r/AskTechnology 1d ago

Why is it that websites (Gmail, Hotmail, Amazon) hate it when you deliberately choose to exclusively use TOTP authenticators and remove your phone number?

I have a Hotmail account, a Gmail account and an Amazon account. Years ago, I managed to remove my phone number from the first 2 and added an authenticator app for 2FA. When I bought Yubikeys (from Amazon), I added them to my Gmail, Hotmail and Amazon accounts, as well as other services (like MongoDB, Github). However, I was having difficulty removing my phone number from Amazon, until I read a Reddit post that I can remove the phone number once I disable 2-step verification. I did that, removed the phone number, and re-enabled 2-step verification. I am able to confirm that the authenticator app is the only way to access my Amazon account from any device not already logged in.

Here is the thing, I know full well that phone number based authentication is subject to SIM swapping. I know this because I successfully perpetrated an act of SIM swapping years ago against my "sister" (in quotes, because the phone was really used by me, but the cellular account was under her name). Time-based authentication is safe as long as there isn't a keylogger or other malware on your computer and you don't share the QR code/alphanumeric seed with anyone. Plus, the seed can be shared amongst devices you own, making it trivial to back up.

The thing is, Google, Microsoft and Amazon keep warning me that it is not safe or that the account is not recoverable if I lose the TOTP. But I have the codes on both my phone and my computer, which is impossible with SMS (You can't possibly set anything up where 2 phones would ring at the same time when a call is placed to a single number, right?). Why would tech companies write misinformation like this? I mean, it is obviously not true. Adding a phone number neither increases account safety, nor does it make things easier to back up/recover. I am 2/3 finished with a college diploma in computer programming and have learned about things like OAuth (a standard that can be implemented in frameworks like Next.js via something called "next-auth").

9 Upvotes

56 comments sorted by

3

u/dkopgerpgdolfg 1d ago edited 1d ago

In the very general case:

Why would tech companies write misinformation like this?

As you say you're a CS student, I'm sure you can come to that conclusion too:

Money. That's all. Money by selling data, and/or forcing the users to use other paid products, or harming you in some way because you've endangered their profits, ... . Who cares about misinformation, lies, fraud, blackmail, defamation, libel, assault, and many more things, when the goal is to run an ultra-greedy US company.

...

This example here is one thing.

GMail warns you that all external mail clients are not secure to use, only their own browser client is fine, because they can track your activity best there.

MS Teams is intentionally broken with Linux user agents, but that's against some EU court ruling, so on every bug report and complaint you'll get some copy-paste "everything works, we're fully supporting Linux too" when clearly this is not the case.

Youtube intentionally slows down with script/adblockers active.

An increasing amount of restaurants threaten you if you leave a bad review.

And so on...

2

u/charleswj 22h ago

Your entire post, save for maybe the last couple lines, is tinfoil hat misinformation that you made up in your head because it sounded good to you

2

u/maryjayjay 20h ago edited 20h ago

I worked in Ad Tech for a fortune 100 company for nine years. You are naive if you think most of what you replied to is untrue

1

u/charleswj 20h ago

Ok I'll just pick the first specific one...

GMail warns you that all external mail clients are not secure to use, only their own browser client is fine, because they can track your activity best there.

From https://support.google.com/a/answer/9003945?hl=en:

We recommend using the latest versions of:

Microsoft Outlook

1

u/maryjayjay 20h ago

I was referring to them collecting, aggregating, and selling your personal data

1

u/charleswj 20h ago

That companies do this isn't debatable. That Apple and Microsoft are doing so, are doing it with numbers specifically provided for account recovery, and are intentionally discouraging people from removing these numbers for this monetary purpose, is debatable.

1

u/dkopgerpgdolfg 20h ago

... and if you continue reading:

Step 1 if it needs to be an external client

Turn on Less secure apps

Starting May 1, 2025, Google Workspace accounts no longer support less secure apps, third-party apps, or devices that ask you to sign in to your Google Account with your username and password. You must use OAuth to let these apps and devices access your account. Third-party email apps that are no longer supported include Microsoft Outlook

For people who think that the whole page contains some contradictions: yes, it does.

If you try it in practice, you'll see that: Without that "less secure" things, you won't get access, even with OAuth and/or Outlook and/or anything else that is mentioned.

1

u/charleswj 20h ago

What are you trying to say? Less secure means...less secure. It's not a thing you should do. They make it easy to use the more secure option, OAuth, and happily instruct on how to do so.

The irony, that on a post about companies making it harder to enable more secure options, that you're complaining about them making it harder to be less secure.

