Mark told me that a buddy of his was SIM cloned and lost access to everything from his credit cards to his bank to his phone account, so be warned, they are out there. It looks like it might have happened on public WiFi, but from the description it was either a zero-day attack (he would have had less of a chance with out-of-date software, but a zero-day by definition means that the attack is in the wild and there is no fix for it), or he’s a spook, or he hit OK on a link he got. For context, there are about 200-300 zero-day vulnerabilities discovered across all software every month! And for things like Chrome and iOS, there have been 70 zero-days discovered so far this year. So here is what to do:
- Keep all your machines up to date. This is the most common problem. I can’t stress this enough: on the Mac, check System Settings > General > Software Update regularly, at least every month.
- 1Password (and Apple Keychain) for passwords. Most importantly, make sure you randomize all passwords. And turn Watchtower on to see which sites are hacked. This is very painful but it is the most common vector. It will also tell you which of your passwords are already in the hacker corpus. Nearly all my handmade passwords from 10 years ago are hacked and in there.
- Authy for 2-factor authentication. It’s a huge pain but your buddy would have been much safer. Another pain in the ass, but passwords are the problem. You really want to add a second factor to everything, so if your phone gets hacked, they will still have some trouble.
- Credit freeze. Turn on all your credit card transaction notifications and set them to instant. Another painful thing, but you want an immediate text for all transactions. It is a monumental pain to have to go to Equifax, Experian, and TransUnion, but at least you only have to do it once.
Now on to device protections:
- NordVPN is great. Note there are huge discounts on stuff like this. Use cashbackmonitor.com to find them. I normally get 50% off. The main issue is you have to use them. Turn that protection on. Be aware, for your family, that some sites do not work with it. Either they need to plant horrible sensors to actually run (looking at you, BofA) or the egress points are on blocklists since spammers use the same services.
- Use all the Safari privacy settings, and I use Ghostery on top. This prevents evil websites from loading stuff on your machine. That is a really common spyware vector. Note this will break certain websites. NBC.com, for instance, detects these and refuses to display because it cuts out horrible ad services. Also, certain sites are so evil that NordVPN will block them and refuse to display them.
- If you are using UniFi routers, turn on its spam and site blocking. This gives minimal protection to your house.
- For antivirus, I’ve used AVG because it’s free. Note this is not anti-spam for email. But if you are using Google or Apple Mail, they are doing a decent job of filtering, although it is definitely not perfect.
- Mac Firewall. Turn on the firewall local to your Mac. I also turn on FileVault. This is dangerous as you can’t see your disk contents if you lose the key. Put that into 1Password.
- Turn on the Screen Time passcode and disallow account changes. This prevents another common hack: social engineering to get your PIN.
- Use a six-digit PIN at least, and really you should probably use the alphanumeric entry. Four digits is too few. Turn on Face ID so you never type it. The nice thing about alphanumeric is that the buttons are smaller, which makes it harder for someone to look over your shoulder.
- Subscribe to haveibeenpwned.com, as that will tell you if you have been hacked; they will send you an email and let you know. Also, 1Password has the same feature, called Watchtower, so I have both on.
- Physical security is another topic, but AirTags and Find My are your friends. With the latest version of iOS, each person can have up to 16 AirTags and you can now share them with your family, but I would put them in anything you care about.