Exchange Security Checklist (10‑Point)
2FA, withdrawal whitelist, device checks, session control, and data hygiene — everything you should tick off before funding your account.
TrendReward is an independent marketing affiliate. This is not Bybit’s official website.
1) Enable MFA: 2FA, Security Keys, or Passkeys
Turn on multi‑factor authentication for logins and withdrawals. Prefer phishing‑resistant options (hardware security keys / passkeys) where supported; otherwise use an authenticator app (not SMS) and securely back up recovery codes.
- On Bybit: enable Google Authenticator, YubiKey, or Passkey in Security settings.
- Store the setup/recovery key offline; never share codes via chat or email.
2) Set an Anti‑Phishing Code
Create a personal code so official emails/SMS from the exchange display it. If the code is missing or wrong, treat the message as phishing and do not click.
- Make the code easy for you to recognize but hard for others to guess (avoid birthdays, phone digits).
- Verify the code on any urgent “security” or “account action required” email.
3) Use the Withdrawal Address Whitelist
Add your own addresses to the Address Book/Whitelist and withdraw only to verified entries. Always confirm the network, and the memo/tag when one is required.
- Label addresses clearly (e.g., “My BTC Cold Wallet”).
- Enable “new‑address lock” or cooling‑off if available to prevent rushed changes.
4) Strong, Unique Passwords + Manager
Use long, unique passwords for your exchange and email. A reputable password manager helps avoid reuse and creates high‑entropy passphrases.
- Avoid frequent forced changes unless a breach occurs; favor length + uniqueness.
- Never store seed phrases or 2FA recovery keys in cloud notes without encryption.
5) Keep Devices Clean & Updated
Update the OS and apps promptly, install only from official stores, and minimize app permissions. Avoid public Wi‑Fi and public USB ports; use a reputable antivirus or the built‑in security suite.
- Review browser extensions; remove anything unneeded or suspicious.
- Enable device screen‑lock, full‑disk encryption, and automatic updates.
6) Review Active Sessions / Trusted Devices
Regularly review logged‑in devices and sessions; sign out of ones you don’t use. Avoid staying logged in on shared computers.
- If a new device signs in, confirm it was you and revoke unknown sessions.
- Set alerts for new logins, password changes, and withdrawal requests.
7) Be Ruthless with Phishing
Double‑check domains, don’t click links from unsolicited messages, and never share codes or keys. When in doubt, navigate to the site manually via bookmarks.
- Beware of urgent language, spoofed sender names, and look‑alike domains.
- Verify notices against your Anti‑Phishing Code and official status pages.
8) Lock Down API Keys (If You Use Them)
Create separate API keys per tool, restrict scopes (read‑only if possible), and whitelist IPs. Rotate keys periodically and store secrets securely.
- Never grant withdrawal permissions to third‑party tools.
- Delete unused keys immediately; log and review API activity.
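Added example, not from Bybit or the original guide: a Python audit that checks a locally kept inventory of API keys against the rules in item 8. The record fields, the sample keys, and the 90-day rotation and 30-day idle thresholds are assumptions made for illustration.

```python
from datetime import date

# Constructed inventory. Field names are hypothetical, not an exchange API schema.
SAMPLE_KEYS = [
    {"label": "tax-export", "tools": ["tax-export"], "scopes": ["read"],
     "ip_whitelist": ["203.0.113.10"], "created": date(2025, 5, 1),
     "last_used": date(2025, 6, 10)},
    {"label": "bot-main", "tools": ["grid-bot", "portfolio-tracker"],
     "scopes": ["read", "trade", "withdraw"], "ip_whitelist": [],
     "created": date(2024, 1, 15), "last_used": date(2025, 6, 12)},
    {"label": "old-test", "tools": ["backtester"], "scopes": ["read"],
     "ip_whitelist": ["198.51.100.7"], "created": date(2025, 4, 20),
     "last_used": None},
]

def audit_key(key, today, max_age_days=90, idle_days=30):
    """Return the item-8 findings for one key record (empty list = clean)."""
    findings = []
    if len(key["tools"]) > 1:
        findings.append("SHARED_KEY")        # one key per tool
    if "withdraw" in key["scopes"]:
        findings.append("WITHDRAW_SCOPE")    # never for third-party tools
    if set(key["scopes"]) - {"read"}:
        findings.append("NOT_READ_ONLY")     # review: read-only if possible
    if not key["ip_whitelist"]:
        findings.append("NO_IP_WHITELIST")   # key usable from any address
    if (today - key["created"]).days > max_age_days:
        findings.append("ROTATION_DUE")      # assumed rotation period
    last = key["last_used"]
    if last is None or (today - last).days > idle_days:
        findings.append("UNUSED_DELETE")     # assumed idle threshold
    return findings

def audit(keys, today):
    """Map each key label to its list of findings."""
    return {k["label"]: audit_key(k, today) for k in keys}

if __name__ == "__main__":
    for label, findings in audit(SAMPLE_KEYS, date(2025, 6, 15)).items():
        print(f"{label}: {', '.join(findings) or 'ok'}")
```

Keep the inventory itself free of key secrets; labels, scopes and dates are enough for the review.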
9) Alerts & Authenticity Checks
Enable security alerts (logins, withdrawals, password/2FA changes). Cross‑check suspicious alerts with your Anti‑Phishing Code and the official help/status pages.
- Set notification channels you actually monitor (email/app push/SMS).
- Keep a printed recovery plan (what to revoke, who to contact) offline.
10) If You Suspect Compromise: Pause & Report
Change passwords, revoke API keys, de‑authorize devices/sessions, and consider temporary account deactivation while investigating.
- Contact exchange support via official channels; do not trust DMs offering “help”.
- Report scams to consumer protection/regulators; preserve evidence (screenshots, tx IDs).
Practical Extras
- Prefer phishing‑resistant MFA (security keys/passkeys) where possible.
- Calendar a monthly security review: sessions, devices, API keys, alerts.
- Document recovery steps before you need them.
Secure First — Then Trade
Tick off the 10‑point list, then move on to funding and strategy.