You Are One SIM Hack Away From Losing Everything — pt1: The Basics
Or: “Get it Right or Get Rekt!”
We’ve all become terribly vulnerable now that every aspect of our lives is managed online. In part 1 we’ll look at the various tools we have at our disposal to try to defend ourselves. In part 2 we’ll assemble them all into a coherent security strategy.
Disclaimer: I am not a security expert. I’m just presenting my best understanding of the best practices and making myself think through this so I can get my own sh*t secured. If I have gotten anything wrong, please let me know!
I think most of us have heard at least one horror story of a friend-of-a-friend whose identity was stolen with varying degrees of lost life savings, damaged credit history, IRS/Social Security mess, etc.
How this can happen — and happen so easily! — is explained extremely well in this painful article by Sean Coonce. He lays out the exact blow-by-blow of how he lost $100k. Go read it. Now.
Come back when you’re done ‘cause we’ve got work to do.
What You Should Do
I’ll start with the “Yeah, duh!” security procedures and progress to deeper levels that almost no one is doing but in reality should be the bare minimum for everyone. Everyone!
No excuse to have bad password policies in 2019. You’ve had like 20+ years to heed the warnings.
Password length and complexity are king. 8–12 char passwords ain’t cutting it. Max out what each site allows; 20–30 chars should be your goal. “Complexity” means at least one uppercase letter, lowercase letter, number, and symbol. Experiment on howsecureismypassword.net to get a feel for how the math works out.
Passwords must be different for every site.
Slightly modifying a long stock passphrase for each site (e.g. “IReallyLoveTurtles52!!_amazon”, “IReallyLoveTurtles52!!_tdameritrade”) is also dangerous. If any site leaks your passphrase, hackers can easily guess what your pattern could be for other sites.
If you’re doing it right, there’s no way you can remember all these long, complex, non-patterned passwords. You need a password manager. It’s basically a digital vault that stores all of your passwords, secured under one super-important master password (more on this below).
It will create random uber-complex passwords for each new site for you. But you never have to remember them or even type them. Just unlock the password manager and retrieve the password when you need it.
If you’re not using a password manager, your passwords are garbage. Period.
One Password to Rule Them All
Now that you’re putting all your password eggs in one basket, you have to secure that basket. You must create a long, complex master password that will unlock your password manager. But this time you have to be able to remember it. Because this one’s all on you.
Don’t store it digitally anywhere. Ever. Don’t type it and then print it. If you must, write it by hand on paper. Keep a copy offsite in case your house burns down.
If you lose or forget your master password, everything in your password manager is lost forever. May as well drop it into a black hole.
Which Password Manager to Pick?
As of May 2019 the top three list has been pretty stable for a while: Dashlane (most features, but 2x the price), LastPass (most popular, good enough price), and 1Password (nicest UI/UX, but originally only for Macs and it shows).
The reviews somewhat contradict my positive experience with 1Password, which I’ve used since 2011(!!); it was derided as having the worst UI but I think it’s clearly the best (and so does Wired). They all have free trials so give them each a try. And while there are slight differences amongst them, they all easily clear the minimum security requirements we’re going to need. They all have browser integrations and mobile apps with biometric fingerprint support that make everything easier. They’re all good at what they do.
They all also store your encrypted password file in the cloud. This seems like an alarming security risk but your master password encrypts the file locally so the only thing sitting on their servers is an uncrackable blob. No one — not even the NSA — has the computing power to peek into your data if you use a strong password. Modern encryption is amazing.
Dashlane wins if you have a ton of bad passwords that you need to update. It has a list of about 500 sites that it can go into automatically and change your bad passwords for you. LastPass can only do that for about 80 sites. 1Password ain’t in that game at all.
After trying Dashlane and LastPass, I was happy to stay with 1Password but it really doesn’t matter which one you pick.
2FA — 2-Factor Authentication
Since 97% of you aren’t using a password manager yet, you damn well better have 2FA active for all your important accounts.
Basically when the hacker easily guesses your crap password, 2FA will then prompt them to enter a second code. There are good and bad variants of this.
Bad: The 2FA code is sent via SMS text message to your phone. See Sean Coonce’s article above for why this is disastrous and why SIM swapping is even a thing.
Bad: The 2FA code is sent via email. Always assume the hacker will go after your email account. Assume they will succeed.
Better: Apps like Google Authenticator that issue expiring Time-based One-Time Passwords (aka TOTP). Pair it with your account and it generates a new 2FA access code every 30 seconds. This turns your phone into an ever-changing key that is required to unlock your account. And, luckily for us, only that physical device is paired; the hacker can port your phone number to a new SIM, but the 2FA pairing has no way to move to the new phone. A hacker would have to steal your actual phone from your pocket (and unlock it).
With 2FA your security is now no longer just about something you know (your password) it’s also based on something you have (your phone).
And we will, of course, add a 2FA layer to secure the password manager itself.
FYI fake 2FA “Security” questions are garbage
Do you really think a hacker can’t figure out your first girlfriend’s name or your first pet’s name or the name of the street you grew up on? These are not true security tests.
Avoid these whenever possible. And when they are required, treat them as if they were additional passwords.
The more you lock down everything, the more careful you have to be that you won’t accidentally lock yourself out of your own accounts! The balance between keeping others out while keeping your recovery options open is delicate.
What if you lose your phone?
