We have spent a fair bit of time over the past year working on security at USV and across the USV portfolio. Anyone who has spent time working on personal or corporate security, and in particular information security, knows that there are a million ways in, and you’re never “finished”.
Fred wrote a bit about his experience last year, and we had an issue yesterday with Albert’s phone:
Thanks to everyone who has been helping me recover from a Twitter account takeover based on an unauthorized SIM switch on my phone
— Albert Wenger (@albertwenger) January 11, 2018
The way we have been thinking about it is in terms of “the weakest link”. It is critical to have your most important accounts (primary email, banking, crypto, etc.) secured well, but it’s also important to work your way down the line to other accounts and entry points. The lesson is that attackers will seek out the weakest point and work from there.
One of the weakest points in personal security is the phone — cell carriers are notoriously bad at security, and attacks like phone porting and SIM swapping are common. For that reason, it’s important to move away from using SMS as a second factor or as a backup wherever possible, and instead move to apps like Google Authenticator, or to hardware-based 2FA using Yubikeys or similar.
Another weak point is personal email, or old email accounts. It’s easy to forget about old accounts that you used back in the day, but those can be problematic, especially if they are linked to other accounts and if 2FA is non-existent or tied to SMS.
So, by all means, start with the most important accounts. But don’t stop there — keep sussing out the weakest link.
For more resources on personal information security, see this excellent guide by EFF (written in the context of surveillance, but applicable to all attack vectors).
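To make concrete why an authenticator app is not exposed to a SIM swap, here is an added example (not code from the post or from Google Authenticator) of the TOTP scheme those apps implement: the code is derived only from a shared secret and the clock, so the phone number and carrier account play no part, and a second device enrolled with the same secret produces the same code. The secret below is the RFC 6238 reference key, used here as a constructed demo value.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 6238 reference key "12345678901234567890"
# in base32, i.e. what an authenticator app stores when you scan the enrolment QR code.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret_b32, at_time=None, step=30, digits=6):
    """RFC 6238 TOTP as used by Google Authenticator: HOTP with counter = unix_time // step.
    Only the enrolled secret and the clock go in; the phone number and SIM are never involved."""
    t = int(time.time() if at_time is None else at_time)
    return hotp(secret_b32, t // step, digits)


def verify(secret_b32, code, at_time=None, step=30, window=1):
    """Server-side check: accept codes from +/- `window` time steps to absorb clock drift,
    comparing in constant time so the comparison itself leaks nothing about the code."""
    t = int(time.time() if at_time is None else at_time)
    return any(
        hmac.compare_digest(hotp(secret_b32, t // step + skew), code)
        for skew in range(-window, window + 1)
    )


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_SECRET_B32, now)
    print("code on phone A:", code)
    # A backup phone enrolled with the same secret computes the identical code.
    print("code on phone B:", totp(DEMO_SECRET_B32, now))
    print("accepted by server:", verify(DEMO_SECRET_B32, code, now))
```

The flip side is that the secret is the whole game: it must be backed up (second device, printed backup codes, or a hardware key) because losing the phone loses it, and anyone who copies it can generate every future code.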
4 comments on “The weakest link”
One thing I was disappointed with in Google Authenticator is that it’s non-trivial to set it up on 2 cell phones. So it can be done, but it’s not (last I checked anyway) simple to do. You can use the Google app as an authentication method on a 2nd phone, but I’ve found that to be funky in operation.
That said, anyone who is using Google or 2FA needs a ‘plan b’ in case their phone is lost, dropped, damaged or doesn’t work. You can use those backup numbers Google provides, but that is another can of worms. This is the reason I pay for two cell phones on two operating systems on two different carriers (and carry them everywhere to boot).
One last thing. If you are a high value target and money is not an object you should have another cell phone not under your name which would put an additional barrier to entry to someone trying to gain access to the jewels. Then use that cell phone and phone number for all of the authentication purposes and not for anything else.
Yes, if you go the authenticator / no-SMS route, you need a backup plan. Yubikeys are good for this. A second device with an authenticator can work too. Backup codes as well. Different services offer different options & configurations.
And yes, a second unlisted phone for SMS 2FA where it is required is definitely an approach.