Everybody is getting tragically SIM swapped and you will too

Been reading a lot about folks getting SIM swapped lately. We posted this SIM-swap horror story a few days ago, and followed up with this story on the strategy that other countries are using but that the US is not.

Came across the headline-linked post from Tony Sheng. An interesting read, and I'm wondering whether it's simply alarmist or insightful.

In a nutshell, Tony got SIM-swapped and went into great detail on the process and what he did to minimize harm. His highest priority:

Disassociated my phone number from my email address. If you connect your phone number to your email, then a hacker with your phone number can reset your password and take over your email address.

Once they have your email and your phone number, they can reset passwords on pretty much all your accounts for which you don’t have physical 2FA (like a Yubikey).

Step 1 is far and away the most important. If you haven’t done this yet, stop reading and do it now.

Not sure how you do that. Do you use a secondary email address for verification? YubiKey is a hardware dongle. Secure, but not convenient.

Opinions on this? Please tweet at me with how you solve this problem.