Cybersecurity tips

🤬Post hack/SIM swap checklist

Follow this checklist after one or more of your critical accounts have been compromised. 

Important: It’s difficult to configure cybersecurity on panic brain. When you’re scared, your prefrontal cortex shuts down, and in this state you’re more likely to skip steps or make mistakes. Find a quiet space and block interruptions for 3-4 hours. Take a few deep breaths: 4s in, 5s hold, 6s out. Consider calling a trusted friend and asking them just to be with you for emotional support while you deal with the situation. Gather your devices, a pen and notepad, and follow a checklist. Be sure to carefully document each change you make as you go, including which accounts you changed, when, and what the new recovery settings are.

Phase 1: Assessment

  1. Gather evidence: Determine the scope and extent of the problem and make a list. How did you learn of the hack? Did a friend reach out about strange posts, texts, or emails coming from your account? Phone no longer receiving texts or calls? Suspicious bank transactions? Unrecognized Amazon or subscription purchases?
  2. Develop a strategy: Based on your gathered evidence, build a targeted action plan that addresses the most urgent issues first. For instance, if only your Amazon account appears affected, concentrate your immediate efforts there. Avoid the common trap of panicking and attempting to reset every password at once; rushing through such a broad response often leads to accidental lockouts from essential accounts. Stay focused on the actual scope of the breach to prevent making a stressful situation even worse.

Phase 2: Take action

  1. Consider getting a new number: If you were SIM swapped, consider working with your carrier to obtain a new telephone number and ensure they disconnect your old number. Carriers typically age a disconnected number for a period (often quoted as 45-90 days, depending on the carrier) before it can be used, assigned, or transferred again.
  2. Prevent new SIM swaps: Ask your carrier (e.g. Verizon, T-Mobile, AT&T) to activate “Number Transfer Lock” or “Port-Out Protection” on your new phone number. This helps prevent your new number from being ported or SIM swapped without a secondary, higher-level verification.
  3. Protect your phone carrier account: Set up a complex password, a passkey (if possible), and multi-factor authentication (MFA) for your carrier’s management account; use a phish-resistant method if the carrier offers one, and an authenticator app rather than SMS if not. This is one of your critical accounts, because it controls the phone number many other accounts use for recovery.
  4. Limit the damage: Contact your banks and credit card providers and place immediate freezes on your credit/debit cards or ask them to issue new cards. Check your bank(s) for login activity and fraudulent transactions. Sometimes this can be done conveniently within the Bank’s app (Chase, BofA, Wells Fargo).
  5. Freeze your credit: Place a credit freeze with each of the credit bureaus to stop threat actors from opening new credit in your name (Transunion, Equifax, Experian) with stolen identity information. 
  6. Make a list: Identify your critical accounts. These are accounts tied to your phone, bank, mortgage, auto loan, work, healthcare, etc. Examples are:

Critical:

  1. Apple ID or Android account
  2. Gmail, Hotmail, Yahoo, Aol, Gmx, or Outlook Account
  3. Verizon, T-Mobile, AT&T, Mint, Spectrum Account
  4. Paychex, Insperity, ADP Account
  5. Banks, Loans, Healthcare, Benefit Accounts

Important:

  1. Social media accounts
  2. Shopping, subscriptions
  7. Add security: Each critical account should be secured with a unique complex password plus a second factor. Prefer a passkey or hardware security key, which are phish-resistant: the response they produce is bound to the real site’s domain, so a lookalike site cannot use it. If the account does not support those, use an app-based authenticator (TOTP codes or push prompts with number matching) rather than SMS. Authenticator apps are stronger than SMS but can still be relayed by a real-time phishing page, so be on the lookout for notifications from critical account providers about recent changes such as a new device or new login location. These may indicate a threat actor still has access to these accounts.
  8. CONSIDER: Using a password manager to generate and store your complex passwords, such as:
    1. Apple Passwords
    2. Bitwarden
    3. LastPass
    4. 1Password
    5. Google Password Manager
  9. OPTIONAL: Enable Google’s Advanced Protection Program for your Google account and, for your Apple ID, security keys and Advanced Data Protection.
  10. Add a friend or spouse: Set up a recovery contact (if possible) for your critical accounts.
  11. Print out codes: Create and print out recovery codes (if possible) for your critical accounts and keep them in a safe place.
  12. Remain vigilant: Be on the lookout for notifications of new login activity on any of your critical accounts. This may indicate that a threat actor can still control some of your critical accounts and more work may be needed to eject them.

🛡️ Cybersecurity fortification checklist

Follow this checklist to fortify your personal cybersecurity posture.

1. Address the SIM Swap Threat

The Risk: Attackers trick your mobile carrier into moving your phone number to their device. Once they have your number, they can intercept SMS security codes to reset your bank and email passwords.

  • Action: Contact your carrier (Verizon, T-Mobile, AT&T); each provider publishes instructions for enabling this feature.
  • Request: Enable “Number Transfer Lock” (sometimes called Port-Out Protection). This prevents your number from being moved without a secondary, high-level verification.

2. Upgrade Your Authentication and Knowledge

First, ensure you have some kind of multi-factor authentication (MFA) enabled for all your critical accounts. Next, where possible, replace SMS with phish-resistant MFA methods that require you to physically possess a device or a key.

  • Passkeys: Add a passkey to your critical accounts and set it as your preferred login method. A passkey is a possession factor that resists phishing because the private key never leaves your device (or your synced password vault), and the signature it produces is bound to the real site’s domain, so a lookalike domain cannot use it. Keep a backup: sync passkeys through a password manager if the provider supports it, or register a second passkey on another device in case one is lost.
  • Implement phish-resistant MFA over SMS: A phish-resistant factor is a possession factor (something you physically hold at sign-in) that cannot be tricked into authenticating to the wrong site. Hardware security keys such as a YubiKey or Google Titan Security Key, and passkeys, are the gold standard: the key signs a challenge tied to the real site’s domain, so a fake login page gets nothing it can reuse. If you plan on using hardware keys, get two; use one as a daily driver and keep the other in your lockbox. App-based authenticators such as Microsoft Authenticator or Google Authenticator, which produce 6-digit time-based one-time passwords (TOTP) or push prompts, are the next best option: the secret lives on your phone, so the code cannot be intercepted from the cellular network the way SMS can. They are not fully phish-resistant, though; a real-time phishing site can relay a TOTP code or trigger a push prompt, so approve only pushes you initiated (use number matching where offered) and check the domain before typing a code. SMS is the weakest option and the one defeated by SIM swapping.
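To make the TOTP mechanism concrete, here is an added example (not code from the original article) of the RFC 4226 HOTP / RFC 6238 TOTP algorithm that authenticator apps run on the phone: the code is an HMAC over the current 30-second window, computed from a seed that was shared once during enrollment and never transmitted again. The seed below is the published RFC 6238 test key, so the outputs can be checked against the RFC’s own table; the verification window and the base32 seed format follow common authenticator practice but are this example’s own choices.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test key (ASCII "12345678901234567890"), used so the
# results can be checked against the RFC's published table.
RFC_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter set to the current time window."""
    return hotp(secret, int(unix_time) // step, digits, digestmod)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the current window plus `window` neighbours on
    either side to tolerate clock drift. Comparison is constant-time so the
    check itself leaks nothing about the expected code."""
    for drift in range(-window, window + 1):
        t = int(unix_time) + drift * step
        if t < 0:
            continue
        if hmac.compare_digest(totp(secret, t, step, digits), submitted):
            return True
    return False


def seed_from_base32(text: str) -> bytes:
    """Authenticator apps exchange the seed as base32 text (the otpauth:// URI
    encoded in the enrollment QR code). Whitespace and missing padding are tolerated."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def main() -> None:
    # Same seed on both sides; the "phone" and the "server" compute independently.
    seed = seed_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")   # base32 of RFC_SEED
    now = int(time.time())
    phone_code = totp(seed, now)
    print("phone shows      :", phone_code)
    print("server accepts   :", verify_totp(seed, phone_code, now + 20))   # within drift window
    print("server rejects   :", verify_totp(seed, phone_code, now + 120))  # four windows later
    # Fixed vectors from RFC 6238 Appendix B (SHA-1, 8 digits).
    print("T=59 -> 8 digits :", totp(RFC_SEED, 59, digits=8))   # 94287082


if __name__ == "__main__":
    main()
```

Note what this does and does not prove: the code shows the phone holds the seed, which is why it cannot be intercepted from the cellular network like an SMS, but the 6 digits themselves are just a short string that a live phishing page can forward to the real site within the same 30-second window. That relay is exactly what passkeys and hardware keys prevent, which is why they rank above TOTP in the list.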

3. High-Impact Hygiene

Small changes in habits create outsized barriers for hackers:

  • Disable password autofill: While convenient, automatic autofill can be “harvested”: a malicious page can place hidden login fields that your password manager fills on page load, and a script reads them before you ever click “Login.” Set your password vault to require Touch ID, a fingerprint, or an explicit click before filling passwords rather than filling automatically.
  • The 5-day update rule: Apply critical OS and browser updates within 5 days. These updates often include fixes for vulnerabilities that are already being exploited in the wild (“zero-days”), so the window between release and installation is when you are most exposed.
  • Google security checkup: Perform the Google security checkup periodically to make sure your contact details are still up-to-date and your passwords have not been compromised.
  • Sanitize shared devices: At school or a friend’s house, always use incognito/private mode on shared computers. Never leave a browser profile signed in, as it stores session cookies that let someone use your account without ever needing your password or MFA.
  • Set socials to private: Revisit privacy settings on your social accounts. Many companies have implemented improved tools to help you find balance between your privacy and staying connected with friends & family through social media.
  • Scrutinize login notifications: Be on the lookout for login activity notifications such as a new device or location that was used to log into a critical account. This may be an indication of an active threat.
  • Beware of fake notifications: Threat actors often use realistic-looking texts or emails to get you to take action. For example, you may receive an urgent-sounding email from “rnicrosoft” about your M365 OneDrive subscription expiring. The link points to rnicrosoft.com, where the letters “r” and “n” side by side look like an “m”, so the domain can pass for microsoft.com at a glance. Read the domain in the address bar carefully, and instead of clicking the link, go to the service through a bookmark or by typing the address yourself.
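The “rn” for “m” trick above is one of a family of lookalike techniques. As an added example (not code from the original article), the checker below flags the common ones against a small, constructed list of protected brands: confusable character substitutions (rnicrosoft, paypa1, g00gle), brand names buried in a subdomain (microsoft.com.login-verify.net), punycode domains that hide non-Latin scripts, and single-typo squats. The brand list, the substitution table, and the sample URLs are this example’s own assumptions; real deployments would use a full public-suffix list rather than the last-two-labels approximation used here.

```python
from urllib.parse import urlsplit

# Constructed allow-list of brands this checker protects (example data, not from the article).
PROTECTED = {"microsoft.com", "google.com", "apple.com", "amazon.com", "paypal.com", "chase.com"}

# Lookalike substitutions commonly used in phishing domains. Multi-character
# sequences are collapsed first ("rn" -> "m" is the rnicrosoft trick), then
# single characters (digits that resemble letters).
CONFUSABLE_SEQUENCES = [("rn", "m"), ("vv", "w"), ("cl", "d")]
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"})


def normalize(label: str) -> str:
    """Rewrite a domain label as the brand name it is trying to imitate."""
    for seq, repl in CONFUSABLE_SEQUENCES:
        label = label.replace(seq, repl)
    return label.translate(CONFUSABLE_CHARS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches single-typo squats such as 'micosoft'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname(url: str) -> str:
    """Lower-cased host from a URL; bare domains without a scheme are accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def analyze(url: str) -> dict:
    host = hostname(url)
    labels = host.split(".")
    # Approximate the registrable domain as the last two labels (fine for .com-style TLDs).
    registrable = ".".join(labels[-2:])
    if registrable in PROTECTED:
        return {"host": host, "verdict": "trusted", "findings": []}

    findings = []
    # Punycode labels (xn--) hide non-Latin scripts; decode them so mixed scripts are visible.
    decoded = []
    for label in labels:
        if label.startswith("xn--"):
            try:
                decoded.append(label[4:].encode("ascii").decode("punycode"))
            except UnicodeError:
                findings.append(f"undecodable punycode label {label!r}")
                decoded.append(label)
        else:
            decoded.append(label)
    if any(ord(ch) > 127 for ch in ".".join(decoded)):
        findings.append("host contains non-ASCII characters (possible IDN homograph)")

    brand_names = {b.split(".")[0] for b in PROTECTED}
    # Brand used as a subdomain of an unrelated registrable domain.
    for label in labels[:-2]:
        if label in brand_names:
            findings.append(f"brand {label!r} appears as a subdomain of {registrable}")

    candidate = normalize(labels[-2]) if len(labels) >= 2 else normalize(host)
    for brand in brand_names:
        if candidate == brand:
            findings.append(f"{registrable} normalizes to the brand {brand!r}")
        elif edit_distance(candidate, brand) == 1:
            findings.append(f"{registrable} is one edit away from {brand!r}")
        elif brand in candidate:
            findings.append(f"{registrable} embeds the brand name {brand!r}")

    return {"host": host, "verdict": "suspicious" if findings else "unknown", "findings": findings}


# Constructed sample inputs for a stand-alone run.
SAMPLE_URLS = [
    "https://www.microsoft.com/account",
    "https://RNicrosoft.com/onedrive-renew",
    "http://microsoft.com.login-verify.net/",
    "https://paypa1.com/signin",
    "xn--80ak6aa92e.com",
    "https://example.org/",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        result = analyze(sample)
        print(f"{result['verdict']:<10} {result['host']:<35} {'; '.join(result['findings'])}")
```

The check is deliberately conservative: anything that matches the allow-list exactly is trusted, anything with a finding is suspicious, and everything else is merely unknown. That is the same habit the bullet above asks of a reader: trust the bookmark, not the lookalike.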

4. Your “Emergency” Toolkit

Identify and secure your critical accounts and digitally fortify them.

  1. Prevent SIM swaps: Ask your carrier (e.g. Verizon, T-Mobile, AT&T) to activate “Number Transfer Lock” or “Port-Out Protection” on your phone number. This helps prevent your number from being ported or SIM swapped without a secondary, higher-level verification.
  2. Create unique 16-character complex passwords, passkeys, and MFA: Secure your critical accounts with complex passwords or a passkey (if possible) and multi-factor authentication (ideally phish-resistant MFA). Set up a few different factors in case you don’t have access to your primary device (e.g. register a passkey on your iPad as well as your phone).
  3. Recovery Contacts: In Apple/Google settings, add a trusted friend or spouse as a “Recovery Contact.” They can help you verify your identity if you are locked out.
  4. Recovery Codes: Most major accounts (Google, Apple, Microsoft) allow you to generate a one-time list of Recovery Codes. Print these out and store them in a physical safe or lockbox.
  5. Credit Freeze: Unless you’re in the middle of purchasing a car or home, visit the websites of the three major bureaus (Equifax, Experian, TransUnion) and “Freeze” your credit. This prevents anyone from opening a new loan or credit card in your name, even if they have your Social Security number.
