60
submitted 2 months ago by OhVenus_Baby@lemmy.ml to c/privacy@lemmy.ml

This should be far more secure and privacy friendly than a SIM card of a cellular connection. Why isn't this done more often? What are the pros and cons? I bet the price is similar as well.

[-] Majestic@lemmy.ml 30 points 2 months ago

Cons:

You absolutely cannot get 2FA authenticator codes from 90% of services. Many services that require a phone number even without 2FA just for "verify you're a human" or because they want your data or to verify region use shortcode services that also will not work with ANY VOIP provider.

You will not receive their codes. These companies vary from banking institutions to gaming companies to online shopping marketplaces and stores to a Google account (used to be you could get an automated phone call to verify an account, not anymore, must be able to receive SMS from shortcodes that are disabled for VOIP numbers to register and to recover an account) just about anyone you could end up doing business with.

A shockingly large amount of companies demand phone numbers and send verification texts before allowing you to do business with them, to create an account, to recover an account, to delete an account, to place an order, etc.

They really shouldn't, it's a bad security practice but companies love it because with a phone number they can lower support costs by just allowing people to do a self-service where they get an automated text and can unlock their locked account. They also love harvesting that data and preventing anonymization with VOIP numbers and the reduction of fraud and increase of reliable KYC that comes with requiring them.

And they all take it as a given that EVERYONE or at least 99% have a cell plan with a non-VOIP number that works with these and the 1% who don't they don't care about in the developed world and are an acceptable loss.

[-] mox@lemmy.sdf.org 9 points 2 months ago

I think how often this is a problem varies widely from person to person. I don't remember the last time I gave a mobile number out to a company, but it was more than a few years ago. The last few that strictly required one were non-essential; I just took my business elsewhere.

[-] JustEnoughDucks@feddit.nl 5 points 2 months ago

90% of American commercial services, that is.

Online services or many/most European services have more proper 2FA (TOTP, app-based, card reader OTP, etc...)

[-] delirious_owl@discuss.online 3 points 2 months ago* (last edited 2 months ago)

Can you name me an EU bank that doesn't demand a phone number to signup?

Unfortunately, PSD2 doesn't support TOTP and other strong 2FA solutions, so they all appear to require phone numbers. This is one area where EU is worse than US.

[-] JustEnoughDucks@feddit.nl 2 points 2 months ago* (last edited 2 months ago)

That is a completely separate issue from the above commenter.

> You absolutely cannot get 2FA authenticator codes from 90% of services

> A shockingly large amount of companies demand phone numbers and send verification texts before allowing you to do business with them, to create an account, to recover an account, to delete an account, to place an order, etc.

> They really shouldn’t, it’s a bad security practice but companies love it because with a phone number they can lower support costs by just allowing people to do a self-service where they get an automated text and can unlock their locked account.

Also an issue, but indeed a separate issue from using unsecure SMS as TOTP.

[-] delirious_owl@discuss.online 1 points 2 months ago

I don't follow. Banks are required to use insecure SMS for OTPs by PSD2.

[-] Nithanim@programming.dev 2 points 2 months ago

My EU bank never ever used my phone number to verify anything. They only used it to contact me on some occasions. 2FA is done through their app.

[-] delirious_owl@discuss.online 1 points 2 months ago* (last edited 2 months ago)

Oh, right, their closed source app. That's allowed. So it requires a phone.

So the OTP is still transmitted to satisfy the requirements of PSD2. But TOTP (a more secure system that doesn't transmit the OTP at all) is not allowed.

[-] autonomoususer@lemmy.world 1 points 2 months ago* (last edited 2 months ago)

Can't I just transfer my existing phone number, from any Pay As You Go SIM?

[-] Majestic@lemmy.ml 1 points 2 months ago* (last edited 2 months ago)

You can but they’ll find out. It’s reported or flagged or something, they can tell what provider holds a number and they block VOIP ones. Also if a number was ever previously a VOIP number do not try and transfer it back to proper cellular as it will still remain blocked for many but not all of these for years potentially.

[-] chappedafloat@lemmy.wtf 0 points 2 months ago

You can buy for cents phone numbers online for one time verification purpose or even rent the number for long term if you need. It's better to use these anonymous cheap throwaway numbers if you want privacy instead of your real phone number for everything.

[-] delirious_owl@discuss.online -1 points 2 months ago

You probably shouldn't be using a service that requires a phone number. More often than not, they use it as a backdoor to bypass your password and it leaves your account super vulnerable.

this post was submitted on 19 Sep 2024
60 points (95.5% liked)
