Here at Version One, we had two nightmarish weekends in early February when our accounts were hacked by pretty sophisticated and aggressive hackers. As we’ve since learned, hackers love weekends, because it’s a time when targets may not realize the hack right away and the customer service at service providers is limited. But thanks to very immediate help from Google, Twitter and other organizations, we were able to regain control of our accounts pretty quickly.
Through the process, we’ve learned quite a bit about safeguards to prevent these kinds of hacks from happening – and here are some key lessons that everybody should take to heart:
- Do NOT use 2FA (two-factor authentication) with text messages. Our experience has shown that there is really no safe way to protect your phone number from a SIM swap attack, and it happens all the time. Some of the most aggressive hackers use fake documentation to pretend to be you, and neither the tech nor the customer service at mobile carriers is currently well set up to prevent such fraud. Once hackers have control of your phone number, they can use the password recovery process to take over the account. If you take away just one piece of advice from this blog post, it should be “Do NOT use 2FA with text messages – remove your phone number from any recovery mechanism” 🙂
- While you are eliminating a big piece of risk by not using text messages as a 2FA method, you should still protect your mobile carrier account: please put a PIN on your account plus a lock, if your carrier offers that option.
- Use an authenticator app wherever you can. Services will offer ‘backup codes’ in case you don’t have access to your authenticator app. Write them down or print them, then store them in a safe place (ideally, a safety deposit box). In addition to these steps, you can also get a physical dongle/key like a YubiKey or Google Titan.
- Follow these steps for all of your key accounts: email, Facebook, Twitter, Dropbox, bank accounts, PayPal, domain registrars, etc. As we found out, domain registrars are actually a dangerous point of attack: if a hacker is able to take over the account (again, via 2FA over text messages), he/she can change the email (MX) records for your domain and suddenly have control of all incoming emails without having to hack into your Gmail.
- Use a password manager like 1Password or Dashlane. There have been so many hacks of large sites out there that there is a chance that hackers have access to your email and a password that you have been using on one of those sites. Given that we all have used the same / similar password on other sites, you are at risk of getting hacked.
- Use the opportunity of setting up your password manager to change all of your passwords for all of your accounts.
- Take a minute to delete accounts that you no longer use but that might still hold sensitive information.
- On the topic of passwords, we also recommend not storing your passwords in Google Chrome. If your Gmail account gets hacked, you immediately give the hacker access to all of your accounts (Chrome even offers the option to export this data, so it can be saved and used at a later stage).
- Consider making your primary phone number private and giving out an alias number with services like Google Voice (which works in the US).
- And for those of you who use Google Suite (or a similar service), make sure that your public accounts / email addresses do not have super/admin privileges. You can create an admin account like firstname.lastname@example.org and then make email@example.com a “regular” user. That’s because if hackers get hold of an admin account, they can lock out everyone else related to you and your org.
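A check a defender can run against the registrar-takeover scenario in the list above, as an added example that is not part of the original post: it parses `dig +short MX` output for a domain and compares it with a known-good baseline, flagging any unexpected mail host. The baseline, the domain and the sample output are constructed placeholders, not Version One's records.

```python
import re

# Constructed known-good baseline: the MX records the registrar's DNS should
# serve for each domain (example.org is a placeholder; use your own domains).
BASELINE_MX = {
    "example.org": {(1, "aspmx.l.google.com."), (5, "alt1.aspmx.l.google.com.")},
}

# One line of `dig +short MX <domain>` output looks like "1 aspmx.l.google.com."
_MX_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_mx_lines(text):
    """Parse `dig +short MX` output into a set of (priority, host) tuples."""
    records = set()
    for line in text.splitlines():
        m = _MX_LINE.match(line)
        if not m:
            continue  # skip blank lines and anything that is not an MX record
        # Normalise case and the trailing dot so cosmetic differences are not drift.
        host = m.group(2).lower().rstrip(".") + "."
        records.add((int(m.group(1)), host))
    return records


def mx_drift(domain, observed, baseline=BASELINE_MX):
    """Compare observed MX records with the baseline and report drift.

    Lower MX priority values win, so an unexpected record whose priority is
    at or below the legitimate hosts' best value is the classic sign of mail
    being redirected; it is reported separately as 'preferred_unexpected'.
    """
    expected = baseline.get(domain)
    if expected is None:
        raise KeyError(f"no MX baseline recorded for {domain}")
    observed = set(observed)
    added, removed = observed - expected, expected - observed
    best_expected = min(prio for prio, _ in expected)
    return {
        "ok": not added and not removed,
        "added": sorted(added),
        "removed": sorted(removed),
        "preferred_unexpected": sorted(h for p, h in added if p <= best_expected),
    }


if __name__ == "__main__":
    # Constructed sample of what a rogue registrar change could look like.
    SAMPLE = "0 mx.rogue.invalid.\n1 aspmx.l.google.com.\n5 alt1.aspmx.l.google.com.\n"
    print(mx_drift("example.org", parse_mx_lines(SAMPLE)))
```

Run it from cron with the live `dig +short MX yourdomain` output piped in, and alert on anything other than `"ok": True`.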
And the last piece of advice you should take away from this blog post: don’t just read it but reserve a few hours today or tomorrow to actually do these things. Believe us, it is a very good investment 🙂
P.S.: Funnily enough, we recently invested in a company that provides managed security for small- and medium-sized companies that cannot afford a full-time security expert on staff but want to get ahead of any potential attacks on their software / network. We will be able to share more about this company in the upcoming weeks and months but this attack has certainly confirmed our investment thesis.