June 12, 2026

The 8-Point Exchange Security Checklist Every Beginner Should Run

Almost every story of "I lost my crypto" traces back not to exotic hacking, but to a handful of basic settings someone never switched on. Here is the checklist worth running on day one of any exchange account: it takes about ten minutes and prevents the overwhelming majority of disasters.

The checklist

1. Two-factor authentication via an authenticator app, never SMS. SIM-swap attacks let thieves hijack your phone number and intercept text codes. An authenticator app (or hardware key) sidesteps that entirely. This is the single highest-impact setting.

2. A unique, strong password stored in a password manager. Reusing a password from another site means one unrelated breach can open your exchange account. One account, one password, never reused.

3. A withdrawal whitelist. Lock withdrawals so funds can only leave to addresses you've pre-approved. Even if an attacker gets into your account, they can't send coins to their own wallet.

4. An anti-phishing code. Many exchanges let you set a secret word that appears in every genuine email from them. Fake "your account is at risk" emails won't have it: instant fraud detection.

5. Email account security. Your email is the recovery key to everything. Secure it with its own strong password and 2FA, or a compromised inbox unravels every other protection.

6. Verify the URL every single time. Bookmark the real exchange and use only the bookmark. Phishing sites mimic the login page perfectly; the address bar is your only reliable tell.

7. Disable or scrutinize API keys. If you're not running trading bots, you don't need API keys enabled. If you do, never grant withdrawal permissions to a key.

8. Keep only what you trade on the exchange. The deepest protection isn't a setting; it's not leaving long-term holdings on any exchange. Move what you're not actively trading to your own wallet.
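
Item 6 is easier to follow once you see what "verify the URL" means to a machine. The sketch below is an added example, not part of the original post: it compares a link against the hostname saved in your bookmark and names the reason a lookalike fails. The hostname `www.exchange.example`, the function name `check_login_url` and all sample URLs are constructed placeholders.

```python
from urllib.parse import urlsplit

# Assumption: the hostname saved in your bookmark (placeholder, not a real exchange).
BOOKMARKED_HOST = "www.exchange.example"


def check_login_url(url, trusted_host=BOOKMARKED_HOST):
    """Return (ok, reason) for a URL you are about to log in on."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return False, "not https"
    # Text before '@' is user info, not the site: https://real@other/ opens 'other'.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before '@' hides the real host"
    host = (parts.hostname or "").rstrip(".")  # urlsplit lowercases the hostname
    if not host:
        return False, "no hostname"
    # Non-ASCII or punycode labels can render as lookalike letters.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return False, "internationalized hostname (possible lookalike)"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 443):
        return False, "unexpected port"
    # Exact match only: a trusted name used as a prefix or subdomain does not count.
    if host != trusted_host:
        return False, f"host {host!r} is not the bookmarked host"
    return True, "matches bookmark"


# Constructed sample links, one per failure mode.
SAMPLES = [
    "https://www.exchange.example/login",
    "http://www.exchange.example/login",
    "https://www.exchange.example.account-check.example/login",
    "https://www.exchange.example@login.example/",
    "https://www.exch\u0430nge.example/login",  # Cyrillic 'a' in place of Latin 'a'
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, reason = check_login_url(sample)
        print("OK  " if ok else "STOP", sample.encode("unicode_escape").decode(), "->", reason)
```

Only the first sample passes; the rest would look convincing at a glance, which is why the bookmark, not the eye, should decide.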

The mindset behind the list

Notice the pattern: every item assumes the attacker might get one thing right, and adds a layer so that one breach isn't fatal. Security isn't a single wall; it's layers, where each one buys you time and limits the blast radius.

Run this once, and a fresh account goes from soft target to hard target. The ten minutes you spend now is the cheapest insurance in crypto.

Educational content, not financial advice.