Practicing Safe CEX
After a recent scare tied to the Coinbase data leak, I realized it was time to share some best practices for anyone using a centralized exchange (CEX) to hold or manage funds.
Had the attackers breached my Coinbase account, they could have caused some damage, but solid security measures gave me time to respond and protect my funds. If you use platforms like Coinbase or Kraken, it's critical to understand your risks and how to protect yourself.
I got into crypto because I believe in the power of self custody. While some in the space criticize using a CEX for anything beyond converting fiat to crypto, the reality is that everyone has different needs. What matters most is knowing how to secure your assets wherever they are.
With self custody, one mistake can be permanent. But centralized exchanges aren’t automatically safe either. If your login gets compromised and your security settings are weak, your funds can disappear just as quickly. In crypto, there are no chargebacks. Once funds are sent out, they are gone.
Investing in a hardware wallet is a small price to pay for the peace of mind that comes with learning self custody. It also gives you an emergency exit option if something goes wrong.
The best time to learn how to use a hardware wallet is before you actually need it, when you are calm, not in a panic, and able to take the time to get comfortable with the process.
Popular Hardware Wallets (X + Official Site Links)
Ledger - @Ledger - https://ledger.com/
One Key - @OneKeyHQ - https://onekey.so/
Keystone - @KeystoneWallet - https://keyst.one/
Trezor - @Trezor - https://trezor.io/
Tangem - @Tangem - https://tangem.com/en/
In traditional finance, if your credit card or bank account is compromised, fraud detection systems often step in. But in crypto, attackers move fast—sometimes before you even know anything is wrong. They create chaos, push you into panic, and count on you to make a mistake.
Next, I’ll break down the most effective security features on Coinbase and Kraken to help you protect your accounts before something goes wrong.
Secure your email
In addition to the tips below, strengthening the security of your email is critical, especially if you use it for anything related to finances. Enable passkeys and two factor authentication. Reset your passwords to complex and unique ones that are not reused anywhere else. If your email has appeared in multiple dark web leaks, it is time to stop using it for sensitive activity altogether.
Never store credentials or seed phrases online, whether in your email drive, cloud storage, or on your phone.
Consider switching to encrypted email services like Proton. Even their lowest tier includes features like aliases and multiple email accounts linked to one main address. For example, your main email could be johndoe@proton, and you could create aliases or emails like john.coinbase@proton or john.kraken@proton to separate logins across platforms.
There are many tools available to help manage strong passwords. Options include Proton Pass, 1Password, and Google's built in password manager. LastPass is also widely used, though it has experienced breaches in the past.
Securing your Coinbase account
Make sure you have two factor authentication enabled. Add a passkey and consider using an authenticator app if you have not already. While you can add SMS as a backup, remember that with SIM swaps, texts can be intercepted.
If you have not updated your email and password recently, now is the time. Go to your profile icon, then select Manage Account. Use a unique and complex password, and consider using a separate email address dedicated to your Coinbase account.
Set up your Allow List. This feature is available on the desktop version of Coinbase under your profile icon, then Settings, then Allow List.
- When you enable the Allow List, it takes 48 hours to activate or remove (this delay is important).
- Add external wallets you control, such as cold storage wallets for your main holdings. Coinbase is very specific about what you can send. For example, if you whitelist an Ethereum address on Arbitrum, you cannot send USDC or other EVM tokens to that address unless each token and address is specified.
- If someone gains access to your account and the Allow List is active, they cannot send funds to an unapproved address. If they attempt to add a new address, it will take 48 hours before funds can be sent. This window gives you time to lock your account.
- While it may feel inconvenient if you want to send funds quickly, this system reinforces patience and preparation.
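To make the Allow List mechanics concrete, here is an added toy model of a time-delayed withdrawal allow list. It is example code written for this post, not Coinbase's code, and it assumes the behaviour described above: entries are (network, asset, address) triples, an add or remove takes effect only after 48 hours, withdrawals go only to active entries, and an alert fires when a change is requested. The assumption that locking the account also discards pending changes, and every address used, is constructed for the example.

```python
"""Toy model of a 48-hour delayed withdrawal allow list (added example,
not Coinbase's code). All addresses and timings below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

HOUR = 3600
ACTIVATION_DELAY = 48 * HOUR  # post: 48 hours to add or remove an entry

# One entry per (network, asset, address); the same address listed for
# USDC does not cover ETH, matching the per-token granularity described.
Entry = Tuple[str, str, str]


@dataclass
class AllowList:
    active: Set[Entry] = field(default_factory=set)
    pending_add: Dict[Entry, int] = field(default_factory=dict)     # entry -> activation time
    pending_remove: Dict[Entry, int] = field(default_factory=dict)  # entry -> removal time
    locked: bool = False
    alerts: List[str] = field(default_factory=list)  # stands in for push/email alerts

    def _settle(self, now: int) -> None:
        """Apply every pending change whose 48-hour delay has elapsed."""
        for entry, when in list(self.pending_add.items()):
            if now >= when:
                self.active.add(entry)
                del self.pending_add[entry]
        for entry, when in list(self.pending_remove.items()):
            if now >= when:
                self.active.discard(entry)
                del self.pending_remove[entry]

    def request_add(self, entry: Entry, now: int) -> int:
        if self.locked:
            raise PermissionError("account is locked")
        self.pending_add[entry] = now + ACTIVATION_DELAY
        self.alerts.append(f"allow-list add requested: {entry}")
        return self.pending_add[entry]

    def request_remove(self, entry: Entry, now: int) -> int:
        if self.locked:
            raise PermissionError("account is locked")
        self.pending_remove[entry] = now + ACTIVATION_DELAY
        self.alerts.append(f"allow-list remove requested: {entry}")
        return self.pending_remove[entry]

    def lock(self) -> None:
        """Owner reacting to an unexpected alert: freeze withdrawals and
        (assumed for this model) drop any pending edits."""
        self.locked = True
        self.pending_add.clear()
        self.pending_remove.clear()

    def can_withdraw(self, entry: Entry, now: int) -> bool:
        self._settle(now)
        return not self.locked and entry in self.active


def owner_scenario() -> dict:
    """Legitimate use: cold wallet listed ahead of time, per-asset granularity."""
    al = AllowList()
    cold_usdc = ("arbitrum", "USDC", "0xCOLD")  # constructed address
    cold_eth = ("arbitrum", "ETH", "0xCOLD")
    al.request_add(cold_usdc, now=0)
    return {
        "usdc_before_delay": al.can_withdraw(cold_usdc, now=47 * HOUR),
        "usdc_after_delay": al.can_withdraw(cold_usdc, now=48 * HOUR),
        # same address, different asset: not listed, so refused
        "eth_same_address": al.can_withdraw(cold_eth, now=48 * HOUR),
    }


def intruder_scenario() -> dict:
    """Compromised login: the delay plus the alert gives the owner time to lock."""
    al = AllowList()
    al.request_add(("ethereum", "ETH", "0xHOME"), now=0)  # owner's own wallet
    thief = ("ethereum", "ETH", "0xTHIEF")
    t0 = 72 * HOUR                      # break-in happens after the owner's entry is live
    al.request_add(thief, now=t0)
    immediate = al.can_withdraw(thief, now=t0)
    alerted = any("0xTHIEF" in a for a in al.alerts)
    al.lock()                           # owner sees the alert and locks the account
    return {
        "immediate_theft": immediate,
        "owner_alerted": alerted,
        "theft_after_delay": al.can_withdraw(thief, now=t0 + 49 * HOUR),
        "pending_cleared": len(al.pending_add) == 0,
    }
```

The point the model makes is that the 48-hour delay is only useful together with alerts: the intruder's add request is visible immediately, and the lock has to land before the delay expires.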
Check your settings to make sure you have security alerts and push notifications turned on.
If you use Coinbase regularly for dollar cost averaging or storing crypto, consider subscribing to Coinbase One. For $29.99 a month, it includes live support with a callback feature directly from the app, account protection up to ten thousand dollars, and other benefits.
Important reminders: Coinbase will never call you out of the blue. If you request a call through the app, it will come from a San Francisco number with a 415 area code. They will never send you links via text. They will not ask you to click any links or provide account details, other than confirming basic information during a call you requested.
Securing your Kraken account
Make sure you have two factor authentication enabled. Add a passkey and use an authenticator app if you have not already. You can add SMS, but as with Coinbase, SIM swaps make this vulnerable.
If you have not recently changed your email and password, go to your profile icon and select Manage Account. Use a strong, unique password and consider using a separate email address for Kraken.
Enable Funding two factor authentication and Trading two factor authentication. This requires confirmation each time you withdraw funds, generate a deposit address, or make a trade. Without two factor authentication, funds could be moved, sent out, or pulled from your bank without your approval.
Set up Global Settings Lock.
- When enabled, GSL prevents changes to your account settings and hides sensitive information.
- It acts as a final layer of protection if both your password and sign in two factor authentication are compromised.
- You will receive an email notification if anyone tries to unlock the GSL.
- Depending on your settings, unlocking GSL without a Master Key takes at least 24 hours and can be delayed up to 30 days. This delay gives you time to intervene if your account is under attack.
- Check out this video on YouTube to learn more about GSL: https://youtu.be/NHJ3oUrJl58?si=JLJhoOAz0amq9aXJ
Set up a Master Key
- A Master Key prevents unwanted password resets, even if your email is compromised. If enabled, it is required to reset your Kraken password.
- It can also be used as an alternative method for two factor authentication during sign in.
- It does not work if Global Settings Lock is enabled. If GSL is active, turn it off before setting the Master Key.
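The GSL and Master Key sections describe controls that interact, so here is an added toy model of both, written for this post and not Kraken's code. It assumes only what the text states: GSL freezes settings changes; unlocking without the Master Key takes a configurable delay between 24 hours and 30 days and sends an email alert; a Master Key, once set, is required for a password reset; and the Master Key cannot be set while GSL is on. The cancel step for a pending unlock, the key values and the timings are constructed for the example.

```python
"""Toy model of Global Settings Lock (GSL) plus Master Key (added example,
not Kraken's code). Keys, timings and the cancel step are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

HOUR = 3600
MIN_UNLOCK_DELAY = 24 * HOUR        # post: at least 24 hours without a Master Key
MAX_UNLOCK_DELAY = 30 * 24 * HOUR   # post: can be delayed up to 30 days


def _digest(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()


@dataclass
class AccountSettings:
    unlock_delay: int = MIN_UNLOCK_DELAY
    gsl_enabled: bool = False
    gsl_unlock_at: Optional[int] = None          # scheduled unlock time, if pending
    master_key_digest: Optional[bytes] = None
    settings: dict = field(default_factory=dict)
    notifications: list = field(default_factory=list)  # stands in for email alerts

    def __post_init__(self) -> None:
        if not MIN_UNLOCK_DELAY <= self.unlock_delay <= MAX_UNLOCK_DELAY:
            raise ValueError("unlock delay must be between 24 hours and 30 days")

    def _key_ok(self, master_key: Optional[str]) -> bool:
        return (self.master_key_digest is not None and master_key is not None
                and hmac.compare_digest(_digest(master_key), self.master_key_digest))

    def _settle(self, now: int) -> None:
        """A pending unlock that nobody cancelled takes effect once the delay passes."""
        if self.gsl_unlock_at is not None and now >= self.gsl_unlock_at:
            self.gsl_enabled, self.gsl_unlock_at = False, None

    def set_master_key(self, key: str) -> None:
        # Ordering caveat from the post: turn GSL off before setting the Master Key.
        if self.gsl_enabled:
            raise PermissionError("disable Global Settings Lock before setting a Master Key")
        self.master_key_digest = _digest(key)

    def enable_gsl(self) -> None:
        self.gsl_enabled, self.gsl_unlock_at = True, None

    def request_gsl_unlock(self, now: int, master_key: Optional[str] = None) -> int:
        """Immediate with a valid Master Key; otherwise delayed, and the owner is alerted."""
        if self._key_ok(master_key):
            self.gsl_enabled, self.gsl_unlock_at = False, None
            return now
        self.gsl_unlock_at = now + self.unlock_delay
        self.notifications.append(("email", "GSL unlock requested", self.gsl_unlock_at))
        return self.gsl_unlock_at

    def cancel_gsl_unlock(self) -> None:
        """Owner reacting to the alert (constructed step): keep the lock in place."""
        self.gsl_unlock_at = None

    def change_setting(self, name: str, value: str, now: int) -> None:
        self._settle(now)
        if self.gsl_enabled:
            raise PermissionError("settings are frozen by Global Settings Lock")
        self.settings[name] = value

    def reset_password(self, new_password: str, master_key: Optional[str] = None) -> None:
        if self.master_key_digest is not None and not self._key_ok(master_key):
            raise PermissionError("Master Key required to reset password")
        self.settings["password"] = new_password


def _blocked(action) -> bool:
    try:
        action()
        return False
    except PermissionError:
        return True


def intrusion_scenario() -> dict:
    """Attacker holds password and sign-in 2FA; GSL and Master Key are the last layer."""
    acct = AccountSettings(unlock_delay=7 * 24 * HOUR)
    acct.set_master_key("owner-master-key")   # set BEFORE enabling GSL
    acct.enable_gsl()
    out = {"setting_change_blocked": _blocked(
        lambda: acct.change_setting("withdrawal_address", "0xTHIEF", now=0))}
    out["unlock_delay_hours"] = acct.request_gsl_unlock(now=0) // HOUR  # no Master Key
    out["owner_alerted"] = len(acct.notifications) == 1
    out["password_reset_blocked"] = _blocked(lambda: acct.reset_password("attacker-pw"))
    acct.cancel_gsl_unlock()                  # owner sees the email in time
    later = 8 * 24 * HOUR
    out["still_locked_after_delay"] = _blocked(
        lambda: acct.change_setting("withdrawal_address", "0xTHIEF", now=later))
    out["owner_unlock_immediate"] = acct.request_gsl_unlock(later, "owner-master-key") == later
    acct.enable_gsl()
    out["master_key_set_under_gsl_blocked"] = _blocked(lambda: acct.set_master_key("new"))
    return out
```

Run `intrusion_scenario()` to see every step the post describes: the frozen settings, the 168-hour unlock wait for someone without the Master Key, the alert that wait generates, the refused password reset, and the refusal to set a Master Key while GSL is on.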
In Conclusion
Hackers are getting increasingly sophisticated and data leaks happen constantly. If you are investing in crypto, there is an additional target on your back. We have gotten used to the Web2 style scams, yet when it comes to Web3 and crypto, people are making mistakes that can have a massive financial impact, with no recourse. It never hurts to recheck your security, update passwords and double check your accounts.