The Reason Your Antivirus Missed That Malware

The Reason Your Antivirus Missed That Malware

You ran a full scan. Clean. Then two weeks later, someone drained your bank account or locked every file on your laptop with a ransom note. The antivirus sat there, quiet, having missed the whole thing.

This isn't a story about bad luck. It's a story about a fundamental mismatch between what antivirus software was built to do and what modern malware actually does.

The Bouncer Who Only Knows Old Criminals

Traditional antivirus works like a nightclub bouncer with a photo album of known troublemakers. When a file tries to enter your system, the software compares it against a database of malware "signatures" — essentially digital fingerprints of known threats.

The problem is obvious once you see it: the bouncer can't stop someone whose photo isn't in the album yet. And attackers know this. They routinely repackage the same malicious code with minor tweaks — changing a few bytes, recompressing the file, running it through an obfuscator — until the signature no longer matches anything in the database. This takes a skilled attacker about ten minutes.

According to AV-TEST Institute, over 450,000 new malware samples are registered every single day. Signature databases are always chasing, never catching.

The Trick That Makes Malware Invisible in Plain Sight

Here's the counterintuitive part that most security articles skip entirely: your antivirus probably isn't failing because it's weak — it's failing because the malware isn't really there when the scan runs.

Modern malware increasingly operates "fileless." Instead of landing on your hard drive as a suspicious .exe, it injects itself directly into legitimate system processes already running in memory — things like PowerShell or Windows Management Instrumentation that your computer uses every day. When the antivirus scan sweeps through your files, there's nothing to find. The malware lives in RAM, does its damage, and often evaporates on reboot, leaving only the consequences behind.

This technique has exploded in sophistication. According to Malwarebytes' State of Malware report, fileless and memory-resident attack techniques have become standard components of attacks targeting both consumers and businesses. You're not being paranoid when the scan comes back clean and something still feels wrong.

The 72-Hour Window Nobody Talks About

Even when malware does leave files on your disk, there's a gap that rarely gets discussed: the time between a new threat appearing in the wild and the moment your antivirus vendor adds it to their database.

During that window — sometimes hours, sometimes days — your signature-based scanner is functionally blind to that specific threat. Attackers who are serious about a campaign deliberately time their releases to exploit this gap. They distribute the malware hard and fast during those first hours, knowing defenses are down.

This is why "zero-day" attacks get their name and their fear. The day the exploit is used is the day nobody has a defense for it yet.

So What Actually Works?

You need layers, not replacements. No single tool catches everything, and anyone selling you a product that claims otherwise is lying.

What you should actually do:

  • Enable behavior-based detection in your security software if the option exists. This watches what programs do rather than what they look like — a document that suddenly starts reaching out to a Russian IP address gets flagged regardless of whether it matches any known signature.
  • Keep your operating system updated obsessively. Most successful malware exploits vulnerabilities that already have patches available. The malware didn't outsmart your antivirus; you handed it an unlocked door.
  • Use a DNS-level blocker like Cloudflare's 1.1.1.1 with filtering, or NextDNS. These stop your computer from even communicating with known malicious servers, which cuts off a huge percentage of malware before it can do anything useful.

There's also one behavioral change that defeats more malware than any software: don't run as an administrator by default. Set up a standard user account for daily use. Most malware, when it executes, inherits only the permissions of the account that launched it. An attack that would've owned your entire system gets contained to a standard user's limited access instead.

The Uncomfortable Truth About Your Security Software

Here's something the industry doesn't want to say plainly: consumer antivirus products are, at this point, more useful as psychological comfort than as comprehensive protection. That's not nothing — comfort lowers the chance you'll do something reckless — but you should understand what you actually have.

According to MITRE's ATT&CK framework documentation, sophisticated attackers routinely assume that endpoint antivirus is present and design their techniques specifically to evade it. The tools you're up against weren't built by someone who forgot that antivirus exists; they were built by someone who tested against it extensively before deployment.

This doesn't mean uninstall your antivirus. It means treat it like a seatbelt: essential, genuinely life-saving in the right circumstances, but not a reason to drive carelessly.

What Happens After the Scan Comes Back Clean

If your machine is acting strange — slow, making unusual network connections, fans spinning at idle, browser redirecting you — don't trust a clean scan result. Open your task manager and look for processes you don't recognize. Run a second-opinion scan with a different tool (Malwarebytes Free is good for this; it uses different detection logic than most bundled antivirus).

