My Tech Stack for Staying Safe on the Metaverse

By Garrett Mickley • Updated: 01/18/22 • 15 min read

The internet is a dangerous place.

The metaverse is, too.

It would be best to do everything you can to keep yourself safe.

There’s no way to be 100% safe.

The tech stack I have curated over the years makes it harder for someone to steal my cryptocurrency or credit card numbers, or to show up at my front door to harass me.

You already know that your data is out there.

Just do a Google search for your favorite stores and “data breach,” and you’ll see: your data is already out there on the internet.

With this tech stack, you can sleep a little easier knowing you’ve done everything you can.

Most of this stuff is more focused on “privacy” than “security,” and that is because I believe privacy is security.

Two disclaimers for you:

  1. I consider myself a pretty wise hobbyist in the cyber security realm, but I’m certainly no expert. If you’re concerned for your safety, please seek a professional who can help you.
  2. Some of the links in this article will lead to the site with a referral code. If you purchase through these links, I will get a small benefit (money, sometimes ‘store credit,’ etc.) at no extra cost to you.

I use these two definitions to differentiate:

  1. Affiliate – this means I get straight-up money deposited into my account, which goes towards maintaining this blog.
  2. Referral – this means I get a discount or store credit or something like that.

Bonus disclaimer! I’m not responsible for anything you do, even if it’s something I said in a blog post.

Let’s go!


Protecting My Phone Number(s)

When you sign up for your cell phone service, you give up a lot of your privacy and thus security.

This video shows how easy it is for someone to get into your cell phone account:

How do we prevent this?

Don’t tell anyone your phone number.

I am serious, and this is easier than you might think.

First off, you have to settle that you need to give up your old phone number(s).

I know, it’s tough.

I own a cell phone number that has been my phone number my entire cell-using life.

I’ve had this number for at least 20 years.

And before that, it was my mom’s first cell phone number.

But that number is all over the web and pretty easy to find (we’ll cover how to fix that later in this post).

If someone can find your phone number, they can find out what company your service is on, and then they can call that company like in the video above and get into your account.

The best way to avoid this is to go to AT&T or Verizon or whoever, cancel your account, and make a new one.

If you’ve wanted to switch companies, this is a great time to do it.

When they ask, do not take your old number with you.

New number; new account.

Next, on your smartphone, download a phone number app.

I like MySudo, personally.

It’s available on both iPhone and Android, and plans start at USD 0.99 per month.

Easily worth it for the security you’ll be getting.

Create the numbers you need and give those numbers out.

I recommend creating at least these three:

  1. Personal number for friends and family only (don’t put it on the internet).
  2. Business line for anything work-related (you may put on the internet).
  3. Multi-Factor Authentication number (more on that later).

You may find more that you need in the future, and it’s inexpensive to add them.

You can also use MySudo to create email addresses and hide your credit card numbers, which is the next topic.


Protecting My Credit Card Number(s)

I already mentioned that you could use MySudo to protect your credit card numbers, so it may just be easier to handle this in there.

Before MySudo had that function, I signed up for a different app to do it, called Blur.

Blur (ref) is a great app that does many things, like MySudo.

The way it works is that you put your actual credit cards into your Blur (or MySudo) account, and it spits out a “fake” credit card number (that works).

When you use the credit card number they give you, they’re buying the product or service for you, and then they charge your credit card to reimburse them.

There’s a small fee for each transaction, but I find it worth the safety considering all the data leaks over the last few years.

If the data gets leaked on your fake credit card, you can go into your account, burn (delete) the phony credit card number, and get another one.

I bring up Blur, even though MySudo can hide your credit cards, because there is another reason to have it.

It can protect your email address(es).


Protecting My Email Addresses

Just like hiding your credit card numbers in Blur (ref), you can obscure email addresses.

It gives you a dummy email address and forwards anything from there to your actual email address.

The websites are none the wiser.

So if that site’s data gets leaked, only the dummy address is exposed, and nobody learns your real one.

If that happens, burn the email address and get another one.

You can set up many of these, so I usually compartmentalize them based on what I need them to do.

I have one email address for banks, one for cryptocurrency wallets, one for social media, and so on.

I do give out my actual email addresses to people, but I have addresses expressly set up for that, too.

But with all these randomly generated gibberish credit cards and email addresses, how do I keep track of them all?


Remembering My Login Information

There are several ways to do this that range from more convenient but less safe to safer but less convenient.

I’ll go through several options here (including what I do), and you can decide which level is right for you.

This tool is called a password manager, but you can manage more than that in most of them.

I use a physical hardware password manager called a Mooltipass.

A hardware password manager like this is the least convenient but safest option there is.

To get into any of my accounts, I need to have this physical device.

If it gets lost, I have a backup that is kept secret and safe.

I only really keep my most important and life-changing stuff in there.

You can use multiple password managers for different things if you see it as a benefit.

Without going physical but still wanting to be highly secure, you can use KeePassXC.

KeePassXC is a free, open-source tool that can use a file as a “key” to unlock the database (which stores all the data).

You can then hide that key somewhere separate from your database.

This way, someone needs both the database and key files to open and get the data out.

Less convenient for you, but very safe.

The next safest option is to use an app we’re already using: Blur (ref).

Blur stores the info for you, and you can access it via smartphone apps and browser add-ons on your computer.

Password managers are incredibly convenient and still relatively safe.

Remember that you will want to log out of this account whenever you step away from your computer.

If you log in on your browser and someone hacks your computer while you’re sleeping, they’ll have access to it.

One more option, which I recommend for businesses, is LastPass.

LastPass makes it extremely easy to share passwords with employees, even without letting them see the actual password.

The employees install LastPass, and you share it with them.

Then, when they go to the site, the LastPass browser add-on automatically fills the login information into the form without them ever seeing the password.

Then, if something happens and they leave or become untrustworthy, you can revoke access in LastPass, and they can no longer access it.

You don’t need to worry about changing passwords any time an employee comes or goes.

I’m sure all password managers (except Mooltipass, KeePassXC, and others like those) have this capability now, but I prefer LastPass.

Bonus PRO TIP:

It would be best to use your password manager to generate random passwords for you.

You need randomly generated passwords for each website and account.

You don’t need to know your passwords.

You only need to know one password, which is the password you use to get into the password manager.

Or, if you use a physical one like the Mooltipass, you don’t even need that because it requires a literal key to operate.

Side note: Something else I do sometimes is randomly generate my usernames, too.

There are many sites where I don’t need people to know who I am.

For example, several of my banks have asked me to choose a username for logging in.

Why not email? I don’t know.

But for those sites, I don’t want to use my real name or even “megabyteGhost,” as most people on the web know me.

So, I randomly generate a username just like I would a password.


Protecting My Accounts

Now, your emails, usernames (sometimes), and passwords for logins are all randomly generated and mostly untraceable in the event of a data leak.

There’s still more to do to protect your accounts.

Even though your email and password for any one site will be different from every other site, if both leak, then someone can log in to that site and wreak havoc.

And if you think, “well, I’m a nobody, and there are 300,000 lines in that leaked database, so what are the chances they will pick me,” I have an answer for you:

They will use software to try every single line in that database.

The criminal actors don’t even need to sit at their computers to check them.

The software runs and checks every single one while they’re sleeping.

They wake up the next day with a list of ones that work.

Then they log in and do whatever they want.

There is a way to stop this: multi-factor authentication (sometimes called two-factor authentication).

MFA works by generating a one-time code that changes every 30 seconds.

You’ll need to put in that temporary code when you log in, along with your username (or email) and password.
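To make the 30-second code concrete, here is an added example (not code from this post or from any app it mentions) that implements RFC 6238 TOTP with Python’s standard library, plus the check a website performs on the code you type, tolerating one step of clock skew. The secret is the RFC test-vector secret, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret (ASCII "12345678901234567890" in base32), used
# here only as a worked example; a real enrollment secret stays private.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic
    truncation to `digits` decimal digits. The '30-second code' is this
    with the counter replaced by a time step."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    secret = base64.b32decode(padded)
    now = time.time() if at_time is None else at_time
    return hotp(secret, int(now // step), digits)


def verify_totp(secret_b32: str, submitted: str, at_time=None,
                step: int = 30, window: int = 1) -> bool:
    """What the website does with the code you type: accept the current
    step plus or minus `window` steps to tolerate clock skew, compared in
    constant time. Codes from older steps are rejected, which is why a
    code is only useful for a minute or two."""
    now = time.time() if at_time is None else at_time
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, now + drift * step, step)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    # Your authenticator app and the website share the secret, so both
    # derive the same six digits for the same 30-second window.
    print("code now:", totp(TEST_SECRET_B32))
    print("RFC 6238 vector at t=59:", totp(TEST_SECRET_B32, at_time=59))
```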

You’ve already experienced this before in your life.

Most websites do this every once in a while.

Especially banks.

Sometimes they send the code to your phone via text message, which isn’t exceptionally safe.

Even worse, they might send it to your email, which is less safe.

If someone gets into your email account, they can use the MFA to log in to other accounts.

And if someone gets ahold of your cellphone account, they can do the same.

Again, I’ll go through a list of options you can choose from the most secure to the least safe (but still very secure).

I wouldn’t recommend anything I don’t use or haven’t used.

A Physical MFA Key

I’ve discussed the power of having a physical key for a password manager, and I’m again going to recommend a physical option: the YubiKey.

The YubiKey is a physical USB key that you can plug in (or, in some cases, use wirelessly, for example with your phone) that handles the MFA for you.

Once you’ve set it up that way, the only way to get into an account is to have that key physically on you.

I keep one hidden on me at all times, plus a backup in another secret and safe location.

If that’s too inconvenient for you, there’s an app for that.

An MFA Phone App

Not all websites allow something like a YubiKey, so an app on your smartphone is the next option.

There are tons of options out there.

My favorite is from the world-renowned security company Sophos.

It’s called Sophos Authenticator, and you can find it on both the iOS App Store and Google Play.

Multi-factor authentication apps are the least secure option you should choose voluntarily.

But, some sites still won’t allow a physical key or an app.

They require a phone number.

But if you set up your phone number and your data leaks, now your phone number is out on the internet.

So, how do you prevent this from becoming a problem?

MySudo MFA Phone Number

The answer is to set up a MySudo number exclusively for MFA.

That way, this number is only on the website for this one purpose.

If something happens and leaks, you can burn it and use another one.

Make sure you go in and change the MFA phone number on all your accounts before you burn a number, or else those accounts will lock you out, and you will not be able to access them.

Keep this phone number secret from anyone or anywhere else in the world.

It’s used only for this purpose.

Some websites will require email for MFA but no physical key, no app, no phone number.

Just email.

If that’s the case, the code usually only goes to the email address you use for the account, which is annoying.

If that’s the case, the best thing you can do is secure that email account as well as you possibly can.

The more secure that email account itself is, the less likely anyone will get in and then receive the MFA codes to get into your other accounts.


Protecting My Cryptocurrencies

To keep my cryptocurrencies safe from hackers, I use (yet again) a physical “key” for that.

It’s called KeepKey, and it’s a physical “hardware wallet” for all of my cryptocurrencies.

Because it stores blockchain data of many types, it can also hold my NFT contracts.

The only way to access them is to have my KeepKey plugged into my computer.

We’re dealing with money and valuables here.

I will not compromise on the safety of this.

I also never send anything directly from this wallet to, or receive anything directly into it from, a wallet I don’t own.

It does cost a little bit to move your cryptocurrencies around from wallet to wallet, but it’s much safer and IMHO very worth it.

Again, we’re talking about money and valuables—no compromise on safety.


Erasing My Social Media Data

If you follow me on social media, you might notice that I only have about a month’s worth of posts.

That’s not because I joined social media a month ago.

It’s because I use an app called Jumbo to delete all of my posts older than a month.

I believe that social media should be ephemeral and not permanent.

Of course, sites are out there caching it.

Anyone familiar with open-source intelligence (OSINT) will find the history of my posts.

If I ran for President of the United States, someone would dig up something stupid I said when I was 25.

Or yesterday.

We all say stupid things sometimes.

But I want to make that as difficult as possible.

So I set up Jumbo to delete all of my Instagram, Twitter, and Facebook (personal) posts over 30 days old.

Jumbo does some other great things, too.

It charges what I consider a reasonable fee, and it provides USD 1,000,000 in cyber security insurance.

If somehow someone gets through and messes up my stuff, the app insures me for that much.

That helps me sleep at night.

It also pays attention to data leaks and notifies me if I’m in one.

For example, I just checked, and in the last week, there were 16 new reported data leaks, and none of my information is in any of them.

And it checks the Wi-Fi I’m connected to and lets me know if I’m not safe in public.

You can also use it as an MFA app, but I don’t keep anything in it since I already use the Sophos one.


Erasing My Leaked Personal Data

There were 16 newly reported data leaks in the last week, and I was in none of them.

I used to be in many data leaks, and now I’m rarely notified that my information is in a leak.

That’s because of two things:

  1. I follow all of the protocols I’ve explained above.
  2. I use a service to delete all the old leaks and information.

Abine, the same company that makes Blur, also offers DeleteMe (ref).

DeleteMe scours the internet for your information and then sends removal requests to the websites to have it taken down.

If they can take it down themselves, they’ll do that, too.

Whatever they have to do, they’ll take the fastest route to get your information off the internet.

Anything they can’t remove, they will keep in a database you can download to see.

You can then try to remove them yourself or give them to a professional, which usually costs much more money.

So far, I haven’t had to do that.

DeleteMe has been great at getting rid of stuff.

It’s also fantastic that they send a report every quarter so you can see how much they’ve removed from the web.

In my first quarter, I think they found over 900 instances of my data and had already gotten rid of a large portion of that.

Of course, you have to pay for this service.

What do safety and security mean to you?

DeleteMe makes it much harder to find my phone number(s), email(s), username(s), and even my physical address.

It’s not perfect, but it’s substantially better than nothing.

Conclusion

As I stated in the introduction, nothing is 100% unhackable.

Even though I take all of these steps to protect myself, someone with enough determination and skills will figure it out.

They know who they are, and if you’re one of them: props to you. I am seriously impressed. That takes a profound amount of knowledge.

I’m not worth the effort, but I sleep better knowing that I’ve done all I can.
