Hacks for not getting hacked

After seeing some fellow digital marketers talk about how their accounts were taken over by hackers and scammers, I thought it would be a nice gesture to lay out how I handle my account security.

I came to this method after losing my hotmail account. Remember when hotmail was a thing? That account was the recovery account for my first Google email address.

Long story short, Hotmail became inactive, I forgot my Gmail password and if I remember correctly I changed my phone number as well so there was absolutely zero chance to recover my accounts.

Later in life, I inherited an advertising account that was previously hacked for a rather large sum and I didn’t want that happening to my future clients. With the addition of many types of 2FA, this method got more involved.

So without further ado, let’s just get into it.

(1) The Backend Accounts : Think of this step as a digital chastity belt, where only one tyrannical father has the key and it's never known to the world that his daughter is wearing it.

You'll need two email accounts; call them Backend1 and Backend2 for example. Set these up and make Backend1 the recovery email for Backend2 and vice versa, so each one can only be recovered through the other.

The existence of these accounts should never ever, under any circumstances, be given out and known to anyone except you and maybe your mom.

If these accounts begin receiving emails from external sources then I will be very disappointed in you.


(2) The MiddleMan Account : Think of this step as a digital gatekeeper, he doesn’t need to know what’s behind the wall but he’s the man who guards the inner sanctum from the wilderness.

The MiddleMan account is used to hide the existence of the two backend accounts from the front-facing accounts. It's not strictly necessary, but it is advisable if you're an agency and you're handing responsibility for the front-facing accounts and their recovery over to an employee: the employee then only ever sees the MiddleMan address, never the backend. If you are a one-man operation you can skip this step, but it is still advisable and will make expanding your future operations easier.

Make one of the backend accounts the recovery for this MiddleMan account.


(3) Front-facing accounts : These are your foot soldiers and if you have to lose a few then so be it, but they wear armor just in case.

Set your MiddleMan account as the recovery account for your front-facing accounts; if you've opted not to have a MiddleMan, select one of the backend accounts instead.

These can be your personal email address, your employees’ addresses and the email addresses connected to high value platforms such as your advertising and social profiles.


Now that the structure is set up, you can tailor your security and access protocols to your needs. The items below should be treated as must-dos even though they're listed as tips.

Tip 1 – Way too much 2FA :

The success of this method hinges entirely on 2FA. You can use an authenticator app such as Authy (time-based codes), text messages, in-app prompts, or the inadvisable email 2FA. Of these, text messages are the weakest option short of email: the code goes to whoever controls the phone number, and numbers can be ported or SIM-swapped away from you. This is also where you need to think about who is using the accounts; perhaps you're in meetings all the time and your paid media specialist has to constantly interrupt you to get the code.

So just consider your agency, your operations and other factors.

That being said, you can add multiple mobile numbers and authenticator-app users to an account. Just remember: keep the backend to yourself and the most trusted partners in your agency.

Personally I use Authy Apps for the backend and MiddleMan accounts, and In-App 2FA for the front-facing accounts which are quicker.

Sometimes text messages take a while to come through, and there's nothing more annoying than opening the Authy app and having to wait because there are only 5 or 6 seconds left on the code and my fingers aren't up to the challenge.

Tip 2 – Notifications :

For all of your accounts it's advisable to also add a recovery mobile number, then activate notifications for both email and mobile, as well as in-app notifications if you want to go the extra mile.

The idea is that if someone gains access and changes any detail, for example the recovery mobile number, you'll get an email, and if they change the recovery email you'll get a text. Because each channel reports changes to the other, an attacker has to take over both at once to go unnoticed. I use the same premise for my banking: three notifications for every transaction, login and any other activity.


Tip 3A – Password Keychains :

Passwords suck, right? Right! So pick your password manager (keychain) of choice. I use two password keychains, but whichever works best with your phone is normally the best choice. If you use an iPhone then good, it's the most secure option; if you use Huawei, then sorry, Beijing knows all about you, so just avoid calling Taiwan a country and you should be fine.


Tip 3B – Auto-generated Passwords :

Only ever use auto-generated passwords. There have been so many large-scale breaches that any password you came up with yourself is on a list somewhere, guaranteed. Hackers aren't the mavericks seen in the movies; in reality they buy or download lists of previously breached email and password pairs and run those against other sites until they get a hit (credential stuffing). That is why a reused password, not a short one, is the real risk.

If you want a password that is beyond brute force, generate two passwords and paste them back to back for a password longer than 30 characters. No brute-force tool will get through that, but note it does nothing against phishing or a password you've reused elsewhere, so uniqueness matters more than length. Just remember to save the combined password in your keychain manually, since the manager won't have recorded the combined version on its own.
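
To make the two claims above concrete, the example below (added here; not the author's tooling) generates passwords the way a manager does, puts a number on the brute-force cost, and checks a password against a breach corpus the way a Have I Been Pwned style "range" lookup works: the password is SHA-1 hashed locally, only the first five hex characters are looked up, and the client compares the remaining 35 characters against the returned suffixes, so the lookup service never sees the password or its full hash. The breach table is constructed inline from a handful of well-known weak passwords so it runs offline; a real client would fetch the suffixes for the prefix from the service. The guess rate of 10^12 per second is an assumption for illustration.

```python
"""Generated passwords, brute-force cost, and a k-anonymity breach-list check.

Added example for this post; not the author's tooling. BREACHED is a constructed
stand-in for a breach-corpus range lookup and contains only the passwords listed
in CONSTRUCTED_LEAK, hashed with the same function the client uses.
"""
import hashlib
import math
import secrets
import string
from typing import Dict

ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols
ASSUMED_GUESSES_PER_SECOND = 1e12   # assumption: a well-funded offline cracking rig


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the hash form used by the range-lookup scheme."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed leak: (password, times seen). Real corpora hold hundreds of millions.
CONSTRUCTED_LEAK = [("password", 3_000_000), ("letmein", 200_000), ("qwerty123", 50_000)]

# prefix (5 hex chars) -> {suffix (35 hex chars): count}, as the server would store it.
BREACHED: Dict[str, Dict[str, int]] = {}
for _pw, _count in CONSTRUCTED_LEAK:
    _h = sha1_hex(_pw)
    BREACHED.setdefault(_h[:5], {})[_h[5:]] = _count


def lookup_suffixes(prefix: str, table: Dict[str, Dict[str, int]]) -> Dict[str, int]:
    """Server side of a range query: every known suffix for a 5-char prefix.

    The server learns only the prefix, which matches on the order of hundreds of
    unrelated hashes in a real corpus, so it cannot tell which password was checked.
    """
    return table.get(prefix.upper(), {})


def breach_count(password: str, table: Dict[str, Dict[str, int]] = BREACHED) -> int:
    """Client side: hash locally, send the prefix, compare suffixes at home."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    return lookup_suffixes(prefix, table).get(suffix, 0)


def generate(length: int = 20, alphabet: str = ALPHABET) -> str:
    """A manager-style random password from the OS CSPRNG, never from random.choice."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Search space of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def years_to_brute_force(bits: float, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected years to exhaust half the search space at the assumed guess rate."""
    return (2 ** bits / 2) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    single = generate(16)
    doubled = generate(16) + generate(16)           # the "paste two back to back" trick
    for label, pw in (("single", single), ("doubled", doubled)):
        bits = entropy_bits(len(pw))
        print(f"{label}: {len(pw)} chars, {bits:.0f} bits, "
              f"~{years_to_brute_force(bits):.2e} years to brute force, "
              f"seen in breaches: {breach_count(pw)}")
    print("password seen in breaches:", breach_count("password"))
```

Note that a 16-character random password already has roughly 105 bits of entropy, which is far past any brute-force budget; the point of the breach check is that a human-chosen password fails long before length becomes relevant.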


Tip 4 – How I learned to stop worrying and love the notifications :

Get used to the notifications; security comes with the minor inconvenience of too many of them.

It’s just how it has to be if you want to stay completely clear of those pesky hackers nuking your accounts.


Tip 5 – Try not to lose your phone :

As someone who has lost many phones, try not to lose yours too.

Keep face or fingerprint unlock on, back up regularly, and make sure a thief can't switch off mobile data, enable airplane mode or power the phone down while it's locked: the quick-settings panel reachable from the lock screen and similar menus can work against you, so restrict them to the unlocked state so the device stays trackable and remotely wipeable.

Phone security might need its own guide at a later stage.

If you have a spare phone, consider setting it up as a dedicated security device that never leaves your office and holds your authenticator apps and in-app 2FA.

Text-message 2FA wouldn't work on that device unless it carries the SIM for the registered number (or a clone of it), but that's really going an extra two miles.


Tyrone Murphy