Buying bitcoin from an exchange
There are a variety of methods for keeping one’s bitcoin safe once it is withdrawn from an exchange. However, one of the most overlooked processes in obtaining bitcoin are the security practices needed for user exchange accounts. In order to safely withdraw and store bitcoin, we must take advantage of the available security features exchanges have to offer.
- Do your homework
Before signing up with an exchange that is available in your territory, it is helpful in the long run for individuals to research and compare all available exchanges. Most exchanges require sensitive information from their users in order to comply with KYC (know your customer) and AML (anti-money laundering) protocols in order to operate. Does the exchange you are researching have a good track record of storing personal data? Have there been instances in the past where the exchange loses customer funds? If they have lost customer funds, were they reimbursed in a timely manner? How is their customer support? Are they responsive and helpful? These are the types of questions that need to be answered before deciding to sign up with an exchange. If you plan on purchasing a good portion of your bitcoin from an exchange, you will want the process to be as smooth as possible in order to save time and protect your data.
- Setup 2FA
Two-factor authentication is a method where a code is sent to the user after they successfully sign into their exchange account with their email and password. This code may be sent to a user’s phone through an authenticator app, SMS (text message), or by email. The most secure method is to have this code sent to an authenticator app like Google Authenticator because it is impossible for a bad actor to access the code remotely. If the code is sent via email, a bad actor may gain access if there is a weak password associated with the email. Additionally, a bad actor can also gather personal details and call the user’s mobile phone provider to port the number to their own sim in order to receive all text messages. Using an authenticator app is far more secure than email and text message, because the app generates a new code every 30 seconds. Therefore, a bad actor would need access to the physical device in order to view the code.
- Create a pin code
Pin codes are a great security layer that decreases the opportunity for bad actors to gain access to user accounts. For many, it is necessary to gain quick access to their bitcoin funds in their exchange accounts. However it is also important to have a pin code set up with the device itself to protect any other sensitive data that might be stored locally on the device.
- Activate face and fingerprint ID
Utilizing a face and fingerprint ID is similar to using a pin code to access your device and funds that are stored with an exchange. Despite their similarities, face and fingerprint ID are preferred over a pin code because a bad actor would need you to be physically present in order to unlock the device. A bad actor can also access your device if they have seen you enter your pin into the app and phone.
- Enable email notifications
In your exchange account settings, check to see if there are options to have email notifications set up for things like logging in, fund transfers, and account setting changes. Email notifications are a great way to keep track of all the activity that occurs on your exchange account. By doing so, you will be notified immediately if there is any suspicious activity on your account.
- Add whitelisted withdrawal addresses
Also check to see if your exchange allows for whitelisted addresses, which you can find in your exchange settings. But for every whitelisted address you add, it will take about 7 days (may vary based on exchange) for it to be accessible. This grace period allows a user enough time to cancel or remove an address that they did not add themselves. Even if a bad actor is able to bypass all security protocols, they would only be able to withdraw funds to addresses that you control. They may choose to add an address that they have the private keys to (private keys allow a user to send and receive funds while public addresses only allow users to receive funds), but will not be able to withdraw funds until the approval period ends.
Protecting your privacy
Taking the steps to protect your private information and data may seem cumbersome at times. But it is always better to do this in order to mitigate the risk of your information ending up in the wrong hands. This process takes effort and everyone can always take steps to improve their online privacy.
- Use a VPN
A VPN (virtual private network) allows for all of your data to be routed through an encrypted channel or tunnel. This method allows for a user’s IP address and location to be hidden from everyone (including the internet service providers). Not only is it safer to use a VPN while doing anything Bitcoin related, it is also recommended to use a VPN for all internet related needs.
- Avoid public WiFi
Whenever possible, use a secure network while performing Bitcoin transactions. If a transaction must be done on a public WiFi network, be sure to use a VPN when doing so.
- Do not advertise your Bitcoin holdings
Use your own discretion when speaking to others about Bitcoin. For example, some people may want to know how much bitcoin you own. It is best to treat this discussion the same way you would when discussing other personal information. Also, use your best judgement when posting your bitcoin holdings on social media or anywhere on the internet. Consider the benefits of doing so versus the potential issues that may come up later. In most cases, there are very few benefits for letting friends or strangers know how much bitcoin you have.
Storing your bitcoin in cold storage
This will depend on an individual’s comfort level, but it is important to at least be aware that your bitcoin may be stored offline with a wallet that you control. This storage method is different from storing funds in a bank or exchange. Bitcoin is the only asset in the world that an individual can transfer to another person and vice versa, without the need of a third party. There are many open source wallets that a user may transfer their bitcoin to, but if any of the wallet creators stop maintaining the code for their products, the user always has the option to transfer their funds to the Bitcoin Core wallet or any of the other available wallets.