Check your network connections. On Windows, open Command Prompt and type netstat -ano to see every active network connection your computer is making right now. You shouldn't need to understand all of it — just look for connections to foreign IP addresses you didn't initiate and Google what's making them.

The clean scan isn't the end of the investigation. It's the beginning.

The Honest Caveat

None of this fully solves the problem. A sufficiently well-funded, targeted attacker will get through layers that would stop commodity malware cold. Nation-state level attacks and sophisticated ransomware groups have dedicated teams specifically testing their tools against exactly the defenses you're using.

The goal of layered security isn't to become impenetrable — it's to be harder to breach than the next target, and to catch the attack before the damage becomes unrecoverable. That's a realistic goal. Invincibility isn't.

Sources:

  • AV-TEST Institute 
  • Malwarebytes 2024 State of Malware Report 
  • MITRE ATT&CK Framework 

What Hackers Can Do With Just Your Phone Number

What Hackers Can Do With Just Your Phone Number

Your friend's mom got a call last year from her "bank." The caller knew her name, her city, the last four digits of her account. She stayed on the line for forty minutes before wiring $3,200 to someone she'd never meet. The call came from her bank's actual phone number — the one printed on the back of her debit card.

The number she saw on her caller ID wasn't her bank's. It was yours.

That's the part most people don't expect: your phone number can be weaponized against complete strangers, and you'll never know it happened. But before we get to that, let's talk about what someone can do directly to you with just ten digits.

The Attack You've Never Heard Of (But Should Fear Most)

The biggest threat hiding behind your phone number isn't a virus or a hacked password. It's a scam called SIM swapping, and it's deceptively low-tech. A criminal calls your mobile carrier, pretends to be you, and convinces a customer service rep to transfer your phone number to a SIM card the attacker controls. That's it. No hacking required — just social engineering and a few pieces of your personal data scraped from old breaches.

Once they control your number, they control your identity. Every bank that texts you a verification code. Every app that sends a "reset your password" link via SMS. Every account protected by two-factor authentication through your phone. All of it now routes to the attacker's device.

According to the FBI's Internet Crime Complaint Center, in 2021 alone there were over 1,600 SIM swapping complaints with losses exceeding $68 million FBI — up from just $12 million across the prior three years combined. That's not a slow-burning trend. That's an explosion.

The average victim doesn't realize anything is wrong until their phone goes dead. Security experts say that if your phone suddenly stops working or you're unable to make calls or send texts, that may be exactly what's happening to you. Bokf By the time you notice, your email, bank, and crypto accounts may already be gone.

Your Number as a Weapon Against Others

Here's the counterintuitive part most articles skip entirely: you don't have to be the target for your phone number to be exploited.

Scammers use technology called VoIP — basically internet-based calling — to display any phone number they want on a victim's caller ID. According to the FCC, caller ID spoofing is when a caller deliberately falsifies the information transmitted to disguise their identity, often as part of an attempt to trick someone into giving away personal information. Federal Communications Commission Your number gets picked, sometimes randomly, sometimes because you answered a scam call once and they flagged you as a live number. Suddenly your elderly neighbor is getting calls from "you" demanding gift card payments.

You'll know this happened when your voicemail fills up with angry strangers. There's almost nothing you can do about it — because the calls aren't coming from your phone, they just look like they are.

What Else a Number Unlocks

Phone numbers are stitched into more accounts than most people realize:

  • Password resets. Gmail, Facebook, your bank — many will send a reset link or code to "your" number by default. Own the number, own the account.
  • Identity verification. Services like Venmo and PayPal use your number as a trust signal. Attackers who control it can pass basic identity checks.
  • Targeted phishing. With your number, attackers know your carrier, rough geographic area, and sometimes your name from public records. That's enough to craft a convincing fake text from "Verizon" or "AT&T."
  • Account takeovers at scale. Once inside your email via your hijacked number, attackers can reset every other account attached to that email address. One number. Total collapse.

What You Can Actually Do

Vague advice like "be careful online" is useless. Here's what works:

Call your carrier today and ask for a SIM lock or port freeze. Most carriers (AT&T, Verizon, T-Mobile) will let you add a PIN or passcode required before any SIM change can happen. This is not automatic — you have to ask. Do it now, before you need it.

