Set your exchange in password or biometric before withdraw.

[leonair]

There's something that happened yesterday which is making me to create this thread a friend of mine who is a crypto trader, he usually use binance and kucoin for his trading and we all know when it comes to withdrawing your funds in this exchanges you can set it using authentication code, email, password or biometric but you can still set it in a way you can use only the authentication code to withdraw and the authentication app is usually on the phone or system.
Yesterday someone store my friends phone entered his binance and kucoin Because it was already logged in and withdraw his crypto coins, and this was possible because he used only authentication code for withdraw and since the authentication app was on his phone it was easy for the person to withdraw, so please Set your exchange in password or biometric before withdraw because if it was set like that the person wouldn't have been able to withdraw his crypto coins.

The passkey issue is very secure, but there are many risks in some aspects. For example, I have set my face ID as a passkey on Binance on my iPhone, and when I withdraw, within seconds, the phone is scanned and the withdrawal is successful. Here, no one can withdraw crypto from my account, but when I withdraw to any address, there is no chance to change the decision or do wallet verification. The immediate withdrawal request is successful. So in this case, there may be a withdrawal request to the wrong wallet, and there is also a risk. In fact, there are risks in all aspects of financial management. So being careful is the most important thing.

[shinratensei_]

Make me wonder how some stranger could possibly access withdrawal which requires 3 verification : an sms, 2fa, and a passkey with faceID scan.

This is exactly what's so puzzling about that situation how did they even bypass those 3 verification steps? Especially the face scan, that's really suspicious.
The thief must be really skilled to impersonate the face scan ID of the person they stole from.

And honestly, no one else uses or handles my mobile device. Of course, this is my privacy and personal property,
unless I deeply trust you with something like this.

I suspected it as social engineering where OP's friend is being told to send money to the thief. Binance or any CEXs in general do whatever it takes to put so many security measures in place. They even limit withdrawal and froze account if there is surge of big withdrawal from unknown IP address.
Getting bitcoin stolen just because the phone changed hands for a short time isn't the likely outcome but i will be okay to be proven wrong. Maybe OP's friend actually used self custody wallet provided by exchange and got his seed phrase stolen, Who knows right?

[shield132]

There's something that happened yesterday which is making me to create this thread a friend of mine who is a crypto trader, he usually use binance and kucoin for his trading and we all know when it comes to withdrawing your funds in this exchanges you can set it using authentication code, email, password or biometric but you can still set it in a way you can use only the authentication code to withdraw and the authentication app is usually on the phone or system.
Yesterday someone store my friends phone entered his binance and kucoin Because it was already logged in and withdraw his crypto coins, and this was possible because he used only authentication code for withdraw and since the authentication app was on his phone it was easy for the person to withdraw, so please Set your exchange in password or biometric before withdraw because if it was set like that the person wouldn't have been able to withdraw his crypto coins.

Crypto exchanges have multiple security methods to protect your account and withdrawals. You should think about the threats that you might face in the future. I wasn't using any security feature of Binance until Binance forced me because crypto isn't very well-known in my country, I have a password on my smartphone, people aren't tech-friendly, especially criminals and in overall, I couldn't be in danger in case someone stole my smartphone, so I didn't care much about it. 7 years have passed since I created a Binance account, never had a problem but I implemented security features two years ago (Binance forced me to be honest). Btw your notice is correct. We should use a password during withdrawals and P2P trading, besides Google's 2FA Authentication (I prefer 2FA over SMS authentication because sometimes you don't receive SMS). I also use Withdrawal Address Whitelist feature but it's risky if someone has or will potentially have access to your smartphone.

[Mpamaegbu]

I even just thought about SIM card lock, I never do a lock on the SIM card because I only focus on the security of my mobile and Desktop devices.
But it is an even more perfect way to lock the SIM Card, because all the OTP and the like will go to the main SIM card.

Sure! It's very important to do that. It keeps one's important data on the simcard safe in case of theft. The worst that can happen is the SIM gets destroyed if the thief continues to attempt cracking it open after it has gone into PUK on third wrong attempts. One can retrieve that later. Most people who got their bank accounts hacked after their phones got stolen though their phones were locked was from bank details saved on their SIMs which weren't locked. We all have to be security conscious in this time and age.

