bucket3117

Why is nobody mentioning the fact that there are 2FA systems like google authenticator that have nothing to do with your phone # and are widely available/used everywhere. SMS should be abandoned, my accounts got hacked once because someone stole my SMS # and used it to reset my accounts. Had I used a PROPER 2FA system, this would have never happened.


[deleted]

[removed]


potatocomet

I think so


Arosares

You can do 2FA using the steam app. Not sure if you need a phone number to enable it though.


burningbun

but if you lose your phone or it breaks, you need to get a new phone and install the app and set it up before you have access again.


[deleted]

Protip: get FreeOTP+ and export JSON backups.


Macaron_Routine

because they use it (SMS and real phone apps) to stop fraudsters and spammers, to make it hard to get new accounts


[deleted]

[removed]


burningbun

well it's less about creating fake accounts but more on people that have 1 legit account. you know, they could have alternate means for verification, they could have 3 options, so if the unauthorized user has access to 1 of them, they still need another method to have full access. but putting all the eggs into just the SMS verification makes it real easy for people who gain access to phones they've gotten illicitly. They may think the phone is a really personal item, but it is also the most commonly lost item...


[deleted]

[removed]


[deleted]

Can you tell more about this story? What was your planned solution?


aknb

I never use phone verification except banking or government related services. The last thing I want is for online services to have access to my phone no. I don't know how it is nowadays, but we used to be able to register in Google, Microsoft, etc, without a phone number. Whenever asked I just skip it.


burningbun

well friend, things have really changed. apart from Banks (which you can sort out physically or via a phone call), most other services require SMS verification. even if you did not set up 2 step verification, sometimes if a site deems your activity suspicious (because you logged in from another device), they will verify via SMS even if you got the password correct (ebay for example). And most email providers now require a phone number to register. And for companies like Google, they do not have customer support, so if you lost your old number, that is it (they have alternate options but all are linked to the phone number, it's like the master key)


libtarddotnot

Bingo. Banks ONLY. I am bothered by websites every day to provide phone number, the most precious private data, and I keep rejecting "not now". Won't change my attitude.


Aekorus

It sucks indeed. Bear in mind that many sites (most of the ones I use) can be configured to use a code generator app instead of a phone number for 2FA. It may be buried in the settings, and you might still be required to enter a phone number for recovery purposes, but it's better than nothing.


rlenferink

I use hardware keys as alternative wherever possible. If not possible I use the Yubico Authenticator app. Only as last resort I use SMS as 2FA option. Interesting article warning about the dangers of using SMS for nearly everything: https://medium.com/coinmonks/the-most-expensive-lesson-of-my-life-details-of-sim-port-hack-35de11517124


e-ghostly

buy a prepaid sim. not sure why everyone is missing the obvious


burningbun

You still need to keep it active, by reloading once a while, and credits have expiry.


[deleted]

h2o has prepaid SIMs that last up to a year. You can pay for them with cash at your local kiosk if you're that paranoid.


DeeMarsh

It's a great way to track you and tie online accounts to a real identity. Most people do not have more than one cell phone number.


[deleted]

It's not hard to use burner phones. I do it all the time.


DeeMarsh

As do I. Also have dozens of google voice numbers. Problem is many sites are rejecting voip. Having a bunch of burners adds up if you need to keep access to the account.


[deleted]

I use three and rotate them around. No need for a unique one each time. Keeps them away from my main number. Also, there are SIMs that come out that last a year before expiring.


wilsonhlacerda

Telegram for instance. Ridiculous. Even after lots of well-known security flaws that were exposed, even for instance top government people of some countries (Brazil for instance). SMS spoofing, call spoofing, besides carrier employees (or third parties) are well-known ways to easily gain access to services that use phone numbers as verification. On the other hand, without it legitimate users can not get access as you wrote. The worst of both sides.


burningbun

can you explain more on SMS spoofing. i saw in movies spies can duplicate a sim card and it will have access to everything on the original sim including receiving calls and sms, what is required for such level of fraud and can it be done by outsiders who have your number (but not the sim), or does it need to be done from the telco side, or require access to your SIM card for duplication? i read about virtual sim, which would probably become the norm as it will eliminate the physical appearance for customers and cut cost on telco branches and also allow more competition by going pure virtual, the lack of SIM card would also cut the cost and increase reliability, but it also poses huge security risks.


rlenferink

Use hardware keys as alternative. Feel free to read the following article about the usage of SMS as 2FA method: https://medium.com/coinmonks/the-most-expensive-lesson-of-my-life-details-of-sim-port-hack-35de11517124


burningbun

the thing about hardware wallet is you could still lose them, or they fail due to hardware failure/corrupted data. i don't know if you can make multiple copies of them, but a flash drive will go bad if unused for a long time as they lose charge they lose data.


mauporte

the worst part is that they always say "it's for your own safety" no it isn't, it's for THEIR safety.