Switch from SMS-based two-factor authentication to an authenticator app. Google Authenticator, Authy, and similar apps generate codes on your actual device — not through your phone number. A SIM swap does nothing against them. Go into every account that matters and change the 2FA method in settings.

Set up a Google Voice or similar secondary number for public use. Use that for restaurant reservations, online forms, loyalty apps — anything that doesn't need your real number. Keep your actual number for banking and healthcare only. Your real number becomes harder to find, harder to target.

Check your carrier account for unknown devices or recent SIM activity. Log into your carrier's app and look at what's listed. If you see a device you don't recognize, call immediately.

If you suspect you've already been hit: call your carrier, not from your own phone if possible, and demand an emergency SIM lock. Then go to a different device to start changing passwords on your email and bank accounts before the attacker gets there first.

The Part Nobody Talks About

Here's what most cybersecurity writing glosses over: two-factor authentication through SMS isn't security — it's a false sense of security for people who haven't been targeted yet. The entire banking and tech industry has trained you to trust a system that transfers all its security to the weakest link: a customer service rep who can be talked into a SIM swap.

A 2020 Princeton University study found that all five major carriers tested — AT&T, T-Mobile, TracFone, US Mobile, and Verizon — used authentication challenges that were vulnerable to SIM swapping attempts, with attackers succeeding even when they only had limited information about the victim. PIRG The problem isn't just criminals. The architecture is broken.

When you add your phone number to an account "for security," you may actually be creating a single point of failure that a determined attacker can exploit with a phone call and a bit of patience.

One Honest Caveat

If your number has already been heavily exposed — shared publicly, tied to old data breaches, or scraped by data brokers — the advice above reduces your risk but doesn't eliminate it. Carrier PINs can be bypassed through insider threats or especially persistent social engineering. Authenticator apps protect your accounts but don't stop someone from spoofing your number to scam others. There's no perfect defense here. What these steps do is make you a harder, less profitable target — which, for most attackers running at scale, is enough to move on to someone else.

That's not satisfying. But it's true.

Sources:

  • FBI Internet Crime Complaint Center (IC3) — SIM Swap PSA
  • Federal Communications Commission — Caller ID Spoofing
  • BOKF / The Statement — SIM Swapping on the Rise
  • PIRG Education Fund — SIM Swap Scams Can Be Devastating

Your Old Accounts Are A Security Risk — Here Is How To Clean Them Up

Your Old Accounts Are A Security Risk — Here Is How To Clean Them Up

A friend of mine found out his email had been compromised not through his main Gmail, not through his bank, but through a gaming forum he'd signed up for in 2011 and completely forgotten about. The attackers used his recycled password from that dead account to get into his email. From there, they reset his PayPal password and drained it. The whole chain started with a website he hadn't visited in over a decade.

This is not a freak occurrence. It's the default outcome when you leave digital debris scattered across the internet.

The Problem Isn't the Accounts You Remember

Most people think about security in terms of their active accounts. But the real exposure lives in the graveyard — the food delivery app you used once, the news site you registered for to read one article, the startup that pivoted three times and probably sold its user database to cover costs.

According to Have I Been Pwned, over 14 billion accounts have been exposed in data breaches catalogued by their service alone. A meaningful portion of those are dormant accounts nobody is actively monitoring.

When those sites get breached — and they will — your email and password get bundled into a list and sold. If you reused that password anywhere, someone will try it.

Start by Finding What's Out There

Before you can delete anything, you need to know what exists. Open your email client and search for terms like "welcome to," "confirm your email," "verify your account," and "thank you for registering." You'll find accounts you haven't thought about in years.

Do this for every email address you've ever used. The old Hotmail address from high school counts. So does the one you made for a job that didn't work out.

A password manager with breach alerts — 1Password, Bitwarden, or even Apple's built-in Keychain — will flag if your credentials appear in known breaches. Run that audit now, not after something goes wrong.

The Counterintuitive Part Most Articles Skip

Here's what nobody tells you: deleting an account is often more dangerous than keeping it if you do it wrong.

When you request account deletion through a company's process, most platforms require you to log in first. That means you need to reset a forgotten password, which sends a link to your email. Fine. But some platforms — especially older ones — don't actually delete your data. They "deactivate" you. Your email, your password hash, your personal info are still sitting in their database.

