We have spent a fair bit of time over the past year working on security at USV and across the USV portfolio. Anyone who has spent time working on personal or corporate security -- and in particular information security, knows that there are a million ways in, and you're never "finished". Fred wrote a bit about his experience last year, and we had an issue yesterday with Albert's phone:
Thanks to everyone who has been helping me recover from a Twitter account takeover based on an unauthorized SIM switch on my phone
— Albert Wenger (@albertwenger) January 11, 2018
The way we have been thinking about it is in terms of "the weakest link". It is critical to have your most important accounts (primary email, banking, crypto, etc) secured well, but it's also important to work your way down the line to other accounts and entry points. The lesson being that attackers will seek the weakest point and work from there. One of weakest points in personal security is the phone -- cell carriers are notoriously bad at security, and attacks like phone porting and SIM swapping are common. For that reason, it's important to move away from using SMS as a second factor backup wherever possible, and instead moving to apps like Google Authenticator, or to hardware-based 2FA using Yubikeys or similar. Another weak point is personal email, or old email accounts. It's easy to forget about old accounts that you used back in the day, but those can be problematic, especially if they are linked to other accounts, and if 2fA is non-existent or tied to SMS. So, by all means, start with the most important accounts. But don't stop there -- keep sussing out weakest link. For more resources on personal information security, see this excellent guide by EFF (written in the context of surveillance, but applicable to all attack vectors).