I’m a YouTuber with a growing channel and want to take security seriously.
I have a unique strong password on my google account along with passkey, authenticator and google promt setup.
I’ve read horror stories of creators accounts getting hacked via 2 factor sms and through sponsorship phishing.
My question is, should I remove the 2 factor sms on my account? would only using a password along with passkey/authenticator be stronger/less vulnerable?
Also, any other suggestions are more than welcome. I do use my real name on my channel, I’m okay with that and can’t change it without starting over my channel. But I am working on removing any data on my location and other private data out there.
My only real advice would be to use a virtual machine when doing emails that is not logged in to any where else. Where most people get hacked is by opening a sponsor email while being logged in to their Youtube or other accounts.
I would personally use Kicksecure as you can use it with VirtualBox, it comes a bit harden security wise and you can use their Live function so nothing is saved.
What that means is if you open most malware then close it that the next time you open Kicksecure Live it won’t be there as it won’t be saved. This is not 100% proof as there are rare malware that can break out of a virtual machine, the majority can’t.
Suppose I have a second bit of advice, always log out of your main Youtube account when you are not directly working on it. Uploading, answering comments, checking information. Once that is done immediately logout.
It is not as quick or simple but for security? Can make a large difference.
Any other advice? Well check websites for their actual email and email the companies directly after getting an offer to double check. Example G-Fuel. Go to their real website and use their contact information there to verify.
If you do use Kicksecure you can install ClamTK which is a free lightweight and competent enough antivirus as Linux can get infected despite what most would think. You can scan any PDF with that once downloaded.
@Throwitaway Thanks so much the Advice. That makes sense to use a virtual machine. I do use MacOS and iOS for everything I do, but I know that still comes with potential risks.
I really like the idea of checking the companies website/email to verify it is real. Having some trying to get me like that is my biggest fear right now haha
Thanks again
@ph00lt0 Thanks! I understand that having a yubikey would have the added security of having a physical key that only I have. Would that be more secure than requiring a passkey of TouchID and/or FaceID?
You should be reminded of the usual OpSec of not taking pictures of the front of your house, or even neighborhood, cars, etc.
You should be aware of people doing GeoGessr with just a picture of the neighborhood with no hard identifiers. People’s location do get identified by the infrastructure around them by the combination of curbs, signages, lamp post, power post unique to their location. If your house is visible via Google Earth, you can bet someone can geolocate you by the picture of your neighborhood.
Yes more secure for sure as it keeps the password requirements so it is a better form of authentication.
I do however think that using non cloud synced passkeys is perfectly fine in most situations. Google will also still allow you to use that within the advanced protection program.
As someone who has played GeoGessr many times I’m fortunately I’m very away of those ricks haha. I’m in a large walkable urban area and will post sometimes when I’m out and about. But that’s a great reminder to be carful or just not do that. Thanks for the reminder
This step is okay but doesn’t add much security to your account that much as nowadays account hacks happen through stealing session cookies which would render such advanced security useless. ( People have actually lost their accounts even after securing it with a yubikey)
With increase in interest of crypto markets , these hacks have also been on rise recently.
I would suggest to log out of your youtube account desktop session frequently when not in use.
Possibly also keep a different email for your official contact than the gmail you use for your youtube account.
A mobile device would usually be safer for being logged into your account.
@pika Thanks for the info, I remember hearing about that happening to some big accounts. By habit, I typically check my email via mobile, I’ll make sure to keep that habit haha. Would disabling session cookies for YouTube.com and Google be a potential solution?
I actually disagree with your assessment.
Session cookies are a problem, but enrolling in advanced protection will actually help with that too.
Google takes your account much more in control and is more likely to request reauthentication when something suspicious happens like connection from unknown location.
Besides all that still the majority of people get hacked because of phishing and dataleaks.
@ph00lt0 I do like the overall projections of Googles advanced protection. I use Apple’s Private Relay feature on both my phone and computer, would that potentially cause google to request reauthentication with me everytime?
If you are in the US, maybe Apple is inclined to be more well behaved so I guess Apple Relay is ok enough. The issue I have is that I Apple will relay the user’s connection through the VPN but the underlying OS does not go through the VPN maybe because it thinks itself special.
The general advice is to use a router with a VPN. I am currently using a Protectli router with pfSense and Wireguard client addon for using with ProtonVPN. This way, even the iOS/Apple snowflakes within my network gets to enjoy VPN with no exceptions.