Lesson 7 — Exchange account security
Withdrawal whitelists, API-key scoping, the underused 'disable everything I do not use' principle, and SIM-swap defence at the carrier level.
An exchange account is a high-value target because it holds money you have already deposited and often has both a phone number and an email address attached. The defaults are weak by design — exchanges optimise for sign-up conversion, not for your security. This lesson is about hardening the defaults.
Enable a withdrawal whitelist on every exchange that supports it. A withdrawal whitelist locks outbound transfers to a small list of addresses you pre-authorise, with a cooldown period (typically 24-72 hours) before any new address takes effect. The cooldown is the most important part. Even if an attacker gets full account access — through SIM-swap, phishing, or credential reuse — they cannot withdraw to their own address without first adding it, which triggers a notification and gives you a window to intervene. Major exchanges (Coinbase, Kraken, Binance, Gemini, Bitstamp) all support this in 2026; the option is buried in settings on every one of them, and is almost never on by default.
If you use exchange API keys (for tax software, portfolio trackers, or trading bots), scope them correctly. Most exchanges offer at minimum three permission levels: read-only, trade-only, withdraw-enabled. Use read-only for tax software like Koinly or CoinTracker — they do not need to trade or withdraw. Use trade-only for portfolio managers that need to read positions and place orders. Never enable 'withdraw' on an API key unless you have a specific, audited reason to do so. If an exchange supports IP allowlists, set the API key to only work from your known IPs. Rotate keys annually.
Audit the things to disable on a new exchange account. Most exchanges enable several things by default that increase your attack surface: 'social trading' that exposes positions, public profile pages, third-party affiliate programmes that share your data with partners, marketing-email cross-shares. Turn them all off in account settings within ten minutes of signup. Keep email notifications enabled — you want to be alerted on every login and every withdrawal attempt.
Defend the phone number layer. Even with hardware-key 2FA on the account itself, your phone number is often listed for SMS notifications, account recovery, or 'verify by call.' A SIM-swap that compromises your number can still bypass weak recovery flows on individual exchanges. Mitigate by: setting a carrier PIN with your mobile provider (required to authorise a port-out or SIM swap), enabling port-out / 'number lock' protection where your carrier supports it, removing your phone number from any account where a hardware key has fully replaced SMS, and on US carriers specifically, using a 'port freeze' if available. T-Mobile, AT&T, and Verizon all support a port freeze or similar option as of 2026; the names differ.
Proof of reserves is a useful but limited signal. After FTX, most major exchanges began publishing 'proof of reserves' — Merkle-tree audits showing they hold customer balances. This is much better than nothing, but the limits are real: PoR shows assets at a moment in time, not liabilities; it does not capture loans, off-balance-sheet exposure, or behaviour between snapshots; and the auditors are often not the major accountancy firms. Use PoR as one input among many. Combine it with regulatory status (FCA, FinCEN, ESMA registers depending on your jurisdiction), public incident history, and the platform's response when things go wrong.
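To make the Merkle-tree mechanism concrete, here is an added example (not the lesson's code, and not any exchange's actual proof-of-reserves scheme) of a liabilities snapshot: the exchange publishes a root over hashed (customer id, balance) leaves and each customer verifies an inclusion proof for their own leaf. Leaf layout, domain prefixes and the sample balances are constructed assumptions.

```python
# Added example: a toy Merkle liabilities snapshot. Leaf format and hashing
# are assumptions; production PoR schemes differ in detail.
import hashlib


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(user_id: str, balance_sats: int) -> bytes:
    # Domain-separated so an inner node can never be passed off as a leaf.
    return _h(b"leaf:" + f"{user_id}:{balance_sats}".encode())


def build_tree(leaves: list) -> list:
    """All levels, leaves first, root last. Odd levels duplicate the last node."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        if len(lvl) % 2:
            lvl = lvl + [lvl[-1]]
        levels.append([_h(b"node:" + lvl[i] + lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels


def inclusion_proof(levels: list, index: int) -> list:
    """Sibling hashes from leaf to root; the flag is True when the sibling is on the right."""
    proof = []
    for lvl in levels[:-1]:
        if len(lvl) % 2:
            lvl = lvl + [lvl[-1]]
        sib = index ^ 1
        proof.append((lvl[sib], sib > index))
        index //= 2
    return proof


def verify_inclusion(root: bytes, leaf: bytes, proof: list) -> bool:
    """What a customer can check: their (id, balance) leaf is in the published
    snapshot. It says nothing about loans, off-balance-sheet exposure, or what
    happened between snapshots, which is exactly the limit described above."""
    node = leaf
    for sib, sib_is_right in proof:
        node = _h(b"node:" + (node + sib if sib_is_right else sib + node))
    return node == root
```

Build the tree once from the constructed balances, then verify one leaf's proof against the root; a single altered balance fails verification.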
Example
In a documented 2023 case, an attacker SIM-swapped a victim's phone number, used the number to receive password-reset emails on an account that listed the number as recovery, gained full access to a major US exchange account, and attempted to withdraw to their own wallet. The withdrawal was blocked by the exchange's whitelist cooldown — the attacker added their address to the whitelist, but the 48-hour cooldown gave the victim time to receive the new-address notification email, log in from another device, and lock the account before withdrawal became possible. The whitelist saved a six-figure account. The attacker still had full read access for those 48 hours, but no funds left.
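The scenario above, replayed as an added example that models the controls from the whitelist and API-key sections (not the lesson's code, nor any exchange's implementation): a deny-by-default withdrawal gate that checks account lock, key scope, key IP allowlist, and the whitelist cooldown. Names, the 48-hour cooldown and the sample IPs are assumptions.

```python
# Added example; class names, the 48h cooldown and sample values are assumptions.
from dataclasses import dataclass, field

COOLDOWN_SECONDS = 48 * 3600  # assumed cooldown, matching the scenario above

@dataclass
class ApiKey:
    scopes: frozenset        # minimum permissions the key needs: "read", "trade", "withdraw"
    ip_allowlist: frozenset  # empty means any IP, the weak default

@dataclass
class Account:
    whitelist: dict = field(default_factory=dict)  # address -> epoch seconds when added
    notifications: list = field(default_factory=list)
    locked: bool = False

    def add_whitelist_address(self, address: str, now: int) -> None:
        # Anyone with account access can add an address, but doing so always
        # starts the cooldown and always notifies the owner.
        self.whitelist[address] = now
        self.notifications.append(f"new withdrawal address added: {address}")

def authorise_withdrawal(acct: Account, key: ApiKey, src_ip: str, address: str, now: int):
    """Return (allowed, reason). Deny-by-default gates, in the order an exchange applies them."""
    if acct.locked:
        return False, "account locked"
    if "withdraw" not in key.scopes:
        return False, "api key lacks withdraw scope"
    if key.ip_allowlist and src_ip not in key.ip_allowlist:
        return False, "source ip not on key allowlist"
    added = acct.whitelist.get(address)
    if added is None:
        return False, "address not whitelisted"
    remaining = added + COOLDOWN_SECONDS - now
    if remaining > 0:
        return False, f"address in cooldown for {remaining // 3600}h"
    return True, "ok"

def replay_documented_case():
    """Attacker with a full-permission key whitelists their address at t=0, tries an
    hour later, and the owner locks the account before the cooldown ends."""
    acct = Account()
    attacker_key = ApiKey(frozenset({"read", "trade", "withdraw"}), frozenset())
    acct.add_whitelist_address("attacker-addr", now=0)
    early, _ = authorise_withdrawal(acct, attacker_key, "203.0.113.5", "attacker-addr", 3600)
    acct.locked = True  # owner acted on the new-address notification
    late, _ = authorise_withdrawal(acct, attacker_key, "203.0.113.5", "attacker-addr", COOLDOWN_SECONDS)
    return early, late, len(acct.notifications)
```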
Common mistakes
- Skipping the withdrawal whitelist because you 'might need to move funds quickly.' The 48-hour cooldown applies only to new addresses; addresses already on the whitelist withdraw normally.
- Generating one all-permission API key for everything because it is convenient. Each key should have the minimum permission it needs.
- Leaving your phone number on the account after migrating to a hardware key. The number is still a recovery path.
- Treating proof-of-reserves attestations as the same as financial audits. They are not. PoR is a useful signal, not a guarantee.
- Storing 2FA recovery codes in the same password manager as the password. Compromise of one compromises both.
Safety warning
If you notice your phone has suddenly lost cellular service — no signal, 'SIM not recognised,' or 'No service' — and you have crypto on exchanges, treat this as a high-confidence indicator that a SIM swap is in progress. Get to a known device, log into your exchange accounts from a desktop, disable any phone-based recovery, lock the account if possible, and call your mobile carrier from a different line to verify whether a port-out was requested.
Check your understanding
An attacker has gained full access to your exchange account. You have a withdrawal whitelist enabled with a 48-hour cooldown on new addresses. What is the actual benefit?
Sources & further reading
- Primary: NIST SP 800-63B — Digital Identity Guidelines (Authentication)
  US government authoritative reference for authenticator assurance levels.
- Primary: FBI IC3 — SIM swapping (public service announcement, Feb 2022)
  Direct US law-enforcement guidance on SIM-swap prevention.
- Secondary: FCA — Cryptoasset firms register (UK)
  Authoritative register for evaluating the regulatory status of UK exchanges.
We prioritise primary sources. Where a topic moves quickly (regulation, security incidents), we re-check sources on the cadence shown by the page's "Next review" date.