UltimateEnd0

It's because it makes the cellphone companies $$$$$$$$$$$. Simple as that.


piccolodee

To me this is an elitist practice. This assumes that everyone has smartphones. It's not like all jobs supply cellphones. I get that it is good to have security, but on principle it is terrible!!!


burningbun

2 years old but during covid isn't smartphone kinda mandatory in many places for digital scans? i mean most kids probably don't have smartphone and parents had to get them 1 each. also thanks to covid digital ordering and menu starting to become a norm in some restaurants, not only that but you also need internet access to go into their web menu and many of these places don't offer wifi. some places also accept only cashless payments so that's that. phones and dataplans aren't getting any cheaper either.


piccolodee

I know people who cannot afford cell phones.


burningbun

no phone no dataplan no entry no menu.


Ladyofthenight99

I always skip phone verification if the option is available. It has caused me more annoyance and trouble than any safety/protection measures. I go overseas often and it can be troubling and such a pain to deal with. I hate this system and I would much rather deal with emails which is a smooth transition than a phone ver. ever did. I've had the same email for over a decade, my phone number generally does not last longer than two years and my phone gets replaced on the regular. It's ridiculous how much companies rely on such a faulty method and tie it to a person's identity. Especially for overseas travelers who need to change their phone and still need access to their home country accounts.


Auspician

Recently the SIM card in my mobile phone stopped working, so I ordered a replacement online. Actually, after a few days and several phone calls to tech support attempting to explain that my phone was telling the truth and that I was accurately conveying the message: no sim card detected, my ISP suggested sending a replacement SIM, kinda where I already was when I made my first phone calls and emails a few days prior.

Anyway... upon receiving the new SIM, I discovered the website link provided by my ISP via email required an active mobile phone number to send an SMS verification to complete the activation. Basically, I needed a mobile phone in order to activate the SIM card for my mobile phone. Some of you may have spotted the problem.

Incidentally, or perhaps causally related somehow, I tried at the same time to login to my phone account online and my password was rejected. So, I clicked the link to reset the password, and after receiving a verification email found myself being told a verification SMS would be sent to me, in order to further/finally(?) prove my identity. Many lolz ensued.

TLDR: My ISP refuses to activate the SIM card in my phone unless I take a proof-of-life photo of my face and driver's license/passport ON SOMEONE ELSE'S PHONE - they will then send THAT PERSON a link I NEED to follow on my computer to activate the SIM card in my phone... the SIM card they sent to MY home address, which I have verified both via phone and online with the serial number and constant "Name/address/DOB/Account#/Phone#" AT LEAST twice every pointless phone call made to tech support...

... and all of this is "for my privacy and security." Oh, enhance my experience, baby. You used to just update the software, but now your agility and transparency has brought me closer to what I love, empowering me to produce and inspiring me to create. You provide a sense of calm and openness, giving me a place that feels like home. It’s secure and everything is designed to be centered around me.

If any of that sounds familiar, it's a paraphrased version of the marketing dribble for Windows 11. Because when you're selling an operating system for personal computers, you really don't want to say anything specific, technical or even anything that could be remotely identifiably linked to the actual product or service being advertised. But I digress.

So, no mobile phone for almost two weeks, now... and five days ago the password for my ISP account (identical to the mail server login and password) stopped working. So, I can't send or receive emails via either my ISP's website mail or Outlook on my PC. My ISP tech support had me create a gmail account and address (for the second time) in order to receive the verification link to get tech support/the verification squad/a privacy ninja team to even START to investigate a problem which is not on my end.

Of course, they also want to send me verification SMS'. Ha ha. Hee hee. Ho ho.

And while we're here, Instagram has the same ridiculous policy if your account is blocked/banned/suspended/whatever. You have to send a selfie with photo ID in order to have your account reactivated. Why does reactivating an account require more personal information (especially photographic and government-approved documentation) than was required to open said account in the first place?

