
Within less than a week, I saw 2 sim-swapping attacks in my feed. Most notably, what br1an went through because they locked him out of Twitter AND Telegram.
I'm no security expert but I am the most paranoid amongst my friends. So I know most of these security settings aren't common practice (heck, it's even hard to get people to set up 2FA!).
Although my enemies aren't sending agents from the future to hack me anytime soon, I'm giving exploiters a run for their money by making it as difficult as possible to lock me out. Here's (mostly) everything you need to do to make them regret picking you as a target.
Remove your phone number.
X/Twitter requires you to have a phone number linked to your account to subscribe to Premium but you may remove it once you're verified.
Settings > Your Account > Account Information > Phone > "Delete my number"

I've also seen some saying that some carriers have a SIM transfer lock code that you can set. It's worth checking with yours.
Use a private email address.
Use a platform-specific, private email address (like 1yh7ogdown@duck.com) instead of the obvious name@website.com which is easily inferred and brute-forced.
Settings > Your Account > Account Information > Email
Changing any one of your phone number, email, or password starts a cooling-off period (typically 24 hours) before you can change another one of these.
Another perk of doing this: if you get a legit-looking email that was sent to your generic/public email address and not to the private, platform-specific address you created, then you know it's a phishing scam!
Services like iCloud Hide My Email, DuckDuckGo's Private Duck Address, Proton Mail's Hide-my-email Aliases, and SurfShark's Alt Email are the ones I know that have this feature to forward private address emails to your main address.
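The recipient check described above can be scripted. This is an added example, not part of the original post: the alias registry, the second alias and the sample messages are constructed, and it assumes your forwarding service keeps the original recipient in the To, Cc, Delivered-To or X-Original-To header.

```python
from email import message_from_string
from email.utils import getaddresses

# Hypothetical registry: one private alias per platform (constructed values).
ALIASES = {
    "twitter": "1yh7ogdown@duck.com",
    "telegram": "k3v9tq2m@duck.com",
}
# Headers that can carry the address the message was originally sent to.
RECIPIENT_HEADERS = ("To", "Cc", "Delivered-To", "X-Original-To")


def recipients(msg):
    """Collect every recipient address in the message, lowercased."""
    values = []
    for header in RECIPIENT_HEADERS:
        values.extend(msg.get_all(header, []))
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def classify(raw_message, platform):
    """Classify a mail that claims to come from `platform`.

    alias-match    -> sent to the alias you gave that platform
    wrong-alias    -> sent to an alias you gave a different platform
    public-address -> sent to none of your aliases: treat as phishing
    """
    rcpts = recipients(message_from_string(raw_message))
    if ALIASES[platform] in rcpts:
        return "alias-match"
    if rcpts & set(ALIASES.values()):
        return "wrong-alias"
    return "public-address"


# Constructed sample messages (headers only matter here).
GENUINE = "From: X <verify@x.com>\nTo: 1yh7ogdown@duck.com\nSubject: Login\n\nhi\n"
PHISH = "From: X Support <help@x-support.example>\nTo: name@website.com\n\nhi\n"
LEAKED = "From: X <info@x.com>\nTo: k3v9tq2m@duck.com\nSubject: Reset\n\nhi\n"

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("phish", PHISH), ("leaked", LEAKED)):
        print(name, classify(raw, "twitter"))
```

A match only shows the sender knows the alias, so it does not prove the mail is genuine; a "wrong-alias" result suggests the other platform's alias has leaked and is worth rotating.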
Turn on password reset protection.
On top of the above step, this step conceals your email in case someone tries the Forgot Password method to find out which email you used.
Settings > Security and account access > Security > Additional password protection > Check the box


Enable 2FA.
This has been preached a lot so I won't elaborate on why this is so important.
Settings > Security and account access > Security > Two-factor authentication > Check Authentication app and/or Security key > Uncheck text message

Which 2FA app to use? Ranked by security and reliability:
- YubiKey: when set up properly, probably the most secure authentication option because you need the physical security key to access it.
- Raivo (my top recommendation): encrypted iCloud backup accessible on iOS/Mac, open source, and lets you export TOTP seeds (the secret contained in the QR code you scanned to activate 2FA).
- Authy: weak because it relies on SMS 2FA to log in, and ownership is centralized (Twilio). If you use this, disable "Allow Multi-device" so nobody who gains access to your SIM can log into your Authy account.
- Google: don't bother, this is F tier.
(Optional) Hide the likes tab on your profile. Only available to Premium users.
To me, likes feel kinda personal. Letting the public scroll through my (sometimes unhinged) likes is the equivalent of walking around barebutt.
Settings > Premium > Profile customization > Check whichever you want to keep private

Hide your phone number.
Don't let strangers see what phone number your account logs in with (visible, alongside your username, when clicking on your profile).
Settings > Privacy and Security > Under Privacy, Phone Number > Set "who can see my phone number" to Nobody

Set up two-step verification.
This prompts for a long password any time you log in from a new device, or when someone else attempts to.
Settings > Privacy and Security > Two Step Verification > Enable & set recovery email
Pro tip: Set a private, app-specific email address as your recovery email so it's harder to guess which email account to target.
Review active sessions.
It's always good practice to review who (still) has access to your accounts, even if there's no clear malicious intent. For example, you may have sold a device without resetting it, or your phone may have been stolen.
Telegram does not allow newly added devices to terminate older sessions for approximately 24 hours.
Settings > Devices > Swipe to terminate any unused or unrecognized sessions

Disable media auto-download.
If you're concerned about someone sending a dangerous file via text, accidentally downloading one in a crowded group chat, or d*ck pics, then this setting is for you.
Settings > Data and Storage > Under Automatic Media Download, toggle off "Auto-Download Media" for both cellular and Wi-Fi
Bonus, I disable Save to Photos for all my chats so my gallery doesn't explode.

Set up passcode lock on mobile and desktop.
As a precaution for when you're out and about, create another layer of security so nobody can access your chats or change your settings (if they happen to get your device unlocked).
Settings > Privacy and Security > Passcode & Face ID (Passcode Lock on Mac)
Now you'll be at the bottom of a hacker's list of people to exploit because of how much they'd need to break to gain full access.
Let me know if you want me to do a piece on iPhone security (iOS 17.4 introduced some settings that defend against pickpockets resetting your iCloud password), staying safe when reading emails & not getting impersonated, privacy & password security, or anything else.
Until next time, stay safe! It's a crazy world we live in.

ernestkou.eth
4 comments
seen a couple of people lose access to their social accounts this week so i made this list of settings to change so you don’t get locked out by hackers. hope it helps! https://paragraph.xyz/@ernestkou/dealing-with-hackers
we're so back (to dealing with hackers) made a super list of settings to change so you don't lose access to your twitter or telegram anything you haven't enabled?
Great info ty 22 $degen
my first paragraph post: we're so back (to dealing with hackers) made a super list of settings to change so you don't lose access to your twitter or telegram anything you haven't enabled?