The smarter move before deletion: change the email address on the account to a throwaway (something like a temp-mail address), change the password to a random 30-character string, and then request deletion. That way, even if the "deletion" is fake, the data on file is garbage.

The Actual Process, Step by Step

For accounts you want to close, JustDeleteMe is a directory that rates how difficult each service makes it to delete your account and links you directly to the deletion page. It removes the guesswork.

Work through accounts in priority order:

  • High-risk first: Any account that has your credit card, bank info, home address, or government ID. These are the ones that cause real financial damage if compromised.
  • Email-linked accounts second: Anything that can trigger a password reset to an email you still use.
  • Everything else: Forums, old social media, loyalty programs, streaming trials.

For accounts you want to keep but rarely use, enable two-factor authentication (2FA) and generate a unique password. A hardware key like a YubiKey is the strongest option for sensitive accounts. An authenticator app like Authy or Google Authenticator is a solid second choice. SMS-based 2FA is better than nothing but is the weakest of the three — SIM swapping attacks have made it unreliable.

What to Do About Breached Credentials Right Now

If your email shows up in a breach, don't just change the password on the breached site. Assume that password is permanently compromised and do a full audit of everywhere you used it.

According to the Identity Theft Resource Center's 2023 Annual Data Breach Report, data breach notices are being sent later and to fewer victims than in previous years, meaning you often can't rely on companies to tell you when your data has been exposed. The assumption should be that any account older than a few years, at a site that isn't a major platform, has probably already been caught in something.

Use a breach-checking tool, change passwords proactively, and stop treating old accounts as harmless.

One Honest Caveat

This process is tedious. Actually tedious. You will hit dead sites that no longer have functioning deletion flows, companies that send you in circles, and services that technically "comply" with your request while retaining your data in backups for years. The GDPR gives European users the right to erasure, but enforcement is inconsistent, and most Americans have no equivalent legal lever. You can reduce your exposure significantly — but you cannot scrub yourself from every database that already has your information. The goal is damage containment, not perfection.

Sources:

  • Have I Been Pwned
  • JustDeleteMe
  • Identity Theft Resource Center 2023 Annual Data Breach Report

How To Tell If That "Security Alert" Email Is Real Or A Trap

How To Tell If That "Security Alert" Email Is Real Or A Trap

Your phone buzzes. It's an email from Apple — or at least, it says it is. Your account has been locked due to suspicious activity. There's a big red banner, an Apple logo, and a link to "verify your identity immediately." Your heart rate ticks up. You click.

That moment of mild panic is exactly what the person who sent that email was counting on.

This isn't hypothetical. Phishing emails that impersonate security alerts are among the most effective scams running right now, precisely because they weaponize the same instinct that good security advice has drilled into you: take threats seriously and act fast. The urgency is the trap.

The Trick Is That Legitimate Alerts Look Exactly Like Fake Ones

Here's the counterintuitive part most articles skip: real security alerts from Apple, Google, and your bank are often just as alarmist and visually dramatic as fake ones. Both use red banners. Both say "immediate action required." Both have polished logos. Assuming the scary-looking email is fake doesn't help you — and assuming the polished one is real will get you burned.

What actually separates them isn't how the email looks. It's where it's trying to send you.

Check the Link Before You Click Anything

Hover over any link in the email — don't click, just hover. On a phone, press and hold the link until a preview URL appears. Look at the actual domain, not the display text. The display text can say apple.com while the underlying link goes to apple-support-login.ru.

The real domain is the part immediately before the first single slash. So in secure.apple-verify.com/login, the domain is apple-verify.com — not Apple. Scammers are very good at making the fake domain sound plausible.

According to the Anti-Phishing Working Group, phishing attacks set a record in 2023 with over 1.3 million unique phishing sites detected in a single quarter — most of them impersonating financial and technology brands. The volume means attackers can register new lookalike domains faster than any blocklist can catch them.

The Sender Address Is Evidence, Not Proof

People are told to check the sender's email address, and you should — but it's not the whole story. A legitimate-looking address like security@appleid-alerts.com is still fake. And some sophisticated attacks can even spoof the display name to show no-reply@apple.com in your inbox while the actual sending address is something entirely different.

To see the real sending address in Gmail, click the three dots on the email and select "Show original." In Outlook, open the email properties. What you're looking for is the Return-Path header — that's where replies actually go and it's much harder to fake convincingly.

