In 2008, I was using an insecure operating system, Windows XP, on my laptop. I lacked knowledge about online security and may have accidentally clicked a suspicious link sent through Yahoo Messenger.
The next day, I received an email that $3000 had been transferred from my PayPal account to another account. The hacker also gained access to my Gmail, changing the password and preventing me from accessing my account.
I quickly contacted PayPal and froze the account, but it took several weeks to regain access to my funds. This experience taught me the importance of online security, and since then I have made it a priority. Here are some tips based on my personal experience and research to help you secure your accounts.
Two-factor authentication (2FA)
Two-factor authentication (2FA) should be your minimum security standard. 2FA adds an extra layer of protection by requiring not just a password but also a security code to access your accounts.
Even if a hacker gets hold of your password, they will not be able to access your accounts without the security code. However, 2FA has its own set of problems, and in this article, I will discuss some of them.
Don’t Use Phone SMS OTP
One method of 2FA is using One-Time Passwords (OTP) via SMS, which is offered by many websites and apps.
I do not recommend relying on SMS to your mobile phone for 2FA. One problem is that not all websites provide SMS-based OTP, because of the cost of setting it up with a mobile carrier. This is frustrating when some websites offer 2FA via SMS while others do not.
Another issue with 2FA via SMS is unreliable delivery. While local banks may have more fail-safes to ensure SMS delivery, many websites deliver the SMS late, and a code that arrives late may already have expired.
In some cases the SMS does not arrive at all, forcing you to request another OTP, after which only one of the two codes may be delivered.
Your phone number is effectively public, since you have given it to many websites. If a hacker wants your accounts, they could steal your phone or have a new SIM card activated for your number with the help of a telecommunication company employee (a SIM swap). The chances are low, but they are not zero.
To minimize the risk of someone intercepting your SMS OTP, it is often recommended to use a separate phone number that nobody else knows: security through obscurity. However, this means carrying an additional phone, which is inconvenient, and a determined attacker may still be able to find your less-used number.
Moreover, international traveling can also pose a challenge as the phone service provider may not work in different countries.
It is advisable not to rely solely on SMS OTP for two-factor authentication as there are better ways to receive the 6-digit code.
Don’t Use Google Authenticator
When setting up two-factor authentication with a website or service, a QR code will be provided for you to scan with an app like Google Authenticator.
This replaces receiving a 6-digit code via SMS; instead, you read the current code from the app when logging in. The code changes every 30 seconds, because it is computed from a shared secret (the one in the QR code) and the current time; this is how app-based two-factor authentication works.
Two-factor authentication through apps such as Google Authenticator has its own security concerns. One issue is that the app doesn’t require a password or face ID to access, so if someone gets hold of your phone and it’s not locked, they can easily open the app without any additional layers of security.
Another major risk of using Google Authenticator is the loss of access to all your two-factor authentication codes if you lose your phone.
Google Authenticator does not offer a way to back up the codes in an encrypted form, so your phone becomes the sole source of access to your accounts. This can be a major problem, especially if your phone is lost or stolen.
A workaround for this issue is to scan the QR code with both your main phone and backup phone at the same time, so even if one phone is lost, the other will have all the authentication codes.
However, this still isn’t a foolproof solution as it can become confusing to have some codes on one phone and not the other, leading to situations where you assume the code is on the other phone but it’s not.
Additionally, there’s a small chance that you could lose both phones at the same time, leaving you locked out of all your accounts. For these reasons, I would not recommend using Google Authenticator.
1Password, Microsoft Authenticator and Authy
While Google Authenticator is a widely used 2-factor authentication app, there are other, more secure options available.
One such app is Authy, which lets users back up their 2FA codes online, so that they are not lost even if the phone is. The other alternatives are 1Password and Microsoft Authenticator.
If you opt to back up your 2FA codes using email, it is crucial that the email account itself is secured with 2FA. There is no point in having 2FA on all your accounts while the email account that stores a backup of your 2FA codes does not have 2FA.
It is important to have a separate, non-public email account to store backups of your two-factor authentication codes. This email should not be one that is commonly used, as it contains sensitive information.
Additionally, if the email account is protected by two-factor authentication, make sure the code is stored elsewhere and not with the other authentication codes.
This is to avoid the situation where you lose access to all your accounts, including the email with the backups, if you forget the two-factor authentication code required to access the email.
It is also important to keep the backup codes for your two-factor authentication safe. Most email providers issue a set of single-use backup codes when you set up 2FA. Store these codes in a secure location, such as a locked cabinet, so that you do not lose access to your email (which holds the backup of all your other 2FA codes) if you lose your phone.
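To show what those backup codes are and why they need to be kept as safely as a password, here is an added example (not code from the post or from any particular email provider) of how a provider typically issues and redeems them: each code is random, shown to the user once, stored only as a salted hash, and invalidated the first time it is used. The code format and the 40-bit length are assumptions for illustration; real providers choose their own.

```python
import hashlib
import hmac
import secrets

CODE_BYTES = 5  # 40 bits of randomness per code -> 10 hex characters (assumed length)


def generate_backup_codes(count: int = 10) -> list:
    """Create `count` random single-use codes, formatted as xxxxx-xxxxx for readability.
    This plaintext list is what the user is told to print and lock away."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(CODE_BYTES)       # cryptographically secure randomness
        codes.append(f"{raw[:5]}-{raw[5:]}")
    return codes


def _normalize(code: str) -> str:
    # Tolerate the dash, spaces and case the user may type differently from the printout.
    return code.replace("-", "").replace(" ", "").strip().lower()


def _hash_code(code: str, salt: bytes) -> bytes:
    # Codes are high-entropy random strings, so a salted SHA-256 is adequate here;
    # a slow KDF matters for low-entropy user passwords, not for 40-bit random codes.
    return hashlib.sha256(salt + _normalize(code).encode()).digest()


class BackupCodeStore:
    """What the provider keeps: only hashes, so a leaked database does not yield usable codes."""

    def __init__(self, codes: list):
        self.salt = secrets.token_bytes(16)
        self.unused = {_hash_code(c, self.salt) for c in codes}

    def redeem(self, code: str) -> bool:
        """Return True and burn the code on first valid use; False for unknown or already-used codes."""
        candidate = _hash_code(code, self.salt)
        for stored in self.unused:
            if hmac.compare_digest(stored, candidate):  # constant-time compare
                self.unused.remove(stored)              # single use: remove before returning
                return True
        return False

    def remaining(self) -> int:
        return len(self.unused)


if __name__ == "__main__":
    issued = generate_backup_codes()
    print("Print these and lock them away:", *issued, sep="\n  ")
    store = BackupCodeStore(issued)
    print("first use accepted:", store.redeem(issued[0]))
    print("second use of same code accepted:", store.redeem(issued[0]))
    print("codes left:", store.remaining())
```

The single-use property is what makes a code list safe to keep on paper: someone who glimpses a code you have already used gains nothing, but an unused printed code is a full bypass of 2FA for that account, which is why the post's advice to store the sheet in a locked place matters.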
What If You Cannot Access Your Email?
It is also important to keep a backup of your two-factor authentication codes and to have access to a secondary phone, such as a family member's phone or a backup phone, in case your primary phone is lost and you cannot get into your email account.
This gives you a second way into your accounts in the rare event of a lost phone or an outage at your email provider.
Hardware Security Keys
If you’re concerned about the security of using a two-factor authentication app on your phone, due to the possibility of hacking, consider upgrading to a hardware security key.
Many email providers, including Gmail, now support the use of hardware security keys for login.
One popular option is the Yubikey, which comes in various forms, including an NFC version that can also serve websites that do not support hardware security keys. To use a hardware security key, simply insert it into your laptop via USB and press its button to log in to your account.
With an NFC-enabled hardware security key, you can generate two-factor authentication codes even for websites that don’t support hardware security keys: tap the key on your phone and it produces the one-time password for logging in to the website.
Biometric Authentication with Hardware Security Keys
If you’re concerned that someone might gain access to your physical hardware key, even if they already know your password, you might consider a hardware security key with fingerprint recognition.
This provides an additional layer of security, ensuring that it is indeed you who is using the key, even though there is still a chance that your fingerprint could be obtained.
For now, hardware security keys with multiple biometric factors, such as retina and face recognition, are not an option.
Unless you have a pressing need for such high levels of security, like running a country, it might not be necessary 😛
The $5 Wrench Attack
Online security measures are only effective against virtual threats, not physical ones such as kidnapping. Currently, there is no foolproof way to protect yourself from physical threats, apart from trusting your government and law enforcement.
The “5 dollar wrench” phrase refers to the tactic of using physical force or violence to coerce someone into handing over information or access to assets. It means that even the strongest security measures can be overcome by physical threats.
In addition to physical threats, financially motivated attacks such as ransomware can also put sensitive information at risk. In these attacks, hackers take control of a system or its data and demand a ransom payment for its release.
Use Strong Passwords, Duh
The use of strong passwords and a password manager is a given for anyone interested in secure two-factor authentication. There are many resources available for finding the best password manager, including open-source options that can be audited for security and paid options such as 1Password.
A strong password should be at least 12 characters long and include a mix of numbers, special characters, and capital letters. Most websites now require the use of strong passwords, and it’s important to make sure to have backups of your password manager to avoid being locked out of your accounts.
Keep Your Devices Updated, Clean and Light
Outdated software is a common way for hackers to gain access to devices like laptops and mobile phones, since known vulnerabilities in old versions remain unpatched. Keeping your operating system and applications updated helps prevent unauthorized access.
Using a separate, updated laptop or phone specifically for accessing digital assets, such as databases, domain names, and cryptocurrency, is also recommended to minimize the risk of vulnerabilities from other software.
The Risk of Getting Locked Out
While implementing strong security measures reduces the likelihood of someone else gaining access to your accounts, it also opens the possibility of you being locked out of your own accounts.
Balancing the need for security with ease of access can be a delicate task, and it’s important to be aware of the risk of being locked out of your accounts in the pursuit of securing them.
What If You Die
If you have ultra-secure digital assets that only you can access, there is a risk that they will be lost if you pass away suddenly. Digital assets cannot be passed on as easily as traditional assets like real estate and bank accounts.
To ensure your digital wealth is properly transferred after you pass, it is recommended to write down your access instructions and store them in a bank locker with a nomination for someone to access it in case of your death.
I hope this article provides you with insights on how to safeguard your digital assets, giving you the confidence to build them for the future.
By following all the recommended security measures, the likelihood of losing your digital assets to hacking is greatly reduced.
In the unlikely event that your digital assets are still lost, there may be ways to recover them with the help of law enforcement.