I live in an authoritarian country. I have a group of friends & acquaintances from a political organization who have asked me to deliver a presentation on security & privacy (specifically for activists). Although I’m somewhat well-versed in tech, I’m not so confident and there may be things that I might miss. What are some of the things that are often overlooked and I must mention? Thank you.
Two factor auth should be a whole section, and tell people not to use SMS. Mention SIM swap attacks and stingray devices
Tell people setting up 2FA with SMS usually makes their accounts less secure, and only to use TOTP or hardware tokens.
My most important issue is that a phone number is a deanon - your main phone number has to be tied to your ID, so the only option would be a long-term rental, which would get expensive, especially if it is one number per service.
When I do these trainings I tell them never to enter a phone number into an account because it's a huge risk.
Ideally just don’t have a phone number at all