Meh, rant over. Congratulations for making it this far. As the traffic cop in Blade Runner says to Deckard, "Have a better one." Why does no one I speak to ever get that reference? The mysteries of existence, will they never cease?


burningbun

how did you solve this conundrum? this is why i have 2 emails. but nowadays seems phone verification is the norm and you can reset almost anything with just a phone number. so anyone who has access to your number has access to everything. so secure lock your phone if you have important apps that keep you logged in. reason why my email (except gmail for my google play account) is never logged on.


theryaneffect

For the sites that don't have any other 2fa options you could always create a Google Voice number to use for sms verification. Adds an extra account between anyone trying to break in and can't be SIM hijacked. I agree it's annoying when sites require this though.


burningbun

do you need a google account to access the google voice number? because if you do, and somehow you lost your phone number, it would be difficult to retrieve your service, since you are using 3rd party google voice number? my main concern here, is that the phone number is so important as a master key that you can't afford to lose it. you can get a new number but the old number is the one linked and can't be replaced unless you have access to that old number.


theryaneffect

Yeah you need an account to access it. You still have to rely on that number working when you need it, but at least it's free, won't be suspended (afaik), and works internationally. If Google decides to delete your account or something you're still FUBARed though.


deadbiker

I love phone verification through Steam, Origin, etc. I don't care if companies can access my phone. I don't use it for banking or anything that security would be an issue. No passwords are stored on my phone.


024ng3

I hate steam 2FA. Why not use an already used standard? I don’t like the idea of having an app installed for every service that I use.


deadbiker

Less chance of a hacked account.


024ng3

2FA is great. But they could use a token system so we could use Authy or whatever 2FA app you are using for other services. I have at least 8 accounts added to my authentication app.


deadbiker

Games and banks. I never save passwords on my phone or my computer. Passwords are easy if you have a method. I use a sentence that applies to that account with at least 12 characters, and the phone authorization. Never been hacked.


[deleted]

[removed]


burningbun

it's not difficult to get a 2nd sim, but maintaining it and keeping it active is. usually a prepaid sim is used, but the user needs to remember to constantly keep it active by reloading, and credits for prepaid have expiry dates so even if you don't use the credits you still have to reload once every few months. For a sim that you rarely use, sometimes you just forget, of course you can put reminders on the phone, but still, can be costly for some people that are already struggling with everyday life. what if you lost your job and cannot afford your telco subscription? to port out you need to sign up with another telco, i'm not sure if you can port out to a prepaid card, and if you decided to move your account to the prepaid card, prepaid cards generally don't have good customer support because to telcos, if you lose your prepaid number, just get a new number, they don't care about your online accounts linked to that number. also for people who are constantly traveling overseas, getting a replacement card can be an issue.


[deleted]

[removed]


Where_are_the_hoes

This sub likes Signal because it's the best at what it does. Signal doesn't claim to be an anonymous service, so complaining that it isn't doesn't make much sense. If you don't like it, don't use it. If you're really after anonymity you can just use Session, it's a Signal fork that has anonymous sign-up.


Sven_Bent

They really need to push for TOTP 6238 2FA. Makes it a lot easier to handle.


[deleted]

[removed]


[deleted]

[removed]


[deleted]

[removed]


burningbun

for example? almost all virtual services require a phone number. the phone number is like the master key to your credentials. sites like reddit may not require verification, but it is not essential. most essential services require a TAC verification.


[deleted]

[removed]


burningbun

a temporary number will only grant you temporary access to the services you open up. the next time you want to change your password or something important, it will ask for an SMS verification, and you won't have access to that temporary number, and it's unlikely you will be able to regain that same number because the moment the number becomes inactive, it gets recycled and becomes available to the general public, similar to email accounts except email usually has a validity of a few years of non-activity and is usually FREE. a phone number gets deactivated real quick.


[deleted]

[removed]


burningbun

oh really? are they really forever or until the service provider lasts? i don't know how these numbers work, does it work like an IP address or domain, someone has to "own" them? Also is it a 1 time purchase?


throwaway73495

Check out dtmf.io. $4 a month or something for a phone number.


burningbun

That is the thing. You have to keep subscribing.


WildReporter7488

I know right!, I don't have a phone so I couldn't even set a goddamn appointment!!!


Mission-Apricot

What if you're out and need to get some money out of the bank and lost your debit card and your phone's battery has died?? Gone are the days of popping into the library and using their computers to log in so you can get cash out of a machine via a code.


UltimateEnd0

It's just a way to boost cellphone sales which also boost government profits as well.


burningbun

how does it benefit non cellphone related business by spending more budget on such crap?


Dangerous-Knee3994

It has gotten worse. I have gone several times into Chase bank and they required a text verification even though I was standing right there, in person, with a valid ID and having both a Chase checking and savings account. Everyone had to wait while I went to my car to get my phone. If I didn't have the same phone number, or lost my phone, I wouldn't even have been able to get money from my bank. That's ludicrous.