Caleb Sima, chief security officer at Robinhood until he left the online brokerage in March, went through an onerous and time-consuming process to protect himself and his family from hacking threats and online stalkers. Sima said he realized he needed to lock down his online accounts when he saw suspicious activity targeting his wife, celebrity chef Kathy Fang, on social media.
Cybersecurity researchers are targets for hackers too, Sima said in an interview, noting that, “Attacking the security team might be the one thing they least expect.”
Sima wrote in a recent post on his website about the steps he took. They included setting up online aliases, opening limited-use credit cards and directing password recovery text messages for online accounts to an online phone service instead of his personal cellphone. Sima even used a different name to buy a car anonymously, hiding his real identity from the dealership.
This interview has been edited for style and clarity.
WSJ Pro: Why did you decide to go through such extensive steps to protect yourself?
Sima: The catalysts for this were two things that were happening. My wife, first of all, launching this TV show [Food Network’s “Chef Dynasty: House of Fang”] that includes myself and some of my family in it. My wife also in the past has been on Food Network, has an Instagram account, has all of these social-media things going on. We’ve seen very unsettling kinds of behaviors from people, like stalkers. I really dug deep and I think that was the one thing that lit the match.
WSJ Pro: Google’s Threat Analysis Group published details a few days ago about North Korean hackers targeting cybersecurity researchers and even communicating with them for months before sending them malware. Did you feel that you as a cybersecurity professional were also a target?
Sima: I do, and I actually think that a lot of chief information security officers are good potential targets for hackers. CISOs, by and large, are public, and everyone has a LinkedIn page. If you’re an attacker targeting an organization, being able to find and identify you makes you a target automatically. Every CISO is worried about things like SIM hijacking. If you rely on two-factor authentication that goes back to your actual real number that is publicly known, that’s mistake number one. [In SIM hijacking or SIM swapping attacks, hackers use personal information to impersonate a customer of a telecoms company, and convince the provider to port their number to a new SIM card they control. This enables hackers to receive text messages sent to that number, such as verification messages, which they often use to access other accounts.]
WSJ Pro: You went through a complex process of locking down all of your online accounts. What was the hardest part?
Sima: A good example of what we were talking about is for every website you should ensure that you have 2FA on it, you should ensure that your recovery email doesn’t go back to the same email that’s yours. The recovery goes to a security email, and if it forces SMS, it should go to a phone number that’s not yours.
You target your big ones, your financial accounts or insurance accounts, your utilities, all of these things, but then when you start going through that list, it’s long. When you start going through each of these saying, ‘How do I make sure that there’s some sort of second factor or making sure that this SMS goes to a secure place?’ It is just a grind and the long tail of this stuff is just horrendous.
WSJ Pro: Did you just do this for yourself or for your wife and your family too?
Sima: I did it for myself and my family. I highly recommend that everyone go sign up for an email address, separated from your own, that only has lost password, SMS and Google Voice on it. Always redirect password recovery, always redirect SMS, if it’s required, to there.
For any services that are not very important, create one simple alias and sign up for those under it, and have those things point to this account. I think what you’ll find is it helps in some of your anonymization, it helps in cyber breaches, it helps in anything along those lines.
WSJ Pro: You wrote on your website that going through these steps made you appreciate how important privacy is for security. Why did you want to create these different separate identities so that you couldn’t be tracked online?
Sima: You can’t have security without privacy. Privacy is a part of it. It’s not everything and it’s not what you depend upon, but ensuring that the attacker doesn’t even know the number to SIM swap makes the job much, much harder.
WSJ Pro: What are the limitations of all these extensive security measures you’ve put in place and what would you like to protect against but can’t?
Sima: The lesson that I learned through this is that an individual shouldn’t have to go to these lengths for privacy. That really is the fundamental outcome of this: why do I have to sign up to these services under some alias because of a data breach or a paid-off customer support representative? That is just not something that, as a consumer, I should have to worry about.
Write to Catherine Stupp at catherine.stupp@wsj.com
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.