Bank login security question - need a dummy SMS number

Questions on how we spend our money and our time - consumer goods and services, home and vehicle, leisure and recreational activities
Topic Author
RationalWalk
Posts: 462
Joined: Sun May 07, 2023 12:31 pm

Bank login security question - need a dummy SMS number

Post by RationalWalk »

My bank offers online 2FA login by selecting either my phone # or email for code. I'd like to use text with my phone but the bank website will not allow me to use my google voice number to prevent sim swapping. It will let me choose my Gmail for the code, which seems OK to me because my Gmail is secured. However, I need to defeat the phone text option with my real mobile number or I'm still vulnerable to sim swapping. Is there a way to get a real disposable SMS number for that purpose? There a lots of apps that use voip numbers like google voice, so I don't think those numbers would work either. The bank website seems to know if the number entered is a real number, because it won't accept my google voice number. It forces me to enter some phone number, so I can't just leave it blank. Wouldn't have this problem if the stupid bank would let me use my google voice number.
“Meteorologists” are the MOST accurate predictors of the future -- for the next 3-days...
torso2500
Posts: 117
Joined: Wed Sep 14, 2022 11:35 am

Re: Bank login security question - need a dummy SMS number

Post by torso2500 »

A lot of online services just aren't set up for non-voip sms 2FA preference. Do you have protocols in place with your wireless carrier to prevent a SIM swap, like a PIN for porting a number and MFA for logging into the wireless service account? Personally I find that combats some of my anxiety around sim swapping and SMS 2FA.
LeftCoastIV
Posts: 1029
Joined: Wed May 01, 2019 7:19 pm

Re: Bank login security question - need a dummy SMS number

Post by LeftCoastIV »

If you use a phone number and then discard it, the number may be recycled and assigned to someone else.
alexbogle
Posts: 281
Joined: Thu Sep 22, 2022 8:01 pm

Re: Bank login security question - need a dummy SMS number

Post by alexbogle »

what bank?
"Learn every day, but especially from the experiences of others. It’s cheaper!” -- Jack Bogle
funyun
Posts: 86
Joined: Tue Oct 31, 2023 11:07 am

Re: Bank login security question - need a dummy SMS number

Post by funyun »

I use dual sims with T-mobile prepaid. I have the cheapest $10 per month plan for my line that does all my 2fa texting. It's worth the price to me.
LookinAround
Posts: 870
Joined: Tue Mar 27, 2018 5:41 am

Re: Bank login security question - need a dummy SMS number

Post by LookinAround »

RationalWalk wrote: Tue Feb 06, 2024 3:26 pm My bank offers online 2FA login by selecting either my phone # or email for code. I'd like to use text with my phone but the bank website will not allow me to use my google voice number to prevent sim swapping. It will let me choose my Gmail for the code, which seems OK to me because my Gmail is secured. However, I need to defeat the phone text option with my real mobile number or I'm still vulnerable to sim swapping. Is there a way to get a real disposable SMS number for that purpose? There a lots of apps that use voip numbers like google voice, so I don't think those numbers would work either. The bank website seems to know if the number entered is a real number, because it won't accept my google voice number. It forces me to enter some phone number, so I can't just leave it blank. Wouldn't have this problem if the stupid bank would let me use my google voice number.
If you happen to use Bank of America, they support FIDO security keys (like Yubikey). They can authenticate via USB port (for computer access) or by touch contact via NFC (I use mine for 2FA access to my Vanguard account. I keep one at home and one on my keychain if I travel).You might check if your bank supports security key access.
Bank of America Security Key
Topic Author
RationalWalk
Posts: 462
Joined: Sun May 07, 2023 12:31 pm

Re: Bank login security question - need a dummy SMS number

Post by RationalWalk »

alexbogle wrote: Tue Feb 06, 2024 3:55 pm what bank?
U.S. Bank. Here's the weird thing. For years it wouldn't accept my Google Voice number as my primary phone number. Then one day, it did so I figured they had entered the 21st century. Then I just got a new GV number and it wouldn't accept it. And it wouldn't accept the old one either that it had accepted before. It was working fine. I'm back to square one with these idiots. CRAZY!
“Meteorologists” are the MOST accurate predictors of the future -- for the next 3-days...
Topic Author
RationalWalk
Posts: 462
Joined: Sun May 07, 2023 12:31 pm