1

u/charleswj 20h ago

Oh are you incorrectly thinking they're saying all external clients require the "less secure apps" instructions? You're wrong and need to reread.

1

u/dkopgerpgdolfg 20h ago edited 19h ago

I'm not saying that the linked page says that, but the real software does behave this way. I ran into this myself (in a paid business account), you can try it too if you want.

A big factor in this thread is that companies are not honest, your own link is an example of that.

And about that Apple/MS subtopic, this too: Even if they don't specifically sell these phone numbers, they at least lied about the reason why they're needed, and what things can (not) happen if a user doesn't provide a number. If they have no bad intentions at all, such lies are unnecessary.

1

u/charleswj 20h ago

I linked to a page saying it's supported. You pointed to the part of the page that says old versions aren't recommended but still work. Now you're saying, I think, that the docs are lying? What exactly are you saying doesn't work (or is discouraged) for connecting modern Outlook versions to Gmail?

1

u/dkopgerpgdolfg 19h ago

You told me to reread, so I'll return that advice now.

1

u/charleswj 19h ago

I'm not saying that the linked page says that, but the real software does behave this way. I ran into this myself (in a paid business account), you can try it too if you want.

Which one is it? Does the software not do what the docs say? Or does the doc say something you don't like?

1

u/OtherwiseAlbatross14 9h ago

None of it had anything to do with the question. Removing a phone number from 2FA options has nothing to do with a desire to sell user data.

It has everything to do with the fact that most users don't know what the implications of not having sufficient backup 2FA methods in place are.

I have multiple different methods enabled on my important accounts and not only is it possible to remove my phone, one of the ones listed in the OP has a full step after adding the last one suggesting I remove the SMS option for increased security and I had to specifically say no and then confirm that no to bypass it.

The person above has the brainrot that causes them to just default to "everything a company does that I don't understand is because they're trying to fuck us over!" rather than having the ability to think critically or just shut up when they don't know anything about the subject.

1

u/dkopgerpgdolfg 22h ago edited 21h ago

All of the examples are easily provable, if you just care to look at the proof. And in all these cases, you'll find plenty people calling the company out for their bs, just to not get any response anymore. I also experience(d) all of them myself.

But feel free to not believe it, doesn't matter to me.

1

u/charleswj 21h ago

You're right, Microsoft wants your phone number to sell it and not because Grandma will lick herself out of her account when she wipes her totp when she gets a new phone.

2

u/CaucusInferredBulk 20h ago

I'm sure I could find people licking themselves out on the Internet. But I'm not sure I want it to be grandma.

1

u/charleswj 20h ago

Send me your contact info, I'll hook you up

1

u/thaynem 16h ago

There is another reason, which is ultimately because of money, that if it isn't the primary reason, is at least the reason these companies will probably give if pressed for an answer: people losing their TOTP codes.

Your average user is more likely to lose their TOTP code than lose access to their mobile phone number. And if a user does lose their TOTP code, and you don't have their phone number as an alternative verification method, how do you allow them to log in? Your options are either tell the user they are out of luck, which infuriates the user, and may cause you to lose business, or use some other method to verify the user's identity. In some cases you might be able to send a verification code via email. But if you are the user's primary email provider, that doesn't do any good if they can't log in to their email. If you know the user's real identity, you can have the user provide proof they are who they say they are, but that is relatively expensive to do. So to avoid having to deal with that situation, they want to have your phone number, at least as a backup in case you lose your TOTP code.

Of course, once they have your number, at least some companies will use or sell it for ... less ethical purposes.

2

u/Way2trivial 1d ago

(You can't possibly set anything up where 2 phones would ring at the same time when a call is placed to a single number, right?)

Sarcasm? right?

1

u/random20190826 1d ago

No. It’s not. I know of call forwarding, but that results in calls being redirected to another number. The original number doesn’t ring.

By extension, are you claiming that it is possible for text messages to appear on multiple devices even if they are sent to only one number?

2

u/mjmcfall88 1d ago

I don't know about texts, but I have a Google voice number that rings mine and my wife's phone at the same time

1

u/random20190826 1d ago

Google Voice is only available in the United States. I am on the other side of the border in Canada.

2

u/Way2trivial 1d ago

Yes, in fact, that can be arranged: simultaneous texting to more than one phone number.

1

u/Way2trivial 1d ago

1

u/random20190826 1d ago

Oh, I didn’t know that these services exist. Thank you for letting me know.

1

u/NekkidWire 18h ago

Also you have some premium watches that are NOT Bluetooth but use SIM/eSIM, that will ring together with their master phone. From Apple and other manufacturers.

