Conversation

SBF
@SBF_FTX
1) FTX *requires* 2FA in order to deposit. Why? Well, it turns out that LOTs of people's usernames and passwords are basically public. If 10 years ago you signed up for some random website and it got hacked, your UN/PWD are probably for sale right now. haveibeenpwned.com
7
87
SBF
@SBF_FTX
Replying to
@SBF_FTX
3) This makes it possible for someone to just buy a huge dataset of usernames/passwords and try them *all* to see if someone re-used.
1
7
SBF
@SBF_FTX
4) There are things sites can do about this--looking at IPs, repeated failed attempts, etc.--but none are perfect. So what can you do?
1
7
SBF
@SBF_FTX
a) USE 2FA. This is the single most important thing. The key thing about 2FA is that it changes every 30s, so 10 year old 2FA strings don't do anything. Alternately use physical 2FA devices.
1
9
SBF
@SBF_FTX
c) Ideally use those QR-code-based 2FA apps and not cell phones; SIM swapping is stupidly easy in many countries!
1
10
SBF
@SBF_FTX
d) Make sure your email account isn't compromised--that's often the key to reset your other credentials.
1
6
SBF
@SBF_FTX
e) Lots of sites will say "for added security add your phone number". THEY'RE LYING! Generally doing so doesn't add any security, it subtracts security because now if someone sim-swaps you they can use that to reset your password.
2
18
SBF
@SBF_FTX
f) Requiring 2FA and a withdrawal password on all withdrawals helps, in case you are signed in someone and someone access your device.
1
10
SBF
@SBF_FTX
g) Some sites will ask for your exchange API keys to connect (e.g. alert/charting/tracking/trading apps). This is ok as long as you give out read-only API keys, but make sure never to give out a full access API key. Requiring 2FA on withdrawal helps here too!
2
16