Re: Bank login security question - need a dummy SMS number

Post by RationalWalk »

torso2500 wrote: Tue Feb 06, 2024 3:40 pm A lot of online services just aren't set up for non-voip sms 2FA preference. Do you have protocols in place with your wireless carrier to prevent a SIM swap, like a PIN for porting a number and MFA for logging into the wireless service account? Personally I find that combats some of my anxiety around sim swapping and SMS 2FA.
Unfortunately, I use an MVNO which doesn't provide these options.
“Meteorologists” are the MOST accurate predictors of the future -- for the next 3-days...
mhalley
Posts: 10394
Joined: Tue Nov 20, 2007 5:02 am

Re: Bank login security question - need a dummy SMS number

Post by mhalley »

Deleted
the_wiki
Posts: 2733
Joined: Thu Jul 28, 2022 11:14 am

Re: Bank login security question - need a dummy SMS number

Post by the_wiki »

Why would a dummy SMS or Google voice account be any less susceptible to account takeover?
Topic Author
RationalWalk
Posts: 462
Joined: Sun May 07, 2023 12:31 pm

Re: Bank login security question - need a dummy SMS number

Post by RationalWalk »

the_wiki wrote: Tue Feb 06, 2024 8:32 pm Why would a dummy SMS or Google voice account be any less susceptible to account takeover?
google voice isn't susceptible to sim swapping, so it's preferable to a "real" mobile number. I'm envisioning a dummy SMS as a "place-holder" on the bank login page that wouldn't do anything.
“Meteorologists” are the MOST accurate predictors of the future -- for the next 3-days...
User avatar
TheRoundHeadedKid
Posts: 324
Joined: Thu Aug 10, 2023 11:28 pm

Re: Bank login security question - need a dummy SMS number

Post by TheRoundHeadedKid »

How about getting a cell phone service with Google Fi instead to prevent SIM swapping? Its account is protected the same way as a Gmail account, which can include 2FA with YubiKey. This is a more direct approach than going through all your bank accounts and setting up them to use a Google Voice number.
All 86 Vanguard ETFs equally invested.
Topic Author
RationalWalk
Posts: 462
Joined: Sun May 07, 2023 12:31 pm

Re: Bank login security question - need a dummy SMS number

Post by RationalWalk »

Here's a thought. What if I get a new number and sim from a prepaid mobile service and then register that number with the bank for 2FA login. They should accept it because it's a mobile number. Then I port the number over to Google Voice. It becomes a GV number with sim swapping protection but since that number has been registered with the bank previously, will it continue to work for 2FA log in? Would this be a workaround to trick the bank into accepting a GV number?
“Meteorologists” are the MOST accurate predictors of the future -- for the next 3-days...
Topic Author
RationalWalk
Posts: 462
Joined: Sun May 07, 2023 12:31 pm

Porting phone# used for 2FA to Google Voice - will 2FA still work?

Post by RationalWalk »

[Merged into previous discussion - moderator oldcomputerguy]

I want to port the mobile phone number that I must use for 2FA text codes at my bank to Google Voice, where it will become my Google Voice number. Has anyone ported their number to Google Voice, or know if a number will still work for 2FA at the bank after it is ported?
“Meteorologists” are the MOST accurate predictors of the future -- for the next 3-days...
Invest4lt
Posts: 325
Joined: Sat Jul 15, 2017 12:25 pm

Re: Porting phone# used for 2FA to Google Voice - will 2FA still work?

Post by Invest4lt »

No, it won’t work since the bank will detect the voip. They are looking for security that includes something you have and something you know. Replacing a physical phone with GV reduces security to two things you know.
"People sometimes fail to live because they are always preparing to live." - Alan Watts
Nonchalance
Posts: 14
Joined: Wed Sep 28, 2022 6:30 am

Re: Porting phone# used for 2FA to Google Voice - will 2FA still work?

