Don’t Trust Your Phone: The Attack Vector Hackers Are Increasingly Using

• Disable iCloud, especially for your passwords. While encrypted for outside traffic, it is the easiest way to provide carte blanche to every account and horrifyingly be able to see clear text passwords.
• Avoid SMS-based two-factor authentication (2FA) for any online accounts. This is especially important for your cryptocurrency exchanges and wallet services. Other 2FA methods like Google Authenticator are OK but consider obtaining a universal second-factor (U2F) device like YubiKey, Google Titan Key, Thetis, or Kensington for greater safety.
• Set up an account PIN with your carrier. This will be required to set up a new SIM on any phone, though there does seem to be ways around this as well.
• Set up a SIM PIN with your mobile carrier. This will lock bad actors from using your SIM when they steal it. They get three chances to guess your code. SIM PPIN is found under your cellular section in your phone, and is completely different than your normal passcode to access your phone. When setting your SIM PIN note that your SIM will come with a default PIN set by your mobile carrier. This will vary by carrier, but for Sprint and T-Mobile, it should be 1234, for AT&T and Verizon, try 1111. If you guess the wrong one, you could end up locking yourself out of your phone and need to call support. I’ve also heard 0000 is the number for some carriers.
• Consider switching to Google Fi or Google Voice for 2FA. You can set up a phone number which will forward to the one provided by your cellular carrier. If you publish this number and use this number for accounts, it makes it impossible for bad actors to identify your number to steal.
• Disable your phone number as a tool for account recovery. Use a different way.
• Reduce your online footprint by leaving as little personal information online as possible. Strangers do not need to know your birth date or other personally identifiable information. Most importantly, don’t brag about your crypto holdings. Hard to do if it is your job, but no one can target you for attacks if they can’t identify you as a target in the first place.
• Create a secondary email for 2FA. Use this for critical online identities only such as bank accounts, social media, crypto exchanges, and similar services.
• Use multi signature or offline wallet to store your private keys. In “hot”, or online wallets keep only those funds that are needed for your daily activities. The most popular cold wallets include devices by Ledgeror Trezor.
• Use an app to block spam calls. You can also download an app like AT&T Call Protect, that blocks callers from phishing you as a valid number. And of course, an independent 2FA like Google Authenticator where it is an option is ideal. But if you lose your phone, its non-recoverable, so you’ll have to go through a manual review to get back into your account again and set up a new one.