[barbara44]

To be fair, we have a 2FA and it is in the phone as well, so I doubt they would not be able to steal from my phone neither, it would happen. This is the type of thing that we are going to see this as a lot better situation if we just didn't use our phones for this, but at the same time I have a password on my phone, like pin to unlock it so there is really nothing shocking about that.

However, there is nothing wrong with this, it can be very good and nothing further at this than that. For this reason I believe the best we can reach at the moment would be the fact that not using your phone for crypto is superior idea. Just use your pc and you are going to do a lot better, because your pc will not be stolen that easily.

[taufik123]

Sure! It's very important to do that. It keeps one's important data on the simcard safe in case of theft. The worst that can happen is the SIM gets destroyed if the thief continues to attempt cracking it open after it has gone into PUK on third wrong attempts. One can retrieve that later. Most people who got their bank accounts hacked after their phones got stolen though their phones were locked was from bank details saved on their SIMs which weren't locked. We all have to be security conscious in this time and age.

Yes, you are right that all must be provided with security features and no exception such as SIM cards, but if the SIM card is not locked and lost,
you should immediately report to the service center to block or replace the SIM card immediately so as not to be manipulated.

Because I have lost my phone and SIM card and reported the loss right away,
The number will be recovered to the new SIM card and the old SIM card will not be able to be used.

[fighter2627]

There's something that happened yesterday which is making me to create this thread a friend of mine who is a crypto trader, he usually use binance and kucoin for his trading and we all know when it comes to withdrawing your funds in this exchanges you can set it using authentication code, email, password or biometric but you can still set it in a way you can use only the authentication code to withdraw and the authentication app is usually on the phone or system.
Yesterday someone store my friends phone entered his binance and kucoin Because it was already logged in and withdraw his crypto coins, and this was possible because he used only authentication code for withdraw and since the authentication app was on his phone it was easy for the person to withdraw, so please Set your exchange in password or biometric before withdraw because if it was set like that the person wouldn't have been able to withdraw his crypto coins.

Right now, I only have an account on one exchange, but I haven't actually used it yet since I’m still a newbie. I have an account that I think is a centralized one since it requires KYC. I’m willing to submit my KYC documents as long as I know the platform is trusted.

Even though I haven't fully used it yet though I know I'll definitely need it in the future I’ve already activated the 2FA (Two-Factor Authentication). I know this is a way to keep it secure, based on what I’ve read here in the forum. Regarding the OP's story, I personally wouldn't allow anyone else to handle my phone, especially if it contains important information. We should be the only ones handling our personal belongings, of course, and no one else.

[shawonngp]

Your friend was not very aware, because first of all I do crypto related activities on my mobile, I use many extra passwords on that mobile, like firstly my mobile is locked on skin, and I use all exchange apps or other crypto wallet opening passwords, so that no one can open my exchange account even after getting my mobile on their hand, secondly I always use binance passkey or biometric, which is required to log into my account. It applies to any fund transfer, so no one can withdraw money from my mobile. Biometrics is not implemented on most exchanges, but on Binance, it works very quickly. I find it very annoying to use an authentication code, especially for fund transfers via email and confirmation, so I always prefer biometrics.

Usually biometrics is implemented through Googles feature on that matter.. just like for any banking app if such an option is needed by the user, so, yeah - adding additional layers for your security is the least we can do to secure our bags.

All the bank apps and all their mobile financial service (MFS) apps in our country have very weak security, as they ask for a password to log in, then don't need a PIN to transfer funds, even transactions can be done without any OTP, they have not put any security system in the second layer, because of this, money is stolen from mobile banking apps. But most exchange sites have an option to set a passkey. There are several levels of security measures.

[Jatiluhung]

To be fair, we have a 2FA and it is in the phone as well, so I doubt they would not be able to steal from my phone neither, it would happen. This is the type of thing that we are going to see this as a lot better situation if we just didn't use our phones for this, but at the same time I have a password on my phone, like pin to unlock it so there is really nothing shocking about that.

However, there is nothing wrong with this, it can be very good and nothing further at this than that. For this reason I believe the best we can reach at the moment would be the fact that not using your phone for crypto is superior idea. Just use your pc and you are going to do a lot better, because your pc will not be stolen that easily.

