“‘I Lived a Nightmare:’ SIM Hijacking Victims Share Their Stories”—vice.com/en_us/article/… If you (like most people) have your phone number configured in account recovery (NOT 2FA! Account recovery! Not 2FA!) for your accounts, then you are currently vulnerable to this. …
Interesting detail: the victims described here lost huge amounts of money _not_ from cybercoins but from wire transfers, bank account transfers, Zelle, credit cards, etc. Even if you don't own any cybercoins, you are still at risk. …
Additionally, I am aware of numerous non-public stories of people being extorted (sextortion, death threats, etc.) by the attackers who take over their accounts this way. Even if your cybercoins and your bank account don't get compromised, you could be extorted. …
Here are several more stories like this to help you realize that this is _not_ a hypothetical or rare situation:

1.

2. krebsonsecurity.com/2018/11/bustin…

3. forbes.com/sites/laurashi…

Okay, I've convinced you that this is a real threat, right? You're paying attention now. But what can you do about it? ...
Well, there are a lot of instructional web pages basically describing all the different things you could do that might help. Here's a particularly well-organized one: medium.com/mycrypto/what-… Three problems: 1. You're not going to do all those things. …
2. You're not even going to actually read that whole document, are you? Admit it. 3. Even I — being a security expert and having read that whole document — am not sure that doing all those things would actually help. …
Fortunately there is a simple step that you can take right now, that you can understand, and that absolutely _does_ protect you against these attacks! The step is to remove your phone number from the account-recovery (not 2FA) settings on all of your accounts. I'll explain. …
I've done this with quite a few people now and iteratively improved the process. What you're going to do is go to one of your important accounts—like let's use your google/gmail account as an example—and do these three simple steps: …
1. remove your phone number from account recovery (not 2FA), 2. Configure a non-phone-number-based method of account recovery in case you lose your password, and 3. test it to make sure that steps 1 and 2 actually worked. …
Let's start with step 3! Log out of your account, then pretend that you are Ivan the Attacker, who has taken over your phone number and who has scouted you out and learned other pieces of information about you like your name, birthday, maybe the name of your first pet, etc.
Now go to the service (e.g. google/gmail) and try to get into your account as Ivan, using nothing but Ivan's control of your phone number and his knowledge of your personal information. See how google will let Ivan into your account using that? Good.
Now let's go to step 1: log into google and remove your phone number from account recovery. ACCOUNT RECOVERY IS NOT 2FA. 100% of the people I've done this with so far have, when I told them to remove their phone number from account recovery, instead gone and removed their phone number from 2FA, and then they thought that they were safe. Fortunately you don't have to understand the difference between account recovery and 2FA, all you have to do is remove your phone number, and then log out and perform the "Ivan the Attacker" drill again and see if Ivan can still get in using your phone number. You're not done with step 1 until Ivan the Attacker can't get google to let him use his control of your phone number, no matter how many times he clicks on the "let me regain access to my account a different way" link. Okay, once you've succeeded at that, and Ivan the Attacker can't get into your account even though he controls your phone number, then you're done with step 1.
Step 2 is to make sure that _you_ can get back into your account. I recommend that you store your password in a password manager like 1Password or LastPass, and then make sure you are able to get back into that password manager even if you lose your phone or forget the password to your password manager. The way to ensure you can get back into your password manager is to write down the password or backup codes for your password manager on a piece of paper and put them in an envelope and put the envelope somewhere in your house.
Again, like with step 1, you can test this by logging out of your account and then seeing what happens if you try to get back in, this time not as Ivan the Attacker who controls your phone, but as you yourself who has lost your password and/or your phone. Once your testing shows that Ivan can't get in even though he controls your phone number, but that you can get back in thanks to your piece of paper in the envelope, then you're done! Congratulations.
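A small model of the three-step procedure above, as an added example that is not part of the thread: a toy account-recovery policy (an assumption for illustration, not any real provider's flow) with a phone-number path and a one-time backup-code path, plus the "Ivan the Attacker" drill written as a check you can run before and after removing the phone number.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Account:
    # Phone number registered for account recovery (NOT 2FA): the risky setting.
    recovery_phone: Optional[str] = None
    # SHA-256 hashes of one-time backup codes; the plaintext codes go on the paper in the envelope.
    backup_code_hashes: Set[str] = field(default_factory=set)

    def issue_backup_codes(self, count: int = 5):
        codes = [secrets.token_hex(5) for _ in range(count)]
        self.backup_code_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        return codes

    def remove_recovery_phone(self):
        self.recovery_phone = None


@dataclass
class RecoveryAttempt:
    controlled_phone: Optional[str] = None  # number the requester can receive SMS on
    backup_code: Optional[str] = None
    knows_personal_info: bool = False       # name, birthday, first pet: never sufficient


def recover(account: Account, attempt: RecoveryAttempt) -> str:
    """Evaluate a 'forgot my password' request against the account's recovery settings."""
    # Path 1: SMS code to the recovery phone. After a SIM swap, Ivan receives these.
    if account.recovery_phone and attempt.controlled_phone == account.recovery_phone:
        return "granted:sms"
    # Path 2: a one-time backup code, compared in constant time and consumed on use.
    if attempt.backup_code:
        digest = hashlib.sha256(attempt.backup_code.encode()).hexdigest()
        match = next((h for h in account.backup_code_hashes if hmac.compare_digest(h, digest)), None)
        if match is not None:
            account.backup_code_hashes.discard(match)
            return "granted:backup_code"
    # Knowing personal details alone opens nothing.
    return "denied"


def ivan_drill(account: Account, hijacked_phone: str) -> str:
    """Step 3 of the thread: can an attacker holding your number get in?"""
    return recover(account, RecoveryAttempt(controlled_phone=hijacked_phone, knows_personal_info=True))


def owner_drill(account: Account, code_from_envelope: str) -> str:
    """Step 2 check: can the real owner get back in with the code on paper?"""
    return recover(account, RecoveryAttempt(backup_code=code_from_envelope))
```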
Please do this now so that you don't wind up as one of those horror stories at the top of this thread. :-)
P.S. There is an upgrade, which you shouldn't look at until after you've done the above, and it might not even be necessary for everyone, but it is to buy a hardware security key from Yubikey, Feitian, or Google. It's pretty easy. Go ahead and do it after you've done the above.