Step by step guide to Personal Internet Security

Updated June 10, 2019
Fred Krueger and Ben Sigman

In the last few months, a very large number of SIM-swapping and identity theft cases have been happening to people we know. If you are in crypto, you have a very high likelihood of being targeted. If you are in a senior position at a tech company, you have a high likelihood of being targeted. If you know either one of us, you have a very high likelihood of being targeted. We’re going to explain exactly, step by step, what you can do to minimize your exposure.

But first: let’s analyze what you have to lose. There are multiple attack vectors, all of which are very, very bad:

1. If you have crypto on an exchange, and all you have is phone 2FA, then it’s relatively easy for a hacker with control of your phone to transfer all your crypto into their account.

2. If a hacker gets control of your files on Dropbox or Google Drive, either personally or at your company, you could be subject to blackmail.

3. If a hacker gets control of your Messenger, Skype, or other social media account, they can extract money from your friends, and/or blackmail you.

4. Even if the hacker gains nothing from it, the fact of getting hacked can cause reputational damage and loss of confidence among your friends, family, and work colleagues.

As you can see, there are multiple ways in which this is extremely bad.

Step 1: Move all your passwords to 1Password

Password managers, including our favorite, 1Password, replace your scattered list of passwords with a master database in which each service gets a unique password of 20+ characters; one central key is used to decode the database, and one “master password” is used to access the list online.

The first step in your security audit is to move your entire list of passwords into the 1Password application, protected by a password that is truly unique to 1Password. For each application, choose a separate “hard” password of 20+ characters.

Step 2: Get a PAID Google Voice Account

To do this, go to G Suite, create a paid domain / email account, and add a Google Voice account to that “one person company”. This has three great consequences: it gives you an email address that you will use only for password recovery, it gives you a phone number that is not swappable, and it gives you 24/7 support in case your Google Voice email gets hacked.

Note: it is imperative that this new Google Voice account or email NOT be connected to your old number. Otherwise it defeats the entire purpose.

Step 3: Make sure all your web services use the Google Voice number and the new special purpose email

Social and Chat:
- Facebook, Twitter, LinkedIn, Quora, Skype, WhatsApp, Slack, Discord

Productivity:
- Google, Adobe, Trello, Dropbox, GitHub

Travel:
- Orbitz, Expedia, Priceline, Hotels, TripIt

Entertainment:
- Fandango, Netflix, Spotify

Commerce:
- Amazon

Banking + Financial:
- Bank of America, Wells Fargo, Schwab, E*Trade

Note that the main thing is that NONE of these services should have account recovery that points to your main phone number. You need to work on the basis that you will be sim swapped. Assume somebody has access to your primary phone account. Now minimize collateral damage.

Step 4: In every case where you have the option, use Google Authenticator / Authy

Step 5: Minimize Crypto left on exchanges. Use a hardware wallet

Step 6: Call your Phone Provider and ask to be put on an ultra-secure list

In and of itself this is not sufficient, but it is helpful as a final step.
