In light of the celebrity photo hacking debacle over the weekend, we sent an email to some of our investors, partners, and friends this morning. The more we thought about it, the more we realized that a broader audience could benefit. So here is a version…
Dear Friends,
We saw how ugly it can be when hackers get into your private pictures and emails. In addition to having very long passwords/passphrases, here are five concrete things you can do to make sure this kind of privacy invasion is less likely to happen to you or any of your pals/family:
1) Email – It goes without saying, use Gmail. Turn on what’s called “Two Factor Authentication” for your Gmail account. With that in place, when you want to log in to Gmail, you enter both a password and a secret code generated by an app on your phone. No hacker can get past that, even if they guess your password. (Well, other than the NSA.) Go here for directions on how to set it up: google.com/landing/2step/ If your business isn’t already using Gmail/Google Apps, it is time to make the switch. It’s the most secure platform.
2) iPhone – turn on “Two-Step Verification” for Apple as well. Same idea. Whenever you need to enter your iTunes password, Apple will also send you a text message in that moment with a secret code. Type that in and you will get access to Apple. This matters because so many of your photos are in iCloud and Photostream, though researchers have revealed that Apple doesn’t actually protect photo backups using two factor authentication. That is disastrous and will hopefully be fixed ASAP. Meanwhile, you can still follow the steps here: support.apple.com/kb/HT5570 (If you use an Android phone, be sure to install Lookout: https://www.lookout.com/android)
3) Dropbox – If you use Dropbox to back up photos and documents, they have the same feature. Log in to your account and click on your name in the upper right to open your account menu. Then go to “Settings.” From there, select “Security.” Under “Two-Step Verification” click “Enable.” Then “Get Started” and follow the instructions.
4) Twitter – Instructions on setting up Twitter’s “Login Verification” are here: https://blog.twitter.com/2013/getting-started-with-login-verification
5) Facebook – Here is their “Login Approvals”: https://www.facebook.com/note.php?note_id=10150172618258920
Please note: each of these solutions will provide you with some backup codes just in case you lose your phone or phone settings. It is crucial to print them out and keep a paper copy of these (not a digital copy) in your safe at home. If you get locked out of your services, you may need these paper codes to manually get back in. Please print these out and store them safely. You will be sad if you don’t.
Also, consider using a two-factor authentication app like Authy or Google Authenticator to keep all of these profiles organized. They can also sync across devices if you have multiple phones or might be on a tablet without text messaging service.
All told, there are a bunch of other services that enable this kind of extra security now. WordPress, Yahoo Mail, Microsoft Accounts, LinkedIn, and Stripe are some big ones. But the five listed above tend to cover where all of our most sensitive data and content reside. The most complete list of other services using two factor authentication I have seen is here: https://twofactorauth.org/.
As I am sure you know, it’s not really about whether you have steamy photos on your phones. It’s about maintaining maximum privacy and control over your life. So much information lives on these devices now. Personal addresses, bank information, family matters, kids’ stuff, passwords to other sites, medical questions, etc. Skilled hackers can be relentless and their genius at devising new ways or breaking security features is almost eerily impressive. Using very strong passwords and taking the steps above will be a very strong step toward making sure your private stuff stays private. However, above all, please be smart about what you put in the cloud and realize there is always a chance it ends up in the wrong hands.
(Note: all security geeks, nitpickers, whitehats, etc. I love and admire you. You make all of this stuff work so well. You find the ridiculous corner cases and engineer against them so that we can stay safe. Thank you. However, this post is not intended to be an all-encompassing treatise on security. I just think we can agree that if more good people take these reasonable steps they will likely be in much better shape. Cool?)