Security in Crypto, Hardware Wallets, and Pseudonymity - Part 1
This is a seven-part introductory primer on all things security when it comes to holding, transacting, and safeguarding crypto and NFTs.
This article is a primer on all things security regarding holding, transacting, and safeguarding cryptocurrencies and NFTs. It is not meant to be a complete compendium, but it gives you the information you need to get started.
I divided this primer into seven parts. Part 1 discusses elementary topics such as passwords, two-factor authentication (2-FA) methods, their comparison, and best practices.
The First Rule for a Crypto/NFT Holder
Don't talk about your net worth in crypto to anyone.
Since cryptocurrencies and NFTs are digital assets, thieves can steal them digitally: for a skilled scammer or hacker, the theft is a quiet, low-risk operation, especially when it starts with social engineering. There are myriad hacking and scamming methods, and as a non-expert in cybersecurity you will most likely be unable to keep up with the fast-evolving pace of new ones.
Revealing your crypto net worth puts a number on your head for a criminal to target. Given a sufficiently high value, that number becomes the reward for which one or more attackers may decide you are worth the effort.
So, rule number one is:
Never say aloud, or type in a Twitter thread or Discord channel, the value of your holdings.
Keep your real name and address off all social media channels as much as possible. This matters because the blockchain is public: if someone can tie a real name or address to your wallet addresses, they can read your balances and transaction history directly from the chain, and you become a target.
This series will cover different aspects of wallets (hot wallets, hardware wallets, etc.) and private keys. Before moving on to wallets and private keys, we will cover several introductory topics. Thorough working knowledge of the initial topics will help make it a breeze to use the hardware wallet. We will cover the actual usage in a follow-up series.
Passwords and 2-FA
Take the case of passwords. Easily guessable passwords with little randomness, and reuse of the same password across websites, are the main reasons a victim loses big when a single password is compromised.
When a site is breached, the stolen credentials are sold and traded among scammers, who then try them against other services (credential stuffing). If you reuse the same password everywhere, a single compromised account lets them into all of your accounts across platforms, including email, socials, and exchange accounts.
A secondary fail-safe is 2-FA, such as Google Authenticator or Twilio Authy. Authentication factors fall into three categories: something you know (e.g. a password or PIN), something you have (e.g. a security key or an authenticator app on your phone), and something you are (e.g. a fingerprint) [1]. 2-FA adds a second factor from a different category than your password, so a stolen password alone is not enough to log in. Enable 2-FA on every account on every type of platform, including email, crypto exchange accounts, and social media accounts (Twitter, Discord, Telegram, etc.).
Prefer Google Authenticator/Twilio Authy-based 2-FA over SMS-based 2-FA
Scammers defeat SMS-based 2-FA by exploiting loopholes in mobile phone providers' customer-support processes: they persuade the carrier to reissue your SIM (or port your number) to them without thoroughly verifying that they are the original customer. This is the SIM swap scam [2,3]. Once your number rings on their SIM, every SMS code meant for you is delivered to them, along with the password-reset texts for any account that falls back to SMS.
As noted in the referenced articles, SIM swap scams exploded in the 2020-22 period, so take the necessary precautions now rather than become a statistic.
Hence, the recommendation is always to use 2-FA, and specifically app-based 2-FA (Google Authenticator or Twilio Authy) rather than SMS. You can download these apps from the App Store for iOS and the Play Store for Android devices.
Comparing Google Authenticator with Twilio Authy
Remember that a Google Authenticator account is not tied to a phone number and, at the time of writing, has no cloud-based restore option: if you lose the phone, you lose the tokens unless you saved each service's setup key or recovery codes when enrolling. (Google has since added an optional sync to your Google account, which brings a similar trade-off: whoever controls the backup can restore the tokens.) Twilio Authy accounts, on the other hand, are mandatorily linked to a phone number by design and back up all 2-FA tokens to the cloud. This makes it easy to restore all your 2-FA accounts to a new phone, or across devices, if you damage or lose your current phone.
If you fall victim to a SIM swap scam, the attacker can use your phone number to add a new device to your Authy account and restore your 2-FA tokens from the cloud backup. Authy encrypts that backup with a backup password you choose, which is a further hurdle for the attacker, but a weak or reused backup password removes it, so do not rely on it alone. Turn off the multi-device option by going to Settings (gear symbol) -> Devices -> turn "Allow Multi-device" OFF [4].
The related idea is to sync Authy to an additional device of yours in advance, before you need the backup, and only then turn off "Allow Multi-device". No new device can then be added to your Authy account, but you still hold a physical device that is already synced to it and can take over if your primary phone is lost.
Coming Next: We will discuss asymmetric encryption and its application to Bitcoin (and cryptocurrencies in general), wallets, seed phrases, and securing seed phrases in Part 2 of this series.
References:
1. Twilio Authy (2016). Authy. [online] Authy. Available at: authy.com/what-is-2fa [Accessed 11 Jul. 2022].
2. Norton U.S. (n.d.). SIM swap fraud explained and how to help protect yourself. [online] Available at: us.norton.com/internetsecurity-mobile-sim-s.. [Accessed 27 Jun. 2022].
3. Wikipedia Contributors (2021). SIM swap scam. [online] Available at: en.wikipedia.org/wiki/SIM_swap_scam [Accessed 27 Jun. 2022].
4. Twilio Authy Help Center (n.d.). Enable or Disable Authy Multi-Device. [online] Available at: support.authy.com/hc/en-us/articles/3600163.. [Accessed 27 Jun. 2022].
The author holds an M.S. in Engineering from Columbia University and has a decade of research and industry experience in software and hardware design. He has been researching crypto security since early 2021. You can follow him on Twitter: @MetaversityOne