I personally have two phones that I use for security reasons. One phone has my crypto wallet and Cex, but it doesn't have the same SIM card that I use to receive verification codes or anything like that. That's because I put the SIM card in my other phone. So, to make a withdrawal from the phone that has my Cex on it, I also need my other phone to receive the verification code and OTP. For the wallet, withdrawals can only be made using my fingerprint. So, wherever I take my phone with the wallet and Cex that I frequently use, I can still feel at ease. At least this simple method has been in use for a long time. And it’s quite secure—even when my phone was left in one of my friend’s bags when I left it with them during an outdoor activity we did together, I could still stay calm. Because at least my phone is also locked with a password, a complex pattern, and fingerprint authentication.

[free-bit.co.in]

All the bank apps and all their mobile financial service (MFS) apps in our country have very weak security, as they ask for a password to log in, then don't need a PIN to transfer funds, even transactions can be done without any OTP, they have not put any security system in the second layer, because of this, money is stolen from mobile banking apps. But most exchange sites have an option to set a passkey. There are several levels of security measures.

What country are you from and which bank are you using? Honestly, I do not believe and have never seen any banking app that does not require a PIN or OTP code to transfer money, or that does not have a second layer of security.

Based on my knowledge and experience, all current financial applications require a password, biometrics, or app PIN to log in. Meanwhile, transferring or withdrawing money will require additional layers of security such as OTP, SMS, in app push notifications, or biometric. There is no way to transfer money without setting up a second layer of security beforehand, let alone without any second layer of security at all.

[Bitcoin_people]

Although I think that someone you know from your friend's phone did this, and a stranger would never know. If he has a password for his phone, then he needs to know enough to open that phone, if he doesn't know, he won't be able to open it. Then we can be sure that the amount of money your friend lost was definitely done by someone he knows. But this is definitely important because when an exchange sets up withdrawals through biometrics or fingerprints, it will be more difficult for fraudsters. So I think if you have any investments or money in this crypto space, you shouldn't share them with anyone because people close to you are often greedy and try to cheat. I think that the person who cheated your friend must have been someone he knows and he was able to access everything about his device because he knows everything about it very well.

[OcTradism]

Although I think that someone you know from your friend's phone did this, and a stranger would never know. If he has a password for his phone, then he needs to know enough to open that phone, if he doesn't know, he won't be able to open it. Then we can be sure that the amount of money your friend lost was definitely done by someone he knows.

First and most important, people must know how vital a strong password is for their account security or file encryption. Then they will have to learn how to create a strong password and apply password manager softwares for this vital task.
[GUIDE] How to Create a Strong/Secure Password
Are your passwords in the green?

But this is definitely important because when an exchange sets up withdrawals through biometrics or fingerprints, it will be more difficult for fraudsters.

Are you really sure about that?

Biometric security (facial recognition, fingerprints scanning, etc.) is much easier to fool and bypass than a strong password. Don't use it.

Based on my knowledge and experience, all current financial applications require a password, biometrics, or app PIN to log in. Meanwhile, transferring or withdrawing money will require additional layers of security such as OTP, SMS, in app push notifications, or biometric. There is no way to transfer money without setting up a second layer of security beforehand, let alone without any second layer of security at all.

Setting up 2FA for your account security and your fund safety is mandatory but I don't recommend OTP, SMS or biometrics.
[Beware] Sim Port Attack.

There are different 2FAs, from open source to close source and I guess you know that recommendations are always open source 2FA, like Aegis Authenticator.
Aegis Authenticator, a decent alternative to Google Authenticator and Authy.

[free-bit.co.in]

Setting up 2FA for your account security and your fund safety is mandatory but I don't recommend OTP, SMS or biometrics.
[Beware] Sim Port Attack.

There are different 2FAs, from open source to close source and I guess you know that recommendations are always open source 2FA, like Aegis Authenticator.
Aegis Authenticator, a decent alternative to Google Authenticator and Authy.

I agree about the risks of SMS, and it is no longer recommended to be used as a 2fa method these days. But are biometrics really so easy to fool and bypass? I have never heard any reports of hackers having cracked Face ID and Touch ID on iPhones.

Aegis Authenticator is an opensource application, but unfortunately, it is only available for Android. For IOS users, I would recommend 2FAS and Ente Auth. They are also open source applications and far more reliable than Google and Authy.