Step 1: Lock your SIM.
Call your provider and ask them for the SIM PIN code for your current SIM, if it has one. If not, set your own PIN. This means any new SIM issued for your account will need that code. You can also put a code or passphrase on your account itself: any time changes need to be made to the account, this passphrase is required. This prevents attackers from phishing or tricking your network provider into delivering a new SIM to them. This has personally saved me a couple of times now: once when someone tried to buy a bunch of iPhones on my account, and another time when someone was trying to SIM swap me. In the end I was able to help authorities locate the person who tried this and send them to his house. This happened recently to Vitalik.
Step 2: Get a password manager
But not just any password manager. LastPass has been breached and had data leaked multiple times, although they haven't leaked your actual passwords in plaintext. What leaked were hashed, salted versions of the passwords. This means someone could spend an enormous amount of time trying to recover the original passwords from them. A salted hash is derived from the real password but is not the password itself; with strong enough computers, an attacker could probably work it out at some point. And it is already happening around us.
So why is this important? It was disclosed recently that those leaked salted hashes have been behind a lot of the biggest hacks of the last 18 months.
Then on Aug. 28, Monahan said she’d concluded that the common thread among nearly every victim was that they’d previously used LastPass to store their “seed phrase,” the private key needed to unlock access to their cryptocurrency investments.
So, definitely protect yourself. Open-source community projects let you review the code, and other people can review it too. They have bug bounties and all that. I usually recommend Bitwarden or KeePass. KeePass is an interesting one because it's entirely local. You could use something like Syncthing or another tool to move your vault across your devices manually so the passwords stay synced. This is pretty interesting stuff. Read the below on the recent LastPass
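As an added illustration (not code from this post or from any password manager), here is what a leaked "salted hash" of a master password actually is, and why cracking it comes down to cost: the password is stretched into a key with a salt and an iteration count, and an attacker who has the key can only guess. PBKDF2-HMAC-SHA256 with the account e-mail as salt is an assumed scheme for illustration, and the attacker throughput figure is assumed too.

```python
# Added illustration (not code from the post or from any password manager):
# what a leaked "salted hash" of a master password is, and why cracking it is
# a question of cost. PBKDF2-HMAC-SHA256 with the account e-mail as salt is an
# assumed scheme for illustration; real products differ in details.
import hashlib
import hmac

def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 32-byte key; this is what leaks, not
    the password itself. Each guess costs the attacker `iterations` HMACs."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)

def unlock(stored_key: bytes, attempt: str, salt: bytes, iterations: int) -> bool:
    """How a vault checks an unlock attempt: re-derive and compare in constant time."""
    return hmac.compare_digest(stored_key, derive_vault_key(attempt, salt, iterations))

def salt_isolates_users(shared_password: str) -> bool:
    """Two users with the same master password get different keys because their
    salts (here, e-mail addresses) differ, so one cracked vault doesn't open the other."""
    alice = derive_vault_key(shared_password, b"alice@example.com", 1000)
    bob = derive_vault_key(shared_password, b"bob@example.com", 1000)
    return alice != bob

def expected_crack_seconds(entropy_bits: float, iterations: int,
                           hmacs_per_second: float) -> float:
    """Expected offline cracking time: on average half the password space is
    tried, and each guess costs `iterations` HMAC computations.
    hmacs_per_second is an assumed attacker throughput, not a measurement."""
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses * iterations / hmacs_per_second

if __name__ == "__main__":
    # Constructed comparison: a weak ~28-bit master password vs a ~70-bit
    # passphrase, at an assumed 1e10 HMAC-SHA256/s, low vs high iteration count.
    for bits in (28, 70):
        for iters in (5000, 600000):
            secs = expected_crack_seconds(bits, iters, 1e10)
            print(f"{bits:>3} bits, {iters:>7} iterations: {secs / 86400:.3g} days")
```

The takeaway is that the iteration count buys a linear factor while the master password's entropy buys an exponential one, so the master password is where the real protection lives.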
Step 3: Get a YubiKey.
Why would you want a YubiKey? The biggest reason is that it's a more secure two-factor method. For someone to hack or impersonate you, they would need to know your name, password, and some details, and on top of that they would need your physical key. They would have to be someone you know, with access to you in real life, to take over your account.
Hopefully you don't hang out with shady individuals. This should make it a little harder. Definitely enable it on every website that supports it; Twitter is one of them. I wish more banking apps supported YubiKey, but it is what it is.
Step 4: Get a secondary phone number
Ideally not a VoIP number but an actual physical phone number, one that you only use for banking and other high-value accounts, because most banking apps don't accept YubiKeys. If you have to use SMS for very sensitive services, acquire a secondary phone number: a real phone number, paid for in cash and not tied to your credit card.
If you want to add another layer, you can have someone else buy that phone for you, in case an ID is required, or get a pay-as-you-go phone that doesn't require showing ID and then have someone else refill it for you. The point is to disassociate this number from you as much as possible. Don't use this number for random things; keep it as separate as possible from the real identity tied to your emails. That way the number is not tied to you when data leaks.
This is not advocating for this against a state-level attacker. This is more about having an extra piece of information that isn't tied to you and keeping it secret, because certain banking apps just don't accept YubiKeys or authenticator apps, which is unfortunate. So use that to your advantage.
Step 5: Use an Authenticator app
Using an Authenticator app is the easy layup, but the more intermediate to advanced move is choosing the right Authenticator app. Choose an open-source one that's trusted. Another thing to think about, and I bring this up because I've had to deal with this multiple times and it's been painful, is not using an Authenticator app that syncs over the internet. Unless that's what you want, but it means you're trusting someone else with those keys. I would use one that stores everything locally and can do encrypted backups.
If it can do encrypted backups, then you can use something like Cryptomator to back it up in the cloud if you really need to back it up in the cloud. But if you have a really good Authenticator app, you should be able to do an encrypted backup to a USB stick or an SD card slot. These are the ones you want to d
You want to do that every six months or so, as you add new accounts. Typically you're not adding too many new accounts once you've done the bulk at the beginning. It becomes easy, so definitely choose the right Authenticator app.
I personally have an iPhone, so I use OTP Auth. Aegis is a good one if you're on Android; I've used it before when I had an Android phone. Raivo is another good one on iPhone and Android. So, choose a good Authenticator app.
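As an added illustration (not code from this post or from OTP Auth, Aegis or Raivo), here is what an authenticator app actually computes: a TOTP code (RFC 6238) is HMAC-SHA1 over a 30-second time counter keyed with the shared secret from the QR code. That secret is the only thing the app needs to back up, and the only thing an attacker needs to steal, which is why a local, encrypted backup matters. The base32 secret below is the RFC's own reference value, not a real account.

```python
# Added illustration (not code from the post or from OTP Auth, Aegis or Raivo):
# what an authenticator app computes. TOTP (RFC 6238) is HMAC-SHA1 over a
# 30-second time counter keyed by a shared secret, so the secret is the only
# thing that needs backing up, and the only thing an attacker needs to steal.
import base64
import hashlib
import hmac
import struct
import time

def secret_from_base32(b32: str) -> bytes:
    """otpauth:// URIs and QR codes carry the secret base32-encoded, often
    lower-case, spaced and unpadded; normalise before decoding."""
    s = b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1, dynamic truncation, last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of `step`-second intervals since epoch."""
    return hotp(secret, at_time // step, digits)

def verify_totp(secret: bytes, code: str, at_time: int,
                window: int = 1, step: int = 30) -> bool:
    """Server-side check allowing +/- `window` steps of clock drift; compare in
    constant time so a wrong code doesn't leak how wrong it is."""
    return any(hmac.compare_digest(totp(secret, at_time + d * step, step), code)
               for d in range(-window, window + 1))

if __name__ == "__main__":
    # RFC 6238 reference secret (the ASCII string "12345678901234567890"),
    # shown here in the base32 form a QR code would carry.
    demo = secret_from_base32("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    print("code right now:", totp(demo, int(time.time())))
```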
Final Thoughts
Look, you don't have to do any of these things. At minimum do the easy steps; this is all more work and less convenient. Will it stop an attack 100%? No. But do I sleep better at night knowing I gave it my all? Yes. If you want help, you can reach out to me via Twitter or Converse. If you like this or think it will help someone, please share.