Last week I came across this pretty scary article on Twitter. The author, Matthew Miller, tells the story of how he got “SIM swapped” and lost access to his Twitter and Gmail accounts, had his personal files and documents from Google Drive deleted and $25,000 stolen from his bank account.
Don't want to read this post, listen to the podcast instead:
This episode of the Paul Minors Podcast is sponsored by TextExpander.
Most people I talk to are far too casual when it comes to protecting themselves and their data online. Either because they think “it won’t happen to me” or because taking steps to protect themselves is seen as too much of a chore.
But imagine if you lost access to your email or personal documents. Or worse, if it was all deleted. A few years ago I read a story about someone who lost all their iCloud data including all their family photos. Getting hacked like this would turn your world upside down. And if you run a business online (like me), then even your income could be at risk.
The frustrating thing about this story is at the end, Matthew lists all the really simple things he did wrong that left him exposed.
In this post, I’d like to list some simple things you can do to protect yourself and your data. I would view the following list as the bare minimum you should be doing. If you’re not following these guidelines, you could be putting your digital life at risk.Protecting your digital life is easier than you think. Here's a checklist to get you started.Click To Tweet [toc]
1. Use strong, unique passwords for everything
This is probably the #1 piece of advice that I’m sure you’ve heard before (I can literally picture you rolling your eyes). But it’s such a simple thing you can do to drastically improve your online security.
At the end of the hacking story, Matthew says: “Consider using password manager”. In my view, don’t “consider” it. Just do it!
Most people use the same password, or variations of that password, for every website and service they sign up for. What this means is that if one website is hacked, the password that you use for a bunch of services is now available for the bad guys to take advantage of.
And if you think this is unlikely, think again. Dropbox and LinkedIn have both been hacked in the past. As a result, millions of username and password combinations were made available to purchase on the dark web. You can even visit haveibeenpwned.com to see if your password is available on the dark web. If it is, you might want to change it.
The solution is to create a strong password (a 20+ character combination of numbers, letters and characters) that’s unique for every service you use.
And there is no easier way to do this than signing up for 1Password. A few weeks ago I wrote about how to get started with 1Password. Even if you don’t change every password immediately, just starting with your email, banking and other important accounts would be a great start.
2. Turn on 2-factor authentication (avoid SMS authentication if you can)
Now that you’ve set up strong, unique passwords, the next step is to turn on 2-factor authentication for any accounts that allow it (which most do). This means that even if a hacker has your password, they would still need a one-time use 6-digit code to log into your account.
These 2FA codes can be sent to you as a text message or via an authenticator app like 1Password.
In my opinion, you should be using the latter option. The reason Matthew was hacked is because the hacker was able to swap his phone number to a new SIM by calling T-Mobile. This meant they were able to reset a load of passwords or gain access to 2FA codes via Matthew’s phone.
With 1Password, you can set up 2FA codes which means instead of waiting for a text message to arrive, you can quickly input the login code using a keyboard shortcut. Once you’re set-up, it’s very fast to log in to your accounts even with 2FA enabled.
3. Talk to your cell provider about “SIM swapping”
As the article describes, the entire hack was possible because the hacker called T-Mobile and was able to transfer Matthew’s phone number to a new SIM that the hacker controlled.
In another case, a hacker was able to get access to the victim's iCloud account by learning the customer's credit card numbers after calling the Amazon support line.
In both bases, these various companies were able to hand over the keys to a customers account after the hacker navigated a few simple loopholes. Obviously, the companies we trust with our data should be doing more, but they usually don’t. So it’s up to you to protect yourself.
After reading this story, I called my cell phone provider and asked them about the process of swapping a phone number to a new SIM. They assured me that before a phone number can be swapped, you have to confirm the action by repeating a code that’s sent to the original phone (the one in your possession).
It may seem like an unnecessary thing to do, but I certainly don’t mind making a quick 10-minute call to make sure my provider is looking after my data.
4. Backup multiple copies of your important documents and data (cloud storage doesn't count)
In the story, Matthew lost access to his Google account including Google Drive where he kept personal documents, passwords and data. The hacker then deleted all this information. Gone.
Matthew is now struggling to get support from Google so he can recover his account.
Again, most people I talk to don’t back up their documents and data even though it’s so easy.
Firstly, Dropbox, Google Drive and Onedrive do not count as a backup. Yes, they might mean you can quickly get access to your data if you lost or damaged your computer, but it’s not really a proper backup (as the story illustrates).
If you're on a Mac, you can use Time Machine to backup your documents and photos to an external hard drive. And if you’re on a PC, after a quick Google search I found Zinstall which does the same thing.
As well as Time Machine, I also use Backblaze (affiliate link) as a secondary backup. Backblaze encrypts and copies my documents and data to their secure backup facilities. If you ever lose my computer, Backblaze will send you a hard drive with a clone of your computer drive on it.
You can lose access to your accounts. Hard drives can break. This is why it’s so important to have multiple backups of your data.
To learn more about different backup strategies, I highly recommend this episode of the Mac Power Users podcast.
5. Make sure you can recover passwords
When you sign up to services like 1Password, you get given a “secret key” which you need to login to your account. Without this code, you can’t get access to your passwords and not even 1Password can help by resetting your master password.
So, if you do sign up to 1Password, make sure you backup this secret key by printing it out (don’t keep a copy stored online) and giving it to trusted friends or family.
It’s the same when you create a Bitcoin wallet. You get given a 12 or 24 word recovery phrase which can be used to recover your funds.
I now have these recovery words stored with different family members so that even if I lose my computer or our house burns to the ground, I still have access to my passwords.
Again, it’s one of these little extra steps that people often skip. But it would be a real shame to go to all this effort to protect yourself only to lose access to your passwords later.
6. Never login to websites with Facebook or Twitter
Finally, if you ever see the option to log in to a website using Facebook or Twitter, avoid these buttons like the plague.
Websites include these buttons so they can get access to your data like your name, age and interests. It helps them to streamline the experience for you. But it means that if your Facebook or Twitter account is compromised like Matthew’s was in the article, you could lose access to all the accounts that you log in to with this social account.
Instead, choose the option to log in with an email address, set up a strong unique password and store this in your chosen password manager.
I know that some of this might be hard to hear and setting up a password manager or backing up documents seems like a chore. But it’s far better than the alternative which is losing access to your entire digital life.
Privacy is a pretty hot topic in the tech sphere right now which is why I do whatever I can to take ownership of my information and protect myself online.
Please let me know if you have any questions about the above in the comments below.