Secure your crypto with 2FA and strong passwords
Despite major high-profile attacks on cryptocurrency companies, attackers still find it most effective to target human error. Even vigilant security professionals get fooled by phishing and phone-porting attacks, and those attacks are far too common.
In this tutorial, we will show you how to use the different types of two-factor authentication options available to you on Coinbase.
In addition, we’ll share some additional tips that will help you secure and protect your Coinbase account from cryptocurrency hackers.
A secure cryptocurrency investment begins with you. Here are some steps to take so your Coinbase account stays as safe and secure as possible:
SMS authentication – Least secure
SMS authentication is a simple and convenient way to secure accounts, but it’s still not as strong as authenticator apps or security keys.
Since SMS is associated with a phone number, it leaves you vulnerable to phone number porting attacks.
Hackers have been successful in social engineering telecommunications providers to take over a victim’s number and gain access to their Coinbase account.
These types of attacks entail an attacker transferring or “porting” a victim’s phone number to a device under the attacker’s control, effectively taking control of the number and connected two-step verification codes.
Coinbase accounts have also been compromised through fake websites that mimic the legitimate one and ask for the password and the SMS verification code as part of a bogus login flow; the attacker then replays both against the real site before the code expires. These attacks happen often enough that you should stay cautious when entering sensitive information online, even on a page that looks official.
We strongly suggest you not use SMS authentication if you truly care about the security of your Coinbase account.
Security Key – Most secure
Using a security key to protect all of your online accounts is strongly recommended. Security keys are the most secure method for 2FA.
Your accounts on sites like Gmail, Facebook, Dropbox, Instagram, and Twitter are just some that can be protected with a security key.
Security keys are the gold standard of modern account security, and browser manufacturers continue to expand support for additional devices.
You don’t have to wait, though; most security keys work out of the box with Gmail, Facebook, Dropbox, Instagram, Twitter, YouTube and others, adding strong protection against account-takeover attempts and phishing.
Security keys are small physical devices with a cryptographic chip that signs a login challenge bound to the website’s origin, so the key only proves your identity to the site it was registered with; a look-alike phishing domain gets no usable response. Nobody can authenticate as you without holding the key at the moment of login.
Google reported in 2018 that after issuing U2F security keys to its more than 85,000 employees, not a single one had been successfully phished since the rollout.
Using a security key is as easy as touching the key when prompted (rather than typing six digits from an SMS or an app). If you are looking to purchase a security key, Yubico is an excellent option.
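To make concrete why a security key cannot be phished, here is an added example in Python of the WebAuthn origin binding described above. It is not code from this page, from Coinbase, or from any key vendor. The site names are made up, and an HMAC key stands in for the key’s per-site ECDSA signature so the block runs with the standard library only; everything else mirrors the protocol: the browser records the origin it is really on, the key only signs for a relying-party ID it holds a credential for, and the server checks challenge, origin, RP ID hash, user-presence flag and signature.

```python
import hashlib
import hmac
import json
import os
import struct
from urllib.parse import urlparse


class ToyAuthenticator:
    """Model of a security key: one credential per relying-party ID (rp_id), and it only
    signs for an rp_id it holds a credential for. Simplification: a real key signs with a
    per-site ECDSA private key and gives the server the matching public key; here an HMAC
    key stands in for that signature so the example needs only the standard library.
    The origin/rp_id binding, which is the point, is unchanged."""

    def __init__(self):
        self._credentials = {}  # rp_id -> (credential_id, signing key)
        self._sign_count = 0

    def make_credential(self, rp_id):
        cred_id, key = os.urandom(16), os.urandom(32)
        self._credentials[rp_id] = (cred_id, key)
        return cred_id, key  # toy: the server keeps `key`; a real key would export a public key

    def get_assertion(self, rp_id, client_data_hash):
        if rp_id not in self._credentials:
            raise LookupError(f"no credential for {rp_id!r}; the key does not respond")
        cred_id, key = self._credentials[rp_id]
        self._sign_count += 1
        # authenticatorData = SHA-256(rp_id) || flags (bit 0 = user present) || 32-bit counter
        auth_data = (hashlib.sha256(rp_id.encode()).digest()
                     + b"\x01" + struct.pack(">I", self._sign_count))
        signature = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return cred_id, auth_data, signature


def browser_get(authenticator, page_origin, challenge):
    """What navigator.credentials.get() does. The browser, not the page's JavaScript,
    records the origin it is really on and derives rp_id from that origin."""
    rp_id = urlparse(page_origin).hostname
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    cred_id, auth_data, signature = authenticator.get_assertion(
        rp_id, hashlib.sha256(client_data).digest())
    return cred_id, client_data, auth_data, signature


def server_verify(expected_origin, rp_id, key, challenge,
                  client_data, auth_data, signature):
    """The relying party's checks, in the order the WebAuthn spec lists them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False                      # not a fresh response to our challenge
    if cd.get("origin") != expected_origin:
        return False                      # browser was on some other site
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False                      # key signed for a different rp_id
    if not auth_data[32] & 0x01:
        return False                      # no user-presence touch
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def demo():
    """Returns (legitimate_login_ok, phishing_page_got_assertion)."""
    key_device = ToyAuthenticator()
    rp_id, origin = "exchange.example", "https://exchange.example"  # constructed names
    _cred_id, key = key_device.make_credential(rp_id)

    challenge = os.urandom(32).hex()
    _cid, cdata, adata, sig = browser_get(key_device, origin, challenge)
    legit_ok = server_verify(origin, rp_id, key, challenge, cdata, adata, sig)

    # Same user, same key, but the browser is on a look-alike phishing domain that
    # relays the real site's challenge. The key has no credential for that rp_id,
    # so the attacker gets nothing to replay.
    try:
        browser_get(key_device, "https://exchange-login.example", challenge)
        phish_got_assertion = True
    except LookupError:
        phish_got_assertion = False
    return legit_ok, phish_got_assertion


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Compare this with SMS or TOTP: there the second factor is a short string you read off a screen and can be talked into typing anywhere, whereas here the browser and the key decide what gets signed and the user never handles a secret.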
How to set up your Security Key on Coinbase
Before beginning, you need a security key that supports the WebAuthn / FIDO2 standard.
To set up your security key, follow these steps:
1. To begin, log into your Coinbase account.
2. Navigate to Settings > Security and select Security Key under the 2-Step Verification section.
Using your Security Key with Coinbase
A few points to bear in mind when using your security key:
While most security keys work with USB adapters, adapters or hubs with multiple ports may cause problems.
Third-party applications that are integrated with your Coinbase account may not support security keys.
To manage your security key(s):
Navigate to Settings > Security in your Coinbase account. You’ll be able to manage your security key under the selected two-step verification method, which includes the ability to add another security key. Please keep in mind that there is a maximum of five keys.
By adding additional security keys, you enable a backup option in the event that your primary security key is lost or stolen.
If you disable your security key, SMS is re-enabled as the default two-factor method, so add an authenticator app or another key promptly rather than leaving SMS in place.
We strongly advise you not to share your security key with anyone else to maintain the highest level of account security possible.
If you don’t want to invest in a security key, or just aren’t ready for one yet, the next best option is a Time-based One-Time Password (TOTP) authenticator app.
Google Authenticator and Duo are apps that generate a one-time code from two inputs: 1) the current time on your phone, and 2) a secret key known only to your phone and Coinbase.
Coinbase displays a QR code that encodes that secret key; you scan it with the authenticator app on your phone. Treat the QR code like a password: anyone who captures it can generate your codes.
Google Authenticator or Duo can be downloaded from the app store.
Using TOTP drastically reduces the chance of account compromise: each code is derived from a secret that never leaves your phone, is valid only for a short window (typically 30 seconds), and cannot be reused, so a stolen password alone is not enough. Unlike a security key, though, a TOTP code can still be phished if you type it into a fake site that relays it immediately.
To use TOTP on your mobile device, enable two-factor authentication on all of your accounts with Google Authenticator or Duo, and set a unique, strong password for Coinbase that differs from those used for other services like Amazon and Gmail.
Note that Authy is no longer supported by Coinbase.
How to configure Coinbase to use Duo or Google Authenticator
1. To get started, you will need to sign in to your Coinbase account on the web using your email address, password, and 2-step verification method.
Keep in mind that you cannot set up the authenticator from the Coinbase mobile app; you must complete the setup in a web browser on a desktop computer.
2. To access the Security Settings page, click on the Security tab.
3. Under the Other Options section of 2-step verification, click on the “Select” button in the Authenticator App box.
4. Finish your authenticator setup by following the prompts.
Follow this critical tip to ensure a successful setup of the TOTP authenticator:
Log in to your Coinbase account using a desktop browser (not a mobile web browser), because you need your phone free to scan the QR code and produce the verification code from your TOTP app.
Bear in mind that enabling an authenticator app stops the delivery of SMS codes; disabling the authenticator app restores them.
Tip 1: Transfer all of your funds to a hardware wallet
Don’t keep all your cryptocurrencies on Coinbase. This is the most important thing to remember. Even if you use two-factor authentication (2FA), it is possible that a hacker can successfully take control of your Coinbase account. That possibility exists, and you don’t want to risk losing your funds.
Move any cryptocurrency funds currently held in online wallets into cold storage by transferring them over to hardware wallets which are much more secure than storing your coins on an exchange.
If you do not regularly purchase and sell cryptocurrencies and intend to store them for an extended period of time, keep your funds in your own wallet.
Bear in mind that Coinbase is a cryptocurrency exchange, and cryptocurrency exchanges are regularly targeted by hackers.
Withdraw your funds, ideally using a hardware wallet, and secure your recovery seed.
If you don’t have a hardware wallet, buy one. Of course, it will cost money, but it is a small price to pay for peace of mind.
Tip 2: Use a separate, secure email for your crypto activities
Choosing a secure email provider is extremely important. If an attacker gains access to the email address you use on Coinbase, it’s game over: that mailbox receives your device confirmations and account alerts.
In terms of email provider security, we recommend Gmail. Its spam detection, phishing protection, and account-takeover protection are among the best available, and it supports security keys.
Coinbase uses your email address to confirm new devices, to send you crucial account alerts, and to communicate with you if you require support.
When your Coinbase-linked email address is secure, your Coinbase account has a higher chance of being secure too.
There are specific steps you need to take to ensure that your Gmail account remains secure.
1. To begin, visit https://haveibeenpwned.com/ to check whether your email address has appeared in a third-party data breach.
If it has, change the password on every account that used that address, especially anywhere the breached password was reused.
2. Create a new separate email address (Preferably Gmail) exclusively for use with Coinbase. Don’t use this new email address for non-crypto activities. Only use the new email address for Coinbase and don’t use it for other exchanges.
Using an email address that is already tied to your daily activities puts you at risk because attackers can learn it from other breaches and services; a brand-new address used only for Coinbase is not known to them and gives them nothing to target.
3. Use two-factor authentication for your Gmail account. Do not use SMS-based 2FA.
Security keys serve as a second layer of authentication and keep attackers out of your Google Account. If you aren’t ready for a security key, use the Google Authenticator app on your mobile device to generate codes.
Setting up Google Authenticator
1. Navigate to your Google Account on your device.
2. Tap Security in the navigation panel at the top.
3. Tap 2-Step Verification under “Signing in to Google.”
You may be required to sign in.
4. Under “Authenticator app,” tap Set up in the “Add more second steps to verify it’s you” section.
5. Adhere to the on-screen instructions.
Ensure that SMS-based authentication is removed after enabling the Authenticator app or security key for your Gmail account. This is a significant step since you probably had SMS-based authentication on by default when you created the new Gmail address.
When you turn off SMS-based authentication, you decrease the risks of successful account takeover attacks on your Gmail and Coinbase accounts.
Mainly, you remove SMS as a path a malicious actor could use to recover your Google account after hijacking your phone number.
The attacker is left with limited recovery options: a code from the Google Authenticator app, or a verification code read from mail already in the Gmail account.
Neither is viable for the attacker, since one requires physical access to your phone and the other requires already having full access to the mailbox.
If you believe you could potentially become a victim of a targeted account takeover attempt, you should check out Google’s Advanced Protection Program.
Google’s Advanced Protection Program, currently the most robust security option available to users of Google accounts, is compatible with Titan Security Keys.
Titan Security Keys help protect your online accounts and keep out anyone who shouldn’t have access to them. A key acts as a second lock alongside your password, and phishing attempts fail because the key only answers the genuine site it was registered with.
Titan keys carry firmware that Google engineered to verify the key’s integrity and, like other FIDO keys, present an attestation certificate at enrollment so a service can tell a genuine key from an imitation. Google engineers have worked to make them work well across many apps and services.
Significantly, researchers at the French firm NinjaLab published a technical paper in early 2021 showing how they circumvented Titan’s anti-clone protection: an electromagnetic side channel on the key’s secure-element chip let them extract the private key. The attack requires hours of physical possession, opening the key’s casing, and specialized lab equipment.
Nonetheless, the researchers concluded that using your Google Titan Security Key or other affected products to sign in to applications such as your Google account is still clearly safer than not using one.
Google announced a new Titan Security Key with USB-C and NFC in August 2021 as part of a refresh of its 2FA hardware lineup. This is a new model worth checking out!
Additionally, you should perform a periodic security review of your email account and settings, including:
- Verify that your email account does not contain any unusual rules, filters, or forwarding addresses.
- Examine your email account’s settings for unfamiliar authorized devices.
- Examine the email account for any unauthorized recovery emails or phone numbers.
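Doing this review by hand is error-prone, so here is an added example, not part of the original page, that runs the same checks over the JSON the Gmail API returns. The three calls, `users().settings().filters().list(userId="me")`, `users().settings().forwardingAddresses().list(userId="me")` and `users().settings().getAutoForwarding(userId="me")`, need an OAuth-authorized client; the script assumes you have already fetched their results and runs offline over a constructed sample that contains the three patterns attackers plant after taking over a mailbox: a forwarding address, a rule that forwards exchange mail elsewhere, and a rule that trashes security notifications so you never see a new-device or withdrawal alert. The `SENSITIVE_TERMS` list and all addresses are assumptions for the example.

```python
# Constructed samples of the JSON returned by three Gmail API calls (userId="me"):
#   users().settings().filters().list()             -> {"filter": [...]}
#   users().settings().forwardingAddresses().list() -> {"forwardingAddresses": [...]}
#   users().settings().getAutoForwarding()          -> {"enabled", "emailAddress", "disposition"}
# None of this is real account data.
SAMPLE_FILTERS = [
    {"id": "f-newsletter", "criteria": {"from": "digest@example.org"},
     "action": {"addLabelIds": ["Label_7"], "removeLabelIds": ["INBOX"]}},
    {"id": "f-hide-alerts", "criteria": {"query": "from:no-reply@exchange.example"},
     "action": {"addLabelIds": ["TRASH"], "removeLabelIds": ["INBOX", "UNREAD"]}},
    {"id": "f-exfil", "criteria": {"from": "@exchange.example"},
     "action": {"forward": "archive.mailbox@attacker.example"}},
]
SAMPLE_FORWARDING = [
    {"forwardingEmail": "archive.mailbox@attacker.example", "verificationStatus": "accepted"},
]
SAMPLE_AUTOFORWARD = {"enabled": True, "emailAddress": "archive.mailbox@attacker.example",
                      "disposition": "leaveInInbox"}

# Senders whose mail an attacker would want hidden: device confirmations, withdrawal
# verifications, password resets. Constructed list; extend it with your exchange's domains.
SENSITIVE_TERMS = ("exchange.example", "no-reply", "noreply", "security", "verify", "alert")


def _criteria_text(filter_obj):
    """Flatten a filter's criteria (from/to/subject/query/...) into one lowercase string."""
    return " ".join(str(v) for v in filter_obj.get("criteria", {}).values()).lower()


def audit_mail_settings(filters, forwarding_addresses, auto_forwarding, allowed_forward=()):
    """Return a list of findings. Every forwarding target outside `allowed_forward` is a
    finding; so is any filter that forwards, or that hides (trashes, spams, archives or
    marks read) mail from a sensitive sender."""
    findings = []
    if auto_forwarding.get("enabled"):
        target = auto_forwarding.get("emailAddress", "")
        if target not in allowed_forward:
            findings.append(f"auto-forwarding is ON to {target}")
    for fa in forwarding_addresses:
        addr = fa.get("forwardingEmail", "")
        if addr not in allowed_forward:
            findings.append(f"forwarding address registered: {addr} "
                            f"({fa.get('verificationStatus')})")
    for flt in filters:
        fid, action, crit = flt.get("id"), flt.get("action", {}), _criteria_text(flt)
        target = action.get("forward")
        if target and target not in allowed_forward:
            findings.append(f"filter {fid} forwards mail matching {crit!r} to {target}")
        hides = ("TRASH" in action.get("addLabelIds", [])
                 or "SPAM" in action.get("addLabelIds", [])
                 or "INBOX" in action.get("removeLabelIds", [])
                 or "UNREAD" in action.get("removeLabelIds", []))
        if hides and any(term in crit for term in SENSITIVE_TERMS):
            findings.append(f"filter {fid} hides mail matching {crit!r}")
    return findings


if __name__ == "__main__":
    for line in audit_mail_settings(SAMPLE_FILTERS, SAMPLE_FORWARDING, SAMPLE_AUTOFORWARD):
        print("!!", line)
```

The newsletter rule is deliberately left alone: archiving ordinary mail is normal, and flagging every filter would train you to ignore the report. What matters is a rule that touches mail from the exchange, the mail provider, or anything that sends verification codes.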
Tip 3: Enable requirement of a verification code to send crypto
Be sure to require a verification code for withdrawals of any amount on your Coinbase account. When this option is enabled, you’ll gain another additional layer of protection against malicious withdrawal attempts by unauthorized individuals.
Tip 4: Secure Your Mobile Phone Account
When an attacker obtains the target’s phone number and transfers it to a mobile device under the attacker’s control, this is referred to as a SIM swap or phone port attack.
This is accomplished through various methods, including identity theft and using social engineering on mobile carrier customer service representatives.
This kind of attack is dangerous for all accounts that use SMS-based two-factor authentication and for any account that can be recovered using phone-based authentication.
Consider completing the following to help safeguard yourself against this sort of attack:
- Contact your mobile service provider and request a port freeze and SIM lock on your account.
- Ask them to add an account note requiring you to appear in-store with valid photo ID before your number can be ported or transferred to a new device.
- Request a PIN or passcode that must be provided before any changes are made to your account.
- Ask about additional security features you may enable on your mobile account to protect it from unauthorized changes.
Even if you do not use SMS-based two-factor authentication, you should secure your mobile device with a screen lock.
This helps prevent a thief from gaining access to your Coinbase account and email if your phone is stolen.
Tip 5: Ensure Your Devices are Malware-Free and Updated
Malware can be especially dangerous if used to steal your sign-in credentials and gain unauthorized access to your online accounts.
Among the most harmful are keyloggers, remote access trojans (RATs), and cookie-stealing malware; a stolen session cookie lets an attacker reuse your already-authenticated session and bypass 2FA entirely.
Consider the following to safeguard your devices against these types of threats:
- Employ anti-virus protection and perform regular device scans.
Additionally, you should update your virus signatures on a regular basis to stay ahead of emerging threats.
- Maintain an up-to-date operating system and install security patches on your device.
- Update to the most recent versions of your web browser and all other software.
- Remove all dubious or superfluous software from your device, particularly tools that enable remote access.
- Install an ad blocker such as uBlock Origin in your browser to help safeguard you against malicious advertisements.
- Use safe web browsing techniques and avoid clicking on suspicious links or downloading suspicious programs.
- Avoid installing and utilizing browser plug-ins or add-ons created by unidentified third parties.
- Enable a screen lock and password protection to prevent unauthorized access to your device.
Tip 6: Maintain accurate and up-to-date personal information
Even though this does not protect your Coinbase account from hackers, if something happens to it or you lose access for any reason, Coinbase support will most likely ask you to submit documents proving you are the account’s legitimate owner.
The company will compare those documents against the personal information in your Coinbase account, so ensure it is accurate and current.
Tip 7: Do thorough research before downloading and installing software
It always pays to be extra careful when installing software on your device.
There are a few things that you should do to protect your Coinbase account when installing software on the device.
First, make sure you know who created the app and what their background is before downloading it.
Second, always practice due diligence before allowing any third-party applications to access your Coinbase account.
Third, avoid downloading and using suspicious or shady cracked versions of paid apps from unknown websites.
Fourth, browser plugins can also pose security risks, so install them only from the official repositories for your browser, such as the Chrome Web Store or Firefox Add-ons.
A little prevention goes a long way
2-step verification is a powerful tool for protecting your Coinbase account, but it’s not the only one. Always set up and use strong passwords that are unique across all of your online accounts.
Unique passwords limit the damage when some other service is breached: a password leaked from one site cannot be replayed against Coinbase, or against the email and phone accounts that guard it.
We also showed how adding an authenticator app or security key to your Coinbase account drastically increases its security.
The choice between SMS, an authenticator app, or a security key as your second factor is yours, but SMS is the weakest of the three and should be a last resort.
Coinbase is a convenient way to purchase cryptocurrency, but long-term holdings belong in your own wallet. If you’re not using your account anymore, we recommend closing it.