Post by Nonchalance »

I've had that setup for about 8 years, and it works at least 95% of the time. Just once had a financial institution say they won't connect with VOIP. A more common limitation is that Google Voice texts work in only US, Canada, and a handful of countries in Western Europe.
Last edited by Nonchalance on Thu Feb 08, 2024 9:33 pm, edited 1 time in total.
Saving$
Posts: 2508
Joined: Sat Nov 05, 2011 8:33 pm

Re: Porting phone# used for 2FA to Google Voice - will 2FA still work?

Post by Saving$ »

I have some accounts for which the 2FA goes to a Google Voice number.
Works fine.
nalor511
Posts: 4891
Joined: Mon Jul 27, 2015 1:00 am

Re: Porting phone# used for 2FA to Google Voice - will 2FA still work?

Post by nalor511 »

All my 2fa, only a few won't let me use GV, almost all work fine
w5000
Posts: 301
Joined: Mon Feb 10, 2020 8:33 pm

Re: Porting phone# used for 2FA to Google Voice - will 2FA still work?

Post by w5000 »

There are some institutions where a GV number won't work for receiving a security code by text message, but will still work for receiving it by a phone call. Ally Bank is in this category.

There are some institutions for which a GV number doesn't work at all. In my experience, Citizens Bank is one such institution.

I don't know of a comprehensive list of where a GV number does and doesn't work. It works fine for most of the institutions that I do business with, but YMMV.
User avatar
breakaway
Posts: 124
Joined: Sun Jul 15, 2018 7:15 pm

Re: Porting phone# used for 2FA to Google Voice - will 2FA still work?

Post by breakaway »

It may work some of the time, and could stop working at any time. GV numbers are not mobile numbers, and you cannot rely on them working for short message codes (5/6 digit numbers that banks and other use) all the time. You may be better off porting to a low cost mobile virtual network operator (MVNO).

ymmv
Topic Author
RationalWalk
Posts: 462
Joined: Sun May 07, 2023 12:31 pm

Re: Porting phone# used for 2FA to Google Voice - will 2FA still work?

Post by RationalWalk »

Let me clarify. I know my bank won't take new VOIP numbers for 2FA. When I try to enter a GV number, the site recognizes it as a VOIP and won't let me enter it. So, I have entered my mobile number as my primary number to use for 2FA and it's working. Now if I port that number to GV will it continue to work? I recognize that it probably wouldn't be accepted if I were trying to enter it for the first time, but if it's already in there now why wouldn't it work OK? I think VOIP numbers will function OK; but banks don't like them and won't take them. It's the difference between a fox that's already in the henhouse and one that's trying to get in.
“Meteorologists” are the MOST accurate predictors of the future -- for the next 3-days...
User avatar
typical.investor
Posts: 5201
Joined: Mon Jun 11, 2018 3:17 am

Re: Porting phone# used for 2FA to Google Voice - will 2FA still work?

Post by typical.investor »

RationalWalk wrote: Thu Feb 08, 2024 10:35 pm Let me clarify. I know my bank won't take new VOIP numbers for 2FA. When I try to enter a GV number, the site recognizes it as a VOIP and won't let me enter it. So, I have entered my mobile number as my primary number to use for 2FA and it's working. Now if I port that number to GV will it continue to work? I recognize that it probably wouldn't be accepted if I were trying to enter it for the first time, but if it's already in there now why wouldn't it work OK? I think VOIP numbers will function OK; but banks don't like them and won't take them. It's the difference between a fox that's already in the henhouse and one that's trying to get in.
I am not sure having been accepted in the past will help you.

I just ported my number to a new carrier (neither are VOIP) and what I noticed is that Schwab and Capitol One made me re-register for text alerts. This tells me they noticed that I changed networks and they rescinded my previous trust.

YMMV
Northern Flicker
Posts: 15159
Joined: Fri Apr 10, 2015 12:29 am

Re: Porting phone# used for 2FA to Google Voice - will 2FA still work?