What Real Security Alerts Actually Do (and Don't Do)

Legitimate security alerts from major services follow a pattern worth memorizing:

  • They tell you what happened (a new sign-in from Chicago at 3pm)
  • They give you a way to say "that was me"
  • They do not ask for your password, payment info, or two-factor code

The moment an "alert" email asks you to enter anything — especially a verification code or your current password — stop. No real security system asks you to prove your identity by handing over the keys. That's not how authentication works. That's how credential theft works.

According to Google's Transparency Report on Safe Browsing, deceptive pages are identified at a rate of millions per week — and the most common pattern is fake login pages that collect credentials under the guise of account recovery.

The Safer Move: Go Around the Email Entirely

If an alert seems urgent and plausible, don't use any link or phone number in the email. Open a new browser tab and go directly to the service — type the address yourself or use your saved bookmark. Log in there. If something is genuinely wrong with your account, you'll see it after logging in through the real site.

This sounds obvious but almost nobody does it in the heat of the moment. The email is designed to be the path of least resistance. Going around it feels like more work when you're anxious, which is why it works so well as a bypass.

The same rule applies to phone numbers. If the email has a support number, don't call it. Look up the company's official support line from their website independently.

Two-Factor Codes Are Not a Safe Fallback

Many people think: "I have two-factor authentication on, so even if I get phished, I'm protected." This is dangerously wrong. Modern phishing kits operate as real-time proxies — you enter your credentials on the fake site, the attacker immediately uses them on the real site, triggers a 2FA request, which gets forwarded to you on the fake page, you enter it, and the attacker is in. The whole exchange takes under 30 seconds.

According to Proofpoint's State of the Phish 2023 report, 70% of organizations experienced at least one successful phishing attack, with MFA-bypass techniques growing substantially year over year. Two-factor helps. It's not a ceiling.

One Honest Limitation

None of this is foolproof, and you should know that going in. Phishing kits have become sophisticated enough that even security professionals get caught. If an attacker has done their homework — knows your bank, your name, and the type of account you have — their fake alert may contain accurate details that make it nearly impossible to distinguish on first read.

The tools here tilt the odds in your favor. They don't make you immune. The most realistic protection is to build the habit of slowing down the moment an email tries to create urgency — because that feeling of pressure is the product. Someone engineered it. It isn't the situation telling you to hurry. It's them.

Sources:

  • Anti-Phishing Working Group
  • Google Safe Browsing Transparency Report
  • Proofpoint State of the Phish 2023

Why Two-Factor Authentication Is Not As Safe As You Think

Why Two-Factor Authentication Is Not As Safe As You Think

Two-Factor Authentication Won't Save You — Here's What Will

You probably set it up feeling smarter than the average person. An extra code sent to your phone, a little app that generates numbers every 30 seconds. You figured: even if someone gets my password, they still can't get in. That's the whole point, right?

That's exactly what an Uber contractor thought in September 2022. He had MFA enabled. Every login attempt triggered a push notification to his phone. He kept tapping "Deny." And the attacker — a teenager who bought stolen credentials off the dark web — just kept trying. Push after push after push. Forty notifications in thirty minutes. Then the attacker messaged the contractor on WhatsApp, pretending to be Uber IT support: "Just approve the next one and they'll stop." So he did. The attacker was inside Uber's entire corporate network within two hours.

Two-factor authentication didn't fail because it was bypassed technically. It failed because a tired human got harassed into opening the door himself.

The Part Nobody Tells You

Here's the uncomfortable truth: there's no such thing as a single layer of security. Two-factor authentication is a speed bump, not a wall. And the people trying to break into your accounts have already mapped every gap in it.

The biggest gap is SMS-based 2FA — the kind where a six-digit code gets texted to your phone. This is what most banks default to, what most people use, and what most people think is "secure enough." It isn't. According to the FBI's Internet Crime Complaint Center, SIM swapping attacks — where criminals convince your mobile carrier to transfer your phone number to a SIM card they control — resulted in nearly $26 million in reported losses in 2024 alone. VikingCloud

Once they have your number, every SMS code you were counting on now goes to them. They don't need your phone. They need one cooperative or bribable customer service rep at your carrier.

How Your Phone Number Gets Stolen Without Touching Your Phone

The attack is brutally simple. Someone collects details about you — your name, address, last four of your Social Security number, maybe your carrier account PIN — through a data breach, a phishing email, or just combing through your social media. Then they call your mobile carrier, pretend to be you, and say they lost their phone.

