Bitcoin Forum

Economy => Trading Discussion => Topic started by: SuperBitMan on November 04, 2025, 02:37:03 PM



Title: Set your exchange in password or biometric before withdraw.
Post by: SuperBitMan on November 04, 2025, 02:37:03 PM
There's something that happened yesterday which is making me create this thread. A friend of mine is a crypto trader; he usually uses Binance and KuCoin for his trading, and we all know that when it comes to withdrawing your funds on these exchanges you can set it using authentication code, email, password or biometric, but you can still set it in a way that you use only the authentication code to withdraw, and the authentication app is usually on the phone or system.
Yesterday someone stole my friend's phone, entered his Binance and KuCoin because it was already logged in, and withdrew his crypto coins. This was possible because he used only the authentication code for withdrawal, and since the authentication app was on his phone it was easy for the person to withdraw. So please set your exchange to password or biometric before withdrawal, because if it had been set like that the person wouldn't have been able to withdraw his crypto coins.


Title: Re: Set your exchange in password or biometric before withdraw.
Post by: Oshosondy on November 04, 2025, 02:45:59 PM
How did the person that stole his phone know his phone password or manage to bypass the face unlock or fingerprint? I know this is not a question that you can answer, but I think without a threat like a wrench attack, the bad actors should not be able to have access to his phone, not to talk of having access to his exchange account.

I do not like passkeys.
It is better to have the authenticator app on another device. Also avoid passkeys for higher security.


Title: Re: Set your exchange in password or biometric before withdraw.
Post by: BABY SHOES on November 04, 2025, 02:48:09 PM
Withdrawals on KuCoin require 2FA and a trading password.
Regular Binance withdrawals may simply require 2FA or email verification.

Enabling biometrics is good to prevent unwanted transactions especially on mobile.

So just be careful; 2FA and passwords are important.
To protect yourself you must be able to back up everything.


Title: Re: Set your exchange in password or biometric before withdraw.
Post by: cryptoaddictchie on November 04, 2025, 03:12:50 PM
Quote from: SuperBitMan
So please set your exchange to password or biometric before withdrawal, because if it had been set like that the person wouldn't have been able to withdraw his crypto coins.

I agree that if he had only got a passkey tied up with the biometrics he wasn't gonna get robbed. Some probably don't prefer the passkey, but it's quite helpful, especially on mobile. I just don't know: if you are on a laptop and use that, will the passkey need a biometric from the phone to be able to withdraw or cash out too? Because if yes, that would be a hassle, since it needs the phone.


Title: Re: Set your exchange in password or biometric before withdraw.
Post by: Coyster on November 04, 2025, 03:28:18 PM
I am surprised how the thief was able to access the stolen phone. Except your friend set up a very weak password, and it was easy for the thief to guess and get access into the device. If not, the only thing they can do is format the phone, which would erase all the data in the phone.

That said, your 2fa app should be on a different device from the services and apps you use it for. You didn't tell us how much your friend lost, but it shouldn't be much, because centralized exchanges should never be used as wallets, except this person does otherwise.


Title: Re: Set your exchange in password or biometric before withdraw.
Post by: Stepstowealth on November 04, 2025, 03:47:10 PM
Quote from: SuperBitMan
There's something that happened yesterday which is making me create this thread. A friend of mine is a crypto trader; he usually uses Binance and KuCoin for his trading, and we all know that when it comes to withdrawing your funds on these exchanges you can set it using authentication code, email, password or biometric, but you can still set it in a way that you use only the authentication code to withdraw, and the authentication app is usually on the phone or system.
Yesterday someone stole my friend's phone, entered his Binance and KuCoin because it was already logged in, and withdrew his crypto coins. This was possible because he used only the authentication code for withdrawal, and since the authentication app was on his phone it was easy for the person to withdraw. So please set your exchange to password or biometric before withdrawal, because if it had been set like that the person wouldn't have been able to withdraw his crypto coins.

If you still store some of your cryptocurrency on your mobile phone in exchanges, a way to safely do it is to avoid moving around with that phone, and also to keep that phone safely away from people even in your home. Lots of people have two mobile devices now, so any phone that you often take around with you should not be the phone that carries your wallet. Your phone having your wallet should be kept at home and in a safe place.

If your situation is one where you cannot afford two mobile devices, there is a way people conceal important apps on their phones or even put special locks on them aside from the general phone lock. These extra security features should be considered if you really value the security of the coins you have.


Title: Re: Set your exchange in password or biometric before withdraw.
Post by: Asiska02 on November 04, 2025, 04:36:25 PM
Quote from: SuperBitMan
Yesterday someone stole my friend's phone, entered his Binance and KuCoin because it was already logged in, and withdrew his crypto coins. This was possible because he used only the authentication code for withdrawal, and since the authentication app was on his phone it was easy for the person to withdraw. So please set your exchange to password or biometric before withdrawal, because if it had been set like that the person wouldn't have been able to withdraw his crypto coins.

