personal internet security
Do you have a low-cost phone provider that doesn't take security too seriously? Do you travel often and are away from "home base" for extended periods? This text discusses some specific recommendations on aspects of personal internet security that may be useful to you.
The security setup recommended here has two main goals:
goal #1: If a hacker steals (aka ports away) your phone number, we want to make sure they can't use SMS codes to log into your email account and then break into your bank, personal finance, shopping and social media accounts.
They are able to steal your number because of the thousands of data breaches in the past ten years. Your "secret" information that "only you would know" is now available to hackers to use when they call up your mobile provider pretending to be you. Hackers know your mother's maiden name, social security number, addresses past and present, phone numbers and lots of other trivia, like "the name of your first pet". If a company has ever asked you for a piece of information online, you can be sure that information is now available to hackers.
goal #2: While traveling, especially out of the country, if you lose your phone and are not traveling with other technology as a backup, like a laptop, tablet, or spare phone, you'll need to be able to recover without begging various customer service reps to let you back into your accounts when you've now lost your 2 factor authentication (2fa).
How's it going to look to those reps when you are calling from some foreign country asking them to disable 2fa on your accounts because you've "lost" your phone? I would hope they wouldn't fall for that and let you in--even if it was true in your case! (Ideally, you'd be traveling with a second device that you'd always leave in your suitcase as a backup, but sometimes you may not.)
This recommended security setup uses two pieces of software: bitwarden for managing passwords, and 2FAS for managing the TOTP (time-based one time password) codes used for your 2fa (2 factor authentication). The lowest paid level of premium bitwarden service is also recommended because that will allow you to store files in your vault in addition to passwords. These recommendations will work with any combination of iOS, Android, Windows, Linux, and MacOS devices you may own and use.
Set up your devices like this:
- install 2FAS on your phone with a pin and/or biometric lock (if you don't use a pin, or your face, or a fingerprint every time you use the app, you risk a bad guy grabbing your physical phone while it's unlocked and being able to access your 2fa.)
- install bitwarden premium (which allows file storage) on your phone with a password you can memorize and a pin/biometric lock (if you don't use a pin, or your face, or a fingerprint every time you use the app, you risk a bad guy grabbing your physical phone while it's unlocked and being able to access your bitwarden.)
- prevent your phone from displaying contents of new incoming messages on the screen when locked (you don't want your phone displaying 2 factor SMS codes to the bad guy who took your phone. Not all of your banks and other logins will allow the use of authenticator app based 2fa; some may still only offer SMS.)
- activate your phone's "lost phone" handling feature for tracking and/or wiping a lost phone; this needs to be set up *before* your phone is lost.
- install bitwarden in your browser and log in using your memorized password
- optionally install 2FAS in your browser (since the 2FAS browser plugin still requires your phone to be in your presence to use, this is strictly for convenience and not necessary)
- use long random bitwarden generated passwords for all site logins
- activate 2FAS 2fa for all sites that support it. (at minimum: your email provider, and mobile phone account)
- when turning on 2FAS authentication for a site, save a copy of the setup qr code and any reset codes the site gives you to an offline location. Do not save these on your PC, and do not place any of this information inside of bitwarden. Only the password protected backup of your 2FAS data should be stored in bitwarden. (If a hacker ever gets into your bitwarden, having your 2 factor authentication data elsewhere (or separately encrypted) will be very important.)
- also periodically back up 2FAS data to bitwarden (premium) encrypted with a password you can memorize (that way, if a bad guy ever gets into your bitwarden somehow, they would also need a separate password to get your 2fa tokens.)
before you leave home
- back up 2FAS to bitwarden one last time
- remove 2fa from your bitwarden login if you've enabled it -- you may need access to bitwarden from a borrowed computer or phone during a travel emergency.
- set your phone lock screen to have extremely quick timeouts. If the phone is out of your hands for more than 60 seconds, it should lock
- double check that your phone's "lost phone" features are active
- write down your phone's serial number and IMEI number and bring it with you. These may be needed by your provider to disable mobile access to the phone in case of phone loss
if you are traveling and you lose your phone
- borrow a phone or buy a new one that can access the internet (even if it has a different phone number, and/or a different brand/platform than you normally use) (note: you can't use a pc for this step, because 2FAS only works on iOS and Android)
- install bitwarden, and 2FAS
Of course, this is easier said than done. What happens when you go to set up a new Android or iOS device and try to install an app? You get prompted to log into your Google or Apple account. What do you need to do that? Access to your old phone number or access to your 2FAS 2fa tokens. A major chicken and egg problem. The solution is to set up a new account with your new (albeit temporary) phone number and use that to get into your new phone's app store.
- log into bitwarden from memory (this works because you've disabled 2fa before you left home if you have it on normally)
- download and import the 2FAS backup from bitwarden (enter the 2FAS backup password from memory)
- access your email using the password from bitwarden and 2fa from 2FAS
- log into your phone provider and report your phone as lost
- now you can recover access to any less critical websites, and work on getting a new phone with your old phone number at your leisure
if you don't have a phone
- install an Android emulator on your PC or Mac so that you can log into the Google Play Store and install 2FAS
- a free emulator you can try is BlueStacks. You can ignore all of the gaming nonsense, and just open the "App Player"
- then go to the Google Play Store and create a new account using a friend's phone number.
- finally, install 2FAS and bitwarden inside of the emulated Android device.