A Princeton study found that researchers could successfully port a number at major North American prepaid telecom companies by answering just one security question correctly Phishlabs — information that's frequently already available from previous breaches or public records.

Your carrier deactivates your SIM. Their SIM activates with your number. Your phone shows "No Service." And you have maybe ten minutes before they're into your email, your bank, your crypto wallet — anything that can be reset via a text message.

The counterintuitive part: it doesn't matter whether those sites use SMS 2FA. If your email password can be reset through a text to your phone number, every account tied to that email is now accessible. One pivot point cascades everywhere.

The Attack That Doesn't Even Need Your Password

SIM swapping requires some setup. The other dominant bypass technique requires almost none.

It's called MFA fatigue, or push bombing. The attacker already has your username and password — not difficult, given that billions of credentials are sitting in breach databases available on the dark web. They log in repeatedly, triggering push notification after push notification on your phone. They do it at 11pm. At 2am. During your lunch break.

Most people, after 20 or 30 notifications, either assume it's a glitch and approve one to make it stop, or get socially engineered by someone calling them pretending to be tech support. According to a 2022 State of Passwordless Security report, this style of attack increased 33% year over year — and that data was collected before the Lapsus$ group made push bombing a mainstream tactic. Hypr

This isn't a niche attack. Microsoft, Cisco, Cloudflare, MGM Resorts — all hit with variations of this technique. The common thread isn't weak technology. It's exhausted people.

What Actually Works

The good news is that the fix is genuinely more secure, not just differently inconvenient.

Ditch SMS codes entirely. Replace them with an authenticator app — Google Authenticator, Authy, or Microsoft Authenticator. These apps generate codes locally on your device that never travel over any network. A SIM swap can't intercept them because there's no text to intercept.

Go further with a hardware key. Devices like a YubiKey plug into your computer's USB port or tap against your phone via NFC. You physically have to touch the device to authenticate. No push notification to bomb, no SMS to intercept, no code to phish. Cloudflare survived the same attack that breached Uber specifically because they'd already deployed hardware keys — the attacker's approved push notification produced nothing.

Lock your carrier account down. Call your mobile provider and set a port freeze or a number lock. Some carriers call it a "SIM lock" or "account takeover protection." This means your number cannot be transferred without an in-person visit to a store with a photo ID. T-Mobile, Verizon, and AT&T all offer some version of this — you just have to request it.

Use a unique email for security-critical accounts. Your banking email should not be the same address you use for newsletters, shopping, or anything that's likely been in a breach. A dedicated address that you never give out reduces your attack surface significantly.

Know what an attack feels like. If you suddenly get a flood of MFA push notifications you didn't initiate, that's not a glitch — someone has your password and is trying to get in. Don't approve anything. Change your password immediately (from a different device if possible), then report it to your account's security team.

The One Thing That Surprises People

Most articles assume you're the target of an opportunistic attacker running automated scripts. The scarier truth is that SIM swapping attacks are often deeply personal and manually researched.

In 2018, crypto investor Michael Terpin had $23.8 million stolen through SIM swapping by attackers who specifically targeted him after he publicly discussed his cryptocurrency holdings. Wikipedia The attackers spent time learning about him before making a single phone call.

If you talk about money, crypto, or financial assets publicly online, you're advertising to a very specific category of criminal. The attack starts long before the phone call to your carrier.

The Honest Limitation

Here's where I won't lie to you: even hardware keys can be circumvented if an attacker gains physical access to your device, or if a service falls back to SMS when you claim to have lost your key. That fallback option — built into most platforms to avoid locking users out permanently — is often the easiest path in. No security system is closed-ended. What you're doing is making yourself the hardest target in the room, not an impossible one. The goal is to ensure that breaching you costs more effort than an attacker is willing to spend.

Two-factor authentication is still worth having. But treating it as a finished solution is what gets people hurt.

Sources:

  • FBI IC3 / Viking Cloud 
  • Wikipedia (SIM swap attack)
  • PhishLabs (Princeton SIM swap study) 
  • 2022 State of Passwordless Security (via HYPR)

The One Security Setting Most People Never Turn On

The One Security Setting Most People Never Turn On

A friend of mine — smart, careful, not the type to click on weird links — had her email account taken over last year. The attacker didn't guess her password. They didn't need to. Her credentials had leaked in a breach from a site she'd forgotten she even used. They logged in from halfway around the world, reset her banking password, and were done before she woke up.