This is made possible by the seed phrase (private address) that is generated along with the public address for every Bitcoin wallet. Funds may be received from anyone around the world if they have access to the public address (like a bank account number). However, funds may only be withdrawn from that same wallet if the user has access to the private key. This private key is like a password that allows you access to your bank account number. To be read by humans, this private key is generated to appear as a random string of numbers and letters. To make the private key more readable, we have the BIP39 protocol to allow each character be translated as a mnemonic phrase or a memorizable word like “ghost” or “tree”. Depending on the wallet, the seed phrase may be 12, 18, or 24 words long. With these phrases, one is able to recover their funds with a new device if they lose access to the original device.
Whether the chosen exchange suspends a user’s account or a bad actor gains access through security faults, it is always better to have bitcoin stored in cold storage. Storing your own private keys is a very important step because it is not possible to confiscate your bitcoin without your permission. Even if the internet is shut off in a particular territory, the user may still transact with their bitcoin via satellite or ham radio. The risk of losing access to your bitcoin is infinitely lower once kept in cold storage.
- Never type in your private key
When generating a wallet, never digitally store or type the private key onto a device that is connected to the internet. Most would even recommend not to type the seed phrase into any digital device. This includes keeping the seed phrase (private key) in a text file or as a digital photo.
There have been many cases where the seed phrase was stolen by a remote hacker or a user typed their seed phrase into a fake website or interface. Always be skeptical if an exchange or device requires the user to type in their seed phrase. However, there are desktop wallets that require one to type in their seed phrase in order to recover a wallet. Be sure that the software was downloaded from the correct website.
- Backup your seed phrase
As previously discussed, backing up your private key will guarantee you the ability to recover all funds. Multiple copies of the private key will increase the likelihood that you will not lose access to the funds. Be sure to store all copies in safe and secure locations. Having the seed phrase written on paper is fine when starting out, but it may be necessary to have the seed phrase written on a water and fire resistant material such as stainless steel. Cryptosteel and Privacypros are examples of manufacturers that provide specifically made plates for seed phrases.
- Store your seed phrase in separate locations
The physical location(s) of your seed phrase may vary depending on what you are comfortable with. Some individuals prefer to split up a single seed phrase. For example, if you have a 12 word seed phrase, you may want to have 6 words in one location and then have the other 6 words in another location. This method may help in the case that someone finds your seed phrase and knows how to recover the funds on a separate device.
Others may store the whole seed phrase in one location and then have a backup in another location. There are a number of combinations to achieve this and will depend on what you are comfortable with and have access to.
Remember to always take security measures you are comfortable with. If at any point you feel that your storage solutions are not as secure as you would like, continue learning and testing the methods that make sense for your own situation.
Below is a list of some of the best practices for protecting your privacy and ensuring that the funds you send are able to reach the receiver in a timely manner.
- Protect your privacy
You may use a VPN and a secure WiFi network whenever you send funds to another person. Some individuals send funds to another address before sending them to the receiver. The receiver may still see the previous address but they will be unable to verify the funds in the original address belong to you. Running a node will also verify the transaction successfully went through, while maintaining your privacy. Using a third party platform does not guarantee that their transaction history is accurate or that they will maintain your privacy.
- Verify the address
Always verify that the address received by the person you are sending funds to is correct. If needed, you may send a small amount to the receiver’s address to mitigate the risk that the receiver sent the incorrect address to you. The remaining amount may be sent to the receiver once they verify that they see the test amount in their wallet.
- Verify transaction fees
When sending any amount of bitcoin, be sure that you are using a wallet that allows you to adjust the miner fees for executing transactions. Some wallets do not have a custom fee selection. Be sure to use a wallet with a custom fee feature before sending bitcoin to that address. Keep in mind that the lower the fee you choose, the longer it will take for a miner to include that payment in a block they mine. The opposite is true as well, the higher the fee you choose, the more likely it will be executed on the blockchain in a timely manner.
Receiving bitcoin is more straightforward than sending it, but the list below is still important to consider:
- Generate new addresses
Generally, it is best practice to generate a new wallet address for every transaction. This habit will protect one’s privacy and make it easier for personal auditing during tax season.
- Run your own node
Not everyone will participate in running their own node, but the best way to verify that a transaction was received (and sent) is if one is running their own node. Running a node is something to consider once you are comfortable with other technical aspects when using Bitcoin. This practice also protects your privacy from third party platforms that may track which addresses are being searched for on their version of the Bitcoin blockchain.
- Verify the address
You may use the same method used for sending funds. Request that the sender do a test transaction before sending the full amount to your newly generated address.