Taming a Wildhorse CEX App
0xB25C
January 4th, 2023

Greetings!

Today's essay is a somewhat unusual one: I deviate from my usual advice to store your cryptocurrency in an air-gapped self-custodial, paper, or cold wallet and instead focus on the security of the exchange (CEX) or exchanger mobile application!

Only practical advice in this post! Let's get started!


I - Basics

Use a separate, clean device! Never install anything non-essential on it, keep it updated, and do not use it for chatting or browsing!

To begin with, understand that you face the same threats as the user of any banking application: banking Trojans (1), (2), (3), (4), (5), stealers, RATs and so on.

Choose a reliable phone! Read my article on the subject!


II - 2FA(3FA) & Email

Learn about 2FA (and 3FA!), turn it on at the exchange, and also turn on limits and SMS alerts. Ideally, you should be able to set up everything else yourself by following the guides on the security blogs of any major crypto exchange, but what I listed at the beginning is something everyone needs to know!

If you see suspicious password activity or failed logins on any of your accounts, change all of your passwords, starting with the sensitive and authorization accounts, such as your primary email and bank/crypto accounts!

Check out:


III - SMS

In other words, protect your email, 2FA token, SIM card and internet connection! Study threat modeling!

Everyone's needs differ, but you can protect yourself from SIM swapping! Ask your carrier to NEVER make changes to your phone number/SIM unless you physically show up at a specific store with at minimum two forms of identification.

This (should) prevent attackers from calling up AT&T, T-Mobile or Vodafone, claiming to be you, and asking them to port your phone number to a new phone. This practice has been tested with telecommunications operators in the US, the UK, Poland and China; also check out this tweet and this article.

You just need to insist on it or visit the head office, as the support manager on the phone may not even know about this option!

On the other hand:

Never link phone numbers to crypto platforms. Use multiple trusted eSIMs if you have to link a phone. To lock down your SIM, contact your mobile phone carrier.

Instead, require staff to verify via a phone call to a secondary number, because "show ID" can be compromised, or just use something like Efani. Or use eSIM only!


IV - 2FA & Password

As a 2FA app I advise choosing Aegis; the choice of phone operator is at your discretion. Aegis Authenticator is open source (licensed under GPL v3) and the source code can be found here.

The issue with Authy is that it depends on a phone number, which can be changed through an email request, giving anyone access to your HOTP/TOTP codes after an approximately 4-day waiting period. To mitigate this, disable the multi-device function in Authy's settings!

For 2FA one can also use KeePass + YubiKey. KeePass allows attaching a TOTP generator to any entry in your .kdbx file. A YubiKey can be used together with KeePass to add a bit of entropy on each re-encryption when adding an entry to your database file: Ref No.1, Ref No.2, Ref No.3.

As for password managers I recommend:

KeePass, KeePassX, KeePassDX, KeePassXC or Bitwarden are all good options. I also found this tutorial on integrity checking (and other checks) very helpful; be sure to check it out as well: link.

Somewhere along the line, the 'stop writing passwords on sticky notes' narrative got misinterpreted as 'never write them down'. There's nuance to it!

For the highest level of privacy, always generate complex passwords and write them down in a notebook. It takes time but saves headaches.
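As an added example (not from the original post) of generating such a password properly: draw from the operating system's CSPRNG via `secrets`, reject candidates that miss a character class rather than forcing one of each (which would skew the distribution), and, since the password is going to be handwritten, leave out characters that are easy to confuse on paper. The set of ambiguous characters and the 20-character default are my assumptions.

```python
"""Generate a high-entropy password suitable for writing down, and estimate its strength.

Added example accompanying the advice above; not code from the original post.
"""
import math
import secrets
import string

# Characters that are easily misread in handwriting (assumed set): I/l/1 and O/0.
AMBIGUOUS = "Il1O0"


def _without(chars: str) -> str:
    return "".join(c for c in chars if c not in AMBIGUOUS)


LOWER = _without(string.ascii_lowercase)   # 25 characters
UPPER = _without(string.ascii_uppercase)   # 24 characters
DIGITS = _without(string.digits)           # 8 characters
SYMBOLS = string.punctuation               # 32 characters
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 89 characters in total


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def covers_all_classes(password: str) -> bool:
    """True if the password contains at least one character from each of the four classes."""
    return all(any(c in cls for c in password) for cls in (LOWER, UPPER, DIGITS, SYMBOLS))


def generate_password(length: int = 20) -> str:
    """Uniform draw from ALPHABET using `secrets` (never `random`), with rejection sampling
    so that accepted passwords stay uniformly distributed over the set that covers all classes."""
    if length < 4:
        raise ValueError("need at least 4 characters to cover all four classes")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if covers_all_classes(candidate):
            return candidate


def chunked(password: str, size: int = 5) -> str:
    """Group characters for transcription into a notebook; the spaces are not part of the password."""
    return " ".join(password[i:i + size] for i in range(0, len(password), size))


if __name__ == "__main__":
    pw = generate_password(20)
    print("Password (write down without the spaces):", chunked(pw))
    print("Entropy: %.1f bits" % entropy_bits(len(pw), len(ALPHABET)))
```

Twenty characters from an 89-symbol alphabet give roughly 129.5 bits, far beyond what any online or offline guessing attack can cover; the rejection step lowers this only negligibly while guaranteeing the composition rules most exchanges enforce.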

Check out:


V - OpSec Tips

As for VPN:

Don't forget that a VDS/RDP + VM combination can replace all of this, but it is not available to everyone. If you know how to set it up correctly, choose this way. Check out this article as well.

On the other hand:

Don't use a 3rd-party VPN; rent a VPS and bootstrap an open source VPN server!


VI - Dangers

SS7 Attacks

Unfortunately, you cannot protect yourself from SS7 attacks (this old technology is still in use in many places, e.g. LTE).

Unless you move to Germany, where you can become a telco, issue your own SIM card and monitor your own SS7 gateway. That's probably not the way for everyone.

IMSI-Catchers

You also cannot protect yourself from IMSI catchers unless you forbid your phone from using 3G and 2G in its settings. And even then, such devices for 4G are already being sold on black markets.

Social Engineering & Scam

It is important to remember that you can be scammed on exchanges too. Do not click on links sent in chat dialogues; if anything looks suspicious, report it to support.

Wi-Fi & Physical Attacks

Keep in mind that a physical attack can be used against you, so use Duress and the other tools & tips from my guide.

Think about what attackers might learn about your passion for cryptocurrency from data leaks or through other methods…

Think ahead: don't use this phone or email anywhere except the exchange!

Check out:


I don’t have as much money as the fictional character in our essay, but your support helps me to exist 🙂

If you want to support my work, you can send me a donation to the address:

Stay Safe!

This entry has been permanently stored on-chain and signed by its creator.
Author Address
0xB25C5E8fA1E53…9F6A66B786ED77A
Content Digest
scaEkpIpF7pd9Dh…hDg9TeAGIo76aRY