Her password was fine. That wasn't the problem.

The problem was that a correct password was the only thing standing between a stranger and her entire digital life. And that's true for most people reading this right now.

The Setting Is Two-Factor Authentication — And You've Probably Dismissed It Already

Yes, you've heard of it. That doesn't mean you've turned it on everywhere that matters. Most people enable it on their bank and call it done, leaving their email, cloud storage, and social accounts wide open with password-only protection.

Here's why that's the wrong call: your email isn't just your email. It's the master key. Every "forgot my password?" link on every other site goes there. If someone owns your inbox, they own everything attached to it.

According to Google's Security Blog, simply adding a recovery phone number to a Google account blocks 100% of automated bot attacks and 99% of bulk phishing attacks. Two-factor authentication takes that protection further.

What It Actually Does (Without the Jargon)

When you log in somewhere, you currently prove who you are with one thing: something you know (your password). Two-factor authentication adds a second proof: something you have — usually your phone.

Even if a thief gets your password perfectly right, they're stopped cold without that second factor. The login just… fails. They're locked out, and you get an alert that someone tried.

It takes about three minutes to set up. You'll do it once and then barely notice it exists.

The Part Most Articles Get Wrong

Here's the counterintuitive thing almost nobody tells you: not all two-factor methods are equal, and the most popular one is also the weakest.

SMS text message codes — the "we just texted you a 6-digit code" approach — are better than nothing, but they have a real vulnerability called SIM swapping. An attacker calls your phone carrier, pretends to be you, and convinces them to transfer your number to a SIM card the attacker controls. Now those texts go to them.

According to the Federal Trade Commission, SIM swap scams have cost victims millions of dollars, often targeting people who thought they were protected by two-factor SMS.

The fix is to use an authenticator app instead of text messages. Google Authenticator, Authy, and Apple's built-in password manager all generate codes locally on your device, with no carrier involved. There's nothing to intercept. This is free, takes five extra minutes to set up versus SMS, and is dramatically more secure.

Where to Turn It On First

Not every account deserves the same urgency. Prioritize in this order:

  1. Your primary email account — Gmail, Outlook, Apple Mail. This is non-negotiable.
  2. Your password manager, if you use one. If someone gets in here, they get everything.
  3. Your phone carrier account itself — because of the SIM swap risk above.
  4. Financial accounts — bank, brokerage, PayPal, Venmo.
  5. Social media, especially if your accounts have large followings or are connected to business tools.

For each one: go to Settings → Security (or Privacy) → Two-Factor Authentication. Enable it. When given a choice, pick "Authenticator App" over "Text Message." Scan the QR code with your authenticator app. Done.

The Backup Codes Are Not Optional

Every service that offers two-factor will also give you a set of backup codes — a list of one-time-use numbers you can use if you lose your phone. Most people screenshot them, close the tab, and never think about them again.

Print them. Physically. Put them somewhere you'd look if your phone was stolen — a filing cabinet, a locked drawer, your wallet. This sounds paranoid until the day your phone dies overseas and you need to get into your email. A printed backup code is not paranoia; it's basic contingency planning.

The Honest Limitation

Two-factor authentication is not a magic shield. A sophisticated, targeted phishing attack can still defeat it — if you're tricked into typing both your password and your code into a fake site, the attacker can use both in real time before the code expires. This is called a real-time phishing relay, and it's happening more than most people realize.

The more durable solution is a physical security key (like a YubiKey), which is hardware-based and cryptographically tied to the actual website's domain — fakes can't use it. But that costs money and requires more setup, which puts it out of reach for casual users.

So: two-factor authentication via an authenticator app is the right move for almost everyone. It stops the vast majority of attacks. It just doesn't stop all of them. If you're a high-value target — journalist, activist, executive — the threat model is different and you should dig deeper.

For everyone else: turn it on today, use an app instead of texts, save your backup codes somewhere physical. That's it. You've just made yourself dramatically harder to compromise than 90% of people around you.

Sources:

  • Google Security Blog
  • Federal Trade Commission (SIM Swap Scams)

What Happens To Your Data After A Company Gets Hacked

What Happens To Your Data After A Company Gets Hacked

A few years ago, a friend of mine got a call from her bank about a fraudulent charge — $12.99 for a streaming service she'd never heard of. Small, easy to dispute. But it kicked off three months of chaos: a replacement card, a drained savings account linked to the old one, and eventually the discovery that her email address and password had been sold in a batch of 200 million credentials from a breach she had no idea she was part of.