Post by Northern Flicker »

Invest4lt wrote: Thu Feb 08, 2024 9:09 pm No, it won’t work since the bank will detect the voip. They are looking for security that includes something you have and something you know. Replacing a physical phone with GV reduces security to two things you know.
That is unlikely to be the reason. The service has an additional requirement for authentication that the customer lacks: non-repudiation. It is more difficult to tie a GV number to a person if the person tries to claim they did not login when they did. Some GV accounts are old enough that google may not be able to match them to a known person unequivocally.
User avatar
anagram
Posts: 1464
Joined: Fri Aug 04, 2023 1:03 am

Re: Porting phone# used for 2FA to Google Voice - will 2FA still work?

Post by anagram »

RationalWalk wrote: Thu Feb 08, 2024 10:35 pm Let me clarify. I know my bank won't take new VOIP numbers for 2FA. When I try to enter a GV number, the site recognizes it as a VOIP and won't let me enter it. So, I have entered my mobile number as my primary number to use for 2FA and it's working. Now if I port that number to GV will it continue to work? I recognize that it probably wouldn't be accepted if I were trying to enter it for the first time, but if it's already in there now why wouldn't it work OK? I think VOIP numbers will function OK; but banks don't like them and won't take them. It's the difference between a fox that's already in the henhouse and one that's trying to get in.
No. The bank will notice the change in network.
User avatar
VictorStarr
Posts: 742
Joined: Sat Jan 04, 2020 9:13 pm
Location: Washington

Re: Porting phone# used for 2FA to Google Voice - will 2FA still work?

Post by VictorStarr »

RationalWalk wrote: Thu Feb 08, 2024 5:03 pm I want to port the mobile phone number that I must use for 2FA text codes at my bank to Google Voice, where it will become my Google Voice number. Has anyone ported their number to Google Voice, or know if a number will still work for 2FA at the bank after it is ported?

In general, banks may notice a change of carrier. A GV number ported from mobile carrier to voip may work for some time but there is no guarantee.

Why do you want to stick with a bank that does not support a proper 2FA? There are a number of banks/CMA that have 2FA with authenticator app. Schwab, E*Trade and Fidelity support the Symantec VIP app.

Among national banks, Bank of America and Chase support Google Voice for 2FA and alerts. BofA even supports YubiKeys with fallback to a phone number.
User avatar
VictorStarr
Posts: 742
Joined: Sat Jan 04, 2020 9:13 pm
Location: Washington

Re: Bank login security question - need a dummy SMS number

Post by VictorStarr »

RationalWalk wrote: Tue Feb 06, 2024 3:26 pm My bank offers online 2FA login by selecting either my phone # or email for code. I'd like to use text with my phone but the bank website will not allow me to use my google voice number to prevent sim swapping. It will let me choose my Gmail for the code, which seems OK to me because my Gmail is secured. However, I need to defeat the phone text option with my real mobile number or I'm still vulnerable to sim swapping. Is there a way to get a real disposable SMS number for that purpose? There a lots of apps that use voip numbers like google voice, so I don't think those numbers would work either. The bank website seems to know if the number entered is a real number, because it won't accept my google voice number. It forces me to enter some phone number, so I can't just leave it blank. Wouldn't have this problem if the stupid bank would let me use my google voice number.

There are a number of sites that offer temporary mobile numbers. For a few bucks you can rent a phone number for a week.
Here a couple of sites for US mobile numbers:
https://mobilesms.io
https://quackr.io/rent-sms-numbers

I used similar services for temp foreign phone numbers.
Northern Flicker
Posts: 15159
Joined: Fri Apr 10, 2015 12:29 am

Re: Bank login security question - need a dummy SMS number

Post by Northern Flicker »

RationalWalk wrote: Tue Feb 06, 2024 9:39 pm
the_wiki wrote: Tue Feb 06, 2024 8:32 pm Why would a dummy SMS or Google voice account be any less susceptible to account takeover?
google voice isn't susceptible to sim swapping, so it's preferable to a "real" mobile number. I'm envisioning a dummy SMS as a "place-holder" on the bank login page that wouldn't do anything.
That may be less secure than just using your regular phone. If the "dummy" number were ported to an attacker's phone, not only would the 2FA be compromised, but you may not observe any evidence of that to be able to take corrective actions.

