Keep Your Slush Pool Account Safe
Internet security is a very complex field. However, sometimes you can achieve a fairly high level of security with quite little effort. It is no different on Slush Pool. Please take a few minutes to read this article and make sure your Slush Pool account is adequately protected.
Activate Two-factor Authentication
You probably know this. Two-factor authentication can be set up (Settings → Security) using apps like Google Authenticator or Authy. The app generates security codes that change over time. To log in to your account or change some important settings, you have to know both the password and the security code.
We also support a more advanced (and more secure) standard called Universal 2nd Factor. Chances are you already have a TREZOR or a hardware security token like a YubiKey, so you can use one of those. It is also pretty convenient, since you do not have to input security codes over and over again.
Set & Lock Your Payout Address
Firstly, do not forget to set up your payout address. Secondly, consider locking it (Settings → selected coin → Payouts). This is a really straightforward and powerful feature. Even if an attacker hijacks your account and bypasses other security measures including 2FA, he cannot change the payout address and steal your rewards, as long as he has no control of the specified address.
How does it work? If you choose to lock the payout address, you (or anybody else) will not be able to select a new address unless you prove that you control the current one. That is done simply by signing a given text with the corresponding private key. Be careful though, this feature is kinda like a double-edged sword. You cannot unlock the payout address if you lose the private key or if your wallet does not support signing messages!
Read The Emails
Seriously. We do not like spam and we usually reach you only when something important is going on with your account. Unfortunately, a lot of miners do not read the messages at all or (worse) just open them and blindly click the confirmation button. This is an easy way to lose control over your account and let the bad guy in.
Also, do not rely solely on the timing of those confirmation emails. The attacker could use some kind of social engineering to trick you into confirming what he wants. Always check the important details, like the new payout address.
Stay safe and Mine As One!