Exchange Security ยท 2FA ยท Account Protection

How to Secure Your Crypto Exchange Account (Coinbase, Binance, Kraken)

Your exchange account probably has weaker security than your bank account, with far less fraud protection. Most people find this out the hard way.

Most exchange account compromises don't happen because Coinbase or Binance got hacked. They happen because the attacker got into your account specifically โ€” through a SIM swap on your phone number, a phishing site that captured your login credentials and 2FA code, or an API key you created for a trading bot that got stolen.

The exchange did its job. Your account security didn't. And unlike a bank, most exchanges have no obligation to return funds lost through account compromise.

Replace SMS 2FA with an authenticator app

If your exchange account uses SMS for two-factor authentication, change it now. SMS 2FA is vulnerable to SIM swapping โ€” an attacker convinces your carrier to transfer your number to their SIM, then uses the SMS codes to log into your accounts.

Switch to an authenticator app (Google Authenticator, Authy, or 1Password TOTP). These generate codes locally on your device that never go through your carrier. SIM swaps don't affect them.

If your exchange supports hardware security keys (most major ones now do), those are the strongest option. A YubiKey or similar device can't be phished โ€” it verifies the domain before signing, so even if you land on a fake Coinbase site, the key refuses.

Withdrawal address whitelisting

Most major exchanges offer withdrawal address whitelisting โ€” a setting where withdrawals can only go to pre-approved addresses. New addresses require email confirmation and a 24โ€“48 hour delay before they can receive funds.

Turn this on. Even if an attacker gets into your account, they can't immediately move funds โ€” they'd need access to your email too, and the delay gives you time to notice and respond.

API keys: the silent risk

API keys let trading bots and portfolio trackers interact with your account. Keys with withdrawal permissions are a serious risk โ€” if they're stolen or the third-party service is compromised, funds can be moved without triggering your normal 2FA.

  • โ€ขNever grant withdrawal permissions to an API key unless you have an extremely specific reason
  • โ€ขSet IP restrictions on API keys so they only work from your server's IP
  • โ€ขAudit active API keys periodically and delete any you no longer use
  • โ€ขIf a trading service asks for withdrawal permissions, that's a red flag โ€” legitimate bots only need trading permissions

Use a dedicated email address

Your exchange account is only as secure as the email address attached to it. If that email is compromised, account recovery can bypass everything else. Use a dedicated email address for your exchange accounts โ€” one that you don't use for anything else, don't share, and don't sign up for services with.

Also enable 2FA on that email account itself. An exchange account protected by a 2FA app is only secure if the email recovery path is equally protected.

Frequently asked questions

What is a SIM swap attack?

An attacker convinces your mobile carrier to transfer your number to their SIM. They then receive all your SMS codes and can log into exchange accounts that use SMS 2FA. Switching to an authenticator app eliminates this risk.

Should I use an authenticator app or hardware key?

Both are much better than SMS. A hardware key (YubiKey) is strongest โ€” it verifies the domain before signing, so phishing sites can't capture your credentials. An authenticator app is excellent and practical for most people.

Is it safer to hold on an exchange or in a wallet?

Different tradeoffs. Exchange: they hold keys, there's a support line, but you trust their security. Self-custody: you control keys, but losses are permanent. Long-term holdings belong in self-custody hardware wallets; active trading stays on exchanges with maximum security settings.

For everything outside the exchange

When you move to DeFi and self-custody wallets, GuardianAI explains every MetaMask transaction before you sign it โ€” keeping you safe from the approval-based attacks that exchanges can't protect against. Free Chrome extension.

Get GuardianAI โ€” It's Free