1) Call your cellphone carrier and ask to set up a password/PIN to be used for when you call into the customer service phone number.
2) Consider your phone number and SIM card insecure. The phone carriers are ignoring the SIM swap problem even though they know how much damage it's causing. Give your phone number to as few companies as possible. Phone services such as Google Voice work without a SIM card, so they are less prone to problems. Give out such a phone number if necessary.
3) Don't use text message verification codes as 2FA. Use an authentication app, such as Google Authenticator.
4) You can retake possession of your hacked Gmail account by providing one of the previously used passwords. No need to have a working phone.
5) Ask yourself, what will happen if you lose both your laptop and your phone at once? Do you have things set up in a way where you can get back into your digital life? Someone can break into your home while you're away, the government can confiscate them at the airport, etc.
6) Check what email addresses you have configured as backup auth methods for your Gmail. Those accounts can be used as a means of access by a hacker.
> 4) You can retake possession of your hacked Gmail account by providing one of the previously used passwords. No need to have a working phone.
That's possible?! I only ever change my password if I suspect it might have been compromised. Now if a service allows using old passwords, that's quite a bummer and makes password changes meaningless.
> Call your cellphone carrier and ask to set up a password/PIN
Note that, at least for T-Mobile, AT&T, and Verizon, the password/PIN is presented to the CSR in plaintext (as they verify the PIN over the phone verbally).
I'd assumed they'd transfer to some pin-capture applet to verify, but nope.
> Use an authentication app, such as Google Authenticator
If you decide on Google Authenticator, make sure you scan the barcode with 2 devices (say, your tablet and your phone) to back up that credential. Or just use Authy.
You can print out a copy of the barcode and keep it somewhere safe. It's a little bit scary, as that barcode is a super powerful extra key, but you will have a key that will work and not be reliant on any device to store it.
There are plenty of TOTP apps (besides Authy) that support backing up the code generation keys. I use andOTP, for example, which supports backing up locally to the phone's internal storage (and optionally encrypting that backup with either AES + a passphrase or a PGP key if you've set up an OpenPGP provider on your device). 1Password's iOS (and Android?) app also supports TOTP.
> 2) Consider your phone number and SIM card insecure.
Your phone number is an obvious attack vector. I think having a dual-SIM phone with a 2FA-dedicated number that is not publicly associated with you, possibly with a carrier that has its security in order, would decrease the odds of getting hacked.
> 4) You can retake possession of your hacked Gmail account by providing one of the previously used passwords. No need to have a working phone.
This is what I'm worried about: if I don't have a phone number on a Gmail account, won't it make it harder to get access to that Gmail account if I am locked out? Even though there's obviously a bad security loophole with just having a phone number on your account as a recovery option, is it not worse to be locked out of your account with no way to get in?
Even if you go through the g.co/advancedprotection onboarding process, they still say account recovery is possible and that it would take 3-5 days extra. Granted, it's not easy, but it's much easier to buy security keys and put one in a safe deposit box than it is to try to get every carrier to be nice to you and not SIM-swap your account.