Updated June 10, 2019
Fred Krueger and Ben Sigman
In the last few months, a very large number of SIM-swapping and identity theft cases have hit people we know. If you are in crypto, you have a very high likelihood of being targeted. If you are in a senior position at a tech company, you have a high likelihood of being targeted. If you know either one of us, you have a very high likelihood of being targeted. We're going to explain exactly, step by step, what you can do to minimize your exposure.
But first, let's look at what you have to lose. There are multiple attack vectors, all of which are very, very bad:
1. If you have crypto on an exchange, and all you have is SMS (phone number) 2FA, then it is relatively easy for a hacker who controls your phone number to get past the login and withdrawal checks and transfer all your crypto into their own account.
2. If a hacker gets control of your files on Dropbox or Google Drive, either your personal account or your company's, you could be subject to blackmail.
3. If a hacker gets control of your Messenger, Skype, or other social media account, they can impersonate you to extract money from your friends, and/or blackmail you.
4. Even if the hacker gains nothing from it, the mere fact of having been hacked causes reputational damage and loss of confidence among your friends, family, and work colleagues.
As you can see, there are multiple ways in which this is extremely bad.
Step 1: Move all your passwords to 1Password
The average tech worker today uses 20+ online services on a daily basis for social networking, productivity, entertainment, domain name registration, banking, crypto exchanges and travel. A high percentage of us use the same relatively simple password for all of these services, and the inertia of changing passwords on 20+ services keeps that one password in place for years.
Password managers, including our favorite 1Password, replace this with a single encrypted vault in which each service gets its own unique, long (20+ character) random password. The vault is unlocked with one master password that only you know (1Password additionally combines it with a Secret Key generated on your device), so the one secret you actually have to remember is never reused anywhere and never stored by any other service.
The first step in your security audit is to move every password you have into 1Password, protected by a master password that is truly unique to 1Password and used nowhere else. Then, for each service, generate a separate "hard" random password of 20+ characters and change the service over to it.
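The audit that Step 1 asks for (which services share a password, which passwords fall below the 20-character bar, and what a replacement of the required strength looks like) can be scripted. The following is an added example, not code from the original post or from 1Password; the CSV column layout `title,username,password` and the entries in it are constructed for the illustration and do not correspond to any real password manager's export format.

```python
import csv
import io
import math
import secrets
import string
from collections import defaultdict

MIN_LENGTH = 20  # the post's "20 char+" bar for per-service passwords

# Constructed sample vault export (assumed layout: title,username,password).
# Three services share one weak password; GitHub has a unique but short one.
SAMPLE_EXPORT = """title,username,password
Facebook,fred@example.com,Summer2019!
Twitter,fred@example.com,Summer2019!
Bank of America,fred,Summer2019!
GitHub,fredk,x7Qz9Lm2Pw4RtY8u
Dropbox,fred@example.com,k9PqR2sT4vWx6yZa8bCd
"""

# Symbol set used for generated replacements: 52 letters, 10 digits, 32 punctuation = 94.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def load_vault(csv_text):
    """Parse the constructed CSV into a list of (title, username, password)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(r["title"], r["username"], r["password"]) for r in reader]


def find_reused(entries):
    """Map each password used by more than one service to the services sharing it."""
    by_password = defaultdict(list)
    for title, _user, pw in entries:
        by_password[pw].append(title)
    return {pw: titles for pw, titles in by_password.items() if len(titles) > 1}


def find_short(entries, min_length=MIN_LENGTH):
    """Services whose password is shorter than the required minimum."""
    return [title for title, _user, pw in entries if len(pw) < min_length]


def generate_password(length=MIN_LENGTH):
    """Replacement password drawn from the OS CSPRNG, one independent symbol per position."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password of `length` symbols over `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def audit(csv_text):
    """Run both checks over a vault export and return the findings."""
    entries = load_vault(csv_text)
    return {"reused": find_reused(entries), "short": find_short(entries)}


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    for pw, sites in report["reused"].items():
        print(f"one password reused across {len(sites)} services: {', '.join(sites)}")
    for site in report["short"]:
        print(f"{site}: password shorter than {MIN_LENGTH} chars; "
              f"suggested replacement {generate_password()}")
    print(f"a {MIN_LENGTH}-char random password over {len(ALPHABET)} symbols "
          f"has about {entropy_bits(MIN_LENGTH):.0f} bits of entropy")
```

The generator uses `secrets`, not `random`, because the latter is not a cryptographic source; a 20-character password over 94 symbols carries roughly 131 bits of entropy, far beyond what any online or offline guessing attack can cover.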
Step 2: Get a PAID Google Voice account
The second step to limiting the damage from SIM-card fraud is to stop depending on your primary cell phone number. At the end of the day, it may not be possible to stop your number from being ported, but it is possible to minimize the consequences. The way to do that is to sign up for a separate Google Voice number that is in no way connected to your main phone account.
To do this, go to G Suite, create a paid domain / email account, and add a Google Voice number to that "one-person company". This has three great consequences: it gives you an email address that you will use only for password recovery, it gives you a phone number that has no SIM card and therefore cannot be SIM-swapped at a carrier store, and it gives you 24/7 support in case the Google account behind it is hacked. That number is only as safe as the Google account that owns it, so protect the account with a 1Password-generated password and app-based 2FA (Step 4), never with a phone number.
Note: it is imperative that this new Google Voice account and email NOT be connected to your old number in any way, not even as a recovery phone. Otherwise it defeats the entire purpose.
Step 3: Make sure all your web services use the Google Voice number and the new special-purpose email
Once you have created your completely separate email / Google Voice recovery credentials, you need to make sure that all your web services use them. In particular:
Social and chat:
- Facebook, Twitter, LinkedIn, Quora, Skype, WhatsApp, Slack, Discord
Productivity and developer tools:
- Google, Adobe, Trello, Dropbox, GitHub
Travel:
- Orbitz, Expedia, Priceline, Hotels, TripIt
Entertainment:
- Fandango, Netflix, Spotify
Banking and financial:
- Bank of America, Wells Fargo, Schwab, E*TRADE
The main thing is that NONE of these services should have account recovery that points to your main phone number. Work on the basis that you will be SIM-swapped: assume somebody already has access to your primary phone account, and now minimize the collateral damage.
Step 4: In every case where you have the option, use Google Authenticator / Authy
In particular, for every crypto exchange, SMS 2FA is absolutely not sufficient: the codes go to whoever holds your phone number. Use an app-based (TOTP) authenticator instead; its codes are computed on the device from a shared secret and the current time and never touch the phone network. We personally prefer Authy over Google Authenticator, because Authenticator relies on the phone being there, while Authy's encrypted backups can be restored if you lose your phone. If you use Authy, set a strong backup password (kept in 1Password) and turn off multi-device once your devices are enrolled, because Authy registers devices by phone number, and that number is exactly what a SIM swapper controls.
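To show why an authenticator app is immune to a SIM swap, here is the TOTP algorithm (RFC 6238 on top of RFC 4226 HOTP) that Google Authenticator and Authy implement, written out as an added example; this is not code from the original post or from either app. It uses the RFC 6238 test secret `12345678901234567890` so the outputs can be checked against the published vectors, and the `verify()` function, with its one-step tolerance window, is an assumption about how a typical server checks codes rather than any particular exchange's implementation.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, algorithm=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(unix_time) // step, digits, algorithm)


def decode_base32_secret(b32):
    """Apps receive the shared secret as base32 (in the otpauth:// QR code); normalise and decode it."""
    b32 = b32.strip().replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)  # restore padding that QR payloads usually omit
    return base64.b32decode(b32)


def verify(secret, submitted, unix_time, window=1, step=30):
    """Server side (assumed policy): accept the current step and `window` steps either side,
    comparing in constant time so the check leaks nothing about the expected code."""
    counter = int(unix_time) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return True
    return False


# RFC 6238 Appendix B test secret. A real enrolment secret is random and lives only
# on the device and the server; nothing about it ever travels over SMS or the carrier.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    # Published 6-digit vectors (truncated from the RFC's 8-digit ones)
    print(totp(RFC_SECRET, 59))          # 287082
    print(totp(RFC_SECRET, 1111111109))  # 081804
    # Enrolment: the app stores the base32 secret from the QR code, not a phone number
    qr_payload = base64.b32encode(RFC_SECRET).decode()
    now = time.time()
    code = totp(decode_base32_secret(qr_payload), now)
    print(verify(RFC_SECRET, code, now))  # True
```

Note what a SIM swapper gets from this scheme: nothing. The secret is provisioned once over HTTPS and the QR code, every later code is derived locally from that secret and the clock, and the phone number plays no part. That is the property SMS 2FA lacks.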
Step 5: Minimize crypto left on exchanges. Use a hardware wallet
Don't leave large amounts of crypto on centralized exchanges, or on software / mobile wallets. Move any meaningful amount of crypto to a hardware wallet.
Step 6: Call your phone provider and ask to be put on an ultra-secure list
Both T-Mobile and AT&T have special account settings under which a number cannot be ported out unless the account holder comes into a store and presents physical ID. (In the case of AT&T, a caller is given four attempts at a code before this is applied.)
In and of itself this is not sufficient, but it is helpful as a final layer.