Didn't your friend's phone have any password to first unlock the phone? This would have been avoided if he had a lock on his phone; there was no way this person was going to even have access to the phone, talk more of getting into his exchange and then to the Authenticator app. Also, Authenticator apps can be locked with biometrics or a password, in the sense that anyone trying to withdraw from your account will have to unlock the Authenticator app before they have access to the code.

Your friend's security measure in his account is very weak; he should upgrade it more. And lastly, he should refrain from allowing untrusted people to have access to his phone, because it looks like the person that stole the phone knows the password to his phone and was able to unlock it easily, maybe a close ally of his. If he refrains from letting many people know the password to his phone, this would have helped him not to lose money.


Title: Re: Set your exchange in password or biometric before withdraw.
Post by: Roseline492 on November 04, 2025, 05:30:50 PM
Quote from: SuperBitMan
Yesterday someone stole my friend's phone, entered his Binance and KuCoin because it was already logged in, and withdrew his crypto coins. This was possible because he used only the authentication code for withdrawal, and since the authentication app was on his phone it was easy for the person to withdraw. So please set your exchange to password or biometric before withdrawal, because if it had been set like that the person wouldn't have been able to withdraw his crypto coins.

In a situation like this, the person who stole the phone will have everything they need to unlock and withdraw all the person's funds because of how poor their security is. Apart from the ones you mentioned, there is another they call a passkey, for withdrawal; it is like the PIN you use during bank ATM card withdrawal and is something you cannot store in the phone but memorise, so definitely if the person who stole the phone cannot provide it then there wouldn't be a successful withdrawal for them. Perhaps not staying logged in all the time in everything that holds important data for you is good, because it is only if they can log in to your mail that they can do any resetting, if they cannot have their way in.


Title: Re: Set your exchange in password or biometric before withdraw.
Post by: Su-asa on November 04, 2025, 05:53:15 PM
The very first mistake your friend made was to install the authenticator app on the same device as his crypto exchange. He should have installed the authenticator app on a different device for security purposes. And again, how did the person who stole your friend's phone unlock the phone? Or was the device not locked before the person stole it? However, even if you use biometrics to lock your CEX exchange, it can still be hacked so long as they have access to the email. This is why it is important not to install a crypto wallet on the same phone we use. Because if a smart person with bad intentions has access to it, they can wreck your crypto wallet ASAP.


Title: Re: Set your exchange in password or biometric before withdraw.
Post by: Mpamaegbu on November 04, 2025, 06:22:31 PM
Quote from: SuperBitMan
Yesterday someone stole my friend's phone, entered his Binance and KuCoin because it was already logged in, and withdrew his crypto coins. This was possible because he used only the authentication code for withdrawal, and since the authentication app was on his phone it was easy for the person to withdraw...

That was his biggest mistake, to have kept his GA or whatever 2FA app he used on the same phone as where his exchange app was. You don't do that. He should've used a different phone or device for his 2FA. There's a reason it's called 2 Factor Authentication. It's to further strengthen our security on sites. So, why compromise that security by being careless with it? I see people who save their passwords on their phones and I'm really disappointed in those who do that instead of copying passwords/passphrases out. I'm old school, I like doing it manually rather than backing it up in the cloud. I don't trust any 3rd party with my secret.


Title: Re: Set your exchange in password or biometric before withdraw.
Post by: Uruhara on November 04, 2025, 07:31:31 PM
Quote from: SuperBitMan
There's something that happened yesterday which is making me create this thread. A friend of mine is a crypto trader; he usually uses Binance and KuCoin for his trading, and we all know that when it comes to withdrawing your funds on these exchanges you can set it using authentication code, email, password or biometric, but you can still set it in a way that you use only the authentication code to withdraw, and the authentication app is usually on the phone or system.
Yesterday someone stole my friend's phone, entered his Binance and KuCoin because it was already logged in, and withdrew his crypto coins. This was possible because he used only the authentication code for withdrawal, and since the authentication app was on his phone it was easy for the person to withdraw. So please set your exchange to password or biometric before withdrawal, because if it had been set like that the person wouldn't have been able to withdraw his crypto coins.

I personally also set up biometrics before withdrawing funds from every exchange I use, even from my wallet. Besides being easier and more practical, using biometrics also provides better security. Most importantly, when someone wants to log in to the exchange we use, we ensure that the exchange can only be opened by entering our biometric key. Although, there are ways to find other methods.

And usually, if I use a number for the OTP code, I save it on a different phone. This way, both phones are mutually secure.