Not to be confused with kids' watches (cheap garbage with 2G and GPS alerts).

1

u/VeiledShift 1d ago

(You can't possibly set anything up where 2 phones would ring at the same time when a call is placed to a single number, right?)

I know it's not relevant here, but did every millennial and up who read this part get immediate flashbacks of EVERY PHONE IN YOUR HOUSE ringing anytime anybody calls your parents' landline?

2

u/AardvarkIll6079 1d ago

Calls can absolutely ring on multiple phones. I had a phone number that rang on 4 different phones.

1

u/random20190826 1d ago

Is that a traditional cellphone with either a physical SIM card or eSIM, as opposed to a VOIP phone?

2

u/dkopgerpgdolfg 1d ago

Even better, a decades old landline connection can do this by default.

But yes, it works with normal cell phones too, if the operator supports it.

2

u/werdnum 1d ago

These big tech companies are not stupid and they have big sophisticated security teams with a lot more experience than "I have heard of OAuth" (which isn't really relevant here by the way, least of all its integration with NextJS), so you should wonder what they know that you don't.

The most likely explanation (as somebody who works in big tech but not on any of these products) is that security best practice is contextual. Probably some combination of the following (I don't know that all of these are true but they're at least plausible)

  • not every user is as sophisticated as you.
  • even if you're theoretically right, the reality is that they find that for typical users, removing phone based OTPs is associated with a disproportionate number of support calls related to account lockouts that they don't want to deal with.
  • you might back up and sync your TOTPs across many devices but most users don't and they tend to lose them when they get a new phone.
  • SIM swapping is not a super common attack vector unless you're a fairly high value target, and it's more than enough to deal with the most common attacks (low effort password reuse or guessing)
  • the companies are operating under other constraints you don't know about.

Doing security for billions of users with a huge range of hardware and technical expertise is very different from one computer science student.

1

u/charleswj 22h ago

As someone else who works in big tech for a company that secures hundreds of millions of personal and business users' accounts, this is 100% correct. Microsoft has even released research on the safety of just SMS MFA over password only, and it stopped something like 99%+ of all password-related attacks.

People tend to think they're way more important than they are and that SIM swapping is way easier than it is in practice.

1

u/random20190826 21h ago

The problem is not about importance. For 99.999999% of SIM swappers, they do it to steal money. It is the same reason why people would use stolen credit cards to buy things online.

I keep talking about it because I know that SIM swapping is easy because I managed to do it, as I described in the OP.

1

u/charleswj 21h ago

The money is the importance here. Important means "target who is desirable enough to attack".

It is not easy in the way you describe. It takes significant effort compared to other attacks. It requires significant knowledge about the target. It requires significant time and often significant luck. It also tends to create significantly more exposure for the attacker that creates the need for even more time and effort to mitigate.

Since you say you did it, explain the specifics of your methods. What knowledge did you require, how did you acquire it, how long did it take, and what effort was expended?

1

u/random20190826 21h ago

I did it because the target is my own sister. I live with her and I know her legal name, date of birth, address (obviously), and I control the phone to which the text verification code is sent, as I own that phone. So, she is already compromised because she is family.

As for money, I live in Canada, which means the primary means for stealing money from online banking profiles is unauthorized Interac e-transfers. Most people have limits of anywhere from $2000 to $10000 every 24 hours. This means a thief doesn’t get very far regardless of how rich a victim is, because if you try stealing $20000 from a chequing account with $100000 in it, that will take more than 24 hours, enough time for a victim to discover that their cell service stopped. I can imagine that most people have at least a few thousand dollars in their bank accounts. This means practically anyone can be targets, from 20-year-olds to 100-year-olds, from computer illiterate people to software developers, from low income people with $1000 in the bank to millionaires, etc…

1

u/charleswj 21h ago

I did it because the target is my own sister. I live with her and I know her legal name, date of birth, address (obviously), and I control the phone to which the text verification code is sent, as I own that phone. So, she is already compromised because she is family.

You're essentially saying "a person can SIM swap themselves (obviously), anyone who consents (obviously), or anyone who already has a very high level of trust in you", which is exactly my point. And in the third case, it's highly likely that a person who could do that could steal your TOTP codes or attack your finances or personal situation in other, likely more catastrophic, ways.

I wouldn't do it, but as an example: my wife has a best friend. We go to her house often. We'd be trusted there alone. I could rummage through her personal papers and find all the information (that I don't already know) required to steal her entire identity. I could add keystroke loggers to her computer. Hidden cameras pointing at her screen and kb. The list goes on.

