As part of our estate planning, I noted that I’m not particularly happy with two-factor authentication (2FA) via text message. I’m displeased with options provided by banks, and dubious of claims by any company, especially those not in the security business, claiming to protect my sensitive information – most recently protecting information meant for a Digital Executor. However, I should probably add a bit more context about why and my approach.
A Security Adjacent Career
I spent my entire professional career working in software sales to government customers. Mainly the federal government but some state and local governments as well. I spent time in mobile communications, encrypted voice apps, and cloud services.
I wouldn’t call myself a security “expert” but I do consider myself reasonably well versed in what can go wrong. Poorly implemented cryptography, lack of security controls applied by engineers, hacks targeting the federal government, synthetic identities, and social engineering using LinkedIn to name but a few. If you want some sense for yourself, have a listen to Darknet Diaries.
My view is that the internet is still the wild, wild, west and not getting much better. I believe most companies on the internet focus on speed to market with a product first, and security features being added as a distant afterthought and only if pushed. All too many think they can implement security features themselves including, unfortunately, rolling their own cryptography.
My Own Identity Theft Experience
I think most people have had their credit card number stolen at one point or another. This is just par for the course in our modern economy. And far too many companies have had security breaches where a database full of credentials have been stolen. In my case, I feel like I’ve experienced more than most (though much less than a very unlucky few). I’ve had my data stolen in two specific instances that caused me to zero in on security.
2015 OPM Breach
During my time supporting the federal government I carried a clearance. This information was, at the time, collected and secured by the Office of Personnel Management (OPM). There is a ton of information about you stored in this process. Years of prior address and phone number data, information about your immediate and extended family, social security numbers, and lots more. In 2015 OPM had a very large breach with millions of records taken, including my own. As a result, I had government paid-for, identity monitoring for over 10 years.
Was this information sold or used against me? Does it simply sit with a state actor, or might it have been sold on the dark web? I’m not sure.
2019 Capital One Data Breach
In 2019, a misconfiguration at Capital One left a massive amount of customer data at risk. This information, stored on Amazon Web Services, was attacked and stolen by a former AWS employee. This theft was particularly damaging as it contained credit application data from 100 million people! Again, I was a victim of another large data breach. The data included my name, email, address, and phone number. This data theft absolutely impacted me.
In this case, someone walked into a Verizon Store (or authorized reseller, I don’t know which), having my phone number, address, email address, and more. They convinced the clerk that they were me and had lost their phone. The rep was “kind” enough to port my phone number over to the new phone that the thief had brought with them. This is the classic SIM swap attack. Now the thief had control of my calls and text messages. They then proceeded to try to take over my credit cards and who knows what else they would have tried. They tried to change email addresses, and were able to change the mailing address. I caught it relatively quickly when I realized I could no longer make phone calls and drove to my local Verizon store.
I’ve been living with the fallout for years since. I’m paranoid every time my phone appears not to have voice or data service. And, every so often, someone attempts to take over my SIM again and/or open new accounts in my name. I worry more about a thief somehow gaining access to bank or IRA accounts.
How I Approach Security Now
I generally don’t trust anyone, corporate or government alike. However, I do realize that getting off the internet isn’t an option. Even if I don’t use online accounts, these companies or governments will have my information online. That’s just how the world works these days.
- I’ve changed mobile carriers and abandoned the phone number I had for 20+ years. Yes, this was a huge pain, but the phone number exposed in so many data breaches doesn’t connect to me or my accounts any longer.
- I limit where I give out my new phone number and use a Google Voice number for everything else.
- I’ve got a separate email address for important financial accounts, not the primary email I’ve used for years. I only use it for about 6 accounts total, and this email is locked down hard, including multi-factor authentication that does not allow SMS for the second factor.
- I use a password vault and always use as complex a password as I can. Up to 99 characters if supported.
- Where possible I’ll use an entirely random username too.
- Our credit is frozen with all the major credit agencies, as well as the secondary ones you’ve likely never heard of, and every year I flag my credit file for suspected fraud.
It’s like the joke/saying: “How do you outrun a bear? You don’t, you just run faster than the guy next to you.”
In my case, the hope is that these steps have made me a significantly harder target than most of the population, encouraging a hacker/thief to move on to someone else. Note that these steps do come with downsides, though. While they increase the friction for a hacker or thief, they also increase the friction for us. We’ve had problems establishing new bank accounts online without physically showing up and providing multiple identity documents. We also periodically have to unlock our credit files for short periods to make changes or prove identity. It’s not just the banks that utilize the credit agencies for vetting identity.
