[HN Gopher] PayPal and Venmo are still letting SIM swappers hija...
___________________________________________________________________
 
PayPal and Venmo are still letting SIM swappers hijack accounts
 
Author : danso
Score  : 158 points
Date   : 2020-04-06 14:34 UTC (8 hours ago)
 
(HTM) web link (www.vice.com)
(TXT) w3m dump (www.vice.com)
 
| mikece wrote:
| It is annoying that some of these companies refuse to allow me to
| use a Twilio number when they insist on using SMS as 2FA. If they
| are going to insist on the weakest possible form of 2FA and
| INSIST that I use a number which is subject to SIM hijacking, how
| are they not liable through negligence?
| dheera wrote:
| 2FA should never be SMS based. I've deprecated SMS for all
| communications and block all SMS messages to my phone.
| 
| I use a virtual number for all such services that demand an
| idiotic SMS verification code. I won't state which one I use
| here, but there are several services you can choose from that
| provide virtual numbers.
| tpmx wrote:
| There should be a well-known website with a neat domain name that
| lists well-known companies that allow this to continue to happen.
| maallooc wrote:
| My account was abused because of a SIM swap. It was banned. I
| explained to them that I did not do it. They won't budge.
| 
| We need to force tech companies to have proper customer
| support. We need to make a regulation that enables users to
| appeal or sue tech companies' decisions about their account. No
| more 'fix through hacker news submission or reply' please.
| toomuchtodo wrote:
| The term you're looking for is an "Ombudsman".
| 
| https://en.wikipedia.org/wiki/Ombudsman
| TheChaplain wrote:
| It's a great idea as long as they have teeth to make shady
| businesses fear them.
| eqtn wrote:
| We just need a law stating that if a website crosses a certain
| number of active users (registered) in a country they should
| have physical customer care offices.
| When they reach 10m, they should have it in every district (just
| like phone service centers). It's nice to think about this
| although these companies are rich and can lobby against these
| kinds of laws.
| valuearb wrote:
| Yep, because more laws solve every problem without unintended
| side effects!
| 
| Or, just hear me out, you could stop using services that
| don't meet your high customer support standards?
| __s wrote:
| Their suggestion is a bit far reaching, but their point is
| that eventually the user count of a service reaches a point
| where due to network effects individuals aren't able to
| effectively shop around
| adjkant wrote:
| Agreed completely. I think it's quite easy to imagine
| that a virtual version of this law could be enacted to
| require that they actually deal with these situations in
| a timely manner.
| Eldt wrote:
| So what, keep trying different services and getting burned
| until... eventually... you don't get burned?
| stronglikedan wrote:
| > and getting burned until... eventually...
| 
| _you have nothing left to burn_
| RHSeeger wrote:
| I'm not entirely sure that not allowing them to just close
| your account, never talk to you again, and walk away with
| your money is "high customer support standards".
| cortesoft wrote:
| Every district? I think you underestimate how big a country
| like the United States is, and how few 10 million users are
| for web sites. Facebook has one of the highest revenue per
| user at $7 a year... so 10 million users would get them about
| $70 million in revenue a year.. take a phone company like
| Verizon... they have 2300 stores in the US.... if our
| hypothetical web company opened up 2300 stores, they would
| only have $30k per store... and that is just revenue, not
| taking into account any other expenses.
| 
| If they had zero other expenses and just ran the offices,
| they wouldn't even be able to hire one worker for each
| store....
| AnthonyMouse wrote:
| Paypal is less of a tech company and more of a finance company.
| 
| This kind of behavior is caused by rules that put the cost of
| fraud on the payment processor rather than the customer, even
| though the payment processor's primary tools to prevent it
| basically involve locking the customer's account based on vague
| suspicion and hearsay.
| 
| When someone has stolen your identity, there isn't really
| anything you can tell someone to prove you're you. Having your
| password or SSN or access to your email or the answers to your
| security questions tell them nothing. The perpetrator could
| have those things. Your account may have been created by the
| perpetrator to begin with and the person whose name is on it
| has never even used their service. How are they supposed to
| tell? Even if you're you, the perpetrator may still have access
| to whatever method was used to access your account to begin
| with and if they turned it back on there would be more fraud
| (which causes the payment processor to lose money instead of
| you). So your account is locked forever and you can pound sand.
| 
| The alternative to people getting locked out of their accounts
| is having accounts without reversible transactions. You don't
| want this for your brokerage account, but you do want it for
| the account you're using to buy things with petty cash. Because
| then the account never has more than $1000 in it to begin with,
| which limits your losses to that amount, but then the payment
| processor doesn't have any incentive to ban your account
| because the losses are yours. If you're careless and reuse
| passwords, you might lose the $1000, but you don't get banned
| forever from making financial transactions. Then you learn your
| lesson and do better next time.
| 
| That would also result in lower transaction fees, because most
| of the transaction fees go to paying the cost of fraud
| protection.
| And it would reintroduce the incentive to prevent
| fraud to the people best situated to do that ( _stop reusing
| passwords, people_ ), so there would also be less fraud, which
| is better for everybody.
| zxcvbn4038 wrote:
| PayPal is the worst - a couple days ago they disabled my
| password (including both 2FAs) and sent me an e-mail asking
| me to reset it. The only way to reset it is via SMS which I
| don't do. I'm locked out of my account now and also support
| now since the only way to contact them is by logging in. I'm
| hoping Synchrony has an in with them because I have balances
| on PayPal MasterCard and PayPal line of credit that can only
| be accessed by logging in.
| dangus wrote:
| 1-888-221-1161
| AnthonyMouse wrote:
| It's really the same problem. As soon as they suspect your
| account could be compromised, they can't trust your
| authentication methods anymore and the risk calculation
| favors losing your business over reactivating your account
| and then having fraud losses on it. It's a math problem,
| not a customer service problem.
| 
| Granted it's obviously bullshit if they try to keep the
| money when your account had a positive balance.
| mycall wrote:
| This is why I think we should have public keys we choose on
| our government IDs. Then we can prove who we are.
| 9HZZRfNlpR wrote:
| Plenty of countries already do, but at least judging from
| reading about America on HN it's much more difficult to do
| anything like that in America because of distrust in
| government. You even vote without ID which is extremely
| weird for the rest of the world.
| tpmx wrote:
| > Paypal
| 
| So my instinctual habit of adding and then deleting my credit
| card details whenever I need to do a Paypal payment was correct,
| after all...
| caymanjim wrote:
| While SIM swapping is certainly a concern, this article makes it
| sound like it's universally bad to rely on phones as a form of
| authorization. What are the alternatives?
| I'd argue that email is
| far riskier; it's more commonly compromised, easier to
| compromise, and less visible when compromised. Ideally, users
| employ more secure 2FA methods like TOTP apps or dongles, but
| it's like pulling teeth to get anyone to adopt those. Relying on
| SMS in addition to email is better than relying on either one in
| isolation. I don't think I agree that Google Voice numbers are
| necessarily harder to hijack, because to do that they just need
| access to your Google login (typically your email credentials).
| 
| There are risks all around, but this article doesn't offer any
| good solution that customers are likely to adopt in meaningful
| numbers. Maybe PayPal and other companies should require people
| to use secure 2FA, but they'd lose too much business.
| valuearb wrote:
| Authentication apps.
| jjoonathan wrote:
| U2F can't spread fast enough. For about a year or so it's been
| good enough that almost all U2F keys Just Work on all major
| browsers / platforms without installation or tweaks. That's
| huge, and it's actually a relatively recent state of affairs. I
| believe Firefox defaulted it to enabled ~1 year ago.
| 
| The next big hurdles are getting support from e.g. banks,
| getting keys into people's hands, and getting people familiar
| with them. Those efforts are underway in the corporate world
| and I am optimistic that they will cross-pollinate well into
| personal security. HN-ers are well positioned to help with all
| of these steps.
| 
| People already accept that they should lock their front doors
| and their cars with keys. Most people already lug a keychain
| around. I don't think it will be steady-state problematic to
| convince people to secure their bank accounts and email with
| keys. Example: my parents. I expected it to be difficult to
| convince them that they should use a U2F key to secure their
| gmail. It wasn't.
| Their response was more along the lines of "of
| course we should use keys, why weren't we doing this before?"
| They don't know anything about crypto, but they get the
| metaphor, and since it gives them a clear path to action, they
| are willing to engage with it. The answer to why we weren't
| doing it before is that the previous implementations were a
| PITA in a way that U2F isn't (TOTP was slow and fiddly, ISO7816
| required non-portable setup), but now that we have U2F, I think
| people will be more willing than many here expect.
| 
| If we can channel the fear of SIM swaps into U2F adoption, I
| think it actually stands a chance.
| rabuse wrote:
| TOTP apps are fine, if they're properly implemented (either
| completely on-device, or properly encrypted before being stored
| in the cloud). Services should properly implement account
| restoration codes if access to the TOTP secret is lost. SMS
| should never be used for 2FA, ever.
| WorldMaker wrote:
| There are some apps where, if my TOTP secret is lost, as
| horrifyingly annoying as it would be, I'd much rather need to
| take the time to get a registered public notary to stamp that
| they saw me in person, and checked my ID or other such
| documents, before the account recovery process can begin.
| 
| The "old ways" are usefully slow, have protections built
| around them for centuries of our culture, and I'd rather the
| annoying administrative headache and "slow" over the quick
| abuse of account recovery systems for theft and fraud.
| Mirioron wrote:
| Email might get compromised more often, but that's usually due
| to some kind of user error. The problem with these SIM swapping
| attacks is that the only way as a user to guard against this is
| not to give the company your phone number. This often means
| that you can't do 2FA.
| Skunkleton wrote:
| I think the ultimate problem here is that the average person
| has no hardened mechanism for authentication.
| Using the
| infrastructure we have today, a combination of passwords and
| OTPs is better than other consumer-accessible alternatives.
| 
| Ultimately we need some mechanism for trusting and
| administering identity that is low friction and which can be
| used by 99.9% of users. The government offering a `login with
| apple id` like service would make sense. Then they could
| qualify various security chips, like the T2 or a YubiKey for
| use with the service. As an added benefit, we could stop using
| stupid things like SSNs, tax IDs, and driver's license ID
| numbers to prove identity.
| 
| Eventually we could do interesting things like abstracting
| mailing addresses. Instead of mailing a package to my street
| address, send it instead to "me", and then I can authorize
| USPS, UPS, FedEx, or whoever requests it to look up my real
| address when they are sorting and delivering mail. When I move,
| I just update the _one_ database with my new address and I am
| done.
| 
| There are some obvious concerns with the government acting as a
| clearing house for identity. Perhaps the better option would be
| for private companies to be able to implement some sort of
| standard API, and limit the government's involvement to
| auditing these services.
| ppf wrote:
| Oddly enough, today I finally had to give my mobile number to
| paypal - apparently due to incoming EU PSD2 regulations. I was
| also automatically signed up to paypal "one touch", where my
| device is now able to make transactions with no need for a
| password. Another thing I have to turn off.
| zxcvbn4038 wrote:
| CapitalOne is even worse - they locked me out of their app today
| and asked to send an SMS code - and they let you pick which
| number to send it to on the spot. Good one, fellas. What is the
| point of having Touch ID and their dumb Swift ID stuff set up if
| they keep doing dumb stuff like this.
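rabuse's point above (TOTP is fine when the secret stays on-device, and a service should issue recovery codes for when that secret is lost) as working code. This is an added example, not code from the thread or from any service named in it; the function names, the 6-digit/30-second defaults and the recovery-code format are my own choices, and the demo secret is the RFC 6238 test-vector key, not a real one.

```python
import hashlib
import hmac
import secrets
import struct
import time

# HOTP (RFC 4226) and TOTP (RFC 6238) written out directly, so this file has no
# third-party dependencies. `secret` is the raw shared key: it is provisioned once
# (QR code or manual entry) and afterwards never leaves the device or the server.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One HOTP value: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1, step: int = 30) -> bool:
    """Accept the current time step and +/- `window` neighbours to absorb clock skew.

    hmac.compare_digest keeps the comparison constant-time; a real service must also
    rate-limit attempts and refuse a code that was already accepted in this step.
    """
    counter = now // step
    for c in range(counter - window, counter + window + 1):
        if c >= 0 and hmac.compare_digest(hotp(secret, c), code):
            return True
    return False


# Recovery codes: the fallback when the TOTP secret is lost. Only their hashes are
# stored, each code is single use, and the plaintext is shown to the user exactly once.


def generate_recovery_codes(count: int = 8):
    """Return (plaintext codes to display once, hashed codes to persist)."""
    plain = [secrets.token_hex(5) for _ in range(count)]  # 10 hex characters each
    stored = [hashlib.sha256(p.encode()).hexdigest() for p in plain]
    return plain, stored


def redeem_recovery_code(stored: list, code: str) -> bool:
    """Consume one recovery code; mutates `stored` so the same code cannot be reused."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    for i, h in enumerate(stored):
        if hmac.compare_digest(h, digest):
            del stored[i]
            return True
    return False


def second_factor_ok(secret: bytes, stored_codes: list, submitted: str, now: int) -> str:
    """Login step after the password: try TOTP first, then a recovery code.

    Returns which factor matched ("totp" or "recovery") or "rejected".
    """
    submitted = submitted.strip()
    if len(submitted) == 6 and submitted.isdigit() and verify_totp(secret, submitted, now):
        return "totp"
    if redeem_recovery_code(stored_codes, submitted):
        return "recovery"
    return "rejected"


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test-vector key); never a production key.
    demo_secret = b"12345678901234567890"
    codes, hashes = generate_recovery_codes()
    now = int(time.time())
    print("TOTP now:", totp(demo_secret, now))
    print("recovery codes (show once):", codes)
    print(second_factor_ok(demo_secret, hashes, codes[0], now))  # recovery
    print(second_factor_ok(demo_secret, hashes, codes[0], now))  # rejected: already used
```

Run it directly to print a current code and walk through one recovery-code redemption; the second attempt with the same code is rejected because only hashes are stored and the matching hash is deleted on use, which is what makes the codes safe to keep in a database that could leak.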
| RJIb8RBYxzAMX9u wrote:
| Google does this too when you sign in from "unknown" locations,
| if you don't have 2FA configured. I think the purpose is to
| slow down bots. If you try reusing the same number in quick
| succession on different accounts, Google won't let you.
| 
| I'm so glad I'm out of the family tech support "business"; if
| only firing real customers were so easy...
| GordonS wrote:
| For me, it shows a short list of phone number endings, and
| you have to pick the right one. It's far from perfect, but it
| doesn't just let me enter any number I want.
| ladberg wrote:
| This really bugs me. I have throwaway Google accounts that I
| don't want to add my phone number to, so I can only access
| them from the location I created them.
| markdown wrote:
| How do you even create a Google account without a phone
| number?
| ladberg wrote:
| I made the account a while ago and it let me, I guess they
| don't let you anymore though
| RJIb8RBYxzAMX9u wrote:
| Enabling 2FA should stop this from happening. Adding TOTP
| as your 2nd factor would require adding a recovery number,
| but maybe you can remove it after. I have accounts that have
| TOTP 2FA w/o recovery number, but perhaps they were
| grandfathered in.
| 
| Alternatively, use a physical token as the 2nd factor, then
| no recovery number is required.
| ThePowerOfFuet wrote:
| Why haven't you gotten the hell out then?
| csomar wrote:
| Honestly, what is a good US bank that has a great web/mobile
| experience, a large financial offering (checking, credit,
| savings, investment, etc...), great customer support, a good
| presence internationally, reasonable and no hidden fees..
| wait there is none.
| choward wrote:
| It's the same bank that doesn't send you spam emails which
| make you used to receiving unsolicited communication from
| your bank. These emails make it easier to sneak in phishing
| emails. That's why I use that bank.
| zachberger wrote:
| Schwab?
| I've been using them for about 2 years and have no
| complaints now.
| mcny wrote:
| previously, on hn:
| https://news.ycombinator.com/item?id=8783790
| https://archive.fo/xPtn5
| jedberg wrote:
| They all fit that description. If you're rich.
| 
| Put a few hundred thousand in the bank and you'll get all
| that stuff for free!
| enjo wrote:
| USAA fits that bill for me.
| SkyMarshal wrote:
| Isn't USAA restricted to military or spouse/child of
| military?
| jedieaston wrote:
| Is there a US bank (national, not a local credit union) that
| allows you to use TOTP, U2F and backup codes as your sole 2FA
| sources? Heck, the US Government lets you do it now
| (https://login.gov), you think that BofA would...
| pixel16 wrote:
| Both USAA and Navy Fed allow this as well as Schwab.
| nitrogen wrote:
| I believe SoFi allows TOTP (full disclosure: I used to work
| there but not on 2FA)
| toomuchtodo wrote:
| https://twofactorauth.org/#banking
| filoleg wrote:
| > https://twofactorauth.org/#banking
| 
| Looking at that link, pretty much none of the major US
| banks (Bank of America, US Bank, Wells Fargo, PNC, Chase,
| etc.) seem to support software 2FA token solutions (e.g.,
| Google Authenticator, Authy, etc.). Not gonna lie, this
| is abysmal.
| dpifke wrote:
| radiusbank.com does.
| fossuser wrote:
| I think Fidelity does allow this, but I haven't bothered
| with it since I use a password manager.
| 
| Fidelity has a brokerage account, free checks, free ATM
| withdrawals via debit card, maybe also your 401k, free
| money wires, automatic investment etc.
| 
| The only thing they don't have are branches where you can
| deposit cash, but that's really never necessary - in an
| extreme case you can open another bank account, deposit
| cash, transfer to fidelity and immediately close it.
| 
| I'm not sure why anyone uses a bank other than Fidelity.
| imajoo wrote:
| Fidelity does it through either SMS or Symantec's
| Validation and ID Protection (VIP) Access app.
| I called
| and asked if they support another app and they said they
| don't. Why they couldn't use another (read: non-Symantec)
| 2FA is beyond me.
| fossuser wrote:
| Ah that's lame, I saw the 2FA app support and assumed it
| would be any app.
| dabernathy89 wrote:
| This is the recommended solution:
| 
| > The easiest way to make it impossible for SIM swappers to take
| over your accounts after they hijack your number is to unlink
| your phone number with those accounts, and use a VoIP number--
| such as Google Voice, Skype, or another--instead.
| 
| They don't mention that some carriers offer the ability to secure
| your account against unauthorized transfers, but it's opt-in.
| Here's how you can do it on Verizon:
| 
| https://twitter.com/ramsey/status/1235227940054585344
| ping_pong wrote:
| Thank you! I didn't know this existed, it puts my mind at ease
| for now.
| Nextgrid wrote:
| I've heard stories where an account PIN or other "enhanced
| security" was still bypassed during fraudulent SIM swaps.
| 
| Presumably, the PIN is supposed to be verified by the tech
| support advisor, who can get social-engineered or bribed.
| 
| Maybe the solution is to actually have _real_ technical support
| that is tech-savvy and paid a good wage instead of the monkeys
| we currently have?
| dabernathy89 wrote:
| Yep, we had a PIN in place before and it did no good, because
| the transfer is initiated from outside of Verizon - and for
| some reason Verizon just allows it (without the enhanced
| security). We were told that Verizon's enhanced security
| requires actually having to provide photo ID in person at a
| corporate Verizon store to allow a number to be transferred
| out.
| markovbot wrote:
| They also don't mention that Venmo (and presumably PayPal also)
| won't actually let you sign up with a Google Voice number. They
| check to make sure it's an actual cell phone.
| eslaught wrote:
| You can (or at least used to be able to) sign up for PayPal
| with an email address.
| Or at least I'm fairly sure, since
| PayPal keeps prompting me to put in a mobile phone number,
| and so far I've always been able to exit out of that dialogue
| without entering anything.
| 
| Venmo, on the other hand, I will never use because of this
| "feature".
| brewdad wrote:
| I created a Venmo account this week because it was the
| easiest way to get out two payments to friends who I can't
| see face to face at the moment. The next day Paypal added
| my new Venmo phone number to my Paypal account that
| previously didn't have a phone associated. Good times.
| KingMachiavelli wrote:
| I tried using a Twilio number with my bank. I found out that
| any service that uses SMS shortcodes for their SMS '2FA' won't
| work with this kind of service. SMS shortcodes are a value
| add-on that carriers provide that is only supposed to work with
| real numbers.
| 
| It's possible that services more centered around VOIP vs an
| automation platform might work. It's also possible that using
| a foreign VOIP number might work but that might also cause
| issues if you try using it with a US bank.
| 
| And I'd rather not have some half baked solution using Google
| Voice.
| 
| If anyone knows how to get a shortcode-enabled number ( _not_ a
| short code number but rather a number that can receive SMS
| _from_ shortcodes) on Twilio or a similar platform, it would be
| very easy to set up an SMS 2 EMAIL gateway. Perhaps if a number
| is ported to Twilio it will retain shortcode capabilities?
| 
| Besides finding a solution to the above problem, I suppose I
| could just get a GSM USB modem & SIM card for this purpose.
| yitzif wrote:
| Hi, I've actually used BurnerApp to get a number that you pay
| monthly for. Something along the lines of $5 for every 90
| days I believe.
| [deleted]
| gruez wrote:
| > If anyone knows how to get a shortcode-enabled number (not a
| short code number but rather a number that can receive SMS
| from shortcodes) on Twilio or a similar platform
| 
| you can use jmp.chat, which is an SMS-to-XMPP service.
| [deleted]
| stormdennis wrote:
| I used Google Authenticator for 2FA for PayPal. I don't recall
| if PayPal have my mobile number. If they do, am I vulnerable?
| karlding wrote:
| According to this post [0] on /r/verizon, it's not available to
| Prepaid and Business accounts.
| 
| [0]
| https://old.reddit.com/r/verizon/comments/eve25m/comment/fkq...
| hasham11 wrote:
| The problem with using a VOIP number is that most apps and
| websites won't let you use anything but a regular carrier
| number for verification -- they specifically restrict VOIP
| numbers from use. I presume this is to prevent spammers or just
| regular users from creating multiple accounts, but I think
| they're mistaken as it's trivial to buy a temporary "real"
| carrier number on the internet if you're fine using a
| somewhat-shady site.
| toast0 wrote:
| I've been the person at the app banning voip numbers. The
| problem is there are some services that make it very easy to
| obtain a voip number at no cost to the user; if they don't
| have effective protections against bulk registration,
| spammers abuse them to get thousands of numbers and then use
| those numbers to abuse the service I was at.
| 
| Forcing spammers to have a non-voip number raises their
| costs, sometimes significantly, reducing their ROI and their
| interest in spamming our users.
| 
| We tried to make exceptions where we could, but it does suck
| for real people using voip numbers for whatever reasons.
| skrtskrt wrote:
| Unless you're doing a dip of the number against proprietary
| telecom data sets, you have no idea if the number is a
| "VOIP" number; due to North American number porting laws,
| you can take any number that was a "Verizon landline" or
| whatever and move it to a VOIP provider that can overlay
| SMS capabilities on it. Even if you dip and see that it
| belongs to a VOIP provider, it's a completely legit use
| case for some to own their phone number through Bandwidth,
| Twilio, Telnyx, Messagebird, whatever.
| adrr wrote:
| There are DBs that can get you that info. Some even tell
| you when the number was ported, which is useful to catch
| mobile number takeovers. Things have moved beyond NPA/NXX
| lookups.
| skrtskrt wrote:
| Of course, that's what I was referring to. The consumer
| still has to subscribe to those data sets, keep them
| updated, and understand which lesser-known company names
| are "legit" telecom providers (as many large providers
| are non-household names _and_ have VOIP offerings) vs
| whatever kind of VOIP provider he feels he needs to
| protect against.
| 
| My point being that if he's doing it right, he's probably
| spending more time and money than it's worth, and if he's
| not, he's banning legit users for the crime of not having
| a big-4 provider.
| stqism wrote:
| There are companies that will sell you the ability to
| look up this information and/or determine if you should
| trust this number.
| KingMachiavelli wrote:
| How can an arbitrary number be used to abuse your service?
| At least for SMS "2FA" you only need to be able to send a
| message to a number associated with an existing account.
| 
| As long as you aren't using SMS as your rate limiting step
| to acquire an account then it doesn't matter if someone
| has 1 phone number or 1000 numbers. In the case that SMS
| verification is the rate limiting step, why not switch to
| an open captcha or similar system?
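adrr's point above, that some number-lookup databases report when a number was last ported and that this catches mobile number takeovers, combined with skrtskrt's caveat that a VOIP line type is not evidence of anything on its own, turned into the check a service would run before sending an SMS OTP. This is an added example, not code from the thread or from any lookup provider named in it: the record fields, the seven-day cooldown and the "allow"/"step_up" labels are my assumptions, and the lookup results are constructed inline rather than fetched from a real provider.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed cooldown: a port this recent is treated as a possible takeover, so the
# SMS factor is withheld until the user proves control with a non-phone factor.
PORT_COOLDOWN_DAYS = 7


@dataclass
class NumberRecord:
    """Shape of one lookup result. Field names are assumptions, not a real provider's API."""
    e164: str
    line_type: str               # "mobile", "landline" or "voip"
    carrier: str
    last_ported: Optional[date]  # None when the provider reports no port history


def parse_lookup(raw: dict) -> NumberRecord:
    """Normalise a constructed provider response (a plain dict) into a NumberRecord."""
    ported = raw.get("last_ported")
    return NumberRecord(
        e164=raw["number"],
        line_type=raw.get("line_type", "unknown").lower(),
        carrier=raw.get("carrier", "unknown"),
        last_ported=date.fromisoformat(ported) if ported else None,
    )


def sms_otp_decision(rec: NumberRecord, today: date) -> tuple:
    """Decide whether an SMS OTP may be sent to this number.

    Returns (decision, reason). "step_up" means: do not send the SMS, require a
    non-phone factor (TOTP, security key or recovery code) and notify the account
    owner on a channel other than this number.
    """
    if rec.last_ported is not None:
        age = (today - rec.last_ported).days
        if 0 <= age < PORT_COOLDOWN_DAYS:
            return "step_up", f"number ported {age} day(s) ago; possible takeover"
    if rec.line_type == "voip":
        # Owning a number through a VOIP provider is legitimate: log it, don't block it.
        return "allow", f"voip line via {rec.carrier}; not a takeover signal by itself"
    return "allow", f"{rec.line_type} line via {rec.carrier}"


def triage(raw_records: list, today: date) -> dict:
    """Run the decision over a batch of lookup results, keyed by number."""
    return {r.e164: sms_otp_decision(r, today) for r in map(parse_lookup, raw_records)}


# Constructed sample lookup results: 555-01xx test numbers, invented carriers and dates.
SAMPLE_LOOKUPS = [
    {"number": "+15555550100", "line_type": "mobile", "carrier": "ExampleMobile",
     "last_ported": None},
    {"number": "+15555550101", "line_type": "mobile", "carrier": "ExampleMobile",
     "last_ported": "2020-04-04"},
    {"number": "+15555550102", "line_type": "voip", "carrier": "ExampleVoIP",
     "last_ported": "2019-02-10"},
]


def demo_results() -> dict:
    """Decisions for the sample lookups as of 2020-04-06 (the thread's date)."""
    return triage(SAMPLE_LOOKUPS, date(2020, 4, 6))


if __name__ == "__main__":
    for number, (decision, reason) in demo_results().items():
        print(f"{number}: {decision:8s} {reason}")
```

The order of the checks is the point: the port date is evaluated before the line type, so a mobile number ported two days ago is stepped up while a VOIP number that has sat with the same provider for a year is allowed, which is the opposite of the "ban anything VOIP" filter the thread complains about.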
| megous wrote:
| They're also mistaken in their filtering oftentimes.
| 
| I have a smaller, lesser-known telephone operator friendly to
| more advanced users, and my SIM-bound mobile phone number
| is rejected by big services like Google.
| 
| Not that I care anymore, I'll certainly not go to great
| lengths to use services which start their onboarding by
| blocking my number and forcing me to use big telcos' services
| or some shady website.
| dang wrote:
| The article this is pointing to was discussed here:
| https://news.ycombinator.com/item?id=22687927
| 
| and the study here: https://news.ycombinator.com/item?id=22016212
| Raphaellll wrote:
| This was (is?) also possible with Lyft. When I was interning in
| the US, my visa sponsor sent me a SIM card that they clearly
| reused several times a year. Opening the Lyft app with this SIM
| automatically logged me in to the attached account. I didn't
| notice this and took a $70 trip from SF to SV. Next morning I
| realized it wasn't my account and credit card details. Wrote to
| Lyft support but never heard back. It wasn't even possible to log
| out of this account and create a new one.
| jedberg wrote:
| Lyft probably decided it was cheaper to eat the $70 than admit
| this attack vector exists.
| latchkey wrote:
| To be clear, Paypal owns Venmo.
| wronglebowski wrote:
| Is there a recommended defense against a SIM Swap attack at the
| carrier level? Do carriers offer some form of two factor? I
| suppose the weakest link is the in-store associate who just can't
| be bothered to verify identities.
| kube-system wrote:
| Some carriers have security questions they are supposed to ask
| before making changes to an account. Not sure how well these
| actually work in practice.
| imglorp wrote:
| There should be an explicit lock like there is for credit
| agencies.
| littldevl wrote:
| Verizon Wireless allows you to block ports and SIM swaps. Open
| App --> Account --> Account Settings --> Security --> Number
| Lock.
| Jimpulse wrote:
| Just looked it up, T-Mobile has a NOPORT account-level security
| protection. It requires that a valid ID is presented in store
| to port your number to another carrier or swap SIMs.
| dabernathy89 wrote:
| Yes, you can add additional security onto your account - at
| least with Verizon. I highly encourage everyone to do so. Once
| enabled, you will need to present photo ID at a corporate
| Verizon store to allow your phone # to be transferred to a new
| carrier.
| 
| Instructions:
| https://twitter.com/ramsey/status/1235227940054585344
| 
| My wife got SIM jacked just a few weeks ago and we got
| extremely lucky that it didn't turn into a bigger problem. They
| did get a hold of her Venmo account, but fortunately it's not
| actually linked to our bank account (Venmo restricts the # of
| users that can link to a single bank account).
| dguo wrote:
| Thanks for the tip! I'm glad to see they've implemented this.
| Though I'm still very frustrated about how long it took for
| them to do anything about this problem.
| [deleted]
| kyrra wrote:
| (I'm a googler, opinions are my own. I don't work on Fi.)
| 
| Google Fi provides SIM swap attack protection. To bind a Google
| Fi # to a phone, you need to be able to log into your Google
| account on that phone (from the Fi app). There is no other way
| to bind a Fi number to a phone (customer service doesn't even
| have the power to do this).
| 
| This means that whatever 2FA you have set up on your Google
| account is the same protection you get against SIM swap
| attacks.
| johndough wrote:
| That is good to hear, but I am more worried about google
| suspending my account and ignoring all appeals for automated
| reasons.
| 
| To be fair, this has not happened to me yet (with gmail) or
| anyone I personally know, but it remains a concern for me due
| to the high impact such an event could have on my life.
| 
| Is there any bulletproof way that a non-US citizen could get
| their account reinstated or at least recover associated
| accounts?
| kyrra wrote:
| (I'm a googler, opinions are my own)
| 
| Even for US citizens, there isn't a foolproof way to deal
| with account recovery. I'd say your account getting locked
| for incorrect reasons is pretty rare.
| 
| I think one important thing to know is that account-suspension
| stories you read on the internet aren't always
| legitimate cases. While, yes, getting publicity about an
| account lock can get it a second look, bad actors know this
| as well. Those who have done "bad" things will use this
| same approach to try to get their accounts unlocked. Google
| won't publicly comment on any individual case, so you are
| getting a one-sided story about why an account was locked,
| so be skeptical when you are reading them.
| Mirioron wrote:
| Even if there is, there are still so many different carriers in
| the world. I doubt all of them are going to implement
| safeguards against this, which means that accounts will be at
| risk as long as websites rely on these phone numbers.
| dguo wrote:
| One of my relatives suffered three SIM swap attacks over about
| six months. I asked our carrier after the first two times what
| we could do to prevent it from occurring again. The answer each
| time boiled down to "nothing." After the third time, my
| relative got a new phone number.
| 
| I'd love to be able to opt in to having to provide a photo ID
| at a physical location in order to complete the SIM swap.
| 
| Or maybe the carrier can try to call or text the number for
| some sort of confirmation process. In our case, we never even
| got a warning that the swap was going to occur. We found out
| after my relative's email account was compromised.
| 
| This issue alone is enough to make me want to switch carriers,
| but AFAIK, all of them do not provide robust protection
| measures for this issue.
| I've considered Google Fi, but it
| might have poor coverage where some of my relatives are.
| Finnucane wrote:
| I try to avoid having my phone linked to accounts as much as I
| can. When the web sites say, "add your phone" I say "no."
| NullPrefix wrote:
| IIRC, gmail says no too and you are left without an email
| address.
| Finnucane wrote:
| No, _you_ are left without an email address. I don't use
| gmail.
| dividuum wrote:
| Agreed. Especially if it's unclear whether or not that's used
| for any kind of magical and probably broken account recovery
| process. I have to click through the Paypal "give me your phone
| number" question every time I log in... It sucks.
| pengaru wrote:
| Same here, but disturbingly some sites are making it a
| requirement.
| 
| The Match Group dating sites like Plenty of Fish and OkCupid
| recently made it a hard requirement to set up a 2FA phone
| number, even for existing accounts.
| 
| It's a super annoying trajectory, and I imagine potentially
| dangerous if one considers the dating sites and victims of
| abusive relationships attempting to get out. Making physical
| access to the phone all one needs to gain access to a dating
| profile is a clear regression from unsaved passwords.
| nexuist wrote:
| Without any form of national ID it's a really hard problem to
| solve. As someone who runs my own login system, I require
| phone numbers to prevent botting. Obviously you can make a
| bot through Twilio etc, but it becomes economically nonviable
| to mount attacks through bot registration, which is my goal.
| pengaru wrote:
| What are you doing to combat the risks of attacks like
| SIM-swapping?
| 
| Personally I find using phone numbers for this purpose a
| cop-out, and like you said it's just a Twilio account away
| from being defeated. Like captchas it's only a matter of
| time before that is the baseline capability for bots and
| you're in no better place than before, except now your
| users have worsened security.
| 
| IMHO the true business incentive for requiring numbers is
| just getting identity-coupled phone numbers which add
| significant value to their collection of PII.
| [deleted]
| choward wrote:
| Why isn't there more of an emphasis on the phone companies?
| They're the ones literally giving your phone number to someone
| else.
| kome wrote:
| can we please stop using cellphones and smartphones for anything
| serious please?
| jlebar wrote:
| PayPal / Venmo also don't have support for proper security keys.
| :(
| fuzzy2 wrote:
| PayPal supports Symantec tokens though? They even sold hardware
| tokens in the past.
___________________________________________________________________
(page generated 2020-04-06 23:00 UTC)