The point is it takes effort and/or closeness, and if you can do either, you can probably get around TOTP anyway.

As for money, I live in Canada, which means the primary means for stealing money from online banking profiles is unauthorized Interac e-transfers. Most people have limits of anywhere from $2000 to $10000 every 24 hours. This means a thief doesn’t get very far regardless of how rich a victim is, because if you try stealing $20000 from a chequing account with $100000 in it, that will take more than 24 hours, enough time for a victim to discover that their cell service stopped. I can imagine that most people have at least a few thousand dollars in their bank accounts. This means practically anyone can be targets, from 20-year-olds to 100-year-olds, from computer illiterate people to software developers, from low income people with $1000 in the bank to millionaires, etc…

You think people are getting SIM swapped by strangers for $1k?

1

u/drplokta 1d ago

If the codes are on both your phone and your computer then you’re probably using an Internet service of some kind that keeps them in sync. What’s your recovery strategy if that service has a meltdown and corrupts all copies of them?

1

u/random20190826 23h ago

I am actually not using any Internet service to keep them in sync. When I set up the codes, I set them up on my phone and computer at the same time. On my iPhone, it is Google Authenticator logged out. On my computer, it is KeePassXC. They are different programs using the same open standard. Again, I know the biggest vulnerability is malware on my computer sniffing out the seed code more than anything. I never store Authenticator codes online because I know about these dangers.

In the event that both my computer and phone get destroyed, it probably means my house is destroyed, which possibly means I am dead. Even if I am still alive, losing Authenticator codes is the least of my problems if I am homeless in a country where the temperature dips well below freezing in the winter and soars above human body temperature during the summer.

1

u/charleswj 21h ago

What percent of people who setup totp do you think take any precautions whatsoever to ensure recoverability?

For that matter, why do you think the likelihood that someone will sim swap you is greater than the likelihood that something happens to both codes? But suggesting that the only scenario where you lose access to your codes is one where you're dead or soon to be due to exposure to the elements seems intentionally crafted to make one scenario more likely than the other.

1

u/random20190826 21h ago

I don’t have any statistics to prove how many people take precautions. However, can you think of a scenario in which both my phone and computer would be either lost, stolen, damaged or destroyed, but at the same time, I would remain uninjured and my house is intact? My computer is a desktop computer that has no backup battery, which means the only scenarios are earthquakes, house fires, floods and home invasions. All of these are very deadly events.

I don’t think the most important concern is the likelihood of these things happening. But rather, what are the consequences when they happen. If a SIM swap occurs, I lose access to information, probably lose money and have a very difficult time getting reimbursed. Whereas losing both codes would render the email accounts permanently inaccessible. At that point, I would just work with banks and merchants to get things changed to a new email address and set up new authentication codes. No money is lost.

1

u/charleswj 21h ago

Nearby lightning strike. And it's very rare for people to actually die in the events you described.

At that point, I would just work with banks and merchants to get things changed to a new email address and set up new authentication codes.

How would you do this and why couldn't the sim swapper do this?

1

u/random20190826 21h ago

Ideally, if a bank knows what they are doing, they would force me to go to the branch with ID to reset things like this.

1

u/charleswj 21h ago

I haven't set foot in a bank in well over a decade, and that was for a very large cash withdrawal.

The points I'm trying to make are that you're obsessively focused on a technical fix for what can still be worked around but is also less of a risk than those things that can still be worked around

1

u/charleswj 21h ago

As an exercise, you should try "losing" access to all auth methods and see what it takes to get back in. If they insist on in person, say you're bedridden. I suspect you'll find that it's likely in the realm of what a person who can sim swap you can already do.

1

u/SetNo8186 23h ago

It's not account safety, it's connecting your phone as an essential part of identifying who you are. In China this went to the extent that your phone with its banking info was the only medium of financial exchange - cash was diminished and you used your phone no matter what.

Unless you made a dissatisfied post online which caught the notice of authorities who froze your bank account. This was done wholesale against one group of people who were also interned and used for forced labor, and worse.

If they can link our phone and bank, then monitor our social media, we are then their lackeys with no freedom. What amazes me is that this is all open source yet so many ignore it when it's spoken of, as if it can't be happening. Well, Germany is knocking down doors and arresting people for memes, it can and is happening yet so many just shrug it off. Once it's done in America, it will be extremely difficult to turn around, and there are a lot of powerful institutions attempting to further it. Being as Americans can be very difficult to coerce, it's taking much longer than anticipated with many setbacks. A lot of us have the 40,000 foot point of view after decades of living here and seeing the drastic loss of freedom over the last 50 years. It's not the country we were born in. Trying to do anything in America without valid ID is now impossible, next step is making us all bend our knee with financial control.

