June 18, 2019

What happened to my ZDNet colleague Matthew Miller this month is the stuff nightmares are made of. The title pretty much says it all: "SIM swap horror story: I've lost decades of data and Google won't lift a finger."

In Matthew's case, hackers were able to convince T-Mobile to issue a replacement SIM that gave them access to his primary phone number. That in turn allowed them to reset passwords on his Gmail account, which pretty much gave them unfettered access to his entire identity. They then proceeded to shut down his Twitter account, wipe out everything associated with his Google account, and even access his online banking accounts.

As I read Matthew's story, I had flashbacks to a similar incident that happened to Mat Honan back in 2012. Honan, who's now San Francisco Bureau Chief for Buzzfeed, documented his excruciating experience at the time in a memorable Wired article: "How Apple and Amazon Security Flaws Led to My Epic Hacking."

The lesson from both of these horrifying experiences is that your primary phone number and your primary email address are far more valuable than you think. As our reliance upon online services grows, these two data points are extremely common means of authentication. If either one is compromised, an attacker can do bad things. And if those two factors are tied too closely together, it's game over for your online identity.

You don't have to be the next victim. With a little effort (and, yes, a little expense), you can lock down the security of crucial online services. Follow these five guidelines and you can make life extremely difficult for a would-be identity thief.

1. Ratchet up the security on your mobile account

SIM-swapping tricks work because hackers are able to learn enough about you to social-engineer their way through the normal security checks that keep your account from being compromised.

Accordingly, your first line of defense is to tell your mobile provider that you want them to be extremely cautious, even paranoid, about the security of your account. Every U.S. mobile provider has the option to add a separate security PIN or password to your account. Do it.
(This is different from a SIM password/PIN, which prevents your physical SIM card from being removed and automatically activated in another device.)

Finally, ask your mobile provider if there's a way to flag your account for extra security to prevent unauthorized number porting or SIM-swapping. The most inconvenient scenario is you'll have to show up personally at a local office, with photo ID, to recover from a damaged device.

I'm not surprised this happened to a T-Mobile account, either. This extremely thorough Reddit post, "How to protect your T-Mobile account from hackers," argues that T-Mobile customers are disproportionately affected by SIM-swapping. If you're a T-Mobile customer, it's worth reading.

2. Don't trust your important email to a free consumer-grade service

Google and Microsoft are the world's two largest email providers, with both consumer and business-grade subscriptions. The two types of products are superficially similar, so it's easy to just set up a free Gmail or Outlook.com account and save the money, right? I mean, what do you really get with the for-pay business-grade account?

The critical difference, as Miller discovered, is ready access to support. With a free Gmail or Outlook.com account, you have almost no support options except to fill out an online form and pray that someone handles it. (And no, the fact that you pay for storage upgrades doesn't mean you have a business-class account.) You really deserve better.

So open your wallet and pay for a business account. A G Suite Basic account costs $6 a month and looks exactly like the free Gmail product. But as Google's G Suite support page notes, "24/7 support from a real person is included with your paid subscription to G Suite."

Microsoft's Office 365 Business Essentials subscription, which includes a 50 GB mailbox, a custom email domain address, and 1 TB of OneDrive for Business cloud storage, is an even better deal at $5 per month.
Or you can get those services as part of an Office 365 Business Premium subscription for $12.50 per month, which includes Office apps for 5 Windows PCs or Macs and five tablets.

For any of those Office 365 plans, phone support for Critical issues (a category that includes "events that prevent you from accessing or using your services or data," which seems apropos here) is available 24/7, with a one-hour response time commitment.

Oh, and one more crucial step? A miscreant who manages to crack your business email account doesn't have access to your administrative console; they might be able to change your password, but they can't delete your account. In fact, using those admin tools, you can lock down a compromised account immediately, preventing any further damage.

3. Don't save passwords in your browser

I'm of the firm belief that using a third-party password manager is one of the most valuable security precautions you can take. Having a unique, impossible-to-guess password for every service you use is an excellent way to prevent most common forms of attack. (For more specific advice, see "Forgot password? Five reasons why you need a password manager.")

But all that security goes right out the window if those passwords are stored with your Google or Microsoft account and can be unlocked by anyone who compromises that account.

That's what happened to Miller. When the hackers compromised his Google account, they gained access to all his passwords, including a banking account that they used to buy $25,000 worth of Bitcoin. (Thankfully, his bank's fraud checks prevented the ACH transaction from going through.)

This nightmare isn't possible with a well-designed third-party password manager. My utility of choice, 1Password, requires a unique security key in addition to a username and password before allowing access to passwords on a new device.
Even if a hacker managed to steal my 1Password login credentials, he wouldn't have my private security key, a 32-character alphanumeric string that's stored on a piece of paper in a locked file cabinet in my office and on a card in my wallet. No security key, no passwords.

If you've got passwords saved in Google Chrome, Internet Explorer, Mozilla Firefox, or Microsoft Edge, delete them after you've set up a third-party password manager. (Every browser has the option to export saved passwords before you take this irrevocable step, an option that could be valuable as long as you save those exported credentials in a safe place that isn't tied to your cloud storage.)

In Chrome (or in the Chromium-based Edge browser), press Ctrl+Shift+Delete to open the Clear Browsing Data dialog box. Click the Advanced tab, choose All Time for the Time Range, select the Passwords And Other Sign-in Data option, and then click Clear Data.

In Microsoft Edge, press Alt+X to open the Settings And More menu, then click Settings. Select the Privacy & Security tab and click Clear Browsing Data. Select Passwords and then click Clear.

Unlike its rivals, Firefox includes an option to protect your saved passwords with a unique Master Password that's not tied to your Mozilla account. That might make this option acceptable to you, but if you're not comfortable and you want to delete all saved passwords, click the menu button, click Logins And Passwords, and click Remove All.

Of course, you want to make sure that whatever third-party password manager app you've chosen can't be compromised by someone who has access to your mobile account or email. That's inconvenient for you, no doubt, but an absolutely essential precaution.

4. Disconnect your telephone number from crucial authentication scenarios

The reason SIM-swapping has such a devastating impact on your identity is that your phone is typically the first device that a service will use to help you reset your password.
Whenever possible, remove the option to use that phone as proof of identity and use an authenticator app or a saved code you previously generated. This strategy forces you to use a trusted device as an authenticator. A hacker who has a SIM-swapped phone number or an email password doesn't have a trusted device and is thus locked out.

In the G Suite admin console, go to Advanced Security Settings, turn on 2-step verification, and then, under Allowed 2-Step Verification Methods, choose Any except verification codes via text, phone call.

For an Office 365 Business or Enterprise subscription, go to the Additional Security Verification page (https://account.activedirectory.windowsazure.com/Proofup.aspx) and remove your primary phone as an authentication method.

In both services, you can and should set up the Google Authenticator or Microsoft Authenticator on at least one and preferably two or more trusted devices.

For online services that require SMS-based authentication, consider using a Google Voice number (or another alternate SMS option) tied to an email account that's completely separate from your primary address. I use this technique and can receive SMS codes in the Google Voice app on my primary devices; those codes would not be available to an identity thief even if he had stolen my primary phone number.

5. Backup, backup, backup (and sync, sync, sync)

Probably the most heartbreaking part of Matthew's story is the possibility that he'll lose not just tax returns and other important documents stored in Google Drive but also "thousands of photos that may be lost forever if Google won't work with me to get my account back."

The most important part of any backup strategy is ensuring that a single point of failure doesn't cause you to lose data.
A cloud-based service is an excellent way to prevent fire or flood from destroying your local copies, but human error or a configuration mistake (or forgetting to pay the annual subscription fee) can cause some or all of those files to disappear. Save the really important stuff, like family photos, in at least two cloud locations: iCloud and OneDrive, for example. And yes, keep a local backup of those files, just in case.
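
For guideline 3, a way to confirm that clearing saved passwords actually took effect. This is an added example, not part of the original article. It assumes a Chromium-style "Login Data" SQLite file with a logins table and a Firefox-style logins.json; the function names and sample stores are constructed for illustration, and it only counts entries without reading any password.

```python
import json
import shutil
import sqlite3
import tempfile
from pathlib import Path

def count_chromium_logins(login_data: Path) -> int:
    """Count saved passwords in a Chromium-style 'Login Data' SQLite file."""
    if not login_data.exists():
        return 0
    with tempfile.TemporaryDirectory() as tmp:
        # A running browser locks the live file, so query a private copy.
        copy = Path(tmp) / "login_data.copy"
        shutil.copy2(login_data, copy)
        con = sqlite3.connect(copy.as_uri() + "?mode=ro", uri=True)
        try:
            # Rows with an empty password_value hold no secret and are skipped.
            (count,) = con.execute(
                "SELECT COUNT(*) FROM logins WHERE length(password_value) > 0"
            ).fetchone()
        finally:
            con.close()
    return count

def count_firefox_logins(logins_json: Path) -> int:
    """Count entries in a Firefox-style logins.json file."""
    if not logins_json.exists():
        return 0
    return len(json.loads(logins_json.read_text(encoding="utf-8")).get("logins", []))

def leftover_saved_passwords(stores: dict) -> dict:
    """Return {browser: count} for each store that still holds saved passwords."""
    counters = {"chromium": count_chromium_logins, "firefox": count_firefox_logins}
    counts = {name: counters[kind](path) for name, (kind, path) in stores.items()}
    return {name: n for name, n in counts.items() if n}

def build_constructed_stores(root: Path) -> dict:
    """Constructed sample data: Chrome not yet cleared, Firefox already cleared."""
    chrome = root / "Login Data"
    rows = [("https://bank.example/", "alice", b"constructed-ciphertext"),
            ("https://news.example/", "", b"")]  # second row holds no secret
    con = sqlite3.connect(chrome)
    con.execute("CREATE TABLE logins (origin_url, username_value, password_value BLOB)")
    con.executemany("INSERT INTO logins VALUES (?, ?, ?)", rows)
    con.commit()
    con.close()
    firefox = root / "logins.json"
    firefox.write_text(json.dumps({"logins": []}), encoding="utf-8")
    return {"Chrome": ("chromium", chrome), "Firefox": ("firefox", firefox)}
```

Pass `leftover_saved_passwords` a dictionary in the same shape as the constructed one, pointing at your own profile files; an empty result means no browser store in the list still holds a saved password.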