Your primary phone number and email address are far more valuable than you think. As our reliance upon online services continues to grow, these two data points are extremely common means of authentication. If either one is compromised, an attacker can do bad things. If those two factors are tied too closely together, it’s game over for your online identity.
You don’t have to be the next victim. With a little effort and, yes, a little expense, you can lock down the security of crucial online services. Having your identity stolen can be a nightmare, and cleaning up the mess can take months. You can make life difficult for a would-be identity thief by locking down these five key aspects of your online life.
1. SPRUCE UP THE SECURITY ON YOUR MOBILE ACCOUNT
SIM-swapping tricks work because hackers can learn enough about you to social-engineer their way through the normal security checks that keep your account from being compromised.
Accordingly, your first line of defense is to tell your mobile provider that you want them to be extremely cautious, even paranoid, about the security of your account.
Every U.S. mobile provider has the option to add a separate security PIN or password to your account. Do it. This is different from a SIM password/PIN, which prevents your physical SIM card from being removed and automatically activated in another device.
Finally, ask your mobile provider if there’s a way to flag your account for extra security to prevent unauthorized number porting or SIM-swapping. The most inconvenient scenario is that you’ll have to show up personally at a local office, with photo ID, to recover from a damaged device.
2. DON’T TRUST YOUR IMPORTANT EMAIL TO A FREE CONSUMER-GRADE SERVICE
Google and Microsoft are the world’s two largest email providers, with both consumer and business-grade subscriptions. The two types of products are superficially similar, so it’s easy to just set up a free Gmail or Outlook account and save the money, right? I mean, what do you really get with the for-pay business-grade account?
The critical difference is ready access to support. With a free Gmail or Outlook account, you have almost no support options except to fill out an online form and pray that someone handles it. You really deserve better, so we recommend you pay for a business account.
A G Suite Basic account costs $6 a month and looks exactly like the free Gmail product. Google’s G Suite support page notes, “24/7 support from a real person is included with your paid subscription to G Suite.”
Microsoft’s Office 365 Business Essentials subscription, which includes a 50 GB mailbox, a custom email domain address, and 1 TB of OneDrive for Business cloud storage, is an even better deal at $5 per month. You can also get those services as part of an Office 365 Business Premium subscription for $12.50 per month, which includes Office apps for five Windows PCs or Macs and five tablets.
For any of those Office 365 plans, phone support for Critical issues (events that prevent you from accessing or using your services or data) is available 24/7, with a one-hour response time commitment.
Oh, and one more crucial benefit: a cybercriminal who manages to crack your business email account doesn’t have access to your administrative console; they might be able to change your password, but they can’t delete your account. In fact, using those admin tools, you can lock down a compromised account immediately, preventing any further damage.
3. DON’T SAVE PASSWORDS IN YOUR BROWSER
We have a firm belief that using a third-party password manager is one of the most valuable security precautions you can take. Having a unique, impossible-to-guess password for every service you use is an excellent way to prevent the most common forms of attack.
However, all that security goes right out the window if those passwords are stored with your Google or Microsoft account and can be unlocked by anyone who compromises that account. That has unfortunately been the case for many victims: when hackers compromised their Google accounts, they gained access to all of the victims’ saved passwords and banking account information. This nightmare isn’t possible with a well-designed third-party password manager.
A great option is 1Password, which requires a unique security key in addition to a username and password before allowing access to passwords on a new device. Even if a hacker managed to steal your 1Password login credentials, they wouldn’t have your private security key: that 32-character alphanumeric string should be stored in a safe place, like on a piece of paper in a locked file cabinet. No security key, no passwords.
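To show why stolen login credentials alone are not enough, here is an added illustration (not 1Password’s own code or algorithm) in stdlib-only Python: the vault key is derived from both the master password and the locally held secret key, so a thief holding only the password gets a key that fails the vault’s integrity check. The toy cipher, PBKDF2 round count, and sample password, secret key and vault contents are all constructed for the demo.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # constructed demo value, not a product parameter

def derive_vault_key(password: str, secret_key: str, salt: bytes) -> bytes:
    """XOR a password-derived key with a secret-key-derived key."""
    # Missing either secret gives a key that is wrong in every dependent bit.
    from_password = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ROUNDS, dklen=32)
    # The secret key is long and random, so a single HMAC suffices here.
    from_secret = hmac.new(secret_key.encode(), salt, "sha256").digest()
    return bytes(a ^ b for a, b in zip(from_password, from_secret))

def _subkeys(key: bytes):
    # Separate keystream and tag keys (domain separation).
    return (hmac.new(key, b"enc", "sha256").digest(),
            hmac.new(key, b"mac", "sha256").digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with an HMAC-SHA256 keystream (stdlib-only toy cipher)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    return nonce + ciphertext + hmac.new(mac_key, nonce + ciphertext, "sha256").digest()

def open_sealed(key: bytes, blob: bytes):
    """Return the vault contents, or None when the key is wrong (tag mismatch)."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))

def demo():
    # Seal a vault, then open it with both secrets and with the password alone.
    salt = secrets.token_bytes(16)                    # stored next to the vault
    password = "correct horse battery staple"         # constructed sample
    secret_key = "DEMO-SECRET-KEY-NOT-REAL-000000"    # constructed sample
    vault = seal(derive_vault_key(password, secret_key, salt), b"bank: hunter2")
    return (open_sealed(derive_vault_key(password, secret_key, salt), vault),
            open_sealed(derive_vault_key(password, "", salt), vault))
```

Running `demo()` returns the vault contents for the legitimate user and `None` for the password-only attempt, which is the "no security key, no passwords" property in miniature.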
If you’ve got passwords saved in Google Chrome, Internet Explorer, Mozilla Firefox, or Microsoft Edge, delete them after you’ve set up a third-party password manager. Every browser has the option to export saved passwords before you take this irrevocable step, an option that could be valuable if you save those exported credentials in a safe place that isn’t tied to your cloud storage.
- In Chrome (or in the Chromium-based Edge browser), press Ctrl+Shift+Delete to open the Clear Browsing Data dialog box. Click the Advanced tab, choose All Time for the Time Range, select the Passwords and Other Sign-in Data option, and then click Clear Data.
- In Microsoft Edge, press Alt+X to open the Settings And More menu, then click Settings. Select the Privacy & Security tab and click Clear Browsing Data. Select Passwords and then click Clear.
- Unlike its rivals, Firefox includes an option to protect your saved passwords with a unique Master Password that’s not tied to your Mozilla account. That might make this option acceptable to you, but if you’re not comfortable and you want to delete all saved passwords, click the menu button, click Logins And Passwords, and click Remove All.
Of course, you want to make sure that whatever third-party password manager app you’ve chosen can’t be compromised by someone who has access to your mobile account or email. That’s inconvenient for you, no doubt, but an absolutely essential precaution.
4. DISCONNECT YOUR TELEPHONE NUMBER FROM CRUCIAL AUTHENTICATION SCENARIOS
The reason SIM-swapping has such a devastating impact on your identity is that your phone is typically the first device that a service will use to help you reset your password.
Whenever possible, remove the option to use that phone as proof of identity and use an authenticator app or a saved code you previously generated. This strategy forces you to use a trusted device as an authenticator. A hacker who has a SIM-swapped phone number or an email password doesn’t have a trusted device and is thus locked out.
- In the G Suite admin console, go to Advanced Security Settings, turn on 2-step verification, and then, under Allowed 2-Step Verification Methods, choose Any except verification codes via text, phone call.
- For an Office 365 Business or Enterprise subscription, go to the Additional Security Verification page (https://account.activedirectory.windowsazure.com/Proofup.aspx) and remove your primary phone as an authentication method.
In both services, you can and should set up Google Authenticator or Microsoft Authenticator on at least one and preferably two or more trusted devices.
For online services that require SMS-based authentication, consider using a Google Voice number (or another alternate SMS option) tied to an email account that’s completely separate from your primary address. Those codes would not be available to an identity thief even if he had stolen your primary phone number.
5. BACKUP, BACKUP, BACKUP AND SYNC, SYNC, SYNC
Probably the most heartbreaking part of victims’ hacking stories is the possibility that they lose not just tax returns and other important documents stored in Google Drive, but also thousands of photos that may be lost forever if Google won’t work with them to get their account back.
The most important part of any backup strategy is ensuring that a single point of failure doesn’t cause you to lose data. A cloud-based service is an excellent way to prevent fire or flood from destroying your local copies, but human error, a configuration mistake, or forgetting to pay the annual subscription fee can cause some or all of those files to disappear.
Save the really important stuff, like family photos, in at least two cloud locations: iCloud and OneDrive, for example, and keep a local backup of those files, just in case!