Updated: 2025-02-24 Original: 2020-02-25
The lack of security awareness among crypto users is painful to watch. It’s equally painful to see experts recommend advanced setups that are hard to follow and easy to screw up.
Security is a broad topic. I am by no means an expert, but I have witnessed many of the security issues. I will try my best to use layman’s terms to explain:
- Why and how you may, or may not, want to store coins yourself
- Why and how you may, or may not, want to store coins on a centralized exchange
First, nothing is 100% secure. Software has bugs, and people can be socially engineered. The real question is, is it “safe enough?”
If you store $200 in your wallet, you probably don’t need ultra-high security. A mobile wallet will do. If you store your life’s savings, you want stronger security.
To secure your coins, you just need to do the following 3 things:
1. Prevent others from stealing them.
2. Prevent yourself from losing them.
3. Have a way to pass them to your loved ones in the event that you become unavailable.
Simple, right?
Why You May Or May Not Want To Store Coins Yourself
Your keys, your funds. Or are they?
Many crypto experts swear that crypto is only safe if you hold it yourself, never considering how technical you are. Is this really the best advice for you?
A bitcoin private key looks like this: KxBacM22hLi3o8W8nQFk6gpWZ6c3C2N9VAr1e3buYGpBVNZaft2p
That’s it. Whoever has a copy of it can move any bitcoins held at the corresponding address.
To secure your crypto, you need to:
1. Prevent others from obtaining (a copy of) your private keys: keep hackers out, and keep your computers away from viruses, the internet, etc.
2. Prevent yourself from losing your private keys: keep backups against lost or damaged devices, and secure those backups.
3. Have a way to pass your private keys to your loved ones in the event of your death. It’s not a pleasant scenario to consider, but as responsible adults we owe it to our loved ones to manage that risk.
Prevent Hackers
You have heard about hackers. They use viruses, trojan horses, and other malware. You don’t want any of these near your devices.
To achieve that with a decent degree of confidence, your crypto wallet device should never connect to the internet. And you should never download any files to that device. So, how do you use a device like that?
Let’s talk about the different devices you could use.
A computer is an obvious choice, and often the most versatile in terms of coins supported. You should never connect that computer to the internet, or any network at all. If you connect it to a network, a hacker could get into your device by exploiting a bug in the Operating System or some software you use. Software is never bug-free.
So, how do you install software? You use a USB stick. Make sure it is clean: use at least 3 different anti-virus products to scan the hell out of it. Download the software (OS and wallet) you wish to install to the USB stick. Wait for 72 hours, then check the news to make sure the website or the software has not been compromised. There have been cases where official websites got hacked and the download package was replaced with a Trojan horse. Before you install anything, also verify each download against the checksums and signature the developers publish, using a signing key you obtained through a separate channel; a package that fails that check is not the package the developers released, whatever the news says. You should only download software from official sites. You should only use open-source software, to reduce the chances of back-doors. Even if you are not a coder yourself, open-source software is looked at by other coders and has a lower chance of containing back doors. This means you should use a stable version of Linux (not Windows or Mac) for your operating system, and only use open-source wallet software.
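As an added example (not from the article), here is a small Python checker for the download step: it parses a sha256sum-style SHA256SUMS manifest and compares each listed file against it, using constructed files and a constructed manifest in a temporary directory. It checks integrity only; authenticating the manifest itself (gpg --verify of the developers' signature with a key you fetched separately) is a separate step that this block does not perform.

```python
"""Verify downloaded files against a SHA256SUMS-style manifest.

Added example, not from the original article. It checks only that each file
matches the checksum you obtained; verifying that the manifest itself is
authentic (gpg --verify on the developers' signature, with a key fetched
through a separate channel) is a separate step.
"""
import hashlib
import hmac
import os
import tempfile


def parse_manifest(text: str) -> dict[str, str]:
    """Parse `sha256sum` output lines: "<64 hex chars>  <filename>".

    A malformed line raises instead of being skipped, so a damaged manifest
    never silently turns into "file not checked".
    """
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line {lineno}: {line!r}")
        digest, name = parts
        # a leading '*' marks binary mode in sha256sum output; it is not part of the name
        expected[name.lstrip("*")] = digest.lower()
    return expected


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(manifest_text: str, directory: str) -> dict[str, str]:
    """Return {filename: "ok" | "MISMATCH" | "missing"} for every manifest entry."""
    results = {}
    for name, digest in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        actual = sha256_file(path)
        # constant-time comparison; not strictly needed for a local check, but a good habit
        results[name] = "ok" if hmac.compare_digest(actual, digest) else "MISMATCH"
    return results


def demo() -> dict[str, str]:
    """Constructed scenario: one intact file, one swapped for a different build, one absent."""
    with tempfile.TemporaryDirectory() as d:
        good = b"wallet-1.0.0 genuine release\n"   # constructed stand-in for a real package
        bad = b"wallet-1.0.0 trojaned build\n"     # constructed stand-in for a swapped package
        with open(os.path.join(d, "wallet-1.0.0.tar.gz"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "wallet-1.0.0.AppImage"), "wb") as f:
            f.write(bad)   # the manifest still lists the genuine hash for this name
        manifest = (
            f"{hashlib.sha256(good).hexdigest()}  wallet-1.0.0.tar.gz\n"
            f"{hashlib.sha256(good).hexdigest()}  wallet-1.0.0.AppImage\n"
            f"{'0' * 64}  wallet-1.0.0.dmg\n"
        )
        return verify_downloads(manifest, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

The swapped file is the case the paragraph describes: the file name and the manifest look right, only the bytes differ, and the hash is what exposes that.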
Once everything is installed, you use a clean USB stick to sign your transactions offline. This process varies by wallet and is outside the scope of this article. Aside from Bitcoin, many coins don’t have wallets that can do offline signing.
You need to ensure the physical security of the device. If someone steals it from you, they could access it physically. Make sure your disk is strongly encrypted so that even if someone gets a hold of it, they will not be able to read it. Different operating systems offer different encryption tools. Again, a disk encryption tutorial is out of the scope of this article; there are plenty of those online.
If you can do the above well, you can do your own secure backup and don’t need to read the rest of this article. If the above doesn’t sound like your cup of tea, then there are other options.
You could use a mobile phone. A non-rooted phone is generally more secure than a computer, due to the sandbox design of mobile operating systems. For most people, I recommend using an iPhone. If you are more technical, I recommend an Android phone with GrapheneOS. Again, you should use one phone just for your wallet, and not mix that with your everyday usage phone. You should only install the wallet software, and nothing else. You should keep the phone in airplane mode at all times except when using the wallet for transfers. I also recommend using a separate SIM card for the phone, and only using 5G to connect to the internet. Never connect to any WiFi. Connect to the internet only when you are using the phone for signing transactions and software updates. This is generally fine if you don’t hold super big amounts in your wallet.
A few mobile wallets offer offline signing of transactions (via QR code scanning), so that you can keep your phone completely offline from the moment you finish installing the wallet App, before you generate your private keys. This way, your private keys are never on a phone that’s connected to the internet. This protects you even if a wallet App has a backdoor that sends data back to the developer, which has happened to multiple wallet Apps in the past, even official versions. The trade-off is that you won’t be able to update your wallet App or OS. To do a software update, you use another phone: install the new version of the App on it, put it into airplane mode, generate a new address, back it up (see later), and then send the funds to the new phone. Not so user-friendly. Also, these wallets support a limited number of coins/blockchains.
These wallet Apps usually do not support staking, yield farming, or aping meme coins. If you are into those, you will have to sacrifice security a bit.
You need to ensure the physical security of your phone.
Hardware Wallets
You could use a hardware wallet. These devices are designed so that your private keys “never” leave the device, so your computer won’t have a copy of them. (Update as of 2025: newer Ledger firmware can, if you opt into the Ledger Recover service, encrypt your seed, split it into shares and send them to third-party servers for backup. So “never” now depends on a firmware option rather than on the hardware, and the original guarantee no longer holds unconditionally.)
Hardware wallets have had reported bugs in their firmware, companion software, etc. All hardware wallets require interaction with software running on a computer (or mobile phone) to work, so you still want to make sure your computer is virus-free. There are viruses that switch the destination address to the hacker’s address at the last minute, etc. So, do verify the destination address on the device’s own screen carefully; that screen is the one display malware on your computer cannot rewrite.
Hardware wallets prevent many basic types of exploits and are still a good choice if you wish to store coins independently. However, the weakest part of hardware wallets is often how you store the backups, which we will discuss in the next section.
Protect Against Yourself
You could lose the device or it could get damaged. So, you need backups.
There are many methods here too. Each has pros and cons. Fundamentally, you want to achieve multiple backups, in different geographic locations, that other people can’t see (encrypted).
You could write it down on a piece of paper. Wallets that use seed phrases advise this, as it is relatively easy to write down 12 or 24 English words. With raw private keys you could easily make a copying mistake. Paper can also be lost among other pieces of paper, damaged in a fire or flood, or chewed by your dog. Anyone can read paper: there is no encryption.
Some people use bank vaults to store paper backups. I generally don’t recommend this option for the above reasons.
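An added example, not from the article, of why a wallet will refuse a mistyped key rather than quietly importing the wrong one: Bitcoin WIF keys like the `Kx...` example earlier are Base58Check-encoded, which ends in a 4-byte checksum. The Python below encodes a constructed (not real) private key, then corrupts one character the way a paper backup might be miscopied, and shows the checksum catching it.

```python
"""Catch transcription errors in a Bitcoin WIF private key.

Added example, not from the article. A WIF key is Base58Check: version byte,
32-byte key, optional 0x01 compression flag, then the first 4 bytes of
SHA256(SHA256(everything before)). A single miscopied character fails the
check with probability about 1 - 2^-32. The private key used below is a
constructed test value, not a real key.
"""
import hashlib

ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
WIF_VERSION = 0x80   # mainnet private-key prefix


def _dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = bytearray()
    while n:
        n, rem = divmod(n, 58)
        out.append(ALPHABET[rem])
    # each leading zero byte is encoded as a leading '1'
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return (ALPHABET[:1] * pad + out[::-1]).decode()


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s.encode():
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {chr(ch)!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def encode_wif(privkey: bytes, compressed: bool = True) -> str:
    if len(privkey) != 32:
        raise ValueError("private key must be 32 bytes")
    payload = bytes([WIF_VERSION]) + privkey + (b"\x01" if compressed else b"")
    return b58encode(payload + _dsha256(payload)[:4])


def decode_wif(wif: str) -> bytes:
    """Return the 32-byte private key, or raise ValueError if the checksum fails."""
    raw = b58decode(wif)
    payload, checksum = raw[:-4], raw[-4:]
    if _dsha256(payload)[:4] != checksum:
        raise ValueError("checksum mismatch: the key was copied incorrectly")
    if not payload or payload[0] != WIF_VERSION or len(payload) not in (33, 34):
        raise ValueError("not a mainnet WIF key")
    return payload[1:33]


def is_valid_wif(wif: str) -> bool:
    try:
        decode_wif(wif)
        return True
    except ValueError:
        return False


def demo_typo() -> tuple[bool, bool]:
    """(original valid?, one-character typo valid?) for a constructed key."""
    key = bytes.fromhex("11" * 32)   # constructed test value, not a real key
    wif = encode_wif(key)
    # replace one character, as a hand-copied backup might
    typo = wif[:10] + ("a" if wif[10] != "a" else "b") + wif[11:]
    return is_valid_wif(wif), is_valid_wif(typo)


if __name__ == "__main__":
    original_ok, typo_ok = demo_typo()
    print("original key passes checksum:", original_ok)
    print("miscopied key passes checksum:", typo_ok)
```

The checksum only tells you the copy is wrong; it cannot tell you which character, so a backup that fails this check is simply unusable, which is the argument for keeping more than one copy.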
Don’t take a picture of the paper (or a screenshot), have it synced to the cloud, and think it is safely backed up. If a hacker hacks your email account or computer, they will find it easily. The cloud provider has many employees who could view it.
There are metal tags explicitly designed to store a backup of seeds. These are supposed to be nearly indestructible, which mostly solves the problem of damage in a fire or flood. But it doesn’t solve the problems of being lost or being read by others. Again, some people store these in bank vaults, usually together with their gold or other metals. If you use this approach, you should understand the risks.
I recommend using at least 3 USB sticks. This requires more technical setup, which brings back the designed-for-experts problem I complained about at the start, but it is the approach that covers all three requirements.
There are shock, water, fire, and magnetic-resistant USB sticks. You could store encrypted versions of your private key backup on multiple of these USB sticks and in multiple locations (friends or relatives). This addresses all the requirements at the beginning of this section: multiple locations, not easily damaged or lost, and not easily readable by others.
The key here is strong encryption, and a passphrase that is long, that you can reproduce years later, and that is not stored anywhere near the sticks; the encryption is only as strong as the passphrase protecting it. Many tools are available for this, and they evolve over time. VeraCrypt is an entry-level tool that provides a decent level of encryption. Do your own research and find the most up-to-date encryption tools for yourself.
Take Care of Your Loved Ones
We don’t live forever. An inheritance plan is needed. In fact, crypto makes it easy for you to pass on your wealth to your heirs with less 3rd party intervention.
Again, there are a few ways to do this.
If you use the low-security approach of paper wallets or metal tags, you could simply share it with them. This has some potential drawbacks, of course. They may lack the proper means to hold or secure a copy of the backups, if they are young or non-technical. If they screw up on security, a hacker could easily steal your funds through them. Also, they could take your money away any time they wish. You may or may not want this, depending on your trust relationship with them.
I strongly advise against sharing keys between people, no matter the relationship. If the funds are stolen, it’s impossible to determine who moved them or who was hacked. It’s messy.
You could leave your paper wallet or metal tags in a bank vault or with a lawyer. But, as mentioned above, if any of the people involved get a copy of the keys, they can move the funds without much trace. This is different from lawyers having to go through a bank to move your bank account balance to your heirs.
If you use the USB stick approach mentioned above, there are ways to pass on your wealth more safely. Again, this requires a bit more setup.
There are online services called dead man’s switches. They ping/email you once in a while (say, monthly). You have to click a link or log in to respond. If you don’t respond over a certain period of time, they assume you are a “dead man” and send any number of emails to your pre-specified recipients. I will not endorse or vouch for any of the services; you should google them and test them out for yourself. In fact, Google itself offers a dead man’s switch: deep in Google’s account settings, the Inactive Account Manager lets someone you name gain access to your account if you don’t use it for a period you choose (3 months is the shortest). Personally, I have not tested it and can’t vouch for it. Do your own testing.
If you are thinking, “Oh great, I just put the private keys in the emails to my kids,” please reread this article from the beginning.
You may be thinking, "I could put the passwords I used to encrypt the USB sticks in those emails; this way, my kid or spouse can unlock them." This is getting closer, but it's still not good. You should not leave the passwords to your backups on a server on the Internet. It significantly weakens the security of your backups/funds.
If you are thinking, I could scramble/encrypt the emails that contain the passwords to the USB sticks with another password that I share with my loved ones, then you are on the right track. In fact, you don’t need the 2nd password.
There is an old, time-tested email encryption tool called PGP (or GPG) that you should use. PGP is one of the early tools built on asymmetric (public-key) cryptography, the same family of techniques bitcoin uses for its signatures. Again, I won’t include a full tutorial on PGP; there are plenty online. In summary, have your spouse and/or kid generate their own PGP key pair, and encrypt your dead man’s message to them with their public key. This way, only they can read the message contents and no one else, not even the switch service that stores and sends it. This method is relatively secure, but it requires that your loved ones know how to keep their PGP private key secure and not lose it. And of course, they need to know how to use PGP email, which is somewhat technical in itself.
If you follow the recommendations shared thus far, then you have reached the basic (not advanced) level to store a meaningful amount of coins yourself. There are many other topics that we could discuss that may also address some of the issues mentioned so far, including multi-sig, threshold signatures, etc., but they belong to a more advanced guide. In the next part, we will look at:
Use Exchanges
When we say exchange in this article, we mean centralized exchanges that hold custody of your funds.
So, after reading the previous part, you may say, “darn, that’s a whole lot of trouble. Let me just store my coins on an exchange then.” Well, using an exchange isn’t risk-free either. While exchanges are responsible for keeping the funds and systems safe, you still need to follow proper practices to secure your account.
Only Use Big Reputable Exchanges
Yes, that’s easy for me to say, as Binance is one of the biggest exchanges in the world. However, there are some strong reasons for this. Not all exchanges are the same.
Big exchanges invest heavily in security infrastructure. Binance invests billions of dollars in security. It makes sense for our scale of business. Security touches so many different areas, from equipment, networks, procedures, personnel, risk monitoring, big data, AI detection, training, research, testing, 3rd party partners and even global law enforcement relationships. It takes a significant amount of money, people, and effort to ensure proper security. Smaller exchanges simply don’t have the scale or financial means to do this. I may get some heat for saying this, but this is the reason I often say, for most regular people, using a trusted centralized exchange is safer than holding coins on your own.
There is counterparty risk. Many smaller/new exchanges are exit scams from the beginning. They collect some deposits and run away with your funds. For this same reason, stay away from “non-profitable” exchanges or exchanges offering 0 fees, heavy rebates or other negative profit incentives. If their target isn’t business revenues, then your funds may very well be their only target. Proper security is expensive and requires funding from a sustainable business model. Don’t skimp on security when it comes to your funds. Large profitable exchanges have no motive to perform exit scams. When you already run a profitable and sustainable billion-dollar business, what incentives would you have to steal a few million and live in hiding and fear?
Big exchanges are also more tested on the security front. Yes, this is a risk as well. Hackers target big exchanges more. But, hackers also target smaller exchanges equally, and some of them are far easier targets. Big exchanges typically have 5-10 external security firms they engage on a rotating basis to perform penetration and security tests.
Binance goes a step further than most exchanges in terms of security. We invest heavily in big data and AI to fight hackers and scammers. We were able to prevent many users from losing their funds even when they got SIM swapped. Some users using multiple exchanges also reported that when their email accounts got hacked, funds from other exchanges they used were stolen, while funds on Binance were protected because our AI blocked the hackers’ attempts to withdraw their funds. Smaller exchanges couldn’t do this even if they wanted to, as they simply don’t have the big data.
Securing Your Account
When using exchanges, it is still very important to secure your account. Let’s start with the basics.
Secure Your Computer
Again, your computer is often the weakest link in the security chain. To access your exchange account, use a dedicated computer. Install commercial anti-virus software on it (yes, please invest in security) and minimal other junk software. Turn on the firewall to the max.
Play your games, web surf, downloads, etc., on a different computer. Even on this computer, have the anti-virus and firewall running to the max. A virus on this computer will make it much easier for the hacker to access the other computers within the same network, so keep it clean.
Don’t Download
Even if you only use a CEX, I recommend you not download any files to your computer. If people send you a Word doc, ask them to send you a Google doc link instead. If they send you a PDF, open them in Google Drive in a browser, and not on your computer. If they send you a funny video, ask them to send you a link to it on an online platform. Yes, I know it’s a lot of trouble, but security isn’t free, and neither is losing your funds. View everything on the cloud.
Turn off “automatically save photos and videos” in your instant-messaging apps. Many of them download GIFs and videos by default, which is not a good security practice.
Keep up with Software Updates
I know all the OS updates are annoying, but they contain fixes for recently discovered security exploits. Hackers monitor these updates too and often will use those on the people who are lazy with updates. So, make sure you always apply the patches as soon as possible. Same goes for wallets and other software you use.
Secure Your Email
I recommend using Gmail or Protonmail. These two email providers are more secure than others, and we have seen a higher number of security breaches on other platforms.
I recommend setting up a unique email account for each exchange you use, making it hard to guess. This way, if another exchange breaches, your Binance account won’t be impacted. It will also reduce the number of phishing or targeted email scams you receive.
Proton also runs an email-alias service called SimpleLogin, which gives you a unique email address for each website you sign up to and forwards it to your real mailbox. I recommend using that if you don’t use another email forwarding service.
Turn on 2FA for your email service. I recommend using Yubikey for your email accounts. It is a strong way to prevent many types of hacks, including phishing sites, etc. More on 2FA later.
If you live in a country with reported SIM swap cases, don’t associate your phone number as a recovery method for your email account. We have seen many SIM swap victims having their email account passwords reset and hacked as a result. I don’t recommend binding phone numbers to email accounts anymore. Keep them separate.
Use a Password Manager
Use a strong and unique password for each site. Don’t bother trying to remember the passwords; use a password manager tool. For most people, Keeper or 1Password will probably do the trick. Both are well integrated into browsers, mobile phones, etc. Both encrypt your vault on your device and sync only the encrypted vault across devices, so the provider never sees the passwords in the clear.
If you are more serious, then go for KeePass. It only stores information locally, so you don’t have to worry about your encrypted passwords sitting in the cloud. It doesn’t sync across devices by itself (you move the encrypted database file yourself) and has less mobile support. It is open-source, so you don’t have to worry about backdoors.
Do your own research and choose a tool that fits you. But don’t try to “save time” here by using simple passwords or, worse, the same password everywhere. Make sure you use a strong password; otherwise, the time you save may cost you a lot in funds.
Even with all of these tools, you are toast if you have a virus on your computer. So, make sure you have good antivirus software running.
Enable 2FA
It is highly recommended that you enable 2FA (2 factor authentication) on your Binance account right after you sign up, or right now if you haven’t done so. As the 2FA code usually lives on your mobile phone, it can protect you to some extent against a compromised email and password.
2FA doesn’t protect you against everything, though. A virus on your computer that steals your email and password can also steal your 2FA code as you enter it, by monitoring your keystrokes. Or you could land on a phishing site, enter your email and password, and then enter your 2FA code on the fake site; the hacker then uses that code to log in to your real account on Binance within the code’s validity window. The code only proves that someone holds the secret your authenticator App was set up with; it says nothing about which website you typed it into. There are many other possibilities; we can’t list them all.
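An added example, not from the article: an authenticator-app (RFC 6238 TOTP) implementation in standard-library Python, checked against the RFC's published test vectors, followed by a constructed replay of the phishing case just described. The victim reads a code off the app and types it into a fake site; the attacker relays it to the real site a few seconds later and it is accepted, because the code proves only that someone holds the shared secret, not which site the user was on.

```python
"""How an authenticator-app code is computed, and why a phished code still works.

Added example, not from the article. TOTP (RFC 6238) over HOTP (RFC 4226),
standard library only, verified against the RFC test vectors, plus a
constructed phishing relay: a code typed into a fake site is forwarded to the
real site a few seconds later and accepted.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """The code the authenticator App shows at Unix time `at`."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server side: accept the current step and `window` steps either side (clock drift)."""
    counter = at // step
    return any(hmac.compare_digest(hotp(secret, counter + k, digits), code)
               for k in range(-window, window + 1))


RFC_SECRET = b"12345678901234567890"   # the test secret published in RFC 4226 / RFC 6238


def rfc_vectors_pass() -> bool:
    """RFC 6238 Appendix B vectors (SHA-1, 8 digits, 30-second step)."""
    expected = {59: "94287082", 1111111109: "07081804", 1111111111: "14050471",
                1234567890: "89005924", 2000000000: "69279037", 20000000000: "65353130"}
    return all(totp(RFC_SECRET, t, digits=8) == code for t, code in expected.items())


def phishing_relay(secret: bytes, now: int) -> bool:
    """Constructed scenario: victim types the code into a fake site, attacker relays it 8s later."""
    victim_code = totp(secret, now)        # read off the authenticator App
    attacker_submits_at = now + 8          # real site's clock when the relayed login arrives
    return verify_totp(secret, victim_code, attacker_submits_at)


if __name__ == "__main__":
    print("RFC 6238 vectors:", "pass" if rfc_vectors_pass() else "FAIL")
    print("relayed code accepted by the real site:", phishing_relay(RFC_SECRET, int(time.time())))
```

Nothing in `verify_totp` can tell a relayed code from a genuine one; the only inputs are the shared secret and the clock. That is the gap the next section's U2F keys close.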
Set up U2F
U2F (now part of FIDO2/WebAuthn) is a standard for hardware security keys. Instead of a code you type, the key signs a one-time challenge from the site, and the browser includes the domain you are actually on in what gets signed. Yubikey is the de facto device for this.
U2F offers three big advantages. One, it is hardware-based: the private key is generated inside the device and never leaves it, so malware cannot copy it. Two, it is domain-specific: the signature covers the domain your browser is really connected to, so a signature produced on a phishing site is useless on the real one, even if you are inadvertently interacting with that phishing site. Three, it is easy to use. You just have to carry it with you.
For the above reasons, I advise you to bind a Yubikey to your Binance account. It offers one of the best protections against hackers.
You should also bind your Yubikey to your Gmail, Password Manager, and any other accounts to keep them safe.
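An added example, not from the article, of the origin-binding property. It is a simplified model of the U2F/FIDO2 flow: a real security key keeps an ECDSA key pair per registration, while the model derives per-origin keys with HMAC so it runs with the standard library alone. What it keeps faithful is the part that matters: the browser, not the web page, tells the key which origin it is on, and that origin is inside the signed data, so a signature obtained on a phishing domain (here the constructed `binance-login.example`) does not verify at the real site.

```python
"""Why an origin-bound security key defeats a phishing site that relays logins.

Added example, not from the article. Simplified model of U2F/FIDO2: a real
key holds an ECDSA key pair per registration; here per-origin keys are derived
with HMAC from a device secret so the block needs only the standard library.
The property modelled faithfully is that the origin the *browser* observes is
part of the signed data. Domains and the device secret are constructed.
"""
import hashlib
import hmac
import os


class SecurityKey:
    """Holds a master secret that never leaves the device (in hardware: a secure element)."""

    def __init__(self, master: bytes = b""):
        self._master = master or os.urandom(32)

    def _origin_key(self, origin: str) -> bytes:
        # stands in for a per-registration key pair; one key per origin string
        return hmac.new(self._master, b"origin:" + origin.encode(), hashlib.sha256).digest()

    def register(self, origin: str) -> bytes:
        """Return the credential the site stores (here: the verifier key)."""
        return self._origin_key(origin)

    def sign(self, origin: str, challenge: bytes) -> bytes:
        """`origin` is supplied by the browser from the page's real URL, not by the page."""
        signed_data = hashlib.sha256(origin.encode()).digest() + challenge
        return hmac.new(self._origin_key(origin), signed_data, hashlib.sha256).digest()


class RelyingParty:
    """The real website: issues one-time challenges and verifies signatures for its origin."""

    def __init__(self, origin: str):
        self.origin = origin
        self.credentials: dict[str, bytes] = {}
        self.pending: dict[str, bytes] = {}

    def enroll(self, user: str, credential: bytes) -> None:
        self.credentials[user] = credential

    def challenge(self, user: str) -> bytes:
        self.pending[user] = os.urandom(32)
        return self.pending[user]

    def verify(self, user: str, signature: bytes) -> bool:
        challenge = self.pending.pop(user, None)       # single use: no replay
        cred = self.credentials.get(user)
        if challenge is None or cred is None:
            return False
        expected = hmac.new(cred, hashlib.sha256(self.origin.encode()).digest() + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def legitimate_login(key: SecurityKey, rp: RelyingParty, user: str) -> bool:
    chal = rp.challenge(user)
    return rp.verify(user, key.sign(rp.origin, chal))


def phished_login(key: SecurityKey, rp: RelyingParty, user: str, fake_origin: str) -> bool:
    """Attacker's page relays the real challenge; the user taps the key on the fake site."""
    chal = rp.challenge(user)                 # attacker fetches a challenge from the real site
    sig = key.sign(fake_origin, chal)         # browser reports the fake origin to the key
    return rp.verify(user, sig)               # attacker relays the signature to the real site


def demo() -> tuple[bool, bool]:
    """(legitimate login accepted?, relayed phishing login accepted?)"""
    key = SecurityKey(master=b"\x11" * 32)    # fixed constructed secret for reproducibility
    rp = RelyingParty("https://www.binance.com")
    rp.enroll("alice", key.register(rp.origin))
    return (legitimate_login(key, rp, "alice"),
            phished_login(key, rp, "alice", "https://binance-login.example"))


if __name__ == "__main__":
    ok, phished = demo()
    print("legitimate login accepted:", ok)
    print("relayed phishing login accepted:", phished)
```

Contrast this with the TOTP case: the user did everything wrong (visited the fake site, tapped the key), and the login still fails, because the fake origin is baked into the signature and the real site checks for its own.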
Stop Using SMS Verification
There was a time when SMS verification was promoted, but times have changed. Given the increase in SIM swaps, we recommend you not use SMS anymore and rely instead on an authenticator App (the 2FA codes described above) or, better, U2F.
Set up a Withdrawal Address Whitelist
We highly encourage you to use the Binance Whitelist feature for withdrawals. This feature allows fast withdrawals to your approved addresses and makes it much harder for hackers to add a new address to withdraw to.
Turn on the 24-hour wait period for new addresses added to the whitelist. This way, if a hacker adds a new address, it can’t be used for 24 hours, and you get that window to see the notification and remove it.
API Security
Many of our users use APIs for trading. Binance offers several different versions of APIs, with support for asymmetric (public-key) signatures. This means Binance only needs your public key: you generate a key pair in your own environment, give the platform the public half, and sign each request with the private half. We use your public key to verify that the orders are yours, and we never have your private key. You must keep your private key safe.
You don’t necessarily have to backup your API key the same way you would when holding your coins. If you lose your API key in this case, you can always create a new one. You just gotta make sure no one else has a copy of your API keys.
Do not enable withdrawals for your API keys unless you really know what you are doing.
Complete L2 KYC
One of the best ways to keep your account safe is to complete the level 2 KYC. This way, we will know what you look like. When our big data risk engine detects anomalies with your account, we can use advanced automated video verifications.
This is also important for the “if you become unavailable” situation. Binance is able to help family members access the account of their deceased relatives, with proper verification.
Physically Secure Your Devices
Again, keep your phone secure. You probably have your email App, the Binance App, and your 2FA codes in it. Don’t root or jailbreak your phone. It significantly reduces its security. You should also keep your phone physically secure and have proper screen locks. The same goes for your other devices.
Phishing
Beware of phishing attempts. These typically come in an email, text message, or social media post with a link to a fake site that looks like Binance. The site will invite you to enter your credentials, which the hackers will use to access your real Binance account.
Preventing phishing only requires diligence. Don’t click on links in emails or social media sites. Only access Binance by typing in the URL or using a bookmark. Don’t share your email with other parties. Don’t use the same email on other sites. Be careful when strangers (especially guys named CZ or similar) suddenly talk to you on Telegram, Instagram, etc.
If you stick to the above recommendations, your Binance account should be relatively secure.
So, which is better?
I generally recommend people use both centralized exchanges and their wallets. If you are not so tech-savvy, then I recommend a more significant portion on Binance and a spending wallet (TrustWallet) on your own. If you are technically strong, then adjust the portions.
Centralized exchanges occasionally go on maintenance, and if you need to make a transaction quickly, having a separate wallet available is handy.
If you follow the recommendations described here, you should be able to securely hold your funds, either by yourself or on a CEX like Binance.
Stay SAFU!
CZ