Suggest that you use an authentication mechanism recommended by and supported by the bank so you don't inadvertently take on undue liability for a hypothetical breach of your account.
OnlyBugs
Posts: 33
Joined: Wed Mar 01, 2023 2:47 pm

Re: Porting phone# used for 2FA to Google Voice - will 2FA still work?

Post by OnlyBugs »

Pretty insecure to do so, even if it works.
alexbogle
Posts: 281
Joined: Thu Sep 22, 2022 8:01 pm

Re: Porting phone# used for 2FA to Google Voice - will 2FA still work?

Post by alexbogle »

I'm surprised to read all the comments saying this reduces security.

In other threads where sim swaps are brought up, using Google voice for 2fa is often recommended!

Google voice works fine for 2fa for me at: merrill, schwab, fidelity, amex, boa, and chase. Citi works but voice only, even though you can force a text from citi by manually creating an api request for it ..

My Google account has 2fa consisting of only fido keys and totp. I consider it more secure than my cell phone. But I mostly do it so I can access the texts while on holiday out of the country.
"Learn every day, but especially from the experiences of others. It’s cheaper!” -- Jack Bogle
Vinny_in_NJ
Posts: 117
Joined: Fri Jan 12, 2024 5:01 pm

Re: Bank login security question - need a dummy SMS number

Post by Vinny_in_NJ »

After reading this thread went onto my carrier, T Mobile, and was able to lock my numbers down with one button. I guess nothing is fool proof but every security measure makes it just a little difficult for someone to gain access. Other carriers may have the same setup.

Now I can't say how they know it's me if/when the time comes to prove anything. I have a Pin set up and use 2FA now. But I'm not really on social media and I never answer random texts and when my friend "Scam Likely " calls the phone I never answer.
one_speed
Posts: 89
Joined: Tue May 25, 2021 2:01 pm

Re: Bank login security question - need a dummy SMS number

Post by one_speed »

RationalWalk wrote: Thu Feb 08, 2024 11:35 am Would this be a workaround to trick the bank into accepting a GV number?
Don't try to trick the bank. If/when something bad does happen, then they'd have a reason to put all the liability on you.
jebmke
Posts: 24919
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: Bank login security question - need a dummy SMS number

Post by jebmke »

I’d be inclined to either change banks or (my choice) keep little money in the bank. Banks aren’t great places to store money these days anyway.
Stay hydrated; don't sweat the small stuff
User avatar
jabberwockOG
Posts: 3079
Joined: Thu May 28, 2015 7:23 am

Re: Bank login security question - need a dummy SMS number

Post by jabberwockOG »

Northern Flicker wrote: Fri Feb 09, 2024 1:12 am
RationalWalk wrote: Tue Feb 06, 2024 9:39 pm
the_wiki wrote: Tue Feb 06, 2024 8:32 pm Why would a dummy SMS or Google voice account be any less susceptible to account takeover?
google voice isn't susceptible to sim swapping, so it's preferable to a "real" mobile number. I'm envisioning a dummy SMS as a "place-holder" on the bank login page that wouldn't do anything.
That may be less secure than just using your regular phone. If the "dummy" number were ported to an attacker's phone, not only would the 2FA be compromised, but you may not observe any evidence of that to be able to take corrective actions.

Suggest that you use an authentication mechanism recommended by and supported by the bank so you don't inadvertently take on undue liability for a hypothetical breach of your account.

This. Don't try to "fool/trick/workaround" a financial institution trying to fix a fraud possibility that will likely never happen, and inadvertently expose yourself to same or even greater risk.

