As Binancians, we must work together to keep our ecosystem SAFU. To help facilitate this, we’ve compiled some important security habits to practice and keep in mind. (This article has been updated as of June 22, 2021.)
Security is the number one priority at Binance. We have invested countless hours and resources into ensuring that our platform is safe from bad actors, including incorporating big data analysis and AI technologies to aid us in preventing attacks. We’ve even partnered with various cyber-security and compliance firms in the blockchain space. Yet, the best security partnership we can build is with the Binance community itself.
Each and every Binancian has the power to ensure that the community remains SAFU from bad actors, starting with maintaining regular habits that help keep accounts safe. With our organizational commitment toward preventing unauthorized activity and our community’s heightened sense of security, we can collaborate to create a more secure environment for cryptocurrency.
1. Always use Two-Factor Authentication (2FA), preferably Google Authenticator.
Activating 2FA on your Binance account is a crucial first step toward securing your funds on Binance. Currently, we offer two options for 2FA: SMS and Google Authenticator. We recommend using Google Authenticator. While SMS 2FA may be more convenient, it increases the attack vectors that may be used to target your account (e.g. SIM swapping).
Since June 2019, we have added support for hardware security keys such as the Yubico YubiKey. These devices securely grant access to your account when plugged in or paired wirelessly. This process is similar to traditional Two-Factor Authentication (2FA) methods, such as SMS (the weakest 2FA option) and Google Authenticator, but manual entry of a code is not required, which makes physical access to the device a necessity.
2. Check the list of devices that have been authorized to access your Binance account. If you see any devices that you don’t recognize or no longer use, simply remove them. To do this:
a) Log in to your Binance account and navigate to “My Account” on your browser or app.
b) Review “Device Management” at the bottom of the My Account page on your browser or under the “Security” menu on the app.
c) Remove any unrecognized or unused devices. Once a device is deleted, it will no longer be able to access your account unless you re-confirm it via email.
3. Use a strong password for your Binance account and change it regularly.
It is highly recommended to use a password that is at least 8 characters long, containing at least one uppercase letter, one lowercase letter, one special character, and one number. We also highly discourage you from reusing passwords previously entered for other websites.
However, a strong password alone is not enough, as there are a variety of ways in which your password may be obtained by an attacker. With this in mind, it’s a good habit to change your password periodically. This practice should not be confined to your Binance account; apply it to your e-mail accounts as well (especially if used for a financial account such as Binance).
For your own security, any time you change the password associated with your Binance account, your withdrawals will be temporarily suspended for a period of 24 hours following the change. Please consider this when planning password changes.
4. Allow withdrawals only to addresses you trust and check the whitelist regularly. Binance has a feature, “Withdrawal Address Management”, which allows you to limit the wallet addresses to which you can withdraw your funds. As each addition requires email confirmation, this feature can protect you in special cases of unauthorized access. Simply enable the “Whitelist” option in the Withdrawal Address Management section.
5. If possible, complete Identity Verification for your Binance account. Completing Identity Verification grants you a higher withdrawal limit, while protecting you from an attacker claiming ownership of your account. In situations where you have made a mistake, it also allows our customer support team to resolve your issue in a more convenient way.
Identity verification, or the “know your customer” (KYC) process, is an increasingly important aspect of handling cryptocurrency, especially in major exchanges like Binance. Completing identity verification unlocks your full access to Binance’s services and increases your deposit and withdrawal limits.
6. Consider managing some funds in your own wallet (e.g. Trust Wallet), but be extra careful. No matter how secure an exchange platform may be, it is often argued that your funds are most secure in your own possession. Trust Wallet, the official crypto wallet app of Binance, provides you with a convenient way to securely store your funds away from third parties, with support for most major cryptocurrencies and all ERC20 tokens. You may download the Trust Wallet app for Android or iOS. Bonus tip: You can also easily integrate your Trust Wallet with Binance DEX and trade on the decentralized exchange.
However, we want to point out a few things when it comes to managing your own funds in a wallet outside of Binance. First, you should never provide the seed/recovery phrase or private key you generate from your Trust Wallet to anyone. When you share these details with others, you give them full control over your wallet and funds. Second, you should make sure that you are using official apps, as fake apps are often used to steal this information.
7. Take the necessary steps to secure your account when using the API. A large portion of the Binance community uses our API, our documented programming interface that allows Binance data to be shared with other applications. Using APIs gives traders a more customized trading experience, but if not used securely, it may lead to issues. When using the API, you may consider things such as restricting access by IP address, avoiding providing your API keys to third-party services, changing your keys regularly, and/or using the aforementioned withdrawal address whitelist.
8. Regularly check official messages from Binance for security updates. At Binance, we make it a point to communicate any security-related updates to everyone who uses the exchange. It can come in the form of an email, FAQ post like this, or blog updates like this article you’re reading. We also broadcast these updates on our official social media channels. On your part, please make sure that the sources of information you get from Binance are official, as there are impostors who pretend to be from Binance. We’ll discuss social engineering and other potential security threats further below in this article.
The next steps go beyond your Binance account and tackle general security procedures. Take these steps as well.
9. Make sure that your Internet connection is secure. Checking for the security of your connection extends to multiple fronts, from your Internet service provider and how you are connected to them, to any software and/or services in between. Avoid connecting to public Wi-Fi networks and other shared connections, as these expose you to attackers who may want to intercept the data that you transmit.
10. Install antivirus software and trust only secure apps/programs. It pays to be sure that the apps you use and the files you access or download are not infected with viruses, malware, or anything else that may compromise your information. Ensure that all of your devices are protected with the latest version of your preferred anti-virus software and that regular scans are scheduled. Always download apps/programs from trusted, official sources, and avoid accessing links or software shared by someone you do not know and trust. For extra security, you may consider a dedicated device strictly for your sensitive account(s). Binance FAQ also has a list of guidelines that specifically talk about antiviruses.
11. Put a lock on your phone. There’s a big chance that you use your phone for 2FA and other sensitive activities. Knowing this, it’s a no-brainer that you need to keep your phone protected. Whether it’s via password or fingerprint, any additional layer of security is helpful.
12. Use a secure password manager. Multiple secure and different passwords are, unfortunately, not easy to remember. Password managers make it easier for you to keep track of these complicated passwords across multiple accounts, and many of these services have sophisticated encryption mechanisms that make password storage more secure. Of course, the password you choose for your password manager should be as complex as possible.
13. As much as possible, use unique emails for each of your accounts, including your Binance account. Most people use one or two emails for all of their accounts. This may create many opportunities for your information to be shared across different websites and/or services. A sophisticated attack can leverage your info stolen from one service to attempt to access your account on another service. Use unique emails for each of your accounts to prevent unintended sharing of information from happening.
14. Constantly check your network of contacts for potential security threats to avoid social engineering attacks. Nowadays, most security breaches go beyond the usual hacking attempts like phishing and other tech-related methods. Other attackers come in the form of the online contacts and posts you interact with. This is called social engineering, which refers to activities that attempt to manipulate people into making bad moves such as giving up personal or confidential information that can be later used against them.
In the crypto context, this means that there are certain behaviors that you should avoid. You should not post screenshots of crypto holdings or brag about holdings to anyone, especially online. The larger the amount, the more likely you will become a target of hackers and scammers.
This also means that you should be careful with the people you communicate with. As mentioned above, there are people who pretend to be from Binance (usually claiming to be from Binance Support) and attempt to talk you into giving your account details to them. Beware of these scammers and impersonators.
15. Identify and avoid phishing and malware campaigns. Always check the emails you receive and the websites you log in to. Many successful attacks involve fake websites, e-mails, and forms that masquerade as exact replicas, or giveaways, for websites you have accounts with.
Malicious browser extensions and applications are often to blame for compromised accounts or wallets and related losses. When you install browser extensions or applications, these programs can gain full access to various aspects of your browser or device, potentially allowing unauthorized access to your online accounts (including exchange accounts), and possibly even personal wallets. Exercise caution when selecting browser extensions and applications, especially those that are crypto-related or claim to offer security for crypto activity. Try to limit usage to renowned options and stay apprised of potential security issues that may arise.
Make it a habit to check the address bar of the websites you visit or the sources of your emails for accuracy. You may read this comprehensive guide on how to avoid phishing from Binance Academy, which also has more lessons regarding security in the crypto space. Also consider taking the Phishing Quiz to try your luck at distinguishing and avoiding phishing attempts.
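The address-bar check described above, written out as an added example (this is not Binance code): it parses a link the way a browser does and judges only the host that will actually be contacted. The function name `classifyLink`, the `OFFICIAL_HOSTS` list and the sample links are assumptions constructed for illustration.

```javascript
// Added example. OFFICIAL_HOSTS is an assumption for illustration: take the
// real list from the service's own published domains.
const OFFICIAL_HOSTS = ["binance.com"];

// Classify a link the way the address-bar check does: parse it as the browser
// would, then look only at the host the browser will actually connect to.
function classifyLink(link) {
  let url;
  try {
    url = new URL(link);
  } catch (err) {
    return { verdict: "reject", reason: "not a valid absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { verdict: "reject", reason: "not HTTPS" };
  }
  if (url.username || url.password) {
    // Text before "@" is login info, not the site; the real host follows it.
    return { verdict: "reject", reason: "userinfo before @ hides host " + url.hostname };
  }
  // The parser lower-cases the host and converts non-ASCII labels to "xn--" form.
  const host = url.hostname.replace(/\.$/, "");
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { verdict: "reject", reason: "punycode label in host " + host };
  }
  // Exact match or a true subdomain only; a bare endsWith("binance.com")
  // would also accept any name that merely ends in those letters.
  const official = OFFICIAL_HOSTS.some((d) => host === d || host.endsWith("." + d));
  if (!official) {
    return { verdict: "reject", reason: "host " + host + " is not an official domain" };
  }
  return { verdict: "ok", reason: "host " + host };
}

// Constructed sample links (reserved .example names stand in for third-party hosts).
const SAMPLE_LINKS = [
  "https://www.binance.com/en/login",
  "https://www.binance.com.login.example/en/login",
  "https://www.binance.com@login.example/",
  "http://www.binance.com/",
  "https://bin\u0430nce.com/", // Cyrillic "a" in place of the Latin letter
];
for (const link of SAMPLE_LINKS) {
  const { verdict, reason } = classifyLink(link);
  console.log(verdict.padEnd(6), link, "->", reason);
}
```

Only the first sample is accepted; the others show why the official name appearing somewhere in a link is not enough.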