How to defend yourself against targeted attacks

Trishank Karthik Kuppusamy
Trishank on Cybersecurity
Jan 19, 2020

TLDR:

  1. Most people don’t need to follow this advice.
  2. I enrolled in Google Advanced Protection (with Titan and Passkeys), transferred my domains to Google Domains, and ported my phone numbers to Google Fi (which, alas, may not yet be immune to SIM swap attacks).
  3. I enrolled in Apple’s Lockdown Mode, Security Keys for Apple ID, Advanced Data Protection for iCloud, and Contact Key Verification.
  4. Unlike Google and Apple, Twitter doesn’t give a f*ck unless you’re a “celebrity.”

No, Google did not pay me to write this. In fact, I paid Google. Counterintuitively, putting more eggs in one basket can make you safer, especially if it is guarded by a motherf*cking dragon instead of sleeping gnomes.

You most likely don’t need this level of protection, but if you do, read on.

I guess by writing about this, I bring more targeted attacks against myself, but I wanted to write about it anyway to help people like me make decisions in these situations. Recently, Google sent me this email:

Imagine waking up to this pleasant email.

The Advanced Protection Program safeguards the personal Google Accounts of anyone at risk of targeted attacks — like journalists, activists, business leaders, and political campaign teams.

I had heard about this program before, but did not consider myself of sufficient interest, and I am honestly not stoked about being included in the likes of the above. Apparently, that has changed recently (although I believe these attacks are impersonal, for reasons I will not delve into).

I pinged friends at Google, who directed me to their colleagues in charge of this program. Funnily enough, they couldn’t tell me why the great Google machine learning bots thought I was at greater risk of targeted attacks, but they expressed interest in what I would do next.

Around the same time, some scam bot on Twitter decided to impersonate me:

I thought about it. I have no idea why, but clearly someone (even if bots) was after me, and I don’t consider myself a celebrity. I decided to listen to a simple heuristic from Nassim Nicholas Taleb’s Real World Risk Institute: “Only the hyperparanoid survive.”

I already had a YubiKey, but to enroll in Google’s Advanced Protection, you need at least one more different key, such as Titan. I ordered one, and played the waiting game. In the meantime, I removed my phone numbers from two-step verification, as Google recommended, to protect myself from SIM swapping attacks.

Titan finally arrived, and enrollment could have been smoother had I known the following facts:

  • I only use Apple devices. The Google Smart Lock app did not have any useful tutorial (unlike even Stadia), and I had to figure out that I needed to use the microUSB / NFC / BLE key, not the USB-A / NFC key. (The latest iPhones support NFC, but the Smart Lock app does not yet.) I had to enroll and unenroll twice before I figured this out. When you enroll, Google silently deletes your TOTP seed, so you have to enable and delete that again in order to log into Smart Lock on your iPhone.
  • The BLE key doesn’t work when it’s connected to and charging on your laptop.

I consider myself an expert, and even I had difficulty figuring this stuff out. Grandmas definitely cannot enroll in Advanced Protection on their own. Anyway, once I figured this out, enrollment was fairly seamless. The most recent update to Smart Lock lets you use not only Titan and YubiKeys, but also your smartphone, so that’s a pretty damned high level of redundancy.

Around the same time, I also decided to transfer my domains to Google Domains, and phone numbers to Google Fi. This should make it as hard for non-government-backed attackers to take over my domains and phone numbers as it is to break into my Google account, now protected by f*cking dragons.

(A friend who tested this years ago told me that it’s trivial for an insider to transfer your number away from any of the major providers, unlike MVNOs like Google, even Cricket Wireless, or Tracfone Wireless, who aggressively fight to get your number back within minutes.)

Notably, Twitter Support does not care about my impostors, although I have taken steps to make it harder to take over my account:

Don’t ask me how I know.

To be fair, Twitter’s security was such a joke that even their CEO got hacked.

About the only thing I cannot bring myself to do is to switch to a Pixel (Android) instead of my iPhone, even though Android exploits are now apparently worth more than those for iOS. However, I think that if government-backed attackers are after you, you are pretty much screwed. Hell, Jeff Bezos himself didn’t have a chance.

TLDR: what should I do?

Even if you don’t think you have targeted attackers right now, you should still prepare for them by enabling two-step verification with security keys, and disabling SMS / TOTP backup codes as much as possible. You should also call your cell phone provider and set a passcode / PIN to prevent lazy attackers from immediately taking over your account. Remember, “just because you’re paranoid, doesn’t mean they aren’t out to get you.”

I hope this helps someone else in my position. Counterintuitively, putting more eggs in one basket can make you safer, especially if it is guarded by a motherf*cking dragon, where others have sleeping gnomes on guard. Stay safe out there, and good luck!

Update: I received news that some Googlers are planning to print a T-shirt off a line printed here…

Sep 12th 2022: You should turn on Lockdown Mode on iOS 16, iPadOS 16, and macOS Ventura onwards.

Jan 23rd 2023: You should add Security Keys to your Apple ID, and turn on Advanced Data Protection for iCloud.

Feb 1st 2023: It turns out that Google Fi is susceptible to SIM swap attacks.

May 3rd 2023: You should use Passkeys for Google, and turn on “Skip password when possible”.

Dec 12th 2023: You should turn on Contact Key Verification.

Trishank Karthik Kuppusamy

Amateur computer scientist, RWRI alumnus & instructor, physical culturist.