I was in this part of the business for many years. Fraud is a long standing small and large scale cost of doing business for all large banks and financial institutions, but none of them publicize this fact, for obvious reasons. Follow exact bank recommended protocol for security there, and if something does happen you almost certainly will be made whole by the bank. If you don't follow their security recommendations, and get hacked, you may very well be on your own.
ScubaHogg
Posts: 3386
Joined: Sun Nov 06, 2011 2:02 pm

Re: Bank login security question - need a dummy SMS number

Post by ScubaHogg »

Just sign up for a google voice number
There are more things in Heaven and Earth, Horatio, than are dreamt of in your Expected Returns
jebmke
Posts: 24919
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: Bank login security question - need a dummy SMS number

Post by jebmke »

ScubaHogg wrote: Fri Feb 09, 2024 7:24 am Just sign up for a google voice number
RationalWalk wrote: Tue Feb 06, 2024 3:26 pm My bank offers online 2FA login by selecting either my phone # or email for code. I'd like to use text with my phone but the bank website will not allow me to use my google voice number to prevent sim swapping. It will let me choose my Gmail for the code, which seems OK to me because my Gmail is secured. However, I need to defeat the phone text option with my real mobile number or I'm still vulnerable to sim swapping. Is there a way to get a real disposable SMS number for that purpose? There a lots of apps that use voip numbers like google voice, so I don't think those numbers would work either. The bank website seems to know if the number entered is a real number, because it won't accept my google voice number. It forces me to enter some phone number, so I can't just leave it blank. Wouldn't have this problem if the stupid bank would let me use my google voice number.
Stay hydrated; don't sweat the small stuff
4nursebee
Posts: 2577
Joined: Sun Apr 01, 2012 7:56 am
Location: US

Re: Bank login security question - need a dummy SMS number

Post by 4nursebee »

RationalWalk wrote: Tue Feb 06, 2024 3:26 pm My bank offers online 2FA login by selecting either my phone # or email for code. I'd like to use text with my phone but the bank website will not allow me to use my google voice number to prevent sim swapping. It will let me choose my Gmail for the code, which seems OK to me because my Gmail is secured. However, I need to defeat the phone text option with my real mobile number or I'm still vulnerable to sim swapping. Is there a way to get a real disposable SMS number for that purpose? There a lots of apps that use voip numbers like google voice, so I don't think those numbers would work either. The bank website seems to know if the number entered is a real number, because it won't accept my google voice number. It forces me to enter some phone number, so I can't just leave it blank. Wouldn't have this problem if the stupid bank would let me use my google voice number.
You wouldn't have this (stupid) problem if you gave them your real cell phone number.
Pale Blue Dot
ScubaHogg
Posts: 3386
Joined: Sun Nov 06, 2011 2:02 pm

Re: Bank login security question - need a dummy SMS number

Post by ScubaHogg »

jebmke wrote: Fri Feb 09, 2024 7:27 am
ScubaHogg wrote: Fri Feb 09, 2024 7:24 am Just sign up for a google voice number
RationalWalk wrote: Tue Feb 06, 2024 3:26 pm My bank offers online 2FA login by selecting either my phone # or email for code. I'd like to use text with my phone but the bank website will not allow me to use my google voice number to prevent sim swapping. It will let me choose my Gmail for the code, which seems OK to me because my Gmail is secured. However, I need to defeat the phone text option with my real mobile number or I'm still vulnerable to sim swapping. Is there a way to get a real disposable SMS number for that purpose? There a lots of apps that use voip numbers like google voice, so I don't think those numbers would work either. The bank website seems to know if the number entered is a real number, because it won't accept my google voice number. It forces me to enter some phone number, so I can't just leave it blank. Wouldn't have this problem if the stupid bank would let me use my google voice number.
Weird, as I use mine with multiple banks
There are more things in Heaven and Earth, Horatio, than are dreamt of in your Expected Returns
Topic Author
RationalWalk
Posts: 462
Joined: Sun May 07, 2023 12:31 pm

Re: Bank login security question - need a dummy SMS number

Post by RationalWalk »