Title: Re: Set your exchange in password or biometric before withdraw.
Post by: Hamza2424 on November 04, 2025, 07:56:41 PM
Quote from: SuperBitMan
Yesterday someone stole my friend's phone, entered his Binance and KuCoin because it was already logged in, and withdrew his crypto coins. This was possible because he used only the authentication code for withdrawal, and since the authentication app was on his phone it was easy for the person to withdraw. So please set your exchange to password or biometric before withdrawal, because if it had been set like that the person wouldn't have been able to withdraw his crypto coins.

Seems like an insider's job, but the same thing happened in Pakistan too: a young male lost a lot of money, like it was really a lot, to customs officers. They were corrupt; they stopped him at the airport, did an unofficial investigation and stole his funds from the smartphone.

Although there is not much information on how they were able to move them but of course the otp code or 2fa codes were received on his own phone like this case.

I know this already, that we must set up our 2FA on some other mobile, but we would be taking that with us too. I guess we must lock the authentication app; every smartphone nowadays has built-in app locks, and we must use them if we can't manage multiple smartphones.


Title: Re: Set your exchange in password or biometric before withdraw.
Post by: boyptc on November 04, 2025, 07:59:08 PM
Most of the users have their 2FA apps also installed in the same phone. And that's for easier access whenever they withdraw.

Because it's going to cause some delays if they have their exchange app on phone and then the authenticator is on another device.

But that's not a safe practice, and I agree with OP that 2FA should be on another device for safer keeps and as well as setting up biometrics but I think most exchanges are forcing users to require this, isn't it?


Title: Re: Set your exchange in password or biometric before withdraw.
Post by: EL MOHA on November 04, 2025, 08:22:14 PM
Quote from: BABY SHOES
Withdrawals on KuCoin require 2FA and a trading password.
Regular Binance withdrawals may simply require 2FA or email verification.

Enabling biometrics is good to prevent unwanted transactions especially on mobile.

So just be careful; 2FA and passwords are important.
To protect yourself you must be able to back up everything.

Exactly what I wanted to point out: there is a trading password on most of the exchanges. It just simply depends on you actually changing these withdrawal requirements, and most of the time, for easy withdrawal, users actually go for the less stressful one and it usually affects one's security.

Even if your authenticator app is on another device, I think with the email used to register the authenticator still in that phone it will still be easily possible to access the authenticator app too. The only way is that the user doesn't take off his trading password.


Title: Re: Set your exchange in password or biometric before withdraw.
Post by: Alphakilo on November 04, 2025, 08:53:38 PM
Quote from: EL MOHA
Quote from: BABY SHOES
Withdrawals on KuCoin require 2FA and a trading password.
Regular Binance withdrawals may simply require 2FA or email verification.

Enabling biometrics is good to prevent unwanted transactions especially on mobile.

So just be careful; 2FA and passwords are important.
To protect yourself you must be able to back up everything.

Exactly what I wanted to point out: there is a trading password on most of the exchanges. It just simply depends on you actually changing these withdrawal requirements, and most of the time, for easy withdrawal, users actually go for the less stressful one and it usually affects one's security.

Even if your authenticator app is on another device, I think with the email used to register the authenticator still in that phone it will still be easily possible to access the authenticator app too. The only way is that the user doesn't take off his trading password.

I don't know how authentic the anti-phishing code on Binance exchange is, but I doubt even with it, someone can confidently still steal one's funds if they lay hold of your devices.
These days it is way better to even use different devices, like a trader should have more than one device, of which the main one with all the exchanges on it is always kept safe, while the other should contain less important information and data, possibly for just receiving and making calls and sending texts.

We may be scared to use so many security features so that we don't become victims of our forgetful nature, and that's okay, but to be safe is to learn new ways to avoid compromising situations like the story we all read.
Also, learn to keep a private life mostly as it revolves around BTC and cryptocurrency because it is not a major currency for everyday use but instead a store of value that could assure one of wealth if invested rightly.


Title: Re: Set your exchange in password or biometric before withdraw.
Post by: tvplus006 on November 05, 2025, 01:51:22 AM
Quote from: SuperBitMan
...so please set your exchange to password or biometric before withdrawal, because if it had been set like that the person wouldn't have been able to withdraw his crypto coins.

For our convenience, cryptocurrency exchanges offer us various types of authentication and we need to choose a method that we think is more convenient for us. But at the same time, one should not forget about the elementary security rules when working with cryptocurrency, and in this case the phone should be well protected from unwanted interaction.


Title: Re: Set your exchange in password or biometric before withdraw.
Post by: SquirrelJulietGarden on November 05, 2025, 02:02:04 AM
Quote from: SuperBitMan
So please set your exchange to password or biometric before withdrawal, because if it had been set like that the person wouldn't have been able to withdraw his crypto coins.

