Protecting Personal and Private Information

Primary e-mail account and mobile phone number key to privacy

Sensitive Information Policy - PrivacyThere have been cases where hackers were able to convince a major carrier to issue a replacement SIM that gave them hacker access to a user’s primary mobile phone number. That in turn allowed them to reset passwords on the user’s Gmail or other free e-mail accounts, which gave them unimpeded access to the user's entire identity.   There have been cases where hackers have shut down Twitter accounts, wiped out everything associated with a free email account, and even eliminated access on-line banking accounts or transfered out funds.

The lessons from these types of breaches is that a primary phone number and a primary email address are far more valuable than most individuals realize. As our reliance upon on-line services grows, these two data points are extremely common means of authentication.

If either one is compromised, an attacker can do extensive damages. And if those two factors are tied too closely together, it's game over for an individual’s on-line identity.

Don't trust your important email to free consumer-grade services

Google and Microsoft are the world's two largest email providers, with have both consumer and business-grade subscriptions. With a free Gmail or Outlook.com account, there are almost no support options except to fill out an on-line form and pray that someone handles it. (Note -  the fact that you pay for storage upgrades doesn't mean you have a business-class account.)

Purchase for a business account.

A G Suite Basic account looks exactly like the free Gmail product, but it comes with 24/7 support from a real person is included with a paid subscription to G Suite. A Microsoft's Office 365 Business Essentials subscription, which includes a 50 GB mailbox, a custom email domain address, and 1 TB of OneDrive for Business cloud storage.

You can get those services as part of an Office 365 Business Premium subscription, which includes Office applications for 5 Windows PCs or Macs and five tablets. Support is available 24/7, with a one-hour response time commitment.

A hacker who manages to crack your business email account doesn't have access to your administrative console; they might be able to change your password, but they can't delete your account. In fact, using those administrative tools, you can lock down a compromised account immediately, preventing any further damage.

Improve security on your primary mobile account

Minimize purchases and registrations that depend on mobile devices. Do them on a desktop if at all possible.

Utilize a seconday SIM card(s) for common purchasing tasks.  That way hackers are not able to learn enough about you to social engineer their way through the normal security checks that keep your account from being compromised. Also tell your mobile provider that you want them to be extremely cautious, even paranoid, about the security of your account.

Every U.S. mobile provider has the option to add a separate security PIN or password to your account. This is different from a SIM password/PIN, which prevents your physical SIM card from being removed and automatically activated in another device.
Finally, ask your mobile provider if there's a way to flag your account for extra security to prevent unauthorized number porting or SIM-swapping. The most inconvenient scenario is you'll have to show up personally at a local office, with photo ID, to recover from a damaged device.

It is interesting to note that T-Mobile customers are disproportionately affected by SIM-swapping.

Don't save passwords in your browser

A third-party password manager is one of the most valuable security precautions you can take. Having a unique, impossible-to-guess password for every service you use is an excellent way to prevent most common forms of attack.

Security goes right out the window if those passwords are stored with your Google or Microsoft account and can be unlocked by anyone who compromises that account.  This is significantly minimized with a well-designed third-party password manager.

If you've got passwords saved in Google Chrome, Internet Explorer, Mozilla Firefox, or Microsoft Edge, delete them after you've set up a third-party password manager.

Of course, you want to make sure that whatever third-party password manager application you've chosen can't be compromised by someone who has access to your mobile account or email.

Disconnect your telephone number from crucial authentication scenarios

The reason SIM-swapping has such a devastating impact on your identity is that your phone is typically the first device that a service will use to help you reset your password.

Whenever possible, remove the option to use that phone as proof of identity and use an authenticator application or a saved code you previously generated. This strategy forces you to use a trusted device as an authenticator. A hacker who has a SIM-swapped phone number or an email password doesn't have a trusted device and is thus locked out.

For Allowed 2-Step Verification Methods, choose Any except verification codes via text, phone call.

Backup and sync your devices frequently

Ensure that a single point of failure doesn't cause you to lose data. A cloud-based service is an excellent way to prevent fire or flood from destroying your local copies, but human error or a configuration mistake (or forgetting to pay the annual subscription fee) can cause some or all those files to disappear.

Save the really important stuff, like family photos, in at least two cloud locations: iCloud and OneDrive, for example. And yes, keep a local backup of those files, just in case.

Read On Order Sensitive Information Policy Download Selected Pages Privacy Compliance Policy