Skip to content
  • There are no suggestions because the search field is empty.

Best practices for keeping your account secure

Here are some suggestions for keeping your Botkeeper account (and really, any account) secure.

 

  1. Schemes designed to defeat two-factor authentication (2FA)
  2. Basic (but still essential) practices
  3. Lesser-known (but powerful) tips

Botkeeper's two-factor authentication is required because it provides a strong extra layer of protection, even if your password is stolen. But that doesn't mean you shouldn't remain vigilant.

Schemes designed to defeat 2FA

SIM Swapping (SIM Hijacking)

  • What it is: An attacker convinces your mobile carrier to transfer your phone number to their SIM card.

  • Impact: Once they have your number, they can intercept 2FA codes sent via SMS.

  • Prevention:

    • Set a PIN or password on your mobile carrier account.

    • Avoid using SMS for 2FA—use an app like Authy, Google Authenticator, or a hardware key instead.

Phishing for 2FA Codes

  • What it is: You’re tricked into entering both your password and your 2FA code into a fake website.

  • Impact: The attacker immediately uses those credentials to log in before the code expires.

  • Prevention:

    • Never enter your login on a page you reached through an email, DM, or text link—go directly to the site.

    • Use a password manager; it won’t autofill on spoofed domains.

    • Consider browser extensions like uBlock Origin or DuckDuckGo Privacy Essentials to block shady scripts.

Real-Time Phishing with Reverse Proxies

  • What it is: Tools like Evilginx act as a middleman between you and the real site, capturing login data and 2FA tokens.

  • Impact: The attacker can log in live as you, and in some cases even hijack your session cookies.

  • Prevention:

    • Use hardware keys (like YubiKey), which are resistant to phishing and proxy attacks.

    • Sites with FIDO2/WebAuthn support (like Google, GitHub) are ideal for these.

Malware on Your Device

  • What it is: Malware (e.g., keyloggers, screen readers, clipboard hijackers) can read your 2FA codes as you type or paste them.

  • Prevention:

    • Don’t install software from unknown sources.

    • Use antivirus or endpoint protection.

    • Keep your OS and apps updated.

OAuth Token Hijacking

  • What it is: If you approve a malicious third-party app via OAuth (like “Sign in with Google”), it might not require your 2FA again.

  • Prevention:

    • Regularly audit your connected apps and authorized devices.

    • Revoke permissions you don’t recognize or use anymore.

Basic (but still essential) practices

  • Use strong, unique passwords for your account—avoid reusing passwords across platforms.

  • Never share your password, even with people you trust.

  • Don’t click login links in emails, even if they appear to come from Botkeeper—navigate to the website manually instead.

  • Keep your device and browser up to date to patch security vulnerabilities.

Lesser-known (but powerful) tips

  • Use a password manager to store and generate strong, random passwords—this eliminates the temptation to reuse passwords. (While Botkeeper's Password Manager acts in this capacity, you can only access it if you're logged in. So logically, storing your Botkeeper login there won't do you much good).

  • Review account activity logs (if available) to check for unfamiliar logins or sessions.

  • Turn off autofill for passwords and payment info in your browser—use your password manager instead.

  • Use a custom DNS provider, like Cloudflare (1.1.1.1) or Google (8.8.8.8), to improve protection against malicious sites.

  • Avoid logging into accounts on public or shared computers, even with incognito mode.

  • Be skeptical of unexpected pop-ups or login prompts, even on legitimate sites—these can be cleverly disguised phishing attempts to steal your Botkeeper credentials.

  • Create a digital security audit schedule—check your passwords, devices, and permissions every few months.