In light of the increase in phishing assaults, cryptocurrency exchanges advise users to safeguard their funds using hardware wallets, YubiKey devices, and passkeys.

As criminals use emails, text messages, and phone calls to deceive victims into divulging personal information, phishing schemes are becoming more prevalent. 

A clone of Dogecoiner facilitated the Bitcoin Ordinals ‘Runestone’ airdrop.

Since the start of 2024, the National Cyber Security Centre in the United Kingdom has received reports of 29 million fraudulent schemes.

Additionally, according to the blockchain security platform Scam Sniffer, fraudulent schemes affected more than 324,000 cryptocurrency users in 2023. The “2023 Wallet Drainers Report” estimated that wallet drainers stole approximately $295 million worth of digital assets in 2023.

In response to the increase in phishing schemes, certain cryptocurrency exchanges have begun promoting the use of particular devices to safeguard user funds.

Cryptocurrency exchanges provide a second layer of security.
Jacob Klein, Chief of Trust and Security and Director of Trust and Security at Coinbase, confirmed to Cointelegraph that the exchange was among the first to offer YubiKey compatibility.

Although Yubico first introduced YubiKey devices in 2008, certain cryptocurrency exchanges started permitting users to utilize them in 2019, subsequent to the initial significant bull run.

Klein stated, “YubiKey devices are the most secure method of authentication that we offer.”

According to Klein, Coinbase requires YubiKey devices to function as a means of two-factor authentication (2FA).

“This would require a user to access their account using their physical YubiKey device,” he explained.

Klein noted that account credentials are susceptible to loss or breach via phishing attacks; thus, this can be useful.

“Given the ubiquity of phishing scams, users should ask themselves, ‘How can I protect myself from hacking?'” “For this reason, a YubiKey may appear to be the most logical and optimal defense for cryptocurrency funds,” he explained.

In 2019, Binance, a cryptocurrency exchange, also introduced YubiKey devices to its customers.

Jimmy Su, Binance’s chief security officer, stated to Cointelegraph, “The Yubikey is the most secure two-factor authentication mechanism due to the requirement of physical access to it.” To bypass this, an assailant must obtain access to YubiKey. This is as opposed to transmitting a single-use password via email or SMS, which is considerably more vulnerable to fraud attempts.

Additionally, passkeys can safeguard against fraudulent attacks.
Despite the fact that YubiKey devices are among the most effective anti-phishing measures, cryptocurrency exchanges have recently implemented more modern alternatives for their users.

For example, Klein revealed that Coinbase supports Passkeys, a novel iteration of MFA, which “implements user authentication through a cryptographic technique associated with a user’s device, such as their smartphone.”

Any Coinbase user has the ability to enable the passkey option when logging into their account, per Klein.

Khaja Ahmed, the chief information security officer of cryptocurrency exchange Gemini, told Cointelegraph that the exchange also recently added support for passkeys, stating, “Passkeys are slightly more convenient than physical YubiKeys because they do not require an external physical device.”

Tom D’Eletto, head of product at crypto security platform Arculus, told Cointelegraph that a hardware-bound passkey—such as an NFC-enabled card or a USB dongle—is the gold standard for security, although software passkeys are a step in the correct direction.

According to D’Eletto, both passkeys and YubiKeys utilize the open standard “FIDO2”. He disclosed that Arculus has recently introduced its own FIDO2-certified credentials, which take the form of credit cards made of metal.

“USB hardware keys […] have not attained widespread mainstream adoption despite their many years of availability,” D’Eletto stated. “Arculus incorporates a FIDO2 authenticator into the form factor of a metal credit card, enabling users to authenticate by simply tapping the card against the back of their phone.”

“Compare this to using your bank card and PIN to access your account at an ATM,” D’Eletto advised. “This provides users with a more familiar experience.” “Argulus enables secure authentication and the same flow on your mobile device.”

There is some protection against spoofing attacks, but little else.
Shahar Madar, vice president of security and trust products at Fireblocks, informed Cointelegraph that it is crucial to understand that YubiKeys and similar tangible devices do not store a user’s private key or wallet.

Madar stated, “Its sole purpose is to authenticate the end-user and obtain their consent for a transaction by means of an exchange or wallet.”

The most compelling use case for these devices, according to Madar, is to prevent end-user account takeovers. Madar emphasized that while this can safeguard users against phishing assaults, neither a YubiKey nor a passkey can prevent a cryptocurrency exchange breach.

Users of cryptocurrencies may therefore wish to store their funds in a hardware wallet. In addition, Singaporean authorities have recently advised the use of hardware wallets to protect against wallet drainer attacks.

In Europe, forthcoming DeFi regulations may prohibit non-decentralized protocols.

However, hardware wallets are not immune to their own set of challenges. A hardware wallet user risks irretrievably losing their cryptocurrency funds if they misplace their private keys.

Klien observed that in this situation, a YubiKey linked to a Coinbase account could be advantageous. “A user could still access their Coinbase account even if they lost their YubiKey device, as there is a procedure by which they can regain access to their account,” he explained.

source