...
Use TOTP as a 2FA tool (e.g. Google Authenticator or FreeOTP)
Enforce the password policies established above.
Update and use the latest browser version to avoid known browser vulnerabilities.
Example Google policy. Notice that the policy prohibits using SMS or phone calls, which are vulnerable to SIM swap attacks.
Secure your Funds
Keep the majority of your coins in a Cold Wallet (e.g. a Trezor wallet that is not connected to the Internet, or an Exchange’s “vault”, which requires special permissions and delays to access).
Set up limits on your Hot Wallet: configure withdrawal thresholds.
If a request is sent to your wallet to transfer more than $2000 USD to a single address, something is wrong and your Hot Wallet should shut down until the action is reviewed.
e.g. see BitGo’s Hot Wallet features.
Keep your Hot Wallet’s balance as low as possible and refill it from your Cold Wallet multiple times per day, or keep a second Warm Wallet for manual refills (performed by a known person from a dedicated IP address).
This is a task your ATM business should never automate (or make easy).
Keep only an amount in your Hot Wallet that you are comfortable losing.
Use the CAS Hot Wallet balance notifications to be notified when:
the balance is too high (when replenishment or SELL transactions may increase your coin balances).
the balance is too low (and you need to refill from a Cold Wallet).
Generate Exchange/Hot Wallet API keys for your production server only.
Don’t store them anywhere else.
Don’t even put them on a test server - otherwise they may be discovered by an attacker and used.
Delete or disable any Exchange/Hot Wallet API keys when they are no longer in use.
Whitelist only your CAS server IP in your Hot Wallet settings (where supported).
You don’t want anyone else to be sending commands to your Hot Wallet.
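The controls listed above (a per-request withdrawal threshold that halts the wallet until a human reviews it, balance notifications when the Hot Wallet is too high or too low, and accepting commands only from the whitelisted CAS server IP) can be expressed as one small guard in front of the wallet. The following is an added example, not CAS or BitGo code; the threshold values, the watermarks, the source IP and the request format are all constructed for illustration.

```python
"""Hot-wallet command guard (added example, not General Bytes CAS or any
wallet provider's code). It enforces three of the controls described above:
a single-transfer USD threshold that halts the wallet, an allowlist of
source IPs that may send commands, and high/low balance notifications.
All numbers and addresses below are constructed sample values."""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import FrozenSet, List, Optional


@dataclass
class HotWalletGuard:
    # Largest single transfer (USD) allowed without review; the page's
    # example threshold is $2000. Anything above it halts the wallet.
    max_single_transfer_usd: Decimal = Decimal("2000")
    # Balance bounds (USD) that trigger "too low" / "too high" notifications.
    low_watermark_usd: Decimal = Decimal("1000")
    high_watermark_usd: Decimal = Decimal("10000")
    # Only these source IPs may send commands (the CAS server IP). An empty
    # allowlist rejects everything, which is the safe default.
    allowed_source_ips: FrozenSet[str] = frozenset()
    # Once halted, every further request is refused until a person resumes.
    halted: bool = False
    audit_log: List[str] = field(default_factory=list)

    def request_transfer(self, address: str, amount_usd: Decimal, source_ip: str) -> bool:
        """Return True if the transfer may proceed, False otherwise.

        Order of checks: source IP first (an unknown sender never influences
        wallet state), then the halt flag, then the per-transfer threshold.
        """
        if source_ip not in self.allowed_source_ips:
            self.audit_log.append(f"REJECT unknown source {source_ip}: {amount_usd} USD to {address}")
            return False
        if self.halted:
            self.audit_log.append(f"REJECT wallet halted: {amount_usd} USD to {address}")
            return False
        if amount_usd > self.max_single_transfer_usd:
            # Shut the wallet down and leave a record for the reviewer.
            self.halted = True
            self.audit_log.append(f"HALT threshold exceeded: {amount_usd} USD to {address}")
            return False
        self.audit_log.append(f"OK {amount_usd} USD to {address}")
        return True

    def resume(self) -> None:
        """Manual step taken after a human has reviewed the halted request.
        Deliberately not called from anywhere automatic, matching the
        advice above that refills and overrides should not be automated."""
        self.halted = False

    def balance_alert(self, balance_usd: Decimal) -> Optional[str]:
        """Return 'too_low', 'too_high' or None for the current balance,
        mirroring the two CAS balance notifications described above."""
        if balance_usd < self.low_watermark_usd:
            return "too_low"
        if balance_usd > self.high_watermark_usd:
            return "too_high"
        return None


if __name__ == "__main__":
    # Constructed walk-through: one legitimate command, one from an unknown
    # IP, one over the threshold, then a manual resume.
    guard = HotWalletGuard(allowed_source_ips=frozenset({"203.0.113.10"}))
    guard.request_transfer("bc1qexample1", Decimal("500"), "203.0.113.10")
    guard.request_transfer("bc1qexample1", Decimal("500"), "198.51.100.7")
    guard.request_transfer("bc1qexample2", Decimal("2500"), "203.0.113.10")
    guard.request_transfer("bc1qexample3", Decimal("10"), "203.0.113.10")
    guard.resume()
    for line in guard.audit_log:
        print(line)
    print("alert at $500:", guard.balance_alert(Decimal("500")))
```

The guard is intentionally stateful: a single over-threshold request flips `halted`, and nothing in the code path clears it, so the wallet stays down until an operator calls `resume()` after reviewing the audit log.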
...