There has been a rise in phishing attacks recently. Here I will share some tips about how to better secure your account.
Phishing is one of the simplest, oldest and hardest-to-eliminate attacks out there. All the attacker has to do is send emails. There are a few ways to guard against it, though:
Unique Email Addresses
Use a unique email address for Binance.com, and for every other site you use. You could manually create a new email address each time and set up forwarding to your main email account. Or you could buy a random domain name and create a catch-all email address for that domain. This costs less than 10 BNB a year (as of this writing). This way, unless you received the email through email@example.com, you know it was not sent by Binance. In fact, sometimes this will let you know which site leaked your email address. If you receive an unsolicited email at exchangeA@yourrandomdomain.com, then you know exchange A has leaked your info or has been compromised. You should stop using that exchange immediately and tell your friends to do so as well.
Keep your email address secret. Don't tell people about your unique email address. They don't need to know it. For this reason, never use a QQ email for any crypto exchange. Your QQ email address is known to be firstname.lastname@example.org. And if you happen to be in any crypto related QQ group, then it’s pretty easy for phishing sites to spam you with bait.
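One way to turn the per-site alias idea into an automatic check, as an added example that is not from the original post: each alias is only ever given to one site, so any mail arriving at that alias from a different sender domain is either a leak or a phish. The alias map, the `yourrandomdomain.com` catch-all domain and the sample messages are constructed placeholders.

```python
"""Flag mail that reaches a per-site alias from a sender domain the alias was never given to."""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical map you maintain yourself: alias -> the only domain that should ever mail it.
ALIAS_OWNERS = {
    "exchangea@yourrandomdomain.com": "exchange-a.example",
    "exchangeb@yourrandomdomain.com": "exchange-b.example",
}

def sender_domain(addr: str) -> str:
    """Return the lowercase domain of an address such as 'Name <user@host>' ('' if none)."""
    _, bare = parseaddr(addr)
    return bare.rsplit("@", 1)[-1].lower() if "@" in bare else ""

def check_message(raw: str) -> dict:
    """Classify one raw RFC 822 message by comparing the To alias with the From domain."""
    msg = message_from_string(raw)
    _, to_addr = parseaddr(msg.get("To", ""))
    to_addr = to_addr.lower()
    from_dom = sender_domain(msg.get("From", ""))
    owner = ALIAS_OWNERS.get(to_addr)
    if owner is None:
        verdict = "unknown-alias"      # an alias you never created: catch-all noise or guessing
    elif from_dom == owner or from_dom.endswith("." + owner):
        verdict = "expected"           # the site the alias belongs to (or one of its subdomains)
    else:
        verdict = "leaked-or-phish"    # the alias only ever went to `owner`, yet someone else has it
    return {"to": to_addr, "from_domain": from_dom, "owner": owner, "verdict": verdict}

# Constructed sample messages, not real mail.
SAMPLES = [
    "From: Exchange A <noreply@mail.exchange-a.example>\nTo: exchangea@yourrandomdomain.com\n"
    "Subject: Withdrawal confirmation\n\nbody\n",
    "From: Support <security@exchange-a-login.example>\nTo: exchangea@yourrandomdomain.com\n"
    "Subject: Verify your account\n\nbody\n",
    "From: Promo <news@exchange-b.example>\nTo: random@yourrandomdomain.com\n"
    "Subject: Hi\n\nbody\n",
]

def triage(messages=SAMPLES) -> list:
    """Run the check over a batch of raw messages and return one verdict dict per message."""
    return [check_message(m) for m in messages]

if __name__ == "__main__":
    for result in triage():
        print(result["verdict"], result["to"], "<-", result["from_domain"])
```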
Don’t Click Links in Emails
In general, don’t click links in emails. If you have to, say the email contains a verification link, check the domain name carefully in your browser after you click the link. Verification links are safer due to the timing. You probably just submitted a form online. If not, be very careful. Always close the browser after you open the verification link. Close the browser fully, not just the tab, then start a new one. Go to the link from a bookmark or just type in the domain. Never enter any password after following a link from an email (or instant message), even a verification email.
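The "check the domain name carefully" step, written out as an added example (not code from the original post) so the common tricks are rejected mechanically: a trusted name used as a subdomain of another domain, a trusted name placed before an `@`, plain http, and look-alike hosts in other scripts. The allowlist and the sample links are constructed placeholders; `binance.com` is the domain the post talks about.

```python
"""Decide whether a link from an email points at a domain you actually bookmarked."""
from urllib.parse import urlsplit

# Placeholder allowlist: the domains you reach from a bookmark, nothing else.
TRUSTED = {"binance.com"}

def link_verdict(url: str, trusted=TRUSTED) -> str:
    """Return 'ok' or a 'reject: <reason>' string for a single link."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return "reject: not https"
    if "@" in parts.netloc:
        # https://binance.com@evil.example/ : everything before '@' is userinfo, the host comes after
        return "reject: credentials in URL"
    host = parts.hostname or ""          # hostname is lowercased and stripped of port/userinfo
    if not host.isascii():
        return "reject: non-ascii host"  # look-alike letters from another script
    if any(label.startswith("xn--") for label in host.split(".")):
        return "reject: punycode host"   # the same trick, already IDNA-encoded
    for t in trusted:
        # exact match or a subdomain of a trusted domain; 'binance.com.evil.example' fails both
        if host == t or host.endswith("." + t):
            return "ok"
    return "reject: untrusted host " + host

# Constructed sample links in the shapes phishing mail commonly uses (.example is reserved).
SAMPLE_LINKS = [
    "https://www.binance.com/en/verify?token=abc",
    "https://binance.com.account-verify.example/login",
    "https://binance.com@evil.example/login",
    "http://binance.com/login",
    "https://xn--bnance-placeholder.example/",
    "https://secure-binance.example/",
]

def triage_links(links=SAMPLE_LINKS) -> dict:
    """Map every link to its verdict."""
    return {u: link_verdict(u) for u in links}

if __name__ == "__main__":
    for url, verdict in triage_links().items():
        print(verdict.ljust(48), url)
```

Even when a link passes this check, the post's rule still stands: open it, close the browser, and log in from a bookmark, never through the link.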
Don’t Open Attachments
Don’t open email attachments. If you must, make sure you have good antivirus software running.
Subscribe to good antivirus software. Compared to losing coins, the small fee is very cheap. Keep it up to date.
Use Unique Passwords
Always use a unique password for Binance and every other website you use. Never use the same password twice. Why? The answer should be obvious, right? If another site gets hacked or has lower security standards, you don't want your Binance account to be at risk.
If you have trouble remembering many unique passwords, then use a password manager. If you want an easy option, use LastPass. It has browser plugins, which make it convenient. It's not open-source though. If you want peace of mind on that, then go for KeePass or other open-source choices.
Don't Tell Anyone Your Password
Binance staff never need to know your password. Your friends and family do not need to know either. In fact, if any site operator requires your password, you should stop using that site. No system should be designed that way.
Sending to Yourself
Because you have chosen a hard password, if you need to send it to yourself (to your phone, for example), don't send it in clear text. If you use LastPass, they have a mobile app, so you don't need to send anything. If you use KeePass, then you should send it using a secure channel. WhatsApp comes in handy here: save your own number as a contact, then you can send secure messages to yourself. Remember to delete the message after you have used the password. This should be sufficient for normal use. If you want to be more secure, you should PGP-encrypt the password, send it, and decrypt it at the destination. I won’t get into the details of PGP in this article, but PGP is definitely worth learning. The world tomorrow is going to be a heavily encrypted one. Better to learn sooner than later.
Enable 2FA
If you don’t know what 2FA (two-factor authentication) is, google it. Then use it on Binance.
Secure Your Email Account
Use a secure email provider. Gmail is pretty good, although it does not have built-in encryption. You should use PGP on top of it if you can manage it. If you don’t want to deal with PGP, Protonmail seems to be popular these days.
Don’t use emails that only provide non-encrypted access. I am surprised some email services in China still don’t offer secure options. Don't use them.
Again, enable 2FA for your email account(s), and don’t give your password to anyone.
Secure Your Phone
You need to protect your phone. It probably has full access to your email, the Binance App and your 2FA codes. Do not jailbreak your phone. The default phone OS has some security measures built in, and you don’t want to break them. Enable fingerprint and passcode lock. If you use an iPhone, enable remote erase from your Apple account, in case you lose the phone. If you use Android, don’t store sensitive info on SD cards. Again, don't share your phone passcodes with anyone, including your kids and spouse. How you manage that is your issue; I won't get into that either. :)
Secure Your Computer
Don’t install too much software on your computer. Antivirus software is not 100% bulletproof. For a hacker, nothing beats the convenience of a trojan horse on your computer calling home to his master. For you, it’s one of the worst scenarios.
Be careful about browser plugins as well. Only install the well-known ones. Don’t install anything that’s new on the market. There have been many cases of plugins stealing passwords, private keys, or replacing the receiving address for the crypto transaction you are about to send.
I recommend using a dedicated computer: install Linux on it, the Chrome browser, a password manager plugin, and nothing else. Be sure to turn on the encrypt-entire-disk option during install, and turn on the firewall right afterwards. "sudo ufw enable" on Ubuntu should do the trick for most people. Use this computer for crypto trading, and that’s it. You probably could use this computer for hot wallets as well, if your crypto funds are not too large. This computer still does not meet "cold storage" requirements, though, so don't store too many coins on it. Cold storage requires higher security and is a different, long topic.
If you have to use Mac or Windows, that’s ok too. Just follow the same rough guidelines, and don’t install too much stuff on it. I haven't used Windows for a few years now, and don't know it in detail anymore.
WiFi is a security weak point. There are just too many variables. Older routers use weak encryption methods that are no longer secure. Many have default admin passwords that are extremely easy to guess. The WiFi password is often shared with guests, and if one person has a password-sharing app on their phone, then there could be millions of people with access to your WiFi, including a hacker sitting outside your window sniffing all your traffic. The list is endless. I recommend always using a wired connection if possible. If you have to use WiFi, especially an open one like the one in Starbucks, route all your traffic through a VPN.
Lastly, security is a cat-and-mouse game. You have to continuously upgrade your defenses to stay secure. There is also no 100% security. If Earth gets destroyed by a comet, the above measures may not be sufficient to save your account. This is by no means a complete or exhaustive list. But if you do all of the above, your Binance trading account should be relatively secure.
If you think this article helps, please help spread the word. The more people become security conscious, the safer our community will be.