Protecting your online accounts is no easy task, but you have to be thinking about it. You have to protect your identity and you have to protect your assets. Don’t expect the banks or anyone else to do it for you either; technology changes so fast that they usually have a hard time keeping up. You need to be proactive about your own online security.

With things changing so often it is hard for the average person to keep up. One day something is considered secure and the next day experts are recommending something else. Sometimes the new way really is better, and sometimes the old way turned out to be exploitable. Either way, there is too much going on right now to ignore online security. Please take it seriously.

Unless you’ve been living under a rock you probably have a few things that you do online. Maybe you do your banking online, maybe you access your social accounts, or maybe you’re delving into digital currencies like Bitcoin. If you do anything online you’re at risk of being hacked. Don’t think that it won’t happen to you. Instead, be ready for it.

How to protect yourself, the paranoid hacker

If you do a little research on hacking you’ll come across a lot of information. Try searching for the name of your email provider together with the word “hack” and see what you get. Try the same with your bank and any other account that holds sensitive information. You’re going to find a lot.

I don’t pretend to know everything about hacking because that’s not my expertise. However, I do a bunch of “white hat” hacking every now and then as a hobby. I’m always reading new trends about hacks and security because I’m both interested in it and I want to keep my accounts safe on the internet.

A true hacker will tell you though that nothing is 100% secure. Unless you get rid of all your electronics (maybe not even that will do it) you’re not ever going to be 100% safe from hacking. Not yet anyway. I hope we get there one day, but we’re not there yet. We do have more choices these days for security though.

What would a paranoid hacker do to protect their online accounts?

So, what do you do? That’s not an easy question to answer because we have experts on different sides of the fence on a few things. With that being said, I’m going to give you my opinion on what to do if you’re really paranoid (which is a good thing when it comes to security).

1- The first thing you should do is get yourself secure Google accounts

Why do you want these accounts? Because email is the key to many of your accounts online. Whenever you sign up anywhere they will almost always ask for your email address, and that same address is where the password-reset links get sent. Whoever controls your inbox can reset the password on most of your other accounts, so you had better secure it.

How does Google secure your email better than, say, Yahoo? Google lets you register a hardware security key (a U2F key) and lets you use an authenticator app (like Authy or Google Authenticator) to log in. It also lets you turn off SMS as a two-factor option entirely. That matters because SMS codes can be intercepted or redirected through SIM swapping and port-out fraud, where an attacker talks your carrier into moving your number onto their phone. If you’re not using 2FA (two-factor authentication) you should start now, wherever it is available to you.

2- Secure your accounts with good passwords and 2FA

Most likely you already know how to make a good, strong password, but if you’re not sure, do a little research. The main thing to understand is that length matters most: every extra character multiplies the number of guesses an attacker’s computer has to make. Don’t build your password out of dictionary words unless you string four or five of them together, chosen at random rather than by you, so that the words themselves are unpredictable. And use a different password for every account, so that one leaked database does not open the rest.
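To put numbers on the “longer is better” and “four or five random words” advice, here is an added example (not code from the original post) that generates a passphrase with Python’s CSPRNG and compares the entropy of a few password shapes against a constructed cracking speed of ten billion guesses per second. The toy wordlist, the 7776-word diceware size and the guess rate are assumptions for the demo, not figures from the page.

```python
import math
import secrets

# Constructed mini wordlist for the demo. A real diceware list has 7776 words;
# the entropy numbers below use that real size, not this toy list.
WORDLIST = ["anvil", "brisk", "cobalt", "dune", "ember", "fjord", "gravel", "harbor",
            "iris", "jumble", "kettle", "lumen", "marble", "nectar", "orbit", "pylon"]
DICEWARE_SIZE = 7776                     # 6^5 words, one per five dice rolls
PRINTABLE_ASCII = 95                     # letters, digits and symbols on a keyboard
MIXED_ALNUM = 62                         # upper + lower + digits


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy, in bits, of `length` symbols each drawn uniformly at random
    from an alphabet of `alphabet_size`. Only holds for *random* choice;
    a phrase you pick yourself is far weaker than this number suggests."""
    return length * math.log2(alphabet_size)


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the right guess: on average half the space is searched."""
    guesses = 2 ** bits / 2
    return guesses / guesses_per_second / (365 * 24 * 3600)


def generate_passphrase(words: list, count: int = 5, sep: str = "-") -> str:
    """Pick `count` words with the CSPRNG in `secrets`, never with `random`,
    whose Mersenne Twister output is predictable once a few values leak."""
    return sep.join(secrets.choice(words) for _ in range(count))


def compare(guesses_per_second: float = 1e10) -> dict:
    """Rank a few password shapes by the years an offline cracker at the given
    speed (constructed figure: a GPU rig against a fast hash) needs on average.
    Returns {shape: (bits rounded to 0.1, expected years)}."""
    shapes = {
        "8 mixed alphanumerics": entropy_bits(MIXED_ALNUM, 8),
        "12 printable ASCII": entropy_bits(PRINTABLE_ASCII, 12),
        "4 diceware words": entropy_bits(DICEWARE_SIZE, 4),
        "5 diceware words": entropy_bits(DICEWARE_SIZE, 5),
    }
    return {name: (round(bits, 1), expected_crack_years(bits, guesses_per_second))
            for name, bits in shapes.items()}


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(WORDLIST))
    for name, (bits, years) in compare().items():
        print(f"{name:24s} {bits:5.1f} bits  ~{years:.3g} years")
```

At that constructed rate, four random diceware words (about 52 bits) fall in days, while five words (about 65 bits) take decades; that is the difference the “4 or 5” in the advice is hiding, and it only holds when the words come from `secrets.choice`, not from your head.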

You need to turn on two-factor authentication. Google gives you the option to use a U2F hardware security key (something like the YubiKey). Use that option everywhere you can. Most definitely use it with your Gmail accounts (yes, I do mean “accounts” plural, more on that later). Unlike a code you type in, a U2F key signs a challenge that is bound to the site’s real domain, so a look-alike phishing page cannot collect a response it can use.

If you don’t have the option to use a hardware security key then you should use an authenticator app (Authy and Google Authenticator are good options). This is your next best option for 2FA. If that isn’t available either, you need to weigh whether SMS 2FA is worth the risk. Most experts will tell you that any 2FA is better than no 2FA, so use SMS 2FA if you must. Just understand that it is more easily compromised: the code only protects you as long as nobody can convince your phone company to hand your number to someone else.

3- Secure your phone account

This brings me to the next thing you should do, and that’s getting your phone account as secure as possible. All the major carriers have had problems with customers getting their phone numbers hijacked. All it takes is one employee who isn’t following procedure to put you in jeopardy. You should assume that if a hacker wanted access to your phone number they could get it.

However, that doesn’t mean you should make it easy for them. You can do a few things. Set up a password or PIN on the account that a service rep has to ask for before making any changes. If your carrier offers a port-out freeze (sometimes called a number lock), turn it on so the number cannot be moved to another carrier until you lift the freeze. If you can lock SIM changes the same way, lock them. Let the carrier know you’re at risk of being targeted and have them put a note on your account.

If you’re really paranoid then you could consider switching to a carrier where account changes go through authenticated self-service rather than a human rep who can be socially engineered into moving your number. Something like Google Fi could be an option.

You could also consider getting a separate phone line that you use only for security. Never hand that number out to anyone. Keep it private, and attach it only to sensitive accounts.

A similar solution is to get a Google Voice number to hide your true number. You would port your existing public number to Google Voice, then get a new, secret number from your phone company and link that number to your Google Voice account. People would still reach you at the original number, only now it is a Google Voice number that forwards calls to your new phone number, which you keep private. Since the public number now hangs off a Google account, that account needs the same hardware-key 2FA as everything else.

4- Compartmentalize your accounts

You will want to keep your accounts separate whenever possible. Think about how you do email right now. If I had access to your email account, could I go to a bunch of your sensitive accounts and request a password reset that gets sent to that address? If I could, you need to change that now.

The more you’re willing to compartmentalize, the harder it will be for a hacker to get into all your accounts. Don’t hand them the keys to everything with one email address. If you’re really paranoid then make yourself a new Gmail account for every single sensitive account you have. Never associate that Gmail account with anything else.

Of course, you turn on 2FA for the Gmail account, and you also have to be sure to remove all password recovery options (recovery phone and recovery email). You’re making it harder on yourself to get back in if you ever forget your password, but that also makes it harder on the bad guys. Because you have closed the recovery doors, register at least two hardware keys and keep Google’s printed backup codes somewhere offline; a single lost key should not mean a lost account.

5- Get a new email address for your phone account plus other sensitive accounts

Getting a new email address for every single account might be a bit “too paranoid”, but it could save one of your sensitive accounts. The least you should do is get a new email account for your phone company and another for your high-risk accounts (banks, brokerages, and cryptocurrency exchanges).

Don’t forget to use a good password and 2FA with a hardware key on these email accounts. Don’t give the new addresses out to anyone except the places you’re going to use them. The phone company email account shouldn’t be used anywhere else and should be kept private.
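The point of sections 4 and 5 is that recovery paths form a graph, and the question to ask is which single node sits under several sensitive accounts at once. The following is an added example (not the author’s code) that models a constructed account inventory before and after compartmentalizing and reports the shared weak points. The account names, addresses and the “carrier portal resets via the inbox” loop are invented for the demo; login factors such as the hardware key are left out on purpose, because the graph is about how an account gets reset, not how it gets logged into.

```python
from collections import deque

# Constructed inventory (not the author's): each node maps to the things that can
# reset or recover it. Nodes are prefixed by type. Login factors such as the
# hardware key are deliberately absent: the graph models recovery paths, because
# that is the route an attacker who cannot phish you takes.
SENSITIVE = ["bank", "brokerage", "exchange"]

BEFORE = {
    "bank":                 {"email:me@example.com", "sms:+15550001111"},
    "brokerage":            {"email:me@example.com"},
    "exchange":             {"email:me@example.com", "sms:+15550001111"},
    "email:me@example.com": {"sms:+15550001111"},        # recovery phone on the inbox
    "sms:+15550001111":     {"carrier-portal"},          # a SIM swap goes through the carrier
    "carrier-portal":       {"email:me@example.com"},    # which resets via... the same inbox
}

AFTER = {
    "bank":                            {"email:bank-only@example.com"},
    "brokerage":                       {"email:broker-only@example.com"},
    "exchange":                        {"email:exchange-only@example.com"},
    "email:bank-only@example.com":     set(),   # recovery options removed, key-only login
    "email:broker-only@example.com":   set(),
    "email:exchange-only@example.com": set(),
    "sms:+15550001111":                {"carrier-portal"},
    "carrier-portal":                  {"email:carrier-only@example.com"},
    "email:carrier-only@example.com":  set(),
}


def reset_closure(graph: dict, account: str) -> set:
    """Everything whose takeover can cascade into resetting `account`
    (transitive, and safe on cycles like the inbox/carrier loop above)."""
    seen, queue = set(), deque(graph.get(account, ()))
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(graph.get(node, ()))
    return seen


def shared_weak_points(graph: dict, targets: list) -> dict:
    """Factors in the reset closure of two or more targets: one compromise, many accounts."""
    owners = {}
    for target in targets:
        for factor in reset_closure(graph, target):
            owners.setdefault(factor, set()).add(target)
    return {f: accts for f, accts in owners.items() if len(accts) > 1}


def report(graph: dict, targets: list) -> None:
    for target in targets:
        print(f"{target}: resettable via {sorted(reset_closure(graph, target))}")
    shared = shared_weak_points(graph, targets)
    print("shared weak points:", {f: sorted(a) for f, a in shared.items()} or "none")


if __name__ == "__main__":
    print("-- one inbox for everything --")
    report(BEFORE, SENSITIVE)
    print("-- compartmentalized --")
    report(AFTER, SENSITIVE)
```

In the “before” graph every sensitive account is resettable through the same inbox, the same phone number and the carrier portal, so a single SIM swap reaches all three. In the “after” graph each account’s closure is one dedicated inbox with no recovery options, and the phone number no longer leads anywhere that matters.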

6- Put your authenticator app on a separate smartphone

If you can’t use a hardware key when you log in then you’ll want to use an authenticator app (Authy or Google Authenticator, for example). Either of these is reported to do well. However, if you’re really paranoid then you don’t want your authenticator app on the same phone that logs into your accounts. Instead, get a separate smartphone just for that.

Maybe you have an old smartphone lying around. Wipe it clean and then install the authenticator app. Use this phone for nothing other than the authenticator app, and don’t put it online for anything else. Once you have the app set up you’re done, apart from keeping the phone’s clock accurate: the codes are computed from the current time, so a drifting clock produces codes the site rejects. This can shield you from malware on your everyday phone, but it isn’t foolproof; a code you read off the screen can still be phished and replayed within its 30-second window. A hardware key is still the better option, but going this route is great if you have no other choice. Don’t skip this 2FA option!

7- Watch your accounts like a hawk or move your accounts

For now, this is the most paranoid you can get. I’m sure some experts might tell you to do something other than what I have recommended, like use a password manager or don’t waste your time with a separate smartphone for your authenticator app. That may or may not be true, but I have my own reasons behind why I would be against those things.

Yes, password managers can be great tools for people that aren’t good about picking good passwords, but I don’t like the idea of having one point of failure for all my passwords. I would rather manage them myself, offline and away from anything digital (and no, I don’t just write them all down).

You should also consider moving your accounts somewhere else if you don’t have the option to secure them properly. It might be a hassle to move all your Bitcoins out of an exchange, or moving your phone account somewhere else, but it might be the only way you can better secure yourself online.

If you’re looking for places that offer 2FA for your accounts then I’d check out Two Factor Auth (twofactorauth.org) for a great list of options. It isn’t an exhaustive list, but it’s a good start.

How to protect your online money – From the mind of a hacker
