Bitcoin Forum
Author Topic: Binance vs Electrum - safety concerns.  (Read 98 times)
9thsky (OP)
February 06, 2021, 06:37:15 AM
 #1

1) Does Binance let you keep your keys? Or are they like a coinbase?

2) Should the safety concern in regards to your private keys being stolen/compromised be as high as it is with say a wallet like Electrum?

3) If they don't let you keep your keys, isn't the up side to that that your crypto is not as easy to steal?

4) What safety precautions should one follow when using Binance?

5) If they implement a 2FA when sending your crypto, doesn't that mean that your funds can never be stolen without getting the pass code they send you to verify the transaction?

Reeeally appreciate your expertise in this guys!
TryNinja
February 06, 2021, 06:59:07 AM
Merited by o_e_l_e_o (2)
 #2

1) Does Binance let you keep your keys? Or are they like a coinbase?
No. They are a full custodial exchange, so they control all coins (like Coinbase).

2) Should the safety concern in regards to your private keys being stolen/compromised be as high as it is with say a wallet like Electrum?
Ehm, that's a tough one. If you do everything right, you will most likely never get hacked. Most (good) exchanges also focus a lot on their wallet security and store most of the coins on secure cold storage wallets, but a lot of them already got hacked, so... I personally prefer to do everything myself.

3) If they don't let you keep your keys, isn't the up side to that that your crypto is not as easy to steal?
Depends. See what I said above.

4) What safety precautions should one follow when using Binance?
Use 2FA (not SMS 2fa), don't fall for phishing websites, don't let someone hack your email, always triple check the addresses you are sending the coins to, etc... the same as any other website.

5) If they implement a 2FA when sending your crypto, doesn't that mean that your funds can never be stolen without getting the pass code they send you to verify the transaction?
No. If someone hacks them, they can change your 2FA. If a rogue employee wants to steal your coins, they can change your 2FA (or literally just steal the exchange's wallet). The only reason you need to use 2FA is to be safe against external hackers that may find out about your password.

pooya87
February 06, 2021, 07:14:17 AM
Merited by o_e_l_e_o (2), malevolent (1)
 #3

Keep in mind that the risks are not just about "getting hacked" when you are trusting a third party. The more common risk is the company scamming you. For example they can use one of their terms (in the ToS you already agreed to) to block your account and never give back the money you had in their pocket. These terms can also change overnight and then they can block you using the new terms. That's just the normal stuff; the company running away with the money, etc. is also possible.
Besides, the best case scenario is that you are trusting that the company is both honest and solvent in case of a hack. They may very well declare bankruptcy and you'll never see a satoshi.

ranochigo
February 06, 2021, 07:18:34 AM
 #4

2) Should the safety concern in regards to your private keys being stolen/compromised be as high as it is with say a wallet like Electrum?

3) If they don't let you keep your keys, isn't the up side to that that your crypto is not as easy to steal?
It is easy. Most malware preys on the user's negligence to steal the funds. Putting your Bitcoins on an exchange doesn't mean that it is impossible for the attacker to be able to steal your coins. The additional attack vector on the exchange part would make it much more risky. 2FA does not completely mitigate the social engineering attacks, malware attacks, etc.
5) If they implement a 2FA when sending your crypto, doesn't that mean that your funds can never be stolen without getting the pass code they send you to verify the transaction?
Common misconception. 2FA is just an additional layer of security if your password gets leaked and stuff like that. If the exchange doesn't explicitly display the transaction information on a secondary device for the user to check, it is possible for the attacker to just replace your address with theirs and use your 2FA codes to transfer your funds.

By putting your funds on an exchange, they also have the ability to freeze your accounts for whatever reason they can spin up.

9thsky (OP)
February 06, 2021, 08:25:46 AM
Last edit: February 06, 2021, 08:38:49 AM by 9thsky
 #5

2) Should the safety concern in regards to your private keys being stolen/compromised be as high as it is with say a wallet like Electrum?

3) If they don't let you keep your keys, isn't the up side to that that your crypto is not as easy to steal?
It is easy. Most malware preys on the user's negligence to steal the funds. Putting your Bitcoins on an exchange doesn't mean that it is impossible for the attacker to be able to steal your coins. The additional attack vector on the exchange part would make it much more risky. 2FA does not completely mitigate the social engineering attacks, malware attacks, etc.
5) If they implement a 2FA when sending your crypto, doesn't that mean that your funds can never be stolen without getting the pass code they send you to verify the transaction?
Common misconception. 2FA is just an additional layer of security if your password gets leaked and stuff like that. If the exchange doesn't explicitly display the transaction information on a secondary device for the user to check, it is possible for the attacker to just replace your address with theirs and use your 2FA codes to transfer your funds.

By putting your funds on an exchange, they also have the ability to freeze your accounts for whatever reason they can spin up.

Valuable info! They all come with risks. "Relative" to wallets such as Electrum though, is what I am wondering about.

Use 2FA (not SMS 2fa),...

Why not? How is email safer?

What about concerns about the device you use (where you wouldn't access your email) to get on your Binance account? Technical concerns like when using Electrum (cold storage, air gap, offline signature...etc).

Like what are the risks if your device is infected with malware/spyware?
TryNinja
February 06, 2021, 08:39:36 AM
 #6

Why not? How is email safer?
I'm not talking about email, but OTP based 2FA. You download an app on your mobile and every time you need to log in to your account or do an important function (like withdrawing or changing your password), you'll have to open the app, grab a 6-digit pin code that changes every 30 seconds and put it on the page. This way, someone would not only need to find out your email and password, but also manage to somehow get your 2FA code, which is on a separate device.

But even email is probably safer than SMS based 2FA. People can quite easily social engineer your telecom company to SIM swap you, hijacking your number and getting all your SMS, thus making the 2FA useless.

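Added example, not part of any post in this thread: a minimal RFC 6238 TOTP in Python showing the 6-digit, 30-second code described in post #6, and the point made in post #4 that a plain code is not tied to the withdrawal address. `bound_code`, `approve_plain`, `approve_bound` and the sample addresses are hypothetical; the bound variant is an illustrative construction, not RFC 6238 and not any exchange's actual scheme.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each code stays valid, as described in the post

def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation of an HMAC-SHA1 digest to a decimal code."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the count of 30-second steps since epoch."""
    counter = struct.pack(">Q", max(unix_time, 0) // STEP)
    return _truncate(hmac.new(secret, counter, hashlib.sha1).digest(), digits)

def verify_totp(secret: bytes, code: str, unix_time: int, drift: int = 1) -> bool:
    """Accept the current step and its neighbours to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * STEP), code)
               for d in range(-drift, drift + 1))

def bound_code(secret: bytes, unix_time: int, destination: str) -> str:
    """Illustrative transaction-bound code (not RFC 6238): the destination shown
    on the second device is mixed into the MAC, tying the code to it."""
    msg = struct.pack(">Q", unix_time // STEP) + b"|" + destination.encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha1).digest(), 6)

def approve_plain(secret: bytes, request: dict, now: int) -> bool:
    """Hypothetical server check with plain TOTP: the address is never examined."""
    return verify_totp(secret, request["otp"], now)

def approve_bound(secret: bytes, request: dict, now: int) -> bool:
    """Hypothetical server check: recompute the code for the requested address."""
    expected = bound_code(secret, now, request["address"])
    return hmac.compare_digest(expected, request["otp"])

# Constructed sample data: the RFC 6238 test secret and placeholder addresses.
SECRET = b"12345678901234567890"
NOW = 59
USER_ADDR, SWAPPED_ADDR = "addr-user-intended", "addr-substituted"

if __name__ == "__main__":
    code = totp(SECRET, NOW)
    print("plain code accepted for swapped address:",
          approve_plain(SECRET, {"otp": code, "address": SWAPPED_ADDR}, NOW))
    bound = bound_code(SECRET, NOW, USER_ADDR)
    print("bound code accepted for swapped address:",
          approve_bound(SECRET, {"otp": bound, "address": SWAPPED_ADDR}, NOW))
```
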
o_e_l_e_o
February 06, 2021, 09:34:51 AM
 #7

But even email is probably safer than SMS based 2FA.
I would say both email and SMS are terrible for 2FA.

As TryNinja has explained, SMS based 2FA is terrible because it is almost trivially easy in some cases to perform a SIM swap attack. As in, "one phone call to the mobile operator and 5 minutes and it's done" easy. Don't use it wherever possible. Email, however, is equally terrible, for the main reason that almost everyone uses the same email address for their exchange account as they do to receive their 2FA code. If someone hacks your email, then they can reset your exchange account password and receive your 2FA code all in one. Therefore, since both your factors (password and 2FA code) can be compromised at once, then it isn't really two factors at all.

You should use, at a minimum, an authenticator app on a device you do not use to log in to said exchange or store your exchange account's password on. Even better is to use a physical 2FA hardware key.

Like what are the risks if your device is infected with malware/spyware?
The risks to both Binance and Electrum are significant. Clipboard malware could make you send your coins to an attacker if you are not careful from either exchange or wallet. Malware could steal your exchange log in details, and malware could also steal your private keys. This is one of the main reasons people recommend either hardware wallets or cold storage, to mitigate the risks of infected devices.
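
Added example, not written by any poster: a pre-send check in Python for the clipboard-swap risk described in post #7. It goes slightly beyond the post by showing that a Base58Check checksum only catches typos, while a swapped address is itself valid and is caught only by comparing against a reference recorded out of band. `check_before_send` and both sample addresses are constructed for illustration, and only the legacy Base58Check format is handled.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(payload: bytes) -> str:
    """Encode version byte + hash as a Base58Check string (legacy address format)."""
    raw = payload + _checksum(payload)
    num = int.from_bytes(raw, "big")
    out = ""
    while num:
        num, rem = divmod(num, 58)
        out = B58[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))  # leading zero bytes become '1'
    return "1" * pad + out

def b58check_valid(addr: str) -> bool:
    """True if the string decodes and its 4-byte checksum matches."""
    num = 0
    for ch in addr:
        if ch not in B58:
            return False
        num = num * 58 + B58.index(ch)
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + num.to_bytes((num.bit_length() + 7) // 8, "big")
    return len(raw) > 4 and raw[-4:] == _checksum(raw[:-4])

def check_before_send(pasted: str, reference: str) -> str:
    """Compare what landed in the send field with a reference recorded out of band."""
    pasted = pasted.strip()
    if not b58check_valid(pasted):
        return "reject: malformed or mistyped address"
    if pasted != reference:
        return "reject: valid address, but not the intended one"
    return "ok"

# Constructed sample data: two addresses built from made-up 20-byte hashes.
INTENDED = b58check_encode(b"\x00" + bytes(range(20)))
SWAPPED = b58check_encode(b"\x00" + bytes(range(20, 40)))

if __name__ == "__main__":
    print(check_before_send(INTENDED, INTENDED))
    print(check_before_send(SWAPPED, INTENDED))
```
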
The Cryptovator
February 06, 2021, 05:14:10 PM
 #8

We can't compare Binance and Electrum in any way. Both of them are different themes. Binance is a centralized exchange, it's not a wallet service. But Electrum is an open-source non-custodial Bitcoin wallet. Electrum is safe if you can save your seed and private keys; you also need to secure your device from hackers as well. Although Binance is a reputed exchange, they never give access to your funds, which means they never share private keys. They just assign a deposit address for you and hold the funds themselves. Although there is 3-step verification during withdrawal (mobile, email & Google 2FA), the funds still aren't under your control. So, don't compare both of them.

9thsky (OP)
February 06, 2021, 05:55:50 PM
 #9

But even email is probably safer than SMS based 2FA.
You should use, at a minimum, an authenticator app on a device you do not use to log in to said exchange or store your exchange account's password on. Even better is to use a physical 2FA hardware key.

Does an authenticator app work on a pc?

Like what are the risks if your device is infected with malware/spyware?
The risks to both Binance and Electrum are significant. Clipboard malware could make you send your coins to an attacker if you are not careful from either exchange or wallet. Malware could steal your exchange log in details, and malware could also steal your private keys. This is one of the main reasons people recommend either hardware wallets or cold storage, to mitigate the risks of infected devices.

I meant when on Binance
ranochigo
February 06, 2021, 06:24:35 PM
Merited by o_e_l_e_o (2)
 #10

Does an authenticator app work on a pc?
There are authenticator apps on PC but that doesn't mean you should use them. It puts you at risk of having malware steal your OTPs, with the authenticator app being on the same PC used to access the account. The authentication should be done with a separate device that you own.

o_e_l_e_o
February 06, 2021, 07:03:08 PM
 #11

Does an authenticator app work on a pc?
Sure, but as ranochigo says, any time you combine both your 2FA into one device or account, then it ceases to be 2FA. If someone can hack your email then use your email to reset your exchange account password and also receive your 2FA code, then it isn't two factors. If someone can hack your computer, and then use your computer to log in to your exchange account and also generate your 2FA code, then it isn't two factors. Your second factor should be on a device which has nothing to do with your first factor.

I meant when on Binance
I can't comment specifically on malware which targets exchange accounts (since I don't use any exchanges), but given that there exists malware which can give complete control of your computer to an attacker, then it is certainly possible that malware could access your account, steal your login details, withdraw your coins, change the address when you make a transaction, and so on.
bL4nkcode
February 06, 2021, 07:22:34 PM
 #12

Does an authenticator app work on a pc?
Yes, such as Authy, but I still don't recommend using it on PC; use the 2FA app/software on a different device from the one you're using to log in to an account, for security reasons.

SMS 2FA isn't recommended; there are already some cases of hacked exchange accounts due to SIM swap, and the SMS used to hack the email and other accounts can probably be used to bypass SMS 2FA.

I meant when on Binance
Aside from clipboard malware, using Binance in any browser can lead to accessing a phishing website; though it's easy to detect a phishing website, there are still lots of users who got phished and hacked.