.

Authenticator App vs. SMS 2FA

Authenticator app 2FA (Google Authenticator, Authy, Microsoft Authenticator) generates time-based one-time passwords (TOTP) from a secret stored on your device; each code is valid for a 30-second window before the next one replaces it. This method is significantly more secure than SMS because the codes are computed locally and never travel over the phone network.

SMS 2FA is vulnerable to SIM-swapping attacks, where a criminal convinces your mobile carrier to transfer your phone number to a SIM card they control. This gives them access to your SMS messages, including 2FA codes. Several high-profile crypto thefts have occurred via SIM-swapping.

Always use authenticator app 2FA when available. If an exchange only offers SMS 2FA, consider this a security limitation.
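To make the "time-based" part concrete, here is an added example (not code from the article or from any authenticator app) of how a TOTP code is derived and checked: HMAC-SHA1 over the current 30-second step counter, truncated to six digits, as specified in RFC 4226 and RFC 6238. The key shown is the public test key from RFC 6238, not a real secret; the function and parameter names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, timestamp: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of 30-second steps since the Unix epoch."""
    return hotp(key, int(timestamp) // step, digits)


def verify_totp(key: bytes, code: str, timestamp: float, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check. `window` neighbouring steps are accepted to absorb clock drift;
    the comparison is constant-time so response timing does not leak how many digits matched."""
    counter = int(timestamp) // step
    return any(
        hmac.compare_digest(hotp(key, c, digits), code)
        for c in range(counter - window, counter + window + 1)
    )


def key_from_base32(secret: str) -> bytes:
    """Authenticator apps receive the shared secret as base32 (the text shown under the QR code)."""
    cleaned = secret.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    # RFC 6238 test key (ASCII "12345678901234567890"). A real secret must come from a CSPRNG
    # and be shown to the user exactly once during enrolment.
    demo_key = b"12345678901234567890"
    print("current code:", totp(demo_key, time.time()))
```

The point to take from `verify_totp` is that the exchange only ever compares a code against a short window around the current time step; a code captured today is useless a minute later, which is why stealing the code in transit (the SMS failure mode) is much less valuable than it looks.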

Backup Codes

When setting up 2FA, you will receive backup codes. Store these codes securely offline (printed on paper or in an encrypted offline file). If you lose access to your authenticator app, these codes are the only way to recover your account.

Withdrawal Address Whitelisting

Most major exchanges offer a withdrawal address whitelist feature. When enabled, withdrawals can only be sent to pre-approved addresses. Adding a new address typically requires email confirmation and a 24–48 hour waiting period.

This feature is highly effective against account takeovers. Even if an attacker gains access to your account, they cannot immediately withdraw funds to their own address — the whitelist lock gives you time to detect and respond to the breach.

Enable this feature for all significant holdings.
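The value of the 24-hour lock is easiest to see as a small state machine. The following is an added example written for this article (it is not any exchange's code) that models a whitelist whose new entries become usable only after a lock period, then walks through the account-takeover case described above with constructed addresses and timestamps. Class and method names are this example's own.

```python
from dataclasses import dataclass, field

LOCK_SECONDS = 24 * 60 * 60   # the 24-hour lock from the checklist


@dataclass
class WhitelistEntry:
    address: str
    active_at: float          # withdrawals to this address are allowed only from this time on


@dataclass
class WithdrawalWhitelist:
    """Toy model of an exchange-side whitelist with a time lock (not any exchange's real code)."""
    enabled: bool = True
    entries: dict = field(default_factory=dict)

    def add_address(self, address: str, now: float) -> None:
        # A newly added address stays pending for LOCK_SECONDS. This is the moment the owner
        # gets the "new withdrawal address added" email and can cancel it during the window.
        self.entries[address] = WhitelistEntry(address, now + LOCK_SECONDS)

    def remove_address(self, address: str) -> None:
        self.entries.pop(address, None)

    def pending(self, now: float) -> list:
        return [e.address for e in self.entries.values() if now < e.active_at]

    def withdrawal_allowed(self, address: str, now: float) -> bool:
        if not self.enabled:
            return True            # no whitelist: any destination is accepted immediately
        entry = self.entries.get(address)
        return entry is not None and now >= entry.active_at


def takeover_scenario() -> dict:
    """Replay the account-takeover case from the text with constructed addresses and times."""
    wl = WithdrawalWhitelist()
    t0 = 1_700_000_000.0                                  # constructed start time
    owner_addr = "addr-owner-hardware-wallet"             # placeholder, not a real address
    wl.add_address(owner_addr, t0)
    result = {
        "owner_before_lock": wl.withdrawal_allowed(owner_addr, t0 + 3600),
        "owner_after_lock": wl.withdrawal_allowed(owner_addr, t0 + LOCK_SECONDS),
    }
    # A week later someone else logs in and adds a destination of their own.
    t_login = t0 + 7 * 24 * 3600
    intruder_addr = "addr-added-by-intruder"              # placeholder, not a real address
    wl.add_address(intruder_addr, t_login)
    result["intruder_immediate"] = wl.withdrawal_allowed(intruder_addr, t_login + 300)
    result["pending_at_login"] = wl.pending(t_login + 300)
    # The owner sees the notification inside the window and removes the entry.
    wl.remove_address(intruder_addr)
    result["intruder_after_removal"] = wl.withdrawal_allowed(intruder_addr, t_login + LOCK_SECONDS + 1)
    # Same sequence with the whitelist switched off: nothing stops the withdrawal.
    off = WithdrawalWhitelist(enabled=False)
    result["intruder_without_whitelist"] = off.withdrawal_allowed(intruder_addr, t_login + 300)
    return result


if __name__ == "__main__":
    for key, value in takeover_scenario().items():
        print(f"{key}: {value}")
```

Two things the model makes visible: the lock costs the legitimate owner one day of inconvenience per new address, and it turns an instant theft into a 24-hour race that the owner wins simply by reading the notification email and removing the pending entry.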

Phishing Protection

Phishing attacks — where criminals impersonate legitimate platforms to steal credentials — are the most common vector for crypto theft.

How to Identify Phishing Attempts

  • Check the URL carefully: Phishing sites often use domains that look similar to the real site (e.g., "binnance.com" or "byb1t.com"). Always verify the exact URL.
  • Bookmark legitimate sites: Navigate to exchanges via your bookmarks, never by clicking links in emails or messages.
  • Be suspicious of urgency: Phishing messages often create a false sense of urgency ("Your account will be suspended in 24 hours").
  • Verify email sender addresses: Check that emails come from the official domain, not a lookalike.
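The "check the URL carefully" and "bookmark legitimate sites" items can be turned into a mechanical check that runs before a link is opened. The following is an added example (not from the article) that compares a link's host against a bookmark list and flags the two lookalike patterns the list mentions: a typosquat within a couple of edits of a bookmarked name (binnance.com, byb1t.com) and a bookmarked name embedded in a longer hostname. The bookmark set is constructed for the example; `classify_url` and `levenshtein` are this example's own names, and the two-label `registered_domain` helper is a simplification that a production tool would replace with a public-suffix list.

```python
from urllib.parse import urlsplit

# Constructed bookmark list: the exact hosts this user has verified and bookmarked.
TRUSTED_HOSTS = {"binance.com", "bybit.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance between domain names is the classic typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of the host (fine for .com-style names; real code needs a public-suffix list)."""
    return ".".join(host.split(".")[-2:])


def classify_url(url: str, trusted: set = TRUSTED_HOSTS) -> str:
    """Return 'trusted', 'insecure', 'lookalike' or 'unknown' for a link before it is opened."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()   # .hostname drops any user:pass@ prefix and :port
    if not host:
        return "unknown"
    base = registered_domain(host)
    if base in trusted:
        if parts.scheme != "https":
            return "insecure"               # the right site, but not over TLS
        return "trusted"
    for good in trusted:
        brand = good.split(".")[0]
        if levenshtein(base, good) <= 2 or brand in host:
            return "lookalike"              # e.g. binnance.com, byb1t.com, binance.com.example
    return "unknown"


if __name__ == "__main__":
    for link in ("https://www.binance.com/login", "https://binnance.com/login",
                 "https://byb1t.com/", "https://binance.com.login.example/",
                 "http://binance.com/", "https://binance.com@other.example/"):
        print(f"{classify_url(link):10} {link}")
```

Note that the last sample in the demo resolves to `other.example`, not to the bookmarked host: the `user@host` form of a URL is exactly why the check uses `urlsplit(...).hostname` rather than looking for the brand name anywhere in the string. A "lookalike" or "unknown" verdict is a prompt to go through your bookmark instead of the link, not proof of phishing.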

Anti-Phishing Codes

Many exchanges allow you to set a personalised anti-phishing code. When enabled, every legitimate email from the exchange will include this code. If you receive an email without your code, it is not from the exchange.

Common scam: "Support" accounts on Telegram, Discord, and Twitter/X frequently impersonate exchange staff. Legitimate exchange support will never ask for your password, 2FA codes, or seed phrases. Never share these with anyone.

Password Security

Use a unique, randomly generated password for each exchange account. A password manager (such as Bitwarden, 1Password, or KeePass) makes this practical.

A strong password should be at least 16 characters and include a mix of uppercase, lowercase, numbers, and symbols. Avoid using personal information, dictionary words, or reusing passwords across services.

API Key Security

If you use trading bots or third-party tools that require API access to your exchange account:

  • Create API keys with the minimum permissions required (read-only if possible).
  • Never grant withdrawal permissions to API keys used by third-party software.
  • Restrict API keys to specific IP addresses where the service supports it.
  • Regularly review and revoke API keys that are no longer in use.
  • Never share API keys in screenshots, messages, or public forums.

Hardware Wallets for Long-Term Storage

For cryptocurrency you do not intend to trade actively, consider moving it to a hardware wallet (cold storage). Hardware wallets keep your private keys on a dedicated offline device and sign transactions there, so a compromised computer or phone cannot extract the keys.

The general principle: keep only the funds you need for active trading on exchanges. Store long-term holdings in cold storage.

When setting up a hardware wallet, write down your seed phrase (recovery phrase) and store it securely offline — never digitally. This seed phrase is the master key to your funds.

Monitoring and Incident Response

Enable login notifications on all your exchange accounts so you are alerted to any new logins. Regularly review your account's active sessions and API keys. If you notice any suspicious activity:

  1. Immediately change your password.
  2. Revoke all active sessions.
  3. Disable and re-enable 2FA.
  4. Contact the exchange's support team.
  5. Move funds to a new wallet address if you suspect key compromise.