Article Summary
- SMS-based two-factor authentication is vulnerable to SIM-swapping attacks, so app-based authenticators or hardware security keys offer meaningfully stronger protection for exchange accounts.
- A seed phrase written on paper and stored securely, never photographed or typed into a computer, remains one of the simplest and most effective defenses against remote hacking of a self-custodied wallet.
- Granting a decentralized app 'unlimited' token spending approval is a common attack vector — reviewing and revoking old smart contract approvals periodically closes a door many users forget is open.
"It takes 20 years to build a reputation and five minutes to ruin it."
Warren Buffett
Crypto security gets treated as a single decision — hardware wallet or not? — when in practice it behaves more like home security: a good lock on the front door doesn't help if a window is left open. Attackers who target crypto holders are patient and specifically look for whichever layer is weakest, whether that's a reused password, an SMS-based two-factor code that can be hijacked through a phone carrier, or an old smart contract permission that quietly grants a compromised app ongoing access to a wallet. Because blockchain transactions are irreversible and there's rarely a customer service line to call, the entire security model shifts from 'the bank will catch it' to 'the individual has to catch it first' — which makes a handful of unglamorous habits far more valuable than any single tool.
Securing Exchange Accounts
Anyone using a crypto exchange should start with the same basics that protect any financial account, applied without exception: a long, unique password stored in a password manager rather than reused across sites, and two-factor authentication enabled on every account. The critical detail most people miss is which type of two-factor authentication to use — SMS-based codes are vulnerable to SIM-swapping, a technique where an attacker convinces or bribes a phone carrier to transfer a victim's phone number to a new device, intercepting the verification codes in the process. An authenticator app, or better yet a physical hardware security key, avoids this specific attack path entirely. It's also worth enabling any available withdrawal address whitelisting, which restricts an account from sending funds to a new, unrecognized address without an additional verification delay — a feature that has stopped many attempted account takeovers from resulting in an actual loss of funds, since the attacker gets locked out during the delay window.
Cold Storage and Seed Phrase Hygiene
For any holdings beyond what's needed for active trading, moving funds into a self-custodied wallet — ideally a hardware device that keeps private keys offline — removes exposure to an exchange being hacked or becoming insolvent. The tradeoff is that all responsibility for backup shifts to the individual, which makes seed phrase handling the single highest-stakes security decision in this setup. A seed phrase should be written by hand on paper or, for more durable protection, stamped into metal, and stored in a secure physical location, ideally with a backup copy in a separate location in case of fire, flood, or theft. It should never be typed into a computer, stored as a photo, saved in a cloud note, or entered into any website — a legitimate wallet only ever asks for a seed phrase during an intentional recovery process on the wallet's own official app, never through a pop-up, email, or support chat. Anyone who has ever typed their seed phrase into an unfamiliar site, even briefly, should treat that wallet as compromised and move funds to a newly generated wallet immediately.
Smart Contract Approvals and DeFi-Specific Risks
Using decentralized apps — decentralized exchanges, lending platforms, NFT marketplaces — typically requires granting a smart contract permission to access tokens in your wallet, and many apps request broad or even unlimited spending approval by default for convenience. If that app is later compromised, or was malicious from the start, an unlimited approval can allow an attacker to drain the approved token from a wallet without needing the seed phrase at all. It's worth using tools, often built into wallet interfaces or offered by third-party approval-checking services, to periodically review which contracts currently have standing permissions on a wallet and revoking any that are no longer needed or come from unfamiliar sources. It's also worth granting only the specific amount needed for a transaction, when an app allows it, rather than defaulting to unlimited approval. This category of risk is specific to interacting with smart contracts and doesn't apply to simply holding crypto in a wallet without using it in DeFi applications, which is one reason some experienced holders keep a separate wallet strictly for DeFi experimentation, distinct from their main long-term holdings.
A Layered Security Framework
A practical way to think about crypto security is in layers, each catching what the previous one might miss. Layer one is account access: unique passwords and app-based or hardware two-factor authentication on every platform. Layer two is asset location: keeping only actively-traded amounts on an exchange and moving longer-term holdings to self-custodied, ideally hardware, storage. Layer three is backup integrity: a securely stored, offline seed phrase backup that could survive a house fire or a lost device. Layer four is ongoing hygiene: periodically reviewing smart contract approvals, staying skeptical of unsolicited messages, and never entering a seed phrase anywhere outside an intentional wallet recovery. No layer needs to be perfect on its own — the point of layering is that a single mistake, like clicking one bad link, doesn't automatically translate into a total loss if the other layers are holding. Revisiting this checklist periodically, especially after acquiring new holdings or trying a new platform, keeps security habits from quietly lapsing as convenience creeps back in.