Set your exchange in password or biometric before withdraw.

[leonair]

There's something that happened yesterday which is making me to create this thread a friend of mine who is a crypto trader, he usually use binance and kucoin for his trading and we all know when it comes to withdrawing your funds in this exchanges you can set it using authentication code, email, password or biometric but you can still set it in a way you can use only the authentication code to withdraw and the authentication app is usually on the phone or system.
Yesterday someone store my friends phone entered his binance and kucoin Because it was already logged in and withdraw his crypto coins, and this was possible because he used only authentication code for withdraw and since the authentication app was on his phone it was easy for the person to withdraw, so please Set your exchange in password or biometric before withdraw because if it was set like that the person wouldn't have been able to withdraw his crypto coins.

The passkey issue is very secure, but there are many risks in some aspects. For example, I have set my face ID as a passkey on Binance on my iPhone, and when I withdraw, within seconds, the phone is scanned and the withdrawal is successful. Here, no one can withdraw crypto from my account, but when I withdraw to any address, there is no chance to change the decision or do wallet verification. The immediate withdrawal request is successful. So in this case, there may be a withdrawal request to the wrong wallet, and there is also a risk. In fact, there are risks in all aspects of financial management. So being careful is the most important thing.

[shinratensei_]

Make me wonder how some stranger could possibly access withdrawal which requires 3 verification : an sms, 2fa, and a passkey with faceID scan.

This is exactly what's so puzzling about that situation how did they even bypass those 3 verification steps? Especially the face scan, that's really suspicious.
The thief must be really skilled to impersonate the face scan ID of the person they stole from.

And honestly, no one else uses or handles my mobile device. Of course, this is my privacy and personal property,
unless I deeply trust you with something like this.

I suspected it as social engineering where OP's friend is being told to send money to the thief. Binance or any CEXs in general do whatever it takes to put so many security measures in place. They even limit withdrawal and froze account if there is surge of big withdrawal from unknown IP address.
Getting bitcoin stolen just because the phone changed hands for a short time isn't the likely outcome but i will be okay to be proven wrong. Maybe OP's friend actually used self custody wallet provided by exchange and got his seed phrase stolen, Who knows right?