1

u/random20190826 22h ago

Interestingly, since I am from China, I know all too well that all of this is true. In China, your bank account and your phone number are both tied to your ID, which is so centralized that a bank teller can see your social security contributions. I know that because I was asked why I didn’t have such contributions when I opened a Chinese bank account, to which I lied about working in the US. Unlike Canada, China mandates real name registration on phone numbers. This means if you want a Chinese phone number, you must give your ID to the phone company.

Many prepaid services in Canada don’t require ID. I happen to use them not because of privacy, but because prepaid is substantially cheaper than postpaid. But here too, banks are way too reliant on cell phone based SMS authentication despite law enforcement agencies like the FBI warning about the dangers of SIM swapping. I know that it will take a very rich person losing a lot of money or hundreds of millions of average people losing money to this kind of fraud before anything will change. It is a sad state of affairs.

1

u/dmatech2 23h ago

The problem with some of these MFA techniques is that they're too good for the average normie.  When someone is using SMS MFA, the user can just go to the phone company and get a new phone if theirs gets lost, and they don't have to worry about losing the TOTP secrets.  Remember that a lot of people don't know how TOTP works, aren't willing to learn, and don't even care.  They just want someone to scream at when it breaks.  Companies don't want to have to deal with their anger, and see SIM swapping as sufficiently rare to be worth the higher risk of compromise.

1

u/random20190826 22h ago

My biggest worry is with the banks. At least with all those companies I mentioned, I had the option to disable SMS authentication even though they discourage it. With banks, no one gets that option. The problem is, bank accounts have actual money in them. That means if they are hacked, my money would be stolen. Unfortunately, the way that SMS 2FA is implemented at the banks enables someone to reset the online banking password solely based on the SMS verification code. This makes it look like the account holder gave the code away to a scammer and the bank will not reimburse for those fraud losses unless the thief is convicted. Even then, the victim may have to sue the thief directly in civil court for compensatory damages. That means if the thief doesn’t have the money, the victim cannot collect on the judgement even if they win.

1

u/charleswj 21h ago

The irony of your points is that banks are actually safer than the purely personally protected options like crypto self custody, which is essentially what removing passwords and phone numbers is (at the auth level). People lose more money, more often, from crypto than banks when controlled for how many users there are for each.

1

u/random20190826 21h ago

I wasn’t talking about crypto in any of my posts. I don’t have any cryptocurrency anywhere. All I know is that banks are far more risky than, say, Interactive Brokers (a large international stock brokerage firm). Indeed, banks with forced phone number based authentication are more dangerous than Gmail, Hotmail or Amazon, because these 3 companies at least let you remove the phone number.

1

u/charleswj 20h ago

I didn't say you did, I was making a point about "purely technical measures". There is a lot more "soft" security in use in banking than you might think. And there are different risk profiles between a regular bank and something like IB.

I'm a technologist, I get it, I like absolutes and technical fixes. But the reality is the way things are is, from a practical perspective, secure enough. If we see sudden increased risk in SIM swaps and account takeovers that outweighs the risk to the 99% of getting locked out of their accounts, things will change.

1

u/random20190826 20h ago

Why would banks be different than IB if both hold real money and have the same KYC requirements? In fact, banks have brokerage arms and they use the same login for all of their services. That makes bank brokerage accounts more likely to be breached than IB, at least that is the logical conclusion based on the authentication methods available.

Basically, my argument is simple. The purpose of a bank is to keep a customer’s money safe from unauthorized access by third parties. By not offering secure means of authentication or not allowing the disablement of dangerous methods, the bank has failed in its duty of care. Therefore, when SIM swapping occurs, they shouldn’t be able to turn around and accuse the victim of being negligent in the protection of their account credentials.

1

u/charleswj 20h ago

Different banks have different risk profiles at least partially due to different customer profiles.

Implementing what you're asking for would increase costs, financially and otherwise, on the bank and its customers. Would you be willing to pay e.g. $5/mo for additional support for others who lock themselves out?

I'm sure you're aware that increased security always reduces usability.

1

u/Solid_Mongoose_3269 22h ago

Because if they have your email and phone number, that data can be used to link you all over places that the government can use to get most of your identity

1

u/Malcompliant 19h ago

Most users don't back up the codes and most users have malware on their computer. The purpose of the warning is to make it clear that your account becomes totally unrecoverable if you aren't taking the correct precautions on your end.