The freedom and power of the internet comes with massive responsibility. You have to defend yourself from attacks. No one will do it for you.
The downside of not defending yourself online is devastating.
Here is an everyday story: Sarah gets SIM-swapped while she sleeps.
People often do SIM swaps when, for example, they lose their phone and buy a new one.
In this case, an anonymous thief badgers a call-centre agent at her mobile services provider into switching the SIM card linked to Sarah’s phone number with a SIM card in their possession – using time-tested techniques: perhaps pretending to be Sarah (possibly using information gleaned about her online), talking about emergencies, or masquerading as a fellow call centre agent battling to log on.
Once the hacker gets control of Sarah’s phone number using the new SIM, he checks the time zone Sarah lives in. Yes, Sarah is fast asleep. Sarah won’t notice anything has gone wrong until later the next morning.
Sarah has a bad feeling and checks her phone during the night. Her WiFi is on. Everything looks like it is okay, but it isn’t.
Now that the hacker has taken over Sarah’s phone number by way of a SIM swap, he can go to the Gmail sign-in page, type in her email address and request account recovery, which sends a code to her phone number.
Gmail obliges and sends the recovery code to the hacker-controlled phone. The hacker goes through all the financial services in Sarah’s email: bank accounts, home loans, crypto exchanges and credit cards. He is an expert at what he does.
Sarah’s primary email is essentially her digital identity.
One by one the hacker probes and resets the bank and crypto exchange passwords. The password resets are sent to the Gmail address. Sometimes a one-time password (OTP) text message (Sarah’s two-factor authentication method of choice) is sent to the hacker-controlled phone to confirm access to Sarah’s account. Sarah has two crypto exchange accounts with her bank account linked to both. The hacker sends funds from Sarah’s bank account and home loan to one of the exchanges and does a quick market order to buy crypto. Sarah had a large access bond on her house, and a healthy current account balance for her child’s education.
The hacker buys a huge amount of bitcoin with Sarah’s money. He then sends the crypto to his own crypto wallet. He checks any crypto and fiat balances on the next crypto exchange – and then cleans them out. The crypto takes 10 minutes to appear in his wallet.
The hacker is accomplished and thorough. He deletes all the emails from all his password resets and transfer shenanigans, leaving no trace for Sarah to unjumble her life.
Over the next few hours all Sarah’s available funds are drained. All her bank accounts – current, home loan, savings – are empty.
All the crypto assets she owns on a variety of different exchanges are drained.
All of it – gone.
This SIM-swap scenario happens every day
Imagine this happening to you. This event can break a person. It can bring a person and their family to their knees.
There are some key steps to take that can prevent this from happening to you or your family.
Knowledge is power. Here is a simple framework to help guide individuals to protect their identity and assets online.
There are three pillars in my framework called ‘Internet Freedoms’: First you defend, then you advance and lastly, you become powerful (sovereign).
Here are five simple steps to start defending your digital identity and online assets.
Step 1: Remove your mobile phone number as a recovery method from your primary email
Sarah linked both her phone number and secondary email as a recovery method.
This is an exploitable weakness once you have been SIM-swapped. Once a hacker has control of your phone number, he will use the recovery method of your primary email to reset your password. The hacker then has access through which he can change all of your online accounts.
Remove the recovery methods (both mobile phone number and email) as a matter of urgency. This protects your digital identity from being hacked.
Step 2: Use a password manager to create unique and strong passwords
You may be reluctant to do this because it means downloading a password manager like LastPass and creating strong and unique passwords for all of your online platforms.
But, be encouraged that this is best practice.
You can create many difficult and unique passwords using your password manager and you only have to remember one hard password to unlock the password manager.
If your email address and password haven’t been breached before, then you don’t have to do this step. If your data has been breached, then you need to download a password manager like LastPass or 1Password and start to update and harden all your passwords.
To check if your data has been breached, go to Have I Been Pwned and type in your email address.
Once you download the password manager, remember to add two-factor authentication (2FA) to it, using an authenticator app on your mobile phone like Google Authenticator or Authy (it’s free). Your password manager is your digital vault and you want it bulletproof.
Step 3: Add 2FA to your primary email using an authenticator app
Sarah did not have a two-step verification set up for her Gmail account.
As part of this step, you need to use the password manager to strengthen your password.
For the second step go to security settings on your primary email account and set up 2FA.
Using a strong password together with time-based 2FA on your mobile phone via an authenticator app protects your digital identity from being hacked.
Step 4: Replace all SMS two-factor authentications (2FAs) with a time-based one-time password using an authenticator app
Sarah took the easy option and used the text message (SMS) sent to her mobile phone for 2FA.
Banks often use SMS 2FA. This is a vulnerability that SIM swaps exploit, because the code is delivered to whoever controls the phone number.
Make sure you convert all of your SMS 2FA to use an authenticator app like Google Authenticator or Authy.
Step 5: Authy app users must turn off this one dangerous default setting
If you use the Authy app it is crucial that you disable a default setting that will make you vulnerable to a SIM swap – even with 2FA installed.
When you first create an Authy account, ‘multi-device’ is enabled by default.
This means you’ll be free to set up any other device to use your same Authy account and 2FA tokens. All you’ll need to do is download and install Authy on the desired device, add your phone number, and allow this new device on your original Authy installation.
Beware. This is exactly what a hacker will do.
Disable this multi-device on your Authy app immediately.
You have now started a good base for defending your online privacy and security. It all starts with taking responsibility. There are many more steps to take on your journey to become powerful (sovereign).
Eugéne Etsebeth is former CEO of crypto exchange iCE3 and specialises in training related to ‘Internet Freedoms’.