The strange thing is that the bank (US Bank) actually did accept my Google Voice number after many years of rejecting it. I got a notice that they were "upgrading" their website, so I tried the GV number again and voila it was accepted. I figured they had changed their protocol. Everything worked fine. Then recently I changed my GV number, so went to the website to update it. It was rejected once again, and the old GV number couldn't be re-entered so I was back to square one. Frustrating. But this experience informed me that a GV number will work just fine on their website if I can get it accepted again. If they are able to detect a "change in network" and reject, it sure didn't happen then.
“Meteorologists” are the MOST accurate predictors of the future -- for the next 3-days...
User avatar
anagram
Posts: 1464
Joined: Fri Aug 04, 2023 1:03 am

Re: Bank login security question - need a dummy SMS number

Post by anagram »

RationalWalk wrote: Fri Feb 09, 2024 10:12 am The strange thing is that the bank (US Bank) actually did accept my Google Voice number after many years of rejecting it. I got a notice that they were "upgrading" their website, so I tried the GV number again and voila it was accepted. I figured they had changed their protocol. Everything worked fine. Then recently I changed my GV number, so went to the website to update it. It was rejected once again, and the old GV number couldn't be re-entered so I was back to square one. Frustrating. But this experience informed me that a GV number will work just fine on their website if I can get it accepted again. If they are able to detect a "change in network" and reject, it sure didn't happen then.
Just use a real cell number or change banks. Simple.
Northern Flicker
Posts: 15159
Joined: Fri Apr 10, 2015 12:29 am

Re: Porting phone# used for 2FA to Google Voice - will 2FA still work?

Post by Northern Flicker »

alexbogle wrote: Fri Feb 09, 2024 3:57 am I'm surprised to read all the comments saying this reduces security.

In other threads where sim swaps are brought up, using Google voice for 2fa is often recommended!
We weren't saying that GV reduces security-- having a dummy SMS number that is not used or monitored probably reduces security. Two threads were merged, which may have changed the apparent context for some posts.
cipriano
Posts: 13
Joined: Thu May 13, 2021 6:17 pm

Re: Bank login security question - need a dummy SMS number

Post by cipriano »

Why aren't these banks using TOTP (authenticator apps), which are much more secure? Weird.
Topic Author
RationalWalk
Posts: 462
Joined: Sun May 07, 2023 12:31 pm

Re: Bank login security question - need a dummy SMS number

Post by RationalWalk »

cipriano wrote: Fri Feb 09, 2024 1:06 pm Why aren't these banks using TOTP (authenticator apps), which are much more secure? Weird.
From my limited understanding, some banks want to verify that a "real person" is logging in so they limit phone numbers to "real wireless numbers" that are physically linked to a "real" phone or device somewhere. VOIP numbers don't meet that test. But since authenticator apps are (based on my limited understanding) linked to a "real" phone or device somewhere, that would seem to meet the test. Maybe it's just because they are lazy and don't want to implement this option.
“Meteorologists” are the MOST accurate predictors of the future -- for the next 3-days...
Northern Flicker
Posts: 15159
Joined: Fri Apr 10, 2015 12:29 am

Re: Bank login security question - need a dummy SMS number

Post by Northern Flicker »

They may send an SMS code to your phone when the seed for the TOTP secret is established, after which possession of the current TOTP code in the sequence establishes the same identification.

A phone or TOTP device may be lost or compromised, but this would be reported and there would be evidence.
User avatar
HanSolo
Posts: 2170
Joined: Thu Jul 19, 2012 3:18 am

Re: Bank login security question - need a dummy SMS number

Post by HanSolo »

cipriano wrote: Fri Feb 09, 2024 1:06 pm Why aren't these banks using TOTP (authenticator apps), which are much more secure? Weird.
... or hardware security keys, which are even more secure.
Strategic Macro Senior (top 1%, 2019 Bogleheads Contest)
hudson
Posts: 7050
Joined: Fri Apr 06, 2007 9:15 am

Re: Bank login security question - need a dummy SMS number

Post by hudson »

