You Are One SIM Hack Away From Losing Everything — pt1: The Basics

Yes, YOU

I think most of us have heard at least one horror story of a friend-of-a-friend whose identity was stolen, with consequences ranging from lost life savings to a damaged credit history to an IRS/Social Security mess.

One of Sean’s super-useful diagrams from his article. Go. Read. It. Now.

What You Should Do

I’ll start with the “Yeah, duh!” security procedures and progress to deeper levels that almost no one is doing but in reality should be the bare minimum for everyone. Everyone!


No excuse to have bad password policies in 2019. You’ve had like 20+ years to heed the warnings.

8 lowercase chars. Oops.
Undecillion = a 1 followed by 36 zeros

Password Manager

If you’re doing it right, there’s no way you can remember all these long, complex, non-patterned passwords. You need a password manager. It’s basically a digital vault that stores all of your passwords, secured under one super-important master password (more on this below).

“W4ET4#kcXb]Mz*NG>no=z6L89hYNiQ” = 233 Duodecillion years to crack

One Password to Rule Them All

Now that you’re putting all your password eggs in one basket, you have to secure that basket. You must create a long, complex master password that will unlock your password manager. But this time you have to be able to remember it. Because this one’s all on you.

Which Password Manager to Pick?

As of May 2019, the top-three list has been pretty stable for a while: Dashlane (most features, but 2x the price), LastPass (most popular, good enough price), and 1Password (nicest UI/UX, but originally only for Macs and it shows).

2FA — 2-Factor Authentication

Since 97% of you aren’t using a password manager yet, you damn well better have 2FA active for all your important accounts.

FYI fake 2FA “Security” questions are garbage

Do you really think a hacker can’t figure out your first girlfriend’s name or your first pet’s name or the name of the street you grew up on? These are not true security tests.

Ah, I’ll never forget Prom night with my sweet suburbia-hardpan-swab…

Disaster Recovery

The more you lock down everything, the more careful you have to be that you won’t accidentally lock yourself out of your own accounts! The balance between keeping others out while keeping your recovery options open is delicate.

What if you lose your phone?

Uh-oh, if there’s no way to get a valid 2FA code, then there’s no straightforward way to log into your account anymore (how each site would handle restoring your access will vary wildly).

The blurred out “secret” line is this pairing’s backup key / seed

Separate 2FA backups: Authy cloud backups

Google Authenticator isn’t the only 2FA app that can scan the pairing QR code and issue you the 6-digit TOTP 2FA codes. One worth strongly considering is Authy.

Bonus: it’s a lot less boring and easier to use than Google Authenticator

Separate 2FA backups: Hardware security keys

For the most important, most sensitive 2FA backups (e.g. your retirement account’s TOTP 2FA) maybe you don’t want to take any risks whatsoever. No forgetting or losing passwords. No trusting anyone else’s servers.

Finally… Phone Security

Having the TOTP 2FA codes on your phone is convenient, but do take some precautions to protect that phone. Always set an unlock PIN.

…and get a free Google Voice phone number

No, this isn’t a sponsored ad. Google Voice provides you with a free phone number that is not bound to any physical phone. You can send or receive calls or texts from any internet-connected device.

My lightly redacted Google Voice SMS text messages

Whoa, that was a lot to take in!

Yeah. Lots of possibilities and pitfalls here, lots of OpSec (Operational Security) to plan and get right. We’ve looked at the individual pieces, but now we need a complete strategy.
