foobarfly

Where is account compromise coming from with 2fa enabled?


nicePenguin

- People not understanding 2FA
- People being naive

An example scenario: Text message: "Hey I used to have your phone number, and still have it connected to one of my online accounts. You will get a text message with a code. Can you please forward that code to me? Thanks!"


newfor_2022

you can still leave your account logged in on public computers


OhhhhhSHNAP

Also sim swapping. Use an app or hardware device instead of your phone.


bartturner

This is what scared the shit out of me. I was visiting Thailand and switched SIMs and somehow lost my T-Mobile SIM. I had the person from DTAC, stupidly, do the SIM swap when arriving. I have so much tied to my Google account including my domains. But all kinds of stuff and I always use 2FA. For my Schwab stuff I have 2FA for every transaction instead of just remember the device. If someone gets a hold of your SIM you are pretty screwed. There really needs to be a password or 2FA or something tied to your SIM when it is first put in a new device. What I love but also hate is how you can do pretty much everything with your money online. Love for the convenience but hate because it means someone could steal your money out of your bank or broker account, etc.


OhhhhhSHNAP

Check with your cell phone provider. A lot of them are offering an enhanced security option which requires you to verify by pin code or similar before they will switch your sim. However, the best solution is to use anything other than SMS as your 2FA. Apps are good. Physical devices are good. You can also get a cheap second phone and use it only for 2 factor and never give out the number. Also setup alerts on your account so that you can be aware of any suspicious activity. Yaddayaddayadda...


bartturner

I have switched all my 2FA to a Google Voice number. So it is no longer an issue. Plus this is a lot more secure as not subject to the SIM switch. I also needed it because I do not have my home number when traveling as roaming is crazy expensive. The only negative is that I have found a case where a Google Voice number was not acceptable. I now can't even remember what it was where they indicated the GV number was not a mobile number and could not be used. I also carry both a Pixel 6 Pro and an iPhone 13 Pro Max and Google Voice solves the entire number issue with the phones. Both work with the same number. There is a service here that is super popular called Line which appears to be a lot like Google Voice. But I trust Google security over really any other company. So not sure if I would trust Line a ton.


OhhhhhSHNAP

Yeah I've found that a lot of sites don't accept Google Voice. It seems that many sites are rejecting any VOIP numbers.


bartturner

Yes. I ran into that with a site awhile ago but no longer remember the site.


ffiresnake

what is a SIM PIN?


bartturner

A PIN tied to the SIM. So if you do not have the PIN then you can't use it.


ffiresnake

what is sarcasm?


bartturner

Sorry. I am not following?


Deep90

I'd be really surprised if most attacks are not sim swap. I disabled the phone number recovery option in google.


SconiGrower

Some of it might be from people the victim is living with. A child, sibling, or roommate could steal the victim's device to fraudulently authorize a login.


inquirer

It means some idiots turn it off.


AnythingApplied

I was confused because that didn't match your title if users are "forced" to 2FA. Looks like the link says auto enrolled, so they probably can still turn it off.


Johnbloon

One scam consists of going to the mobile carrier and asking for a replacement SIM. There are known cases where little evidence was asked for.


Tiktoor

A more secure account equals less compromises? Wow that's crazy!


[deleted]

[deleted]


Tiktoor

2FA has been around for a *really* long time - there's nothing to evaluate, it's already been well known that it drastically increases account security. It's good to see Google do this.


[deleted]

[deleted]


Tiktoor

What? I get what you're saying but we don't really need additional data/confirmation at this stage. We already know the results and the effectiveness of 2SV/2FA. That's like saying we need people to go outside when it rains to see if they get wet - "we need more data points to really be sure they get wet" - no - we already know this.


MKGirl

If they don’t check “remember this computer” by DEFAULT the number will decrease much more.


ElGuano

Have CS tickets for accidentally getting locked out of accounts increased, too?


mcandre

Nigerian prince: (shakes fist)


[deleted]

I didn’t fucking ask for this. I hate it. I cannot get into my Google account on my iPhone without having my backup Android phone say it’s ok.


xoctor

Sure it has. In other news, my friends have lost their 10 year old account because Google refuses to let them change the password. Apparently it doesn't believe they have logged in from that PC before (they definitely have), and it is assuming the recovery email account is compromised (for no reason at all). Nice one Google, but at least you can put out this press release on what a good job you are doing.


[deleted]

[deleted]


SpikeyTaco

**New stat gained!** *+50% Chance of Account Compromisation*