Exchange Security
Cryptocurrency exchanges are extremely tempting targets for cyber-thieves, as they hold enormous amounts of assets. Most exchanges therefore have highly skilled teams of IT specialists and security defense mechanisms to help guard against hackers, although many exchanges have been proven historically to have had insufficient defense mechanisms in place. On this page, we will discuss what you (as an account holder) can expect to encounter in terms of security requirements to open an account on an exchange. We will discuss what happens when an exchange is successfully hacked. And most importantly, we will discuss the issue of whether it is safer to leave your coins on an exchange, or to move them to a hot wallet, or to store them in an offline cold wallet that is completely under your own control.
Opening an Account on an Exchange
The process of setting up an account on a cryptoasset exchange varies from exchange to exchange, and is also affected by the country or countries that the exchange is registered and operating in. However, the overall process is similar on most exchanges.
First, you will need to set up basic account details, such as your email address and a suitable password. In a few minutes, we'll give you some suggestions about "best practices" to follow.
On some exchanges, you may be asked to pick a username. On other exchanges, you may be given something such as a special "Account Number" or "Client ID" that you'll use to sign in.
You'll probably be asked if you want to enable Two-Factor Authentication (2FA). It is very important that you do this. Many exchange account holders who haven't taken advantage of 2FA security have had their accounts successfully hacked.
You may be given the option of verifying your real-world identity. In other cases, the exchange will force you to verify your real-world identity. If you're trying to trade on an exchange anonymously, you may prefer not to submit to this verification. However, remember that the majority of blockchain transactions (except perhaps for Monero or Zcash) can be traced, so hiding your real identity on your exchange account probably doesn't do any good if government blockchain analysis correlates your identity to a transaction further down the line. Our recommendation is to always take advantage of identity verification if it is an option (unless of course you're a libertarian, which some of you will be).
Verifying your identity is a complex task. You'll need to have a camera that takes good quality digital photos. A high-quality camera on a mobile phone is usually the best option. Most exchanges will ask you to submit at least two types of photos that can confirm your identity. The first photo will be a high quality photograph of a major type of government-issued identity card which includes a photo, date of birth and address information. This ID card must not be expired. Usually, a good photo or color scan of a driver's license or passport is required. If you don't have a driver's license or a passport, you may be out of luck. This will be a barrier to trading for many people. In some cases, a government-issued identity card can replace the driver's license, so for example, you might be able to use a card that shows that you're a member of your country's armed forces.
The second identity verification photo that you'll often be required to submit will be a color photograph of yourself, showing your face clearly, holding the passport or other government document that you submitted in the previous step, and also holding a handwritten paper sign that clearly shows additional information (such as your name, the name of the exchange that you're submitting the information to, and the current date). We're not kidding! This can be very tricky, especially if you're by yourself. It's difficult to hold an identity card and a paper sign and take a selfie, all at the same time. By the way, if you're worried about the security of your personal identification information, you should layer some sort of unique watermark onto any IDs that you submit to exchanges, so if something goes wrong in the future, you can at least figure out which exchange caused the leak.
It's very important that the scan/photo of your identification card is high quality and readable. The exchange needs to be able to clearly read the text on the card. It's also very important that the photo of yourself holding supporting documentation is also very clear and high resolution. Make sure that you take the photo in a brightly lit area, to enhance the quality. If someone else can take the photo for you, and you're using a phone, ask them to take the photo with the higher quality camera on the back of the phone, rather than the lower quality camera on the front-facing (selfie) side. If someone else takes the photo, make sure they are close enough to avoid extra "useless space" in the outside portions of the photo. Many people have had their identity verification declined because the photos they submitted were too dark, or of low quality.
In late 2017, most cryptoasset exchanges were facing a huge backlog of support tickets and new account registrations. Some exchanges stopped accepting new account registrations, to allow them to catch up on the backlog and to properly service their existing clients. Thankfully (?) the market price of all cryptocurrencies crashed hard starting in January of 2018, and the amount of new account sign-ups dropped precipitously. Exchanges were able to get their houses in order, and get caught up with all requests for new accounts.
As of mid-2019, the process for signing up for a new account is usually fairly quick. On some exchanges, you might be able to get a new account approved within 24 hours or less. On other exchanges though, even though the support pages may say that the verification process will take a few days, expect that in reality, it might take several weeks before your identity verification is processed. Likewise, if you have a problem and need to contact a support team, expect to potentially wait for several weeks for an issue to be resolved. Even today, some of the most "reputable" of licensed (and government-approved) major exchanges (such as Coinbase) may take much longer to respond to some support tickets than they should, which inevitably causes a huge amount of frustration among their user bases.
When picking an exchange to register with, you'll probably want to consider a few different factors. Is the exchange in your own country? If so, it may be easier to get support tickets resolved due to legal options. A customer doesn't have a whole lot of leverage when it comes to an overseas exchange. What are the fees on the exchange? Different exchanges have different fee rates for buying, selling, and transferring cryptos, and for funding the account with fiat or withdrawing fiat. Does the exchange act as a fiat gateway? Some exchanges are crypto only, so no matter if you have an account on one exchange or six, you'll need to ensure that at least one account is on an exchange that takes traditional fiat currency and lets you buy cryptoassets with that fiat money. Does the exchange accept customers from your jurisdiction? American citizens are prevented from opening accounts on a large number of foreign exchanges, for various reasons. Citizens from certain countries, or who have been flagged as "problem individuals" for any of a variety of reasons, may not be able to open accounts on American exchanges such as Coinbase and Bittrex. Does the exchange that you want to use offer trading in the particular cryptoasset(s) that you want to buy? Some exchanges have very limited trading options. For example, if you want to buy a lesser known crypto such as Everex, you won't find it on Coinbase.
It is useful to review customer feedback about various exchanges, by using sources such as Reddit. Most exchanges have their own subreddits on that site. However, it is also important to remember that a person is far more likely to post a negative review than a positive one. That's just human nature. Consider it inevitable that every exchange will have some negative reviews. Also, during any periods when crypto prices are increasing rapidly and new registrations start to shoot up, the number of complaints about even the "best" of the exchanges will no doubt be quite high.
Some of the larger exchanges in the world (in mid 2019) as ranked by daily trading volume, include the following: Binance (Hong Kong), Bittrex (US), Bithumb (South Korea), Bitfinex (Hong Kong), Coinbase/GDAX (US), Bitstamp (UK), BitMex (Seychelles), HitBTC (Denmark), Coinone (South Korea), ACX (Australia), and Gemini (US). Always investigate the reputation of an exchange before deciding to trust your funds to that exchange, just as you would research a bank before opening an account. It is common for many cryptoasset investors to open accounts at several exchanges.
Protecting Your Exchange Account
There are five main components to protecting your exchange account: Using a secure and perhaps unique email address, using a strong password, enabling 2FA protection, verifying your identity on the exchange, and following other best practices when it comes to general computer and online security. Most of these items have already been discussed in far more depth on our Computer Security page, but we'll do a quick overview here too.
Using a secure email address is important. If someone is trying to hack specifically into your account on an exchange, and has done any social engineering legwork, they'll probably know your usual email address(es) and will presumably attempt to access any potential crypto accounts by using those addresses. One way to mitigate risk in this respect is to have a separate and unique email account for each exchange. For example, an email address such as cholm78fq9mx2@gmail.com is much less likely to be hacked than claytonholmwood@gmail.com, especially if you don't ever use that more complex special email account on any website other than your cryptocurrency exchange.
A strong password is important. Best practices with respect to having a strong password include the following: A longer password is better, passwords which include capital letters and digits and symbols are better, and having a unique password for every website is better.
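The three rules above can be put on a quantitative footing. The following Python is an added example, not code from the original page: it draws a password from the operating system's random source and estimates how many bits of guessing work it represents, which shows why length matters more than mixing in capitals and symbols. The entropy figure only holds for passwords that were actually generated at random; the character-class model, the `stronger` helper and the sample passwords are assumptions made for this illustration.

```python
import math
import secrets
import string

# Character classes behind the usual "capitals, digits and symbols" advice.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
FULL_ALPHABET = "".join(CLASSES)  # 26 + 26 + 10 + 32 = 94 characters


def generate_password(length: int, alphabet: str = FULL_ALPHABET) -> str:
    """Draw every character uniformly from `alphabet` using the OS CSPRNG (never `random`)."""
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need a positive length and at least two distinct characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def alphabet_size(password: str) -> int:
    """Size of the union of character classes a random generator must have drawn from."""
    size = sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))
    if size == 0:
        raise ValueError("password uses no character from the modelled classes")
    return size


def entropy_bits(password: str) -> float:
    """Guessing work for a *randomly generated* password: length * log2(alphabet size).
    A dictionary word or a phrase you chose yourself has far less than this bound."""
    return len(password) * math.log2(alphabet_size(password))


def stronger(a: str, b: str) -> str:
    """Return whichever of two random passwords carries more entropy (assumed helper)."""
    return a if entropy_bits(a) >= entropy_bits(b) else b


if __name__ == "__main__":
    # Constructed comparison: 10 mixed characters versus 20 lowercase letters.
    short_mixed = generate_password(10)
    long_lower = generate_password(20, string.ascii_lowercase)
    for pw in (short_mixed, long_lower):
        print(f"{pw!r}: about {entropy_bits(pw):.1f} bits")
```

Running it prints roughly 65 bits for the 10-character mixed password and 94 bits for the 20-character lowercase one: each extra character multiplies the search space, whereas adding a character class only widens it. Use the generated value with a password manager so that the "unique per site" rule costs nothing to follow.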
Two-factor authentication is extremely important. With 2FA enabled, even if your email account AND exchange account password both become compromised, it is much less likely that hackers can access your account because they will essentially need to be in physical possession of your mobile device. However, you should never use SMS texts as your method of 2FA from a mobile device if that can be avoided. Device-based authentication, using an app such as Google Authenticator or Authy, is far more secure.
We've already mentioned that different exchanges have different requirements for opening an account. If verifying your identity is an option, you should consider doing this, even if you don't need to. That way, if you somehow get locked out of your account in the future, you MIGHT be able to convince the exchange support staff to let you back into your account, by providing the same documentation again.
Other best practices for computer security, which will help keep your exchange account secure, include ensuring that your computer is clean of viruses, malware, trojans and keyloggers, ensuring that your connection with your ISP is not being monitored through a compromised WiFi connection or similar attack, and ensuring that any private keys or seeds are stored in encrypted format on your computer.
As mentioned, all of these best practices are explained in much more detail on our Computer Security page. There is nothing more frustrating than losing your financial assets to a cyber-criminal. Although it takes time and effort to ensure that you're following the necessary steps for basic computer and internet security, this is one of the most important pieces of groundwork that all potential investors should take care of before putting any funds into purchasing cryptocurrencies.
Storing Assets on an Exchange
Perhaps one of the most contentious questions in cryptocurrency is whether or not it is safe to leave your assets on an exchange. In absolute terms, the answer should be a resounding no. If you don't control your private keys, you don't control your crypto. If your investments are held on an exchange, you don't control the private keys.
Having said that, there are a number of reasons why storing your assets on an exchange might actually be a smarter decision than moving your assets off-exchange to a hot or cold wallet. The decision is not always that simple. For instance, if you're trading frequently, you won't want to move your assets to a wallet, because you'll need to keep them on the exchange.
If the monetary value of your holdings is very small in terms of your own personal wealth, you may prefer the simplicity of keeping your cryptoassets on an exchange. If you can handle the possibility of the exchange being hacked and losing your investment, then keeping assets on an exchange becomes more reasonable. Of course, we can't give you an absolute dollar amount as guidance, because risk tolerance is different for every individual. A wise mantra is to never invest more than you can afford to lose.
There are also significant risks, unfortunately, to moving assets off an exchange and into a wallet. This process should make your assets a lot safer, in practice, but the sad reality is that many people have inadvertently lost their coins this way, either through user error, or from being hacked. A common user error involves sending coins to the wrong type of wallet address, for instance by sending Litecoins to a Bitcoin wallet. A second common user error is losing your private keys. Being hacked is also a risk. This can happen through an insecure internet connection, various types of malware that are installed on your computer, weak security practices, poor security of your private keys, and many other ways. This is probably one of the biggest problems with the cryptoasset markets right now, in that these risks should be negligible. However, they're NOT negligible. Many, many people have lost funds after being hacked, in literally hundreds of different ways.
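The first of those user errors, sending coins to an address on the wrong network, is one that software can catch before a transaction is broadcast, because a legacy address carries a version byte that names its network and a checksum that detects typos. The following Python is an added example, not code from the page or from any exchange or wallet: it decodes Base58Check addresses, rejects any whose checksum fails, and reads the version byte to tell Bitcoin from Litecoin before a withdrawal is allowed. The version-byte table covers only the legacy Bitcoin and Litecoin address types (not newer Bech32 addresses), the `safe_to_send` guard and its names are assumptions made for this illustration, and the sample hash160 is the public value from the first Bitcoin block's coinbase output.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Version bytes of legacy (Base58Check) addresses: network and script type.
VERSION_BYTES = {
    0x00: ("Bitcoin", "P2PKH"),
    0x05: ("Bitcoin", "P2SH"),
    0x30: ("Litecoin", "P2PKH"),
    0x32: ("Litecoin", "P2SH"),
}


def _checksum(payload: bytes) -> bytes:
    """First four bytes of double SHA-256, as used by Base58Check."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def base58check_encode(version: int, hash160: bytes) -> str:
    """Build an address from a version byte and a 20-byte public-key/script hash."""
    payload = bytes([version]) + hash160
    data = payload + _checksum(payload)
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    leading = len(data) - len(data.lstrip(b"\x00"))  # each leading zero byte becomes a '1'
    return "1" * leading + out


def base58check_decode(address: str):
    """Return (version, hash160), or None if a character, the length or the checksum is wrong."""
    n = 0
    for ch in address:
        idx = ALPHABET.find(ch)
        if idx < 0:
            return None  # e.g. '0', 'O', 'I' or 'l' are deliberately not in the alphabet
        n = n * 58 + idx
    leading = len(address) - len(address.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    data = b"\x00" * leading + body
    if len(data) != 25:
        return None
    payload, checksum = data[:21], data[21:]
    if checksum != _checksum(payload):
        return None  # a single mistyped character lands here
    return payload[0], payload[1:]


def classify(address: str):
    """Describe the network and script type an address belongs to, or None if it is invalid."""
    decoded = base58check_decode(address)
    if decoded is None:
        return None
    version, _ = decoded
    return VERSION_BYTES.get(version, ("unknown", f"version 0x{version:02x}"))


def safe_to_send(address: str, coin: str) -> bool:
    """Assumed withdrawal guard: allow only a valid address that belongs to `coin`'s network."""
    info = classify(address)
    return info is not None and info[0] == coin


# Public sample: hash160 of the output in Bitcoin's genesis block coinbase.
GENESIS_HASH160 = bytes.fromhex("62e907b15cbf27d5425399ebf6f0fb50ebb88f18")

if __name__ == "__main__":
    btc = base58check_encode(0x00, GENESIS_HASH160)
    ltc = base58check_encode(0x30, GENESIS_HASH160)  # same hash, Litecoin version byte
    for addr in (btc, ltc, btc[:-1] + "b"):
        print(addr, "->", classify(addr), "| ok for Litecoin withdrawal:", safe_to_send(addr, "Litecoin"))
```

The point of the demo is the third line of output: the same 20-byte hash yields a Bitcoin address starting with "1" and a Litecoin address starting with "L", and a one-character typo in either is rejected by the checksum rather than silently sending funds somewhere unrecoverable. Wallets and exchanges run exactly this kind of check, but only against the coin they think you are sending, which is why the coin you selected in the withdrawal form must match the address you pasted.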
If you're not fairly technically literate, and you're not comfortable with learning the process of creating paper wallets or desktop/mobile wallets and moving assets, then you may be better off leaving your assets on an exchange. We feel very nervous making this statement, simply because when you're on an exchange, you don't control your private keys. However, we have to accept the reality that some investors have very little IT prowess, and the security of their systems may also be questionable. Many people don't have the skills or motivation to set up a completely clean, sandboxed computer to handle their cryptocurrency trading. If you're using the same machine for your crypto that you do for everyday use, you've exposed yourself to a higher risk profile. If you're using a machine that is shared with family members or friends, that risk profile increases yet again.
Some cryptocurrencies are safer and easier to transfer and move than others. For example, through late 2017, Ark had a reputation as having one of the best wallets in crypto, and we never seemed to hear of anyone having problems with moving coins off an exchange and into the desktop wallet. On the other hand, the vast majority of IOTA users had problems with the basic IOTA wallet, and with zero balances, and with transactions that needed to be resubmitted or reattached, or that disappeared. Although we were big fans of the IOTA technology, we were also quite unimpressed with the user experience in securing our assets. In IOTA's defense, the Trinity wallet (which was released in late 2018) is probably one of the best wallets in crypto right now.
Ultimately, when you make a decision about how to store your cryptoassets, it comes down to balancing simplicity against the value of your portfolio, and in comparing risks of an exchange being hacked versus the risks of being hacked as an individual, or of making a mistake with your wallet setup. You also need to understand what options your own cryptoassets have in terms of off-exchange storage, and how secure and user-friendly those options are.
Please make sure you fully understand everything on our Wallets & Security page before making a decision to move assets from an exchange.