Uh-oh, if there’s no way to get a valid 2FA code, then there’s no straightforward way to log into your account anymore (how each site would handle restoring your access will vary wildly).
When you set up Google Authenticator-style TOTP 2FA you’re usually given a backup key or “secret” for each account pairing.
In crypto parlance this is a “seed” that can enable any device to start generating the same TOTP 2FA codes. Add this seed to any TOTP 2FA generator app on another device and you’ll see it produce the exact same codes as your first device (for those familiar with cryptocurrency hardware wallets this seed is analogous to your wallet’s mnemonic seed phrase; initialize a new crypto wallet with your seed phrase and you’re good to go. Same for TOTP 2FA generator apps).
Your online bank account’s TOTP 2FA will have a unique seed while your favorite ecommerce site will have its own TOTP 2FA seed generated just for your account.
Interesting note: there’s no limit to the number of additional devices you can pair to the same backup key as part of your redundancy/recovery plan. This will come in handy in Part 2.
Alternatively some sites will give you a set of backup codes and tell you to print them out or save them to your computer. These codes provide one-time use access into your account.
Notice that now these 2FA seeds and backup codes are vital to your recovery process but ALSO pose a new security risk.
Clearly these have to be stored securely somewhere. Maybe in your new password manager? You could do that, but you should feel a tingle of worry if everything is in your password manager. That creates one mega honey pot, one crippling vulnerability should it ever get compromised. And this is supposed to be TWO factor authentication; your 2FA world should be kept separate from your password world.
Separate 2FA backups: Authy cloud backups
Google Authenticator isn’t the only 2FA app that can scan the pairing QR code and issue you the 6-digit TOTP 2FA codes. One worth strongly considering is Authy.
Authy has some nicer UI bells and whistles (which isn’t saying much; whichever Google engineer built Google Authenticator clearly spent approximately zero time on its UI).
But what really matters is its free cloud backup feature. Much like the password managers, you set a strong password for your 2FA backups which encrypts them. That encrypted file is then uploaded to Authy’s servers. And, just as before, Authy has no way to decrypt what’s on their servers (and just as before if you forget this password, the backup will be useless).
You can then authorize a new device to download those backups.
That authorization goes through a phone number step, unfortunately, but the system is set up to actually still be pretty hack-proof — you have to approve the new device from a previously approved device and you still have to know the hard master password to decrypt the backups. This is great for initializing a new phone with all of your 2FA intact, but also convenient for cloud syncing your 2FA pairings across the devices that you commonly use.
Bonus tip: disable “Multi-Device” authorization after you’re done adding a new device. The current devices will all remain cloud synced with each other but you’ll prevent a hacker from trying to add his/her own devices to your backup. You can always temporarily re-enable the authorization feature when you need to add a new device.
Long story short: we now have secure enough backups for our 2FA pairings that are completely separate from our password manager!
Separate 2FA backups: Hardware security keys
For the most important, most sensitive 2FA backups (e.g. your retirement account’s TOTP 2FA) maybe you don’t want to take any risks whatsoever. No forgetting or losing passwords. No trusting anyone else’s servers.
Your best option here is a hardware key like the YubiKey 5 NFC. It looks like a small USB thumbdrive but it’s stuffed full of specialized encryption hardware.
It has a companion Yubico Authenticator app that is yet another TOTP 2FA app that generates our 6-digit access codes. But rather than storing the TOTP 2FA seed on your phone, it writes it to the YubiKey. You can then install the Yubico Authenticator app on any device, hold the YubiKey up to the back of that device, and, voilà, there are your next set of 6-digit TOTP 2FA access codes.
Your 2FA pairings live in the YubiKey. The phone is now just a dumb display. And the YubiKey is totally hacker-proof; there’s no way to extract the secret 2FA pairing data from inside of it.
It is effectively a highly durable, easily portable backup of your 2FA pairings.
Finally… Phone Security
Having the TOTP 2FA codes on your phone is convenient, but do take some precautions to secure your phone. Always secure your phone with an unlock PIN.
And unfortunately not every site supports true 2FA— including most banking and investment sites! They still insist on texting you a security code. So we’re still vulnerable to a SIM swap attack.
Cell carriers are starting to (sorta) get better at security. Request to have a passphrase set on your account that would be required before they will port your phone number to a new SIM.
But mostly I just don’t believe cell companies are on top of this. Yes, call them and get your account as locked down as possible. But there are too many stories of company employees either incompetently failing to follow the guidelines or straight-up inside job thievery.
Just assume the worst…
…and get a free Google Voice phone number
No, this isn’t a sponsored ad. Google Voice provides you with a free phone number that is not bound to any physical phone. You can send or receive calls or texts from any internet-connected device.
And, most importantly, it’s a phone number that you control through your Google account. As long as you properly secure your Google account, there is no SIM to worry about getting swapped.
This puts us in much better shape when we’re interacting with all these dang sites that still rely on faux-2FA via SMS.
Yes, it creates a new honeypot problem (your Google/Gmail account now also controls your phone — one single point of vulnerability), but the risk posed by incompetent cell phone companies is just too great. Security is about balancing various tradeoffs and compromises. There is no “perfect”, only “better”.
Whoa, that was a lot to take in!
Yeah. Lots of possibilities and pitfalls here, lots of OpSec (Operational Security) to plan and get right. We’ve looked at the individual pieces but now we need a complete strategy.
That’s coming in Part 2.