RationalWalk wrote: Fri Feb 09, 2024 1:35 pm
cipriano wrote: Fri Feb 09, 2024 1:06 pm Why aren't these banks using TOTP (authenticator apps), which are much more secure? Weird.
From my limited understanding, some banks want to verify that a "real person" is logging in so they limit phone numbers to "real wireless numbers" that are physically linked to a "real" phone or device somewhere. VOIP numbers don't meet that test. But since authenticator apps are (based on my limited understanding) linked to a "real" phone or device somewhere, that would seem to meet the test. Maybe it's just because they are lazy and don't want to implement this option.
It looks like you've hit a wall.
I vote that you're good. You have 2FA in place and you are aware. Good luck on anyone trying to get into your account.
User avatar
beyou
Posts: 6801
Joined: Sat Feb 27, 2010 2:57 pm
Location: If you can make it there

Re: Bank login security question - need a dummy SMS number

Post by beyou »

Seems you can best consider

1) new bank, one known to use gv. many allow it
2) new phone carrier, one that seems most secure


Maybe there should be a thread to compare notes on which phone carrier is most secure rather than the hundreds of threads than discuss which is cheapest ! Seems cheapest is not a good criteria for something as important to security (if done right).
otinkyad
Posts: 482
Joined: Wed Jun 01, 2016 5:35 pm

Re: Bank login security question - need a dummy SMS number

Post by otinkyad »

RationalWalk wrote: Fri Feb 09, 2024 1:35 pm
cipriano wrote: Fri Feb 09, 2024 1:06 pm Why aren't these banks using TOTP (authenticator apps), which are much more secure? Weird.
From my limited understanding, some banks want to verify that a "real person" is logging in so they limit phone numbers to "real wireless numbers" that are physically linked to a "real" phone or device somewhere. VOIP numbers don't meet that test. But since authenticator apps are (based on my limited understanding) linked to a "real" phone or device somewhere, that would seem to meet the test. Maybe it's just because they are lazy and don't want to implement this option.
Authenticator apps (TOTP) are not tied in any way to a physical device. They are just cryptographic functions wrapped around a secret seed value. They are wildly scalable.

Banks are conservative, highly regulated, and have nearly everyone as a potential customer. I think poor IT is one cause, but the biggest reason for not moving beyond SMS for 2FA is likely social. They would have lots of customer support issues if they forced everyone to install an app on their smartphone to do online banking. Security keys are easier to use, but cost money. SMS, while no longer recommended, is simple and easy to use (annoying, but conceptually easy), and far better than nothing.

I don’t have any idea the reason for only sometimes supporting VOIP, whether it’s technical, social, financial, or even regulatory (historically).
diverdoc
Posts: 56
Joined: Tue May 16, 2017 10:46 pm

Re: Bank login security question - need a dummy SMS number

Post by diverdoc »

Check out anonymsms.com. You can rent a private number there for a day or more and use it for SMS verifications. They offer real numbers, so I don't think you should encounter any problems using it on your bank's website.
mptfan
Posts: 7176
Joined: Mon Mar 05, 2007 8:58 am

Re: Bank login security question - need a dummy SMS number

Post by mptfan »

RationalWalk wrote:But since authenticator apps are (based on my limited understanding) linked to a "real" phone or device somewhere, that would seem to meet the test.
This is not true at all. TOTP authentication can be done on any device, anywhere, including a computer or tablet and is not linked to one device.
Last edited by mptfan on Thu Feb 15, 2024 6:16 pm, edited 1 time in total.
Breezy
Posts: 225
Joined: Mon Jul 11, 2011 11:38 am

Re: Bank login security question - need a dummy SMS number

Post by Breezy »

funyun wrote: Tue Feb 06, 2024 4:02 pm I use dual sims with T-mobile prepaid. I have the cheapest $10 per month plan for my line that does all my 2fa texting. It's worth the price to me.
Are you saying that you have a second phone that you use for all 2fa texting? An acquaintance of mine traveling in South America just experienced a worst-case financial hack due to iphone hack/theft, and I am trying to think how not to ever have that happen.
Post Reply