Staying safe online beyond national cybersecurity awareness month

Last week, we talked about access management and its role in securing businesses from cyber threats as part of our National Cybersecurity Awareness Month (NCSAM) campaign. Today, we will take you through what’s putting your personal accounts at risk, and share tips from our partners on how to stay better protected.

So let’s start by identifying some of the biggest threats to personal accounts — phishing, SIM swapping, and database leaks.

Phishing

By using fake websites and emails that look genuine, attackers lure you into providing your login credentials, personally identifiable information (PII), and other private data, such as banking and credit card numbers. This is called phishing. These stolen credentials are used to take over your account. From there, an attacker can lock you out and even compromise your other accounts through password reset flows.

Last year, 51% of respondents in our 2019 State of Password and Authentication Security Behaviors Report said they have experienced a phishing attack on their personal accounts, while 44% experienced one at work.

SIM Swapping

SIM swap attacks are becoming increasingly common, particularly against individuals with a lot to lose financially. In these scenarios, the attacker poses as the account holder (usually using pieces of PII they’ve gathered elsewhere) and convinces your mobile service provider that you are switching from your current phone to another phone. Once the transfer is complete, the attacker can intercept one-time passcodes (OTPs) sent to your mobile phone number, which is now associated with the phone in their possession.

Once this is achieved, the attacker can perform password resets on any of your accounts that rely on text-based (SMS) 2FA. In most cases, if you’re using the same email address for all your accounts, the attacker really only needs access to your email account after the SIM swap. Here’s a real-life example that cost one individual $100,000.

Database Leaks

A database leak occurs when a service provider is breached and the attacker accesses the database of stored user credentials. The information from those databases often ends up on the black market for other attackers to use. There are countless examples of data breaches we could reference (hackers stole one billion Yahoo! login credentials in 2016; the Equifax breach affected 143 million American consumers in 2017). There’s really nothing you can do as the account holder to ensure the service provider is properly storing your password.

You’ve probably been told that the longer and more complex you make your password, the stronger it will be. Sure, long passwords with numbers and symbols are hard to guess, but even the most complex and unique passwords won’t stop attackers when they’ve stolen the account password itself from a poorly protected database. That’s why it’s a good idea to use a different password for each and every account you have. Doing so can limit your risk and exposure in the event a password database of a service you use is breached.

Our Advice

You don’t have to feel defeated or helpless against these attacks, and you can still protect your accounts by simply enabling strong two-factor authentication (2FA) or multi-factor authentication (MFA) across the services you use. There are multiple types of 2FA and MFA — avoid SMS (we explain why here). We believe hardware is not only easy to use, but also stronger given that these attacks are all remote-based. Using hardware security keys, like YubiKeys, requires physical possession. Since you’re here reading our blog, we recommend you check out the YubiKey and explore all the services that work with YubiKeys.
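To make concrete why the post favours hardware keys over SMS codes against the remote attacks above, here is an added example (not code from the original post or from Yubico) modelling the relying party's check in a FIDO2/WebAuthn-style login: the key signs the challenge together with the domain it is actually talking to, so the genuine service rejects an assertion produced for a look-alike domain, while a one-time code has no such binding. The Authenticator type, the signed-data layout and the domain names are assumptions of this simplified model.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models a hardware key holding one credential key pair.
// Hypothetical simplification of FIDO2/WebAuthn: the device signs
// SHA-256(rpId) || challenge, rpId being the domain the browser really talks to.
type Authenticator struct{ key *ecdsa.PrivateKey }

// Register creates the credential; the service stores only the public key.
func Register() (*Authenticator, *ecdsa.PublicKey) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{key: k}, &k.PublicKey
}

// signedDigest is what both sides hash: site identity plus challenge.
func signedDigest(rpId string, challenge []byte) []byte {
	rp := sha256.Sum256([]byte(rpId))
	d := sha256.Sum256(append(rp[:], challenge...))
	return d[:]
}

// Assert signs for whichever origin presented the challenge; a look-alike
// domain can only ever obtain a signature over its own name.
func (a *Authenticator) Assert(rpId string, challenge []byte) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, signedDigest(rpId, challenge))
	if err != nil {
		panic(err)
	}
	return sig
}

// Verify is the relying party's check, always against its own rpId and the
// challenge it issued, so a relayed or replayed assertion fails.
func Verify(pub *ecdsa.PublicKey, rpId string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedDigest(rpId, challenge), sig)
}

// VerifyOTP is the contrast: a code carries no notion of where it was typed,
// so one relayed from a look-alike page or an intercepted SMS passes unchanged.
func VerifyOTP(expected, presented string) bool { return expected == presented }
```

Real authenticators use a separate credential per service and sign a richer structure (authenticator data plus hashed client data); the check that the relying party's own identifier is covered by the signature is the part this model keeps.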

Most of us have friends or family members in need of basic account security advice. The trick is figuring out how to help without losing them in the details as you watch their eyes glaze over with boredom or confusion. Below, you’ll find 10 steps that any person can take to protect their personal accounts from the attacks we talked about today. If you feel your personal threat model isn’t addressed by this blog, hang tight! More tips are coming!

10 Steps from Yubico to Protect Your Personal Accounts

1. Get a YubiKey (Hot Tip: We recommend a 2-pack so you have a backup!)

2. Register your YubiKeys with your personal email account(s) (e.g. Gmail, Fastmail, Outlook.com or other supported email services)

3. Remove SMS 2FA from your email account(s)

4. Call your mobile service provider, and request a security PIN

5. Get a password manager (Hot Tip: You can use your new password manager to store your security PIN from your mobile service provider!)

6. Register your YubiKeys as a second factor for your password manager

7. Store all of your account passwords in your password manager

8. Make sure you reset each account’s password to be unique (Hot Tip: Most password managers have a password generator feature!)

9. Download Yubico Authenticator to all of your devices to use with accounts that support authenticator apps (Hot Tip: Find registration instructions for your favorite services in our Works with YubiKey Catalog!)

10. Enable 2FA/MFA and enroll your YubiKeys on all of your accounts

Through the years, we’ve developed software and hardware 2FA solutions to better protect users online. We’ve been fortunate enough to forge partnerships with global leaders in password management, browsers and platforms, cloud services, and many more, as part of our Works with YubiKey Program. Check out some awesome tips from our partners below.

“2FA, plus a password manager, is the best way to protect your data. If someone were to learn your password for an account, they’d need that second factor to access it, making account takeover much less likely.” – Jeff Shiner, CEO, 1Password

“Sensitive accounts like banking, email, and social media warrant an additional layer of protection. Having strong, unique passwords for every account is a necessary first step in securing our digital lives.” – Emmanuel Schalit, Co-Founder & CEO, Dashlane

“Cryptocurrency is built on the fundamental promises of security and freedom. To deliver on these promises, people need to be in control of their security, and have the opportunity to choose the measures that suit their needs.” – Mike Rymanov, CEO, DSX

“Don’t give attackers a single target. Use a different password everywhere, a different email address or alias with subscriptions, and protect your accounts with a hardware authenticator. Your other accounts won’t be at risk in the event one account is compromised.” – Ricardo Signes, CTO, Fastmail

“It’s a great time to get cyber-checked. With data breaches becoming more frequent, one of the most basic precautions is to use strong, unique passwords for every account along with 2FA. That is the first step towards protecting yourself against account takeover.” – Craig Lurey, CTO, Keeper

If you don’t see the service you use on our catalog, ask them to implement strong authentication with the YubiKey by tweeting at them to add support.


