Imagine this: you’re working your 9-5, you’re slaving away at your desk for weeks, you’ve done this months, years on end. Then in 2017, you heard about crypto from a friend but you didn’t jump on the chance. You watched the markets climb to the heavens and then climb some more, only to eventually fall back to earth. “Next time,” you told yourself. Well, next time came around and you created your account, funded it with all of your hard-earned money, and you’re finally ready to make your retirement fund in crypto earnings. But then you wake up to an email confirming a password change on your account…
The bottom of your stomach falls out as you frantically scramble to your laptop and try to log in to your exchange. You’re locked out, your money is gone. It wasn’t market volatility that got you, it was carelessness, and as you spend your morning in bed mourning your financial loss you spool over all of your mistakes: a weak password, linking two-factor authentication to your phone number, using the same password for your exchange and email, and more. These mistakes are as common as they are costly, but that doesn’t mean you have to fall victim to them. We’re here to educate you, and together we will create a secure plan to protect you from a variety of attacks.
Picking a safe exchange
There’s no question here, the safest exchange is, oddly enough, not keeping your money on an exchange at all. This cannot be stressed enough; always move your crypto to a hard, cold storage wallet whenever possible. But we get it, that takes time, effort, and know-how, and it also puts you in a position of decreased liquidity during quick market shifts. Although cold storage is your absolute best bet, we are all guilty of keeping money on exchanges. So, since you are going to do it anyway you might as well be keeping it on the most secure exchanges out there.
In 2018, roughly 4.5 million dollars on average was stolen per day from the crypto economy, and roughly $950 million of $1.7 billion stolen in 2018 came from exchanges. This number isn’t brought to your attention to strike fear into your heart (don’t worry, that comes later), instead it’s brought up to raise awareness about one simple fact: crypto theft is real and growing. With this in mind, and with exchanges forever increasing their security, where will hackers turn to next? Users. We are the obvious weak link, since people are objectively terrible at making passwords and keeping their data secure.
There are many exchanges on the market to choose from, and all of them share a common set of security options while some go the extra mile to ensure their users are practising safe sessions. Let’s take a look at some popular exchanges and do a bit of comparing and contrasting to see what the best fit for you is.
Looking at CoinMarketCap’s ranking of exchanges by trade volume, let’s examine the number one, five, and ten spots to see what types of security there is across the board. By pulling a selection of different exchanges we can really get a feel for who’s doing what in respect to their trading volume. Binance is the largest trading volume exchange, followed by HitBTC at number 5 and BW at number 10.
When you investigate what each of the exchanges are doing to protect its customers, and help them protect themselves, it becomes obvious why BW ranked lower in volume than the other two. In a blog post by BW, they emphasize their partnerships with crypto security expert companies, but never mention anything besides two-factor authentication for their users to take advantage of. As Verge pointed out years ago, 2FA is a mess, especially when it uses SMS to a phone number to verify the code. So when it comes to security, BW is already out of the race, unfortunately. This isn’t to say that BW isn’t inherently unsafe to use, of course, but it is rather a remark to the fact that it could be far safer if they implemented some of the following features that their competitors have:
Whitelisting Withdrawal Accounts: This feature, which is found on both HitBTC and Binance, allows users to specify what addresses funds can be withdrawn to, blocking all withdraws that don’t match the whitelisted accounts. Each of these exchanges handles it a bit differently, but HitBTC definitely takes it more seriously. On Binance, you can use 2FA to add/remove and turn on/off your whitelisting features. This is great, except when a hacker has gotten a hold of your 2FA credentials. HitBTC goes a step further by putting a time delay on their whitelisting, so whenever it is turned off there is a 48 hour period during which no withdrawals can be made. Both exchanges send emails to users when any whitelist actions are taken, but the time delay that HitBTC implements is a necessary extra step.
Device Lists: Being able to see who has been accessing your account can help you sniff out suspicious activity, and a log indicating this is kept on both exchanges. Binance allows you to review specific login activity and remove accounts one at a time if you feel something fishy is going on. HitBTC has a similar feature and has also included a “Terminate All Sessions” button, which immediately clears every other active login and session at once. This is a great tool when you’ve changed your password and want to reset every device that may have had a saved login stored or may be actively logged in.
Strong Password: This is a no-brainer, people. Please, please, please stop using your birthday, your pet’s name, your mother-in-law’s nickname, or any other easily obtainable information as a password. You’d be surprised what can be found with a simple Google search these days (past addresses, friends, family, birthdays/anniversaries/memorable dates, etc). Randomly generated, painful to actually type in, secure passwords are a must. No words! (Seriously, stop using words, you aren’t clever when you Wr1t3 y0uR p4sSw0rD l1k3 tH1$.)
Enhanced Verification: This feature, which is offered by both exchanges, allows users to take extra steps to verify their accounts through KYC procedures. Not only does it increase the amounts and ease of trading, but it also gives you enhanced security options when it comes to recovering and protecting your account. The bottom line is that verified users receive priority support when they have a problem, which can make a crucial difference when you fear your account may be compromised.
Email Notifications of New IP Logins: This one is an HitBTC creation, and although email notifications can be compromised if hackers got a hold of your email, it is still nice to receive an update when new logins are happening in weird locations.
Automatic Logout: This is such a simple thing that HitBTC implements, but it makes such a big difference. Heck, even the public library has this feature on their computers, so why don’t more exchanges implement it? You can set your session time limit, and after a certain period of no activity you’ll automatically be logged out. Do you keep your exchange open all day in a different tab to track prices? Set the timer longer. Do you have kids who use your computer randomly while you’re in the bathroom? Set that timer as low as possible, trust us, or “you” may end up buying a ton of DOGE coins because the picture is cute.
As you’d expect, two exchanges that are both in the top five trading volume have similar security features, but the small things like automatic logout, email notifications, and time-lockouts for whitelisting accounts put HitBTC a bit further ahead on the security scale than Binance. It should also be noted that Binance was hacked in May of this year, losing over $40 million through a “variety of techniques, including phishing, viruses and other attacks,” according to Binance CEO Zhao Changpeng. The exchange was able to use their Safe Asset Funds to ensure no customers lost money, but it definitely hurt them.
HitBTC has never suffered such an attack, the closest thing would be when they purposely froze accounts in 2015 to protect their customers after Bter, a different exchange, was hacked.
Even with Binance’s hack and HitBTC’s one security freeze, both of these platforms are miles ahead of BW. Seriously BW, get your act together!
Exchanges can’t save you from everything
I don’t want to be a fear monger, but I feel that this is an important topic to cover. Exchanges CANNOT save you from everything, no matter how extensive their security features are. Humans are inherently stupid, it seems, which is why social engineering hacks still work all the time. Listen, this should be common sense but people keep falling for it, so we have to keep writing about it. NEVER give out your password to anyone… EVER! It doesn’t matter how legit their Twitter handle looks, Vitalik Buterin DOES NOT want your password. NEVER log in to your exchange unless you triple, no… quadruple check the URL.
Look, the bottom line is that if a hacker gets a hold of your crypto, it’ll make like Houdini and disappear. Poof, it’s gone! Unless the hacker hacked the exchange itself and not your account, your crypto is never coming back. Exchanges that implement security features, like those presented by HitBTC and Binance are great, but they can only fight so much of the battle for you. So here’s the deal, educate yourself and learn how to fight the rest of the security battle, or you’ll be doomed to never having crypto again.