With any account, you must secure it with a strong password, 2FA for that account, and also a strong password and 2FA for the email used for that exchange account registration.

It's not enough if you only set up these things but don't make backups of the exchange account's password and 2FA, and the email's password and 2FA. Do it if you don't want to lose your accounts (exchange and email accounts) and don't want to wait for customer support for your account recoveries when you lose the password or 2FA.

[GUIDE] How to Create a Strong/Secure Password. (https://bitcointalk.org/index.php?topic=5132378.0)
Are your passwords in the green? (https://www.hivesystems.com/blog/are-your-passwords-in-the-green)
Check if your email address is in a data breach with HaveIbeenpwned.com (https://haveibeenpwned.com/)


Title: Re: Set your exchange in password or biometric before withdraw.
Post by: rat03gopoh on November 05, 2025, 02:55:16 AM
The only security features on the exchange that integrate with phone security are fingerprint and facial recognition. I hope the person who keeps your friend's phone hasn't considered changing biometrics in the phone's settings, as disabling/changing them only requires a PIN or pattern (and, let's hope it's not an easy-to-guess pattern).
Losing a phone is a real worry, especially if the owner likes to store sensitive information on the device.


Title: Re: Set your exchange in password or biometric before withdraw.
Post by: GreatArkansas on November 05, 2025, 04:36:02 AM
Quote from: Oshosondy
How did the person that stole his phone know his phone password or manage to bypass the face unlock or fingerprint? I know this is not a question that you can answer, but I think without a threat like a wrench attack, the bad actors should not be able to have access to his phone, not to talk of having access to his exchange account.
(...)

Maybe the phone got stolen while the phone was unlocked :D?
But it's still fishy, because even if it's unlocked, some phones and exchanges will ask for verification again, like biometrics, even if the phone is unlocked already.

Yeah, biometrics are still important because most exchanges now only have 2FA and email verification to log in or withdraw, so if the phone is stolen and unlocked, they can easily open your 2FA app on your phone and the email app you are using.


Title: Re: Set your exchange in password or biometric before withdraw.
Post by: armanda90 on November 05, 2025, 06:11:01 AM
I am sorry to hear of your fund loss at the Binance exchange. I think it is very important how we secure our exchange account, and nowadays Binance, as my experienced exchange, is just taking a 2FA code only for withdrawing funds. Most important, I think, if you are trading on a mobile phone and install all the exchange apps, is to put things in different positions, like having your exchange email and 2FA code logged in on a different mobile phone. Firstly, your mobile phone is not secure yet by using a PIN code, and it is easy for someone to access all your mobile phone's features.

Trading on mobile phones and logging in to exchanges on mobile phones is really a risk: one day, if it is stolen, it is easy for someone to steal our Binance or other exchange assets. They get the email of the exchange account linked on the mobile phone, and exactly all of us use the 2FA application installed on the same mobile phone as the exchange app. It is better to separate the exchange app, email and 2FA, so that even if the mobile phone with the exchange app installed is lost, someone else can't fully access our account.


Title: Re: Set your exchange in password or biometric before withdraw.
Post by: tbct_mt2 on November 05, 2025, 01:42:22 PM
Quote from: armanda90
I am sorry to hear of your fund loss at the Binance exchange. I think it is very important how we secure our exchange account, and nowadays Binance, as my experienced exchange, is just taking a 2FA code only for withdrawing funds.

The fund is not lost yet, just not accessible at the moment. The person can recover his account by going through the account recovery process requested by Binance, with surely many verification requirements. I believe that it is possible to pass those verification steps if the person is the original owner of that account, and it is only impossible for a hacker.

Even if it is possible to recover the account, it is still a very big lesson for the person, and he must change his practice and make email, Binance account and 2FA backups, so that he can do recoveries more easily and almost immediately by himself.

Not having a backup and having to rely on exchange support for account recovery will need time, and comes with the risk of recovery failure, then fund loss.


Title: Re: Set your exchange in password or biometric before withdraw.
Post by: Joy- maker on November 06, 2025, 09:28:50 PM
OP, when I first came across your thread, this was the exact question that came into my mind and which I would like to ask you: if your story is actually true and your friend's phone was stolen, how did the thief bypass the password of your friend's phone and then enter both of his or her trading exchanges and steal your friend's funds? But whether your story is true or not, your advice is valid. Let's not leave our exchange withdrawal only on the authentication code; let's add more security by including a password or biometric before withdrawal, just in case someone successfully gets access to our mobile phone or PC, so that it will be very difficult for the person to successfully make a withdrawal from our trading exchange.