
This site is for educational purposes only. Nothing here constitutes financial advice.

Day 6 — Build your weekly security routine

A 10-minute weekly check that prevents the vast majority of preventable losses.

Beginner
Evergreen
14 min read · Updated 2026-05-16 · Block Clarity Hub Editorial Team

Security is not a one-time setup. The most reliable users have a short weekly routine that catches mistakes early and keeps their attack surface small. Today covers the routine itself; then you set it up.

The routine has six items. None take more than two minutes once set up. The whole thing fits in a 10-minute Sunday session.

1) Review approvals. Visit revoke.cash, connect a read-only or watch-only view of your active wallet, and revoke anything you no longer recognise or actively use. Approvals you granted six months ago to a DEX you do not use are pure attack surface.

2) Check 2FA on every exchange. Use an authenticator app (Aegis on Android, Raivo on iOS), not SMS. SMS-based 2FA is bypassable via SIM-swap attacks. Confirm your recovery codes are stored somewhere you can find them.

3) Verify hardware wallet firmware. If you have a Ledger or Trezor, check that you are on the latest official firmware. Always update through the official desktop app, never a browser pop-up.

4) Read the news on the protocols you actually use. Five minutes on rekt.news or your protocol's official Twitter / status page. If a protocol you have funds in has been exploited, you may have hours, not days, to withdraw.

5) Re-check your seed phrase storage is intact. Once a month is fine for this one. Confirm the paper, metal, or split-share storage is where you expect, that water and fire have not gotten to it, and that no household member has rearranged it.

6) Audit your social engineering exposure. Are there public posts on social media where you boast about holdings, share wallet screenshots, or reveal information that helps someone target you? Edit or delete them.
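
What the approval review in step 1 is looking for, shown as an added example that is not from the original page: ERC-20 Approval event logs are replayed to find allowances that are still live and either unlimited or older than six months. The log dictionaries mimic an eth_getLogs result with a `timestamp` field added as an assumption; all addresses, amounts and helper names are constructed placeholders.

```python
from datetime import datetime, timezone

# keccak256("Approval(address,address,uint256)"): topic0 of the ERC-20 Approval event
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1   # the "unlimited" allowance many dApps request
STALE_DAYS = 180         # assumption: roughly the "six months" in step 1

def addr(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the last 20."""
    return "0x" + topic[-40:].lower()

def outstanding(logs, owner):
    """Replay Approval logs in chain order; the last value per (token, spender) wins."""
    state = {}
    for entry in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        t = entry["topics"]
        # ERC-721 reuses this signature with 4 topics; ERC-20 has exactly 3.
        if len(t) != 3 or t[0].lower() != APPROVAL_TOPIC or addr(t[1]) != owner.lower():
            continue
        state[(entry["address"].lower(), addr(t[2]))] = (int(entry["data"], 16), entry["timestamp"])
    return {k: v for k, v in state.items() if v[0] > 0}  # allowance 0 == revoked

def review(logs, owner, now):
    """Flag live approvals; replay is approximate, spending may lower a finite allowance silently."""
    findings = []
    for (token, spender), (amount, ts) in outstanding(logs, owner).items():
        age = (now - datetime.fromtimestamp(ts, timezone.utc)).days
        flags = [name for name, hit in (("unlimited", amount == UNLIMITED),
                                        ("stale", age >= STALE_DAYS)) if hit]
        if flags:
            findings.append({"token": token, "spender": spender, "age_days": age, "flags": flags})
    return findings

# Constructed sample data: placeholder addresses, not real contracts or wallets.
def pad(a): return "0x" + "0" * 24 + a[2:]
def sample_log(token, owner, spender, amount, block, ts):
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": hex(amount), "blockNumber": block, "logIndex": 0, "timestamp": ts}
ME, OTHER = "0x" + "11" * 20, "0x" + "22" * 20
TOKEN_A, TOKEN_B = "0x" + "aa" * 20, "0x" + "ab" * 20
DEX_OLD, DEX_NOW = "0x" + "bb" * 20, "0x" + "cc" * 20
NOW = datetime(2024, 9, 1, tzinfo=timezone.utc)
SAMPLE = [
    sample_log(TOKEN_A, ME, DEX_OLD, UNLIMITED, 100, 1672531200),     # 2023-01-01, never revoked
    sample_log(TOKEN_A, ME, DEX_NOW, 500, 200, 1675209600),           # revoked by the next entry
    sample_log(TOKEN_A, ME, DEX_NOW, 0, 300, 1677628800),             # revoke (allowance set to 0)
    sample_log(TOKEN_B, ME, DEX_NOW, 1000, 400, 1724112000),          # recent and finite
    sample_log(TOKEN_A, OTHER, DEX_OLD, UNLIMITED, 500, 1724112000),  # someone else's approval
]
```

Calling `review(SAMPLE, ME, NOW)` returns only the 609-day-old unlimited approval to `DEX_OLD`; the revoked entry, the recent finite one and the other owner's approval are not reported.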

Example

A user reported on r/CryptoCurrency in 2024 that their Sunday revoke.cash check caught an unlimited USDC approval to a protocol they had used once 18 months earlier. That protocol had been exploited that same weekend; the attacker was systematically draining accounts with stale approvals. The user revoked four minutes before their address came up in the attack script. The whole 'check' took 90 seconds.

Common mistakes

  • Setting up SMS 2FA because it is the path of least resistance. SIM-swap attacks are common, well-documented, and devastating.
  • Treating the routine as 'paranoid.' It is faster than your weekly meal-prep.
  • Updating hardware wallet firmware through unofficial channels. Always use Ledger Live, Trezor Suite, or the manufacturer's official app — never a browser pop-up that 'detected an update.'
  • Posting screenshots of wallet balances or staking rewards on public social media. That information is exactly what targeting algorithms use.

Safety warning

Never enter your seed phrase into any website, browser extension, or 'wallet verification' page during the routine. Approvals (revoke.cash) require connecting a wallet, but they NEVER require typing the seed phrase. If anything asks for your seed phrase, close the tab.

Check your understanding

Which type of 2FA is most vulnerable to SIM-swap attacks?


Sources & further reading

We prioritise primary sources. Where a topic moves quickly (regulation, security incidents), we re-check sources on the cadence shown by the page's "Next review" date.
