I wrote You Are Wrong About Your Stupid Account about eight years ago, and since then I have had more than a few friends use it as a guide to upgrade their account security, although a few of them turned to the posting after an exploit that could have been prevented. The world has changed a bit, and I thought it was time to post an update to address some of the newer attacks and ways to protect yourself from them.

If you just can’t make it through 1,194 words and are quitting here, the most important thing is protecting your email account and your phone number. These are usually easy pathways exploiting your other accounts, so invest in keeping them secure.

I start with the new things and then cover updates from the original (which is still a good posting and very relevant today, so check it out if you want more the basics of account security and more context for this update).

Bank and Credit Card Locking

The financial cards you keep in your wallet (Visa, ATM) almost always have a mobile app you can use to manage your account. One of the nicer features a lot of these apps offer is the ability to lock your card, effectively disabling all new transactions on it until you unlock the card, and this is generally instantaneous. So, if you’re like me and go to the ATM once every eight months, you can get extra security by locking these infrequently-used accounts until you need them.

Locking your cards can be particularly comforting if you’ve ever needed to use a sketchy ATM or worry about card skimmers… if your card number and code are stolen, it becomes relatively useless to the attacker.

Finally, most of these apps also offer the ability to add notifications to transactions, so turning this on for all transactions is a great way to detect unauthorized access on your account, which is later that ideal, but catching it fast minimizes the impact.

Phone SIM Protection

Unfortunately a lot of the technology that powers our cell phone systems was created when the world was a much different place, and the use cases were quite different. As a result, there are some exploitable aspects of the systems, like the ability to fraudulently take over someones phone number by having the carrier point it to a different device (SIM swapping). The SIM (Subscriber Identity Module) is basically an ID for your phone and these started off as physical chips, although a lot of phones now generate a Soft SIM (aka Virtual SIM) in software, no chip needed. If a carrier associates your phone number with a different SIM, your calls and text messages now go to the device with that SIM, and this exploit is more common than it really should be.

Most carriers offer some form of protection from this… Verizon and Google Fi refer to this as “Number Lock”, and it prevents the port or transfer of your number. Any popular carrier likely offers the same functionality… turn this on. Really. Really really.

The big risk here is your phone number is often associated as a way to reset your accounts, and in some cases, your phone number is your account, so an attacker taking over your number not only provides pathways to taking over your accounts, at the same time you will be blocked from recovering your accounts. Lock this down.

Note: to make this a little more confusing, many phones offer “SIM lock” on the phone (not from the carrier), which requires a code to enable usage of the SIM (e.g. connect to network, make calls, text). “SIM lock” does not protect you from SIM swapping, other than possible somebody stealing your physical SIM card. You probably do not want to turn this on.

Password Manager Update

Password managers continue to be great, although I’m a little more opinionated on which password manager to use, and generally recommend 1Password. While all password managers mostly do the same thing (you have a master password to get to all of your complex, impossible to remember passwords), that master password can be the achilles heel if anyone is able to get access. And here is where 1Password stands out… for a new device (computer, phone, tablet) to access your 1Password account, it needs to have a key that is only accessible from your unlocked account. So even if your credentials fall into malicious hands, they still can’t access your passwords.

1Password works across websites and mobile apps quite nicely, and also has pretty good group accounts and family plans, making it easy to share specific accounts with the family for things like Netflix, so that everyone has access when one person makes a password change.

One thing I am mixed on is 1Password also offering 2FA (two-factor authentication) on your accounts that support it. While this is very convenient, the whole point of 2FA is requiring two things to access your account (generally, something you know and something you have). If using both password and 2FA functionality for an account through 1Password, this reduces the efficacy (although it is still far better than not using 2FA at all). I have found a use case where this is incredibly useful, where I have an account that is password and 2FA and occasionally I need to share access with someone, and 1Password makes it easy to do temporary sharing and this works great. However, other than that use case, I use separate tools for two-factor authentication.

Two-factor Authentication Update

I’m a little shocked that 2FA (two-factor authentication) hasn’t advanced more over the past 8 years. On the bright side, it is far more common to see in sites, and I have seen more sites with sensitive or valuable data require 2FA. However, there is still an overwhelming number of sites, including banks, that only offer SMS for 2FA, where they text a code to your phone. A major problem with this is your phone number can be stolen through SIM swapping, and this can happen from thousands of, miles away, it does not require access to your phone.

YubiKey 5C NFC (not mine, and not my keys)

I adopted dedicated hardware 2FA for my more critical accounts (email, password manager, financial). These are generally USB keys that generate the necessary response when challenged, and can be used with computers, phones, tablets, etc. The YubiKey 5C NFC is a good example of one that supports modern authentication protocols and can also tap NFC readers instead of plugging in. The downside of hardware keys is they are slightly less convenient, and you really will want to make sure you have two of them and associate them with each account, so that if you lose your physical key, you have a backup and are not locked out and having to go through a likely time consuming process to recover your account.

For a general purpose 2FA app, I am still a fan of Google Authenticator and it has only gotten better, with huge improvements in migrating to a new phone / device, which was pretty painful before.