Jameson, brother. How you doing, man?

Not bad, keeping busy.

Yeah, especially now. It's like the second mini bull market's back. That's always good for business when you're in the business of security. Of course, security is always a good business, which is the reason why you and I are talking today. There's two things. Number one, I've been noticing lately that a lot of people have been getting phished, and specifically getting phished through social engineering, and having their login or so-called security feature as a text message. And I know you've had personal experience, and you wrote an excellent Medium post about this, going through what happened to you and what you took on in order to make sure that your privacy stays intact. Obviously privacy means security and safety for your well-being. However, what I want to talk about today is: what are things that people have to look out for, and what are things that people can do today? Like, what are some small, simple security measures? Obviously not bulletproof, but they can greatly help them out in keeping their safety.

Well, it depends on how much you want to focus on the crypto side of things versus just cybersecurity in general.

I think we can do a little bit of both. You know, since we're both in the crypto space, I think a lot of people, like I mentioned earlier, are having issues or getting phished on exchanges, or they're getting manipulated, or people are doing social engineering with their cell phone providers. So we can touch base on that, and I think it's a great overlap into general security: your web browsing history with Gmail, Chrome, etc.

Yeah, I mean, it's all kind of related.
Basically, the advent of these crypto assets has exposed flaws in these systems that have been there all along, but there was never quite the same level of incentive for people to exploit them. And so we're seeing these issues with the various mobile phone providers, at least in the United States, where it's very easy for someone to take over your account with very little information. Apparently this is not a big issue, at least in Europe, because they have a stricter lockdown on your mobile accounts, for whatever reason.

So if people aren't familiar, can you just briefly describe how people are porting or getting access to other people's cell phones?

Basically, the issue seems to be that we are very customer-service oriented in the United States, and the customer service agents at all these telephone companies are more than happy to help people move their phone numbers around, transition between different providers. As a result, they make it very easy for an attacker to do the same thing, but of course pose as the user, give a little bit of personal information, which in many cases can be easily found online, and then they transport the number over to the attacker's phone. Now the attacker can basically assume the mobile phone identity of that person, and that becomes an issue if you're using your mobile phone as two-factor authentication for various online services. It's actually even worse than that, because many services use your mobile phone for account recovery. So basically the attacker may not even have your username and password, or much other information on you, but if they can get your phone number, there's usually several services they can go around to, including your email service in many cases, and they can say, hey, I am you, but I forgot my login information. But I can do an account recovery because I have my phone here, right?
And so the service will then send a link or some other information to that phone number. The attacker can then take over your email and other accounts, and then little by little work their way through your entire online life and try to get as much information and as many valuable assets out of you as possible.

So I just want to recap. Once they have your phone, they'll go to, say, your Gmail and say "I've lost my stuff," and most people have their phones as their backup, and I guess they send a code to the phone, which they use to access your Gmail. And I'm pretty sure then they can do the same process for a crypto exchange, where they can go to the crypto exchange and say, hey, I forgot my password, but now they have access to your email and your phone.

Yep. And really, the best way to figure out if you're susceptible to this is to just try it yourself. Log out of your email account, log out of your exchange accounts, and then go through their processes of account recovery and see what it would actually take for a random attacker to get into your account.

And so what are some simple strategies people can do today to mitigate these security flaws?

Well, the most important thing is to not have phone-based account recovery enabled on any services.

So you're specifically talking about text-based recovery?

Correct. Anything that is sending information to a phone number.

Okay.
It's also a generally good idea not to do two-factor authentication via SMS, you know, sending those rotating codes. Basically, if you're going to do stuff with your phone, then you should be using what's called time-based one-time passwords, which is like Google Authenticator, which is just an app that's running on your phone, but it's not actually tied to your phone number. That way, someone can take over your phone number, but they don't actually have the private information that's inside of that app that creates those rolling codes.

Other than that, like I said, if you're not in America you might not have to worry about the phone porting option, but there are two things that you can do to really try to secure your mobile phone. The first would be to not have a phone number that's actually tied to your name. This can be a little tricky, but basically if you can go buy SIM cards anonymously and then use that SIM as your phone number, then it's not tied to your name.
If the phone company doesn't know that you are this SIM card user, then there's no way for an attacker to call the phone company and say, hey, I need to change the SIM for this phone number tied to this person's name. So there's that, and then there is just trying to find mobile phone companies that don't have these gaping holes where they're getting socially engineered all the time. The only one, at least that's available to Americans, that I'm aware of that has not had these attacks would be Google Fi, and that's because it's basically a Google Voice number and they don't have stores. They don't even really have a whole lot in the way of customer service for you to be able to port a phone number. It basically has a very hard requirement on every Google Fi account that you have to know the PIN that you put in when you set up the account in order to be able to transfer the number over, so there's no means of socially engineering your way through that process.

And then would you recommend, for example, for your social media profiles and everything you're using online,
obviously if you can get this separated burner phone, let's call it, to implement 2FA within a Google Auth system as opposed to SMS?

Almost anything is better than SMS. The best thing, but of course a lot of services don't support it, the best thing is to have hardware-based authentication, so U2F, specifically the YubiKeys. Even Trezor and Ledger devices support U2F, so you can use those as well for two-factor authentication. But if the service you're using doesn't support that, and really it's usually only the extremely popular services or the extremely sensitive services like crypto exchanges that do, then you'd probably end up having to go with something like the more popular TOTP standard, which is what Google Authenticator does.

And beyond that, beyond just getting a burner phone and doing 2FA, which is a massive upgrade in existing systems and security, do you have any recommendations when it comes to VPNs and browsers? Like, what are things people can do to protect their privacy online?

Yeah, just from a really high level of day-to-day internet use, I recommend installing a number of browser extensions like uBlock Origin and Privacy Badger and HTTPS Everywhere that will help lock down your browser usage and help keep you more secure and help keep you from leaking too much data. Also, you want to use a password manager, something like 1Password or LastPass.
I mean, there's a number of different password managers out there, and they all have pros and cons, but almost anything is going to be better than using your brain. If you're using your brain, you're going to be reusing the same password all over the place, and it's basically guaranteed that over a long enough period of time your passwords are going to get leaked. You're going to be putting a password into some service that has terrible practices on their back end, and they're going to get hacked, and your password is going to get leaked at some point. So you can at least minimize the damage of the fallout when that does happen, because every time this happens and some major provider gets all of its usernames and passwords compromised, then these dumps of databases start being passed around on the dark web, and inevitably, what we would see when we were running security services is all these bots start hitting our login endpoints on popular web-based services, and they're just going through a list alphabetically of all of these usernames and passwords that got leaked and trying to see if any of them got reused. And so it's basically an inevitability, and if you want to protect yourself from it, then you can ensure that if your password does get leaked, it's not going to result in people being able to get into your other accounts as well as the one that actually got compromised.

Do you have any recommendations when it comes to stuff like ProtonMail?

I mean, I am a fan of ProtonMail. You're going to be giving up some usability as a result. This is something I was just talking about recently: Google, as terrible as it is because it's sucking up all our data and compromising our privacy,
is extremely user-friendly, and it's great how all the services integrate with one another. Like, you get an email with a calendar invite embedded in it, and it automatically shows up on your calendar as soon as you accept it, and it integrates with their mapping system and all this other stuff. ProtonMail, on the other hand, is much more secure, and theoretically they don't even have access to your data, because it's all getting encrypted on the back end and only decrypted when you're accessing it. But even the search function inside of ProtonMail is not very good, and so it's even hard to navigate through some of your old emails and figure out what was going on. So for me, I tend not to use ProtonMail for everything, but I just use it for the more sensitive things that I would care more about if they got leaked.

And what are your recommendations for VPNs?

For what again?

VPNs.

Ah, yes. There's no one-size-fits-all VPN.
Because there are so many different factors that are involved. If I can remember, I haven't linked it off of the epic post that I made, but there's this website, I think it's called thatoneprivacysite.net, and if you go on there, they have this epic VPN comparison. I think it's got probably 180 different VPNs on it, and it shows you this breakdown of all the different types of threat vectors that you might want to care about. Long story short, there's no single VPN that is perfect with regard to all of these different privacy and security considerations. So it depends a lot on what jurisdiction you're in, what jurisdiction you would prefer the VPN company to be in, who you think they may be sharing data with, how trustworthy they may be with regard to logging, what type of payments they accept, and how private those are. So I generally don't go around and tell people, hey, you should use this one VPN, because there are just so many considerations. If anything, you probably want to have multiple VPNs available. Actually, I have tried out, you know, ProtonMail actually has ProtonVPN now, and that seems to work pretty well.

Nice. And what's your take on Opera? I've been hearing a lot of people talking about it, and I know they have a built-in VPN as well.

Yeah, the browser? Yeah. I actually haven't used it in a number of years, so I'm not as up-to-date on what they're doing. I have noticed that I think Brave browser started having a Tor option as well, because I use Brave on a number of computers, and that is a pretty user-friendly way, I guess, to get on Tor, which is just opening up a special tab in the Brave browser.
Mm-hmm. And so what do you reckon? Yes, actually, on that topic, what do you like about the Brave browser? Is it the UI/UX, the simplicity? What would you say stood out to you when you first used it?

Just how fast it was, because it has this native ad blocking built into it. I was also using it early on because they were integrating automatic Bitcoin payments to various entities that signed up, and I thought that was a novel idea. Sure, I'm interested in blocking ads, but I would be interested in making automatic micropayments to certain providers, to try to offset the fact that I'm trying to protect my privacy by blocking all these ads.

I know they have their own token, but it'd be pretty cool if they had the option where I can switch their token into satoshis instantaneously.

Yeah, well, it started out as Bitcoin, and then they went with their own token, and then I actually saw, just in the past few days, an announcement that sounds like they are going to be adding support for a number of different cryptocurrencies. Not sure how that's going to relate to that, if it really will be something where you can just swap out whatever your favorite cryptocurrency is.

Interesting. So besides what you mentioned with getting a burner phone, 2FA with Google Auth, or even better, if you can use a hardware device such as a YubiKey or even a Trezor and a Ledger, and VPNs, is there anything else people should be looking at?

Well, the one thing that I tried to get by on the post that I made was that if you're going with the VPN route, you need to make sure that you're using your VPN all the time. Otherwise you're going to be leaking data some of the time. When I started out with VPNs, I was just using them configured on each computer.
Configured on each computer, it became a pain, because I would sometimes forget to turn on the VPN, or I would restart the computer.

I can relate.

And so ultimately what I did was some experiments where I tried setting the VPN actually at my router level, so that everything that was going through my home network would be on the VPN. That worked pretty well, but it also became a bit of a pain, because then sometimes the VPN would screw up and the VPN connection would drop, and I wouldn't know until I would notice, days or weeks later, that I wasn't getting the same amount of "are you human" pop-up questions and other types of blocking that some services do for VPNs because of the abuse that they see through them. And so then I realized, well, I need to go even further down the configuration hole and change my router so that it blocks all traffic if the VPN client screws up. And then after doing that for a while, I started realizing how often the VPN was screwing up, at least every few weeks. I had to go yet another step and figure out how to set up multiple VPN clients that would automatically fail over. So it became a bit of a chore to set up, and I imagine that people who don't have a lot of networking knowledge would give up on it pretty easily.

No, I don't think so. That's why I'm a firm believer in small steps. Getting 2FA at Google, that's a small step. You can do that within one minute, right? Getting a VPN, that's a small step. You can log in and choose one or two VPN providers. Even other stuff like talking, for privacy. A lot of people use more and more messaging apps. For me, I personally use Signal. There's other ones; people like Telegram.
I don't really use WhatsApp for any security talking. But what's your take on the messaging apps?

Well, there's also considerations there. You definitely want to use one that is end-to-end encrypted, so that there's no third party sitting in the middle snooping on everything. But even, like you said, with WhatsApp, it is end-to-end encrypted, but there are privacy considerations there, because Facebook is sucking up all of the metadata. They may not be able to see what you're actually saying, but they can see what other phone numbers you're talking to, and what times you're talking to them, and how often, and can extrapolate other things as a result of that, adding it in with other information. Interestingly enough, I was actually a big fan of Signal, but I don't really use it anymore, because it still requires you to expose your phone number. One of the things that I've gotten into as a result of all this privacy stuff is using proxies for everything. So I don't even hand out my burner phone number anymore; I hand out proxy phone numbers that forward to my phone number. The problem with Signal is I can't hand out those proxy phone numbers. It just won't work. You have to have the actual phone number where the messages are ending up at their final destination. So from that perspective, I actually like stuff like Telegram more, because you can just have a username. You don't actually have to give someone your phone number. Or Keybase is another good example.

Yeah, Keybase is good, but their UI/UX is horrendous.

Hey, oh my God.

If they can fix that, I'll use Keybase.

Yeah. But I mean, the ultimate messaging app, unfortunately, is not that user-friendly.
I'm a big fan of Riot and Matrix, but in order to use them really well, you basically have to be connecting to your own custom identity server, and you have to be manually checking public keys as you're adding people to your list of contacts. So once again, it's that privacy and convenience trade-off. But that's what, I think, all of the decent security companies in the space do: they moved away from Slack a while ago, because it's just wide open and there's too much risk there, and have taken their communications in-house with stuff like Riot/Matrix. SpiderOak is another one that has some end-to-end encrypted apps, but it's not quite as user-friendly in my experience.

Cool. Any last words? I think we wrapped everything up pretty good. I want to make a summary: if you're using SMS, remove that ASAP. Use 2FA, Google Auth or a hardware key. Ideally, if you can get a burner phone, a phone not attached to your identity, get that. Pick certain VPNs that you like. You can use Opera, you can use Brave for the browsers. And ProtonMail has its pros and cons, as you mentioned. Are we missing anything else?

I mean, the main thing is you can learn a fair amount if you just do a few hours of research, or if you read that article that I wrote.

I'll make sure, sorry, I cut you off. I'll make sure, for everyone listening, I'm going to leave that in the show notes, and I highly recommend you read that piece, because you really go into detail of what happened and the measures that you took.

Yeah. And the hard thing, though, is that what we're really talking about here is a lifestyle change. You have to get into new habits. And so what I found is that getting a new habit going can be a pain.
It can take you a few months, basically, but once you get into that habit, then it just becomes second nature. Another thing, for example, we didn't even talk about financial privacy, but another simple way to get a lot of your financial privacy back is to just carry cash and not use cards that are creating more data trails that can get sucked up and analyzed.

Yeah, hence why I'm interested to see what happens with Libra. Is it going to know everything that you do?

Well, we won't know for at least another year, I think. People are getting upset prematurely about that.

Yeah, I just look at it like your actions speak louder than words, and we've seen what Facebook has been doing. For me, I understand why they're doing it. I get it. I'm not hating on them for doing it. It's just that I don't trust them enough. Let me put it that way.

Well, yeah, and of course Facebook has become so huge. Once again, like we mentioned, WhatsApp; there's also Instagram. Their tendrils are reaching out all over the place, and they've become a lot like Google in that sense, where it's just really hard to avoid them.

Mm-hmm. Cool, man. All right. So if people want to find more information, guys, please check out the blog post. It's in the show notes. And Jameson, if they want to follow you and get more information about what you're doing, what's the best resource?

Well, you can find pretty much everything about me on my website, which is lopp.net, L-O-P-P dot net.

Awesome. Well, thanks, brother. Always a pleasure, and I'll talk to you soon.

Thanks. Talk to you later.
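Added example, not part of the episode: the time-based one-time password scheme Jameson contrasts with SMS codes, implemented from RFC 4226 (HOTP) and RFC 6238 (TOTP) in Python. The point of the conversation is that the code is a function of a shared secret and the clock only, so a ported phone number gives an attacker nothing; the provisioning URI below makes that visible by containing no phone number. The secret and timestamps are the test vectors published in those RFCs; the server-side `verify_totp` function, its one-step skew window and its replay guard are this editor's assumptions about how a service would use the primitive, not any particular exchange's or authenticator app's code.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238), standard library only.

Added example for the SMS-vs-authenticator-app discussion. Nothing here
takes a phone number as input: the only secret is `secret`, which lives in
the authenticator app and on the server, so a SIM swap does not reveal it.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # drop sign bit
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(time / step). Google Authenticator
    uses step=30, digits=6, SHA-1."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Server-side check (assumed policy, not a standard mandate).

    Accepts the current time step and `window` steps either side for clock
    skew. Refuses any counter <= last_counter, so a code that was phished and
    already spent cannot be replayed inside its 30-second validity. Returns
    the matched counter (caller stores it as the new last_counter) or None.
    Every candidate is checked with a constant-time compare and no early
    exit, so response time does not reveal which slot matched.
    """
    now = unix_time // step
    matched = None
    for c in range(now - window, now + window + 1):
        ok = hmac.compare_digest(hotp(secret, c, digits, ), code)
        if ok and c > last_counter:
            matched = c
    return matched


def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """otpauth:// URI of the kind an authenticator app scans from a QR code.
    Note what is absent: a phone number or anything a carrier controls."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&digits=6&period=30")


if __name__ == "__main__":
    # Walk through one login: app shows a code, server verifies, replay is refused.
    now = int(time.time())
    code = totp(RFC_SECRET, now)
    first = verify_totp(RFC_SECRET, code, now)
    replay = verify_totp(RFC_SECRET, code, now + 5, last_counter=first)
    print("code:", code, "accepted at counter:", first, "replay accepted:", replay)
    print(provisioning_uri("ExampleExchange", "alice@example.com", RFC_SECRET))
```

The RFC vectors pin the arithmetic: `hotp(RFC_SECRET, 0)` is `755224`, `totp(RFC_SECRET, 59, digits=8)` is `94287082`. The skew window is why a code from the previous 30-second step still works; the `last_counter` check is why the same code cannot be submitted twice, which matters when the attacker's phishing page relays your code in real time.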