Celebrity and CEO Guide To Security

Julian Cohen
5 min readMay 20, 2019
Image credit: Shutterstock

Everybody needs good security these days. Here’s some common advice that I recommend for high-risk individuals.

Account Security

Most folks are worried about their accounts. Their e-mail, which could allow password resets for all their other accounts. Their mobile device backup (iCloud or Google), which could contain intimate photos and location information. Their bank accounts and investment accounts, where their money is kept.

Password Manager

Use a password manager. A password manager is not a secure place to keep your passwords, but an easy place to generate and store unique and random passwords. The main goal here is to ensure that each password you use is unique, so it can’t be reused from a previous breach, and random, so it can’t be guessed. Here are some popular password managers: 1Password, LastPass, and Dashlane.

Make sure to use a strong and unique master password on your password manager. Use a long passphrase with numbers and punctuation or several random words strung together. Add two-factor authentication to your password manager and follow the two-factor authentication guidelines below.

Two-Factor Authentication

Turn on Two-Factor Authentication or Multi-Factor Authentication on all your sensitive accounts. Using a second factor makes it much more difficult for someone to access your accounts if they have guessed or stolen your password. You can typically turn on two-factor authentication (2FA) for many services by going to the security section of your account settings.

Don’t Use SMS for Two-Factor Authentication

SMS (text messaging) is an insecure second factor and an increasingly popular way to break into accounts (I describe an attack called SIM Swapping below).

Remove SMS (text messaging) as a second factor and a recovery option for your sensitive accounts. Instead use one of these secure second factors:

Increased Security for Sensitive Accounts

Use hardware tokens (U2F) instead of other two-factor authentication options. This helps protect your accounts against phishing.

Enroll in the Google Advanced Protection Program for your gmail.com account.

Preventing SIM Swapping

SIM Swapping is the name of an attack where someone steals a phone number by asking a cellular provider to port it to a new phone or a new SIM card.

Don’t Use SMS for Two-Factor Authentication

See above for other two-factor authentication options.

Add a PIN to Your Phone Number

A PIN is required when SIM swapping across carriers and sometimes when SIM swapping within a carrier. Use a unique and random PIN number. Store it in your password manager for safekeeping.

AT&T: On AT&T, you can set up a “wireless passcode” that’s four to eight digits long by going to your profile, then “Sign-in info”, then “Get a new passcode”. You should also add what the carrier calls “extra security,” which just means it’ll require the passcode to manage your account online or in a retail store. You can find that by going again to “Sign-in info”, then “Wireless passcode”, and checking “Manage extra security”.

Sprint: On Sprint, sign into your account, click on “My Sprint”, then go to “Profile and security”. Scroll to “Security information”, and update your PIN there.

T-Mobile: For T-Mobile, you have to call instead; dial 611 from your mobile phone and ask to add “Port Validation” to your account, which lets you choose a six to 15 digit PIN.

Verizon: Verizon actually requires a PIN, but to set yours up or change it, head to this site, then sign into your account. Enter the PIN of your choice twice, click “Submit”, and you’re done.

These guides are from this article.

Lock Your Number

You can call your carrier and ask them to lock your phone number. Some carriers will also allow you to request that they not allow your number to be unlocked or moved unless you show up in-store with identification.

Use a Safer Number

Some carriers like Google Voice have locked numbers by default and don’t allow employees to unlock those phone numbers. Using Google Voice for your cell phone number is good way to keep that number safe.

Prevent Identity Theft

Everyone is vulnerable to identity theft, but celebrities and directors and officers of organizations are even larger targets for account compromise, credential theft, doxxing, and more.

Private investigation websites collect personal information about US citizens via a number of ways, but US law allows you to opt-out of being including in their offerings.

Use the following list of links and follow their instructions to opt-out of these popular websites or use a service like DeleteMe to do it for you: BeenVerified, CheckPeople, Instant Checkmate, Intelius, LexisNexis, PeekYou, PeopleFinders, Pipl, PrivateEye, Radaris, Spokeo, USA People Search, TruthFinder.com, Nuwber, FamilyTreeNow.

A more complete list of websites is available here.


A good deterrent is better than strong security. A deterrent is anything that will make someone think twice before going after you.

  • Use services that cooperate with law enforcement during investigations like Google and Facebook.
  • Collect information that can be used in an investigation. Keep surveillance camera video (and make sure surveillance cameras are highly visible). Don’t delete threats or hate speech (and take screenshots). Don’t delete data (like e-mails and comments). Don’t throw away old phones and laptops (but keep them stored securely).
  • Make an example out of previous incidents. Don’t become labeled as an easy mark. If you are conned or hacked, file a police report and cooperate with the investigation.

Physical Harm

If you are at risk of physical harm or violence, call 911 or contact local law enforcement immediately.


Swatting is when someone deceives an emergency service dispatcher into sending an armed emergency service response team to another person’s address. If you are at risk of swatting, call your local police department or precinct and explain the situation to them. Typically, they can add you to a list of addresses that require verification before sending emergency services.


If you are getting threats, report them to your local law enforcement. If they are deemed credible, consider hiring an executive protection agent (commonly referred to as a bodyguard).



Julian Cohen

Risk philosopher. CISO. Team and program builder. Ex-vulnerability researcher. Ex-CTF organizer and competitor.