Now is a good time to prepare for your phone and computer getting hacked
I think that the risk of a major cybersecurity threat - of similar economic magnitude to COVID - is under-appreciated.
My friend recently got hacked and this highlighted how easily we can lose access to our email, documents and bank account if our computers and phones.
It's good to take steps to avoid being hacked, but, it's equally - if not more - important to be prepared to recover from a hack.
Last week, one of my friends got seriously hacked and lost control over their phone, computer and internet router. They have made good progress in resolving the issue, but it was a reminder for me to revisit my own preparedness for a computer and phone hack. In particular, it made me realise how much security is now dependent on our phone.
I think that a major global cyber hack is likely over the next decades and will arrive unexpected, much like COVID-19. I've taken some time to review the security of my information and am presenting my approach here. I'm not a cyber or software expert, and this approach is imperfect, but I hope that it serves as a reminder to you to check if you could survive a hack.
Plan to survive, not just avoid, a hack
Yes, it's good to take measures to avoid getting hacked (i.e. someone getting control of your computers and digital information) - and I'll cover some of those. However, I don't believe any system can be 100% protected from hacks, so it is best to assume you will get hacked and think about how you can cope in that scenario. (I highly recommend the movie Zero Days as an eye-opening insight into how easy computers are to hack).
0. Simulate a Hack
Even if you don't read any of the rest of this article, I recommend doing the following:
a. Open up a browser in private mode.
b. Navigate to the website of an important service (e.g. your bank or email provider).
c. Assume that you no longer have i) your password/or it has been changed, and ii) your phone.
d. Try to log in to your account.
If you can't find a way to log in, then you probably are vulnerable if your phone and computer get fully hacked.
Oftentimes, the only ways to avoid this are i) having back-up codes on paper - if the service allows that, ii) having a backup e-mail to recover your password, iii) calling the company (often a slow and painful option).
1. Two Factor Authentication
For important accounts, I always turn on two factor authentication (2FA). I use an authentication app like Google Authenticator where possible. Sometimes SMS/text messages to my phone are the only option for 2FA. SMS is better than nothing, but text messages can be intercepted, so two factor using an authentication app is preferable.
2. I use a VPN (virtual private network)
I always use a VPN on my laptops. A VPN helps to hide your IP address (the address of your computer when accessing the internet). This helps to stop your computer from being targeted - especially if on a public wifi network.
For a computer, there are many VPN services available like Proton VPN or Nord VPN or Express VPN that you can buy for a few euro per month.
There are also services that provide VPN for mobile phones. These are less common but becoming more common. Brave VPN is one new option for iOS that I use.
3. Consider putting the most important passwords on paper
Yes, there is a risk that somebody could find/steal these passwords and that risk is worth considering. However, it's always possible that i) your password gets stolen by hackers if you've stored it on your computer or phone, ii) you forget your password, or iii) you just die. Writing your password on a piece of paper opens you up to the risk that someone finds the piece of paper, but it does a good job addressing risks i-iii. My view is that there are many more hackers that can steal stuff from my computer than there are thieves that can find a piece of paper.
The risk of someone finding the piece of paper can also be partially mitigated by setting up the app/service so that you are notified - to your e-mail and/or phone - if your password is updated or if there is a sign-in from a new device. If someone finds your piece of paper, you can - in theory - take action right away once you are notified that they are trying to log in.
4. Save passwords to a password manager
There are many options for password managers - from web browsers to Keepass to OnePass. These are not perfect but are often better than an unprotected Excel or Word document.
The benefit is that you can use different passwords for every website. This is important because it is highly likely that some of the services you use will get hacked and passwords will get exposed to the public. Of the 200+ services that I have passwords for, I know of at least three that have been compromised. If I had used the same password for all services, then the password for all of my services would be compromised!
Of course, holding all of your passwords in one password protected database isn't perfect. There is the risk that your password database gets hacked - especially if you hold the database on a device that is online. This is why two factor authentication is important to use for critical accounts.
There is also the risk that your password database gets damaged and the passwords can't be recovered. One way to provide some protection for this is to regularly back up your database to a hard drive that you store disconnected from the internet.
5. I do regular offline back ups of my password database, email account, website/blog and documents
One outcome of a hack is that the hacker uses your personal information to steal money or make use of your identity. Another possibility is that you are drawn into a large scale hack where an attacker gains control of your accounts but their ultimate target is someone else in the larger group being hacked. They may not care about your information, but you may still lose it or be denied access to your accounts. In other words, it's possible you will simply be collateral damage.
If you do lose access to your accounts and/or information, then you need a backup copy - ideally one or two offline hard drives. I try not to be in a position where my most important information is only stored online.
6. Create a Backup E-mail with a different service than your main e-mail
For example, if your main email is iCloud, use Gmail as a secondary email; if your main email is Protonmail, maybe use iCloud as your backup. The key point is that I don't want to have your backup e-mail being managed by the same service as my primary e-mail - that's a recipe for disaster if my main email service is hacked.
7. Prioritise and try to keep things simple
We all have so much information that security can seem overwhelming. Try to prioritise what is most important to you. Maybe that's your e-mail. Maybe it's your bank account. Maybe it's your cryptocurrency.
Work through the exercise of trying to recover your accounts and critical documents if you lose your password, your computer and your phone.
8. Wildcard measures
Take some additional precautions that aren't disclosed on a public blog :)
Invitation for Comments
What further tips do you have on avoiding and surviving hacks? Do you have any concerns with any of the approaches above? Please do comment below.