The company that got hacked? They never told her.

The first 48 hours nobody talks about

When a company gets breached, the clock that matters isn't the one they're using to notify you. It's the one the attacker started the moment they got in.

Most breaches aren't discovered the day they happen. According to IBM's Cost of a Data Breach Report, the average time to identify and contain a breach is around 258 days. That's eight months of your data potentially circulating before anyone sends you a "we take your privacy seriously" email.

In that window, here's what actually happens to your stolen data: it usually doesn't get used immediately. Attackers often sit on fresh data or sell it in bulk to brokers who specialize in sorting and validating it. Your email and password get tested against dozens of other sites automatically — a process called credential stuffing — before anything flashy happens.

Your data has a market price. It's probably lower than you think.

This is the counterintuitive part most breach articles skip: your individual data isn't worth much.

A full identity profile — name, SSN, date of birth, address — sells for roughly $10 to $25 on dark web markets, sometimes less if it's old or from an oversaturated breach. Your credit card number with CVV might fetch $5. According to Privacy Affairs' Dark Web Price Index, hacked social media accounts often sell for under $50.

What this means for you is that the threat isn't usually a targeted criminal who wants you specifically. It's automation — scripts running your credentials against thousands of sites at once, or bots probing for accounts tied to valuable services like cryptocurrency exchanges or airline miles.

Your data is commodity, not target. That changes what you should actually worry about.

The real danger is the chain reaction

The breach itself isn't the problem. The chain reaction it enables is.

Say your email and an old password leaked from a forum you signed up for in 2017 and forgot about. If that password is anywhere close to what you use now — same base word, different number at the end — automated tools will figure that out. They're built for it.

From your email, an attacker can trigger "forgot password" flows on your other accounts. From your other accounts, they can find financial information, real address data, or access to connected services. This is why the forum breach that seems irrelevant can become the thread that unravels everything.

What you should actually do, step by step

Stop thinking in terms of "was I in the breach" and start thinking about blast radius.

First, go to HaveIBeenPwned.com right now and enter your email. This site, maintained by security researcher Troy Hunt, indexes breach data and tells you specifically which data sets your email appeared in. It's free and doesn't store your search.

If you're in one, here's the sequence that actually matters:

  1. Change the password on that breached account — but only after you've changed your email account's password first. Email is the master key.
  2. Turn on two-factor authentication on your email, using an authenticator app (not SMS if you can avoid it — SIM swapping is a real attack).
  3. Search your inbox for the word "welcome" to surface every service you've ever signed up for. Change credentials for anything financial or health-related immediately.
  4. Freeze your credit at all three bureaus — Equifax, Experian, TransUnion. This is free and blocks anyone from opening new credit lines in your name. Unfreeze only when you need to apply for something, then refreeze.

A credit freeze is the one action that actually stops new-account fraud cold. Almost nobody does it until after something bad happens.

The notification you receive is not for your benefit

When a company sends you a breach notification email, it often arrives weeks or months after the incident. Legal teams have reviewed every word. The language is calibrated to minimize liability, not maximize your ability to respond quickly.

According to the Identity Theft Resource Center, many breach notices omit key details — like what specific fields were exposed, whether passwords were hashed or stored in plain text, or how long the breach window lasted. You are often getting the legally minimum viable disclosure.

Read the notification for what they don't say as much as what they do. "Encrypted passwords" with no mention of hashing algorithm means you don't actually know how exposed you are. "No financial data was accessed" sometimes means financial data wasn't stored there — not that it wasn't sought.

The honest caveat

None of this fully protects you, and pretending otherwise would be dishonest.

If a company stores your data in plain text, or gets breached by a sophisticated state-level actor, or if you've used the same password across accounts for years — there's no single action that reverses that exposure. The freeze helps. The password manager helps. The 2FA helps. But some of the data from old breaches is already out there, indexed, and will be for a long time.

What you're doing when you take these steps isn't eliminating risk. You're making yourself a harder target than the next person. In a world of automated, bulk attacks, that's often enough.

Sources:

  • IBM Security 
  • Privacy Affairs
  • Identity Theft Resource Center