My digital security setup
Y’all see that guy who got hacked recently? TL;DR: AT&T sent a hacker some dude’s SIM card, so all his 2FA defenses were useless.
The story shocked me into getting my operational security into shape. Here’s where I am right now.
Step 1: Secure my devices.
I’ve switched to 10+ character randomized alphanumeric passwords for my phone and my work/personal laptop. In retrospect these devices were a SPOF (single point of failure) – if a malicious party had gotten access to one of them, they could have gained access to my password vault and any sensitive information on my hard drive.
To prevent the Mac login experience from taking too long, I’ve also purchased YubiKeys and Rohos Logon Key for Mac. This allows me to unlock my computer with physical YubiKeys. If someone got my computer and my YubiKey, I’d be screwed – I think it should be possible to add a PIN code to the YubiKey but I haven’t done this yet.
I’ve also ensured that my password managers require the master password to be re-entered after each new login.
Step 2: Secure my services.
The most involved part of this process was auditing GitHub, Google, Dropbox, and Facebook for settings, as well as deleting any apps/devices no longer being used. These services all support YubiKey as a 2FA option, so that coupled with Google Authenticator allowed me to drop SMS for 2FA entirely. Twitter requires use of SMS – a glaring weakness.
Surprisingly, my financial institutions were the least equipped to handle 2FA. Simple only supports text messages; Chase’s implementation is sporadic and also text only; and PNC has got literally nothing in the 2FA space. Despicable.
Update 10:27am: Colin Howells pointed out on Twitter that PayPal’s SMS-based 2FA might be the worst of all. He also noted some flaws with iCloud’s 2FA implementation, which uses any Apple devices previously authorized (including the device you might be physically using to access the service). So that iCloud protection is of questionable security value if the malicious actor has already gained access to your desktop.
Step 3: Secure my network access.
I got a lifetime subscription to VPN Unlimited as a general prophylactic. My main WordPress server has been running SSL for a minute now and I hardened my SSH settings. Pantheon doesn’t have its own 2FA technology, unfortunately, but I was able to apply 2FA through Google Authenticator to my administrator account.
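The post doesn’t say which SSH settings were hardened, so here is an added example (my own script, not the author’s config or Pantheon’s) of the kind of check I run after touching sshd_config. It assumes “hardened” means key-only logins with password, keyboard-interactive and root logins switched off; the directive names are real OpenSSH options, the expected values are that assumption. It audits two constructed sample configs, one weak and one hardened, and returns the number of directives that miss the target.

```shell
#!/bin/sh
# Added example, not from the original post: audit an OpenSSH sshd_config for the
# directives most "SSH hardening" guides tighten. Directive names are real
# OpenSSH options; which values count as hardened is an assumption made here.
# Limitations: Match blocks are ignored and the "Key=value" spelling is not parsed.

# Print the effective value of one directive; sshd honours the FIRST occurrence,
# so we stop at the first match. Comments are skipped, names are case-insensitive.
# Prints nothing when the directive is absent.
sshd_get() {
    # $1 = config file, $2 = directive name
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# Compare one directive with the value we expect; an absent line is treated as
# the upstream default passed in $4, since that is what sshd will actually use.
check_directive() {
    # $1 = config file, $2 = directive, $3 = expected value, $4 = default if absent
    actual=$(sshd_get "$1" "$2")
    [ -z "$actual" ] && actual="$4"
    if [ "$(printf '%s' "$actual" | tr 'A-Z' 'a-z')" = "$3" ]; then
        echo "OK    $2 $actual"
        return 0
    fi
    echo "WEAK  $2 $actual (expected $3)"
    return 1
}

# Audit one file. Exit status is the number of weak directives (0 = hardened).
audit_sshd_config() {
    weak=0
    check_directive "$1" PasswordAuthentication no yes || weak=$((weak + 1))
    check_directive "$1" PubkeyAuthentication yes yes || weak=$((weak + 1))
    # Default is "prohibit-password" on current OpenSSH; we want root off entirely.
    check_directive "$1" PermitRootLogin no prohibit-password || weak=$((weak + 1))
    # Keyboard-interactive auth can still present a password-style prompt.
    check_directive "$1" ChallengeResponseAuthentication no yes || weak=$((weak + 1))
    return "$weak"
}

# Constructed sample configs (not the author's real files).
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# constructed sample: the kind of config many hosts ship with
Port 22
PasswordAuthentication yes
PermitRootLogin yes
EOF
cat > "$HARD_CFG" <<'EOF'
# constructed sample: key-only logins, no root, no interactive prompts
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
EOF

for cfg in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== $cfg =="
    n=0
    audit_sshd_config "$cfg" || n=$?
    echo "weak directives: $n"
done
```

Point it at a real /etc/ssh/sshd_config by replacing the sample paths; the useful part is that absent directives are scored by their upstream default rather than skipped, which is how a config that “looks fine” still ends up accepting passwords. On OpenSSH 8.7 and later ChallengeResponseAuthentication is an alias for KbdInteractiveAuthentication and is still accepted.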
Anything else I should be doing? Share your tips in the comments!