
A Defensive Computing Checklist

NDesai
Oracle

I came across this helpful information that I think everyone should read through. We are all involved in some kind of online activity every day, and staying safe is more important than you think.

Link: Defensive Computing Checklist 

Here are some key areas that need attention, as some of us see it occur on Public Mobile every now and then.

PASSWORDS

  • Never re-use passwords. We all need dozens or hundreds of passwords, yet we can remember just a few. Nonetheless, this is a very important rule. Companies are hacked all the time, leaking passwords that bad guys then try at other systems/websites. This article, Credential stuffing explained: How to prevent, detect and defend against it (Lucian Constantin Oct 2019) notes that the automated use of stolen usernames and passwords to access accounts is low risk, high reward for cybercriminals.
  • Almost every computer nerd recommends password management software. I disagree. Techies that say this are thinking inside the box and overvaluing the need for randomness in passwords. They also underestimate the hassle of new software for non-techies.
  • Try using a formula to generate your passwords. A simple formula is to start every password with the same string of characters. Then, you can choose very simple passwords to append to the constant beginning. For example, a baseball fan might start every password with "BaseballRules!" Then, if "jungle" was their password for Amazon.com, the actual password is "BaseballRules!jungle" And, all you would have to remember would be that your Amazon password is "jungle". Pretty easy. Amazon. Jungle. And, the miserable password "book" for Barnes and Noble, becomes a good password ("BaseballRules!book") when run through the formula. Perhaps the worst password is the word password. But, as Leo Notenboom points out, "1234 password 1234" is a pretty good password. It's also easy to remember. There's a formula: start and end every password with "1234". I expanded on the use of formulas in my Aug. 2019 blog The world's BEST password advice.
  • You can check if any of your passwords have leaked in a data breach at haveibeenpwned.com/Passwords. Of course, someone else may have been using the same password. The best passwords have never leaked and a formula (above) should produce globally unique passwords fairly easily.
  • Storing passwords: Using a formula lets you write down just the easy/right part of the password and still be secure. If someone saw your password list and read that "book" was your Barnes and Noble password, it would be useless without the formula. Passwords written on paper cannot be hacked; just be sure to xerox the list every now and then in case you lose it.
  • Traveling passwords: Paper passwords work everywhere, no matter the device, the Operating System or the software being used. I use a password manager and it's useless on a Chromebook running in Guest mode, which is where I do my sensitive transactions.
  • All that said, no single approach is appropriate for everyone.
  • Some passwords are much more important than others. Which, of your many passwords, would be the worst for bad guys to obtain? Keep those passwords off your computers. Store them on multiple pieces of paper in multiple places. Or, store them on a USB flash drive which is rarely connected to a computer.

SIM SWAP

A SIM swap is Identity Theft in which bad guys steal your mobile phone number and get it assigned to one of their phones. They do this because a phone number is often used to prove identity, with forgotten passwords. Other terms for this are SIM Hijacking and a port-out scam.

  • First signs: A few people have noted that the first sign of trouble was no cell reception on their phone. For one person, the first hint of trouble was a text message from T-Mobile about a call to them that he did not make.
  • Defense: A phone number from TextNow is a safer way to use a phone number for 2FA. For more see the Phone Number Hiding topic. This is my idea, I have not seen anyone else suggest it.
  • Defense: Have the customer service number(s) for your cell company saved on your phone. Also save other information that could prove your identity to the cell company, such as the credit card used to pay the bill, the date the account was opened, etc. And, save everything you need to log on to their website.
  • Defense: To defend against SIM swaps, you can create a security code with your cellphone provider. This code needs to be provided over the phone, or in person at a store, before account changes are made. T-Mobile sometimes calls it an Account PIN, sometimes they call it a Port Validation feature (see Protect against phone number port-out scams). Verizon calls it both an Account PIN and a Billing Password. AT&T calls it a Security Passcode. How to Protect Yourself Against a SIM Swap Attack by Brian Barrett in Wired (Aug. 2018) has details on how to set up the extra PIN code for each cellphone company.
  • Defense: How to Stop Your Mobile Number from Being Hijacked by Paul Wagenseil (March 2018). Most victims seem to use T-Mobile. AT&T has two defenses: both a passcode and Extra Security to enforce the use of the passcode.
  • T-Mobile Defense: T-Mobile Has a Secret Setting to Protect Your Account From Hackers That It Refuses to Talk About by Lorenzo Franceschi-Bicchierai for Vice (Sept 2019). A feature called NOPORT requires customers to physically come to a store and present a photo ID in order to request their number to be ported out to a different carrier or a new SIM card. This is separate and distinct from their Port Validation.
  • Verizon Defense: Call *611 and ask for a Port Freeze on your account (from here). Their website offers Two Factor Authentication, which they also call Enhanced authentication. But it is only SMS. And even when it's off, it is on (personal experience). I tried to turn it on (Jan 2020) and it broke the Verizon wireless website.
  • Poor defense: The PIN code defense is far from perfect. Brian Krebs wrote (Nov. 2018) that there is no defense against malicious employees of the cellphone company. He also wrote about lazy employees who ignore the system. Matthew Miller had his T-Mobile phone number stolen from him twice, despite having a PIN code on file. He writes that T-Mobile has two PIN codes, one for when you call into customer service, and another port validation PIN (6-15 digits). After reading his story, you might want to avoid T-Mobile entirely. Then too, the TrickBot malware is known to modify the signon page for cellphone companies to steal these PIN codes. (Secureworks Aug. 2019)
  • Defense: If you use either AT&T or T-Mobile, and your PIN(s) were set prior to August 2018, change the PIN(s). In August 2018 we learned that T-Mobile was hacked and bad guys stole their customer billing information. In the same month, we learned that both AT&T and T-Mobile had their customer PINs exposed to the world.
  • Defense: Use a land line for two factor authentication rather than a cellphone number, if possible. Rather than a text, the company calls you and speaks the temporary code. Apple supports this. A similar option, championed by Lorenzo Franceschi-Bicchierai (July 2018) is a Google Voice phone number.
  • Defense: In Nov. 2018, Joseph Cox of Vice, suggested dedicating an iPod Touch to using Signal for secure phone calls. It's Wi-Fi only, and you can add a VPN for still more security. See How to Use an iPod Touch as a Secure Device Instead of a Phone.
  • Immediately Afterwards: check that you still have access to your most important accounts. Email, bank, credit cards, etc.
  • Afterwards: The US Federal Trade Commission runs identitytheft.gov where you can both report the identity theft and learn how to recover from it.
  • Defending email from password resets: ProtonMail can block all password resets. In the web interface, click Settings and there is an option to "Allow password reset". Tutanota does not allow two factor authorization with text messages, they only support the stronger options: Time Based Onetime Passwords (TOTP) and physical keys like Yubikey. In the Email section, I discuss using multiple email addresses. This avoids having too many eggs in any one basket, should an email account get hacked. Consider that email may well be important enough to pay for, if for no other reason than to get tech support when things go bad. I suggest ProtonMail, Mailbox.org or Tutanota.
  • Background: Much of the world has fixed this problem, but the US remains vulnerable. Why Phone Numbers Stink As Identity Proof by Brian Krebs (March 2019). Wave of SIM swapping attacks hit US cryptocurrency users by Catalin Cimpanu for ZDNet (June 2019).
  • Lawsuits: AT&T Faces New $1.8 Million Lawsuit Over Sim Hijacking Attack by Karl Bode (Oct 2019). This is just the latest in a series of lawsuits attempting to hold cellphone carriers accountable. A subscriber had both his identity and life savings stolen via SIM swap. A different subscriber sued AT&T last year for $220 million. T-Mobile was also sued last year.
  • Things are bad: Lawmakers Prod FCC to Act on SIM Swapping (Brian Krebs Jan 2020). The Republican FCC protects the cell companies, not consumers. Some Democrats in Congress are mad. Other countries protect consumers.
  • Things are bad: A study by researchers at Princeton University: An Empirical Study of Wireless Carrier Authentication for SIM Swaps (Jan 2020). Quoting: "We examined the authentication procedures used by five prepaid wireless carriers when a customer attempts to change their SIM card, or SIM swap. We found that all five carriers use insecure authentication challenges that can easily be subverted by attackers." See also a Twitter thread by Arvind Narayanan.
  • Things will only get worse: Hackers Are Breaking Directly Into Telecom Companies to Take Over Customer Phone Numbers by Joseph Cox (Jan 2020). Bad guys are using RDP to directly access the internal systems of T-Mobile, AT&T and Sprint to do their own SIM swaps. Bribing employees is so last year.
  • One guy's story: SIM swap horror story: I've lost decades of data and Google won't lift a finger by Matthew Miller of ZDNet (June 2019). This should convince people to take defensive steps. After getting control of his phone number, bad guys used it to change the password on his Google and Twitter accounts and used his bank account to buy $25,000 of Bitcoin.
  • Another guy's story: How Twitter CEO Jack Dorsey's Account Was Hacked (Wired Aug. 2019). A SIM swap gave the bad guys access to his phone number. Then, they sent texts to his Twitter account, which appeared as Tweets, without needing to know his Twitter password.
  • Big picture. As a rule, adding two factor authentication (2FA) makes an account more secure. But, in mid-2019 a couple techies wrote about being victimized by SIM swaps (articles are linked above), which, in turn, made it possible for bad guys to change many of their passwords. In these cases, the use of 2FA made them vulnerable. For more on the pros/cons of 2FA see the Two Factor Authentication section.
  • What to expect: In June 2019, I tried to add Extra Security to an AT&T mobile phone number. The web page explaining exactly what this does was broken, so I don't know what it really does. Also, the system is poorly designed. When I first signed in to the AT&T website it sent a text with a one-time code to the phone. Had I been a victim of SIM swapping, this would have locked me out of the website. Dealing with AT&T is hard: you need to keep track of a userid (for which there are two definitions), a password, an Access ID (beats me), an email address, a security passcode and two security questions. When I got in to the website, it forced me to pick two new security questions even though I had already set this up long ago. Why? It didn't say. To add the mythical Extra Security: click on your first name in the top menu bar (on the right), then Profile, then Sign-in Info. Perhaps choose a particular phone number. Then, click on Manage Extra Security in the Wireless passcode section. Then turn on the checkbox for Add Extra Security to my account. Then enter your passcode. Whew.
  • What to expect: In July 2019, I changed the passcode on an AT&T mobile phone number. The process starts by logging in to www.att.com/wireless/ which includes entering a code sent to the phone via a text message. Then, click on the account holder's first name in the upper right corner -> Profile -> Big box for SignIn Info -> click on the "Get a new passcode" link -> enter the last 4 digits of the social security number and the zip code -> then get a text message with another temporary code -> enter this code -> then, finally enter the new passcode. What is a valid passcode? They don't say. Must it be numeric? How long can it be? None of your business. At the end, you get another text message that the code was changed.
  • Defense: The SIM Swapping Bible: What To Do When SIM-Swapping Happens To You by CipherBlade and MyCrypto (June 2019). Overwhelming article.

______________________________________________________________________
I am not a mod. Do not send me private messages with your personal info.
If you need to contact a PM Customer Support Agent, send a Private Message.
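The haveibeenpwned.com/Passwords check mentioned in the PASSWORDS section above can be scripted against the service's k-anonymity range API, which only ever receives the first five hex characters of the password's SHA-1. This is an added example, not part of the checklist or this post; the range response it parses offline is constructed sample data (the suffix for "password" is real, the counts and other suffixes are made up).

```python
import hashlib

# Real endpoint behind haveibeenpwned.com/Passwords:
#   GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>
# The server answers with lines of "<remaining 35 hex chars>:<breach count>".
# Neither the password nor its full hash ever leaves the machine.


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 into the 5-char prefix that is sent to
    the service and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(password, response_text):
    """Return how many times the password was seen in breaches, given the
    body of a range query for that password's prefix. 0 means not found."""
    _, suffix = sha1_prefix_suffix(password)
    for line in response_text.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Live lookup (needs network); kept separate so parsing runs offline."""
    import urllib.request
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"User-Agent": "defensive-computing-checklist-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6 (SHA-1 of "password" starts
# with 5BAA6). Real responses contain hundreds of suffixes; counts are made up.
SAMPLE_RANGE_5BAA6 = """\
00F8F9EF9B0B6A8A4D4E9A9B5C7D3E2F1A0:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
3A2B1C0D9E8F7A6B5C4D3E2F1A0B9C8D7E6:1
"""

if __name__ == "__main__":
    prefix, _ = sha1_prefix_suffix("password")
    hits = count_in_range_response("password", SAMPLE_RANGE_5BAA6)
    print("prefix sent:", prefix, "| seen in sample range:", hits, "times")
```

A password that is absent from the returned range (count 0) has simply not been seen in the breaches the service indexes; it is evidence, not a guarantee of strength.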

10 REPLIES


@Luddite wrote:

As far as banks/PayPal goes 2FA is OFF unless Authy is accepted ...


But Authy is owned by Twilio, a media/communications company which makes a lot of money through "platform evangelism": basically a data broker interested in selling their datamine to the highest bidders.

stevenanto
Model Citizen / Citoyen Modèle

@gpixel sometimes the old ways are the best ways; if it ain't broke then why fix it, right?

@Luddite that's right! gotta do it old school... no tech.

@NDesai  Lots of food for thought; thanks. Really like the long password with unique endings, especially combined with password manager so I don't have to type it all.

As far as banks/PayPal goes 2FA is OFF unless Authy is accepted; plus we have bank only passwords stored nowhere electronically.


>>> ALERT: I am not a CSA. Je ne suis pas un Agent du soutien à la clientèle.


@gpixel wrote:

@Korth I saw it this afternoon. I should have taken a screenshot.


@natan_NBA Are you an NBA fan? 🏀

@Korth I saw it this afternoon. I should have taken a screenshot.


@gpixel wrote:

it makes me a little discouraged when I see a moderator's name with ?_NBA at the end of it. lol are you kidding me?


Huh? I haven't seen this. Where did you see this?

it makes me a little discouraged when I see a moderator's name with ?_NBA at the end of it. lol are you kidding me?

Anonymous
Not applicable

This is the one that I've been wondering about:

Things will only get worse: Hackers Are Breaking Directly Into Telecom Companies to Take Over Customer Phone Numbers by Joseph Cox (Jan 2020). Bad guys are using RDP to directly access the internal systems of T-Mobile, AT&T and Sprint to do their own SIM swaps. Bribing employees is so last year.

-----------

Aside from data breaches...

Korth
Mayor / Maire

Awesome article, sir, excellent work!

Though a lot of specific examples are given for T-Mobile, AT&T, Verizon ... and none for Public Mobile?