This should be far more secure and privacy friendly than a Sim card of a cellular connection. Why isn’t this done more often? What are the Pros and Cons. I bet the price is similar as well.

  • Majestic@lemmy.ml
    link
    fedilink
    arrow-up
    29
    ·
    2 months ago

    Cons:

    You absolutely cannot get 2FA authenticator codes from 90% of services. Many services that require a phone number even without 2FA just for “verify you’re a human” or because they want your data or to verify region use shortcode services that also will not work with ANY VOIP provider.

    You will not receive their codes. These companies vary from banking institutions to gaming companies to online shopping marketplaces and stores to a Google account (used to be you could get an automated phone call to verify an account, not anymore, must be able to receive SMS from shortcodes that are disabled for VOIP numbers to register and to recover an account) just about anyone you could end up doing business with.

    A shockingly large amount of companies demand phone numbers and send verification texts before allowing you to do business with them, to create an account, to recover an account, to delete an account, to place an order, etc.

    They really shouldn’t, it’s a bad security practice but companies love it because with a phone number they can lower support costs by just allowing people to do a self-service where they get an automated text and can unlock their locked account. They also love harvesting that data and preventing anonymization with VOIP numbers and the reduction of fraud and increase of reliable KYC that comes with requiring them.

    And they all take it as a given that EVERYONE or at least 99% have a cell plan with a non-VOIP number that works with these and the 1% who don’t they don’t care about in the developed world and are an acceptable loss.

    • mox@lemmy.sdf.org
      link
      fedilink
      arrow-up
      9
      ·
      2 months ago

      I think how often this is a problem varies widely from person to person. I don’t remember the last time I gave a mobile number out to a company, but it was more than a few years ago. The last few that strictly required one were non-essential; I just took my business elsewhere.

    • JustEnoughDucks@feddit.nl
      link
      fedilink
      arrow-up
      5
      ·
      2 months ago

      90% of American commercial services that is.

      Online services or many/most European services have more proper 2FA (TOTP, app-based, card reader OTP, etc…)

      • delirious_owl@discuss.online
        link
        fedilink
        arrow-up
        3
        ·
        edit-2
        2 months ago

        Can you name me an EU bank that doesn’t demand a phone number to signup?

        Unfortunately, PSD2 doesn’t support TOTP and other strong 2FA solutions, so they all appear to require phone numbers. This is one area where EU is worse than US

        • JustEnoughDucks@feddit.nl
          link
          fedilink
          arrow-up
          2
          ·
          edit-2
          2 months ago

          That is a completely separate issue from the above commenter.

          You absolutely cannot get 2FA authenticator codes from 90% of services

          A shockingly large amount of companies demand phone numbers and send verification texts before allowing you to do business with them, to create an account, to recover an account, to delete an account, to place an order, etc.

          They really shouldn’t, it’s a bad security practice but companies love it because with a phone number they can lower support costs by just allowing people to do a self-service where they get an automated text and can unlock their locked account.

          Also an issue, but indeed a separate issue from using unsecure SMS as TOTP.

        • Nithanim@programming.dev
          link
          fedilink
          arrow-up
          2
          ·
          2 months ago

          My EU bank never ever used my phone number to verify anything. They only used it to contact me on some occasions. 2FA is done through their app.

          • delirious_owl@discuss.online
            link
            fedilink
            arrow-up
            1
            ·
            edit-2
            2 months ago

            Oh, right, their closed source app. Thats allowed. So it requires a phone.

            So the OTP is still transmitted to satisfy the requirements of PSD2. But TOTP (a more secure system that doesn’t transmit the OTP at all) is not allowed.

      • Majestic@lemmy.ml
        link
        fedilink
        arrow-up
        1
        ·
        edit-2
        2 months ago

        You can but they’ll find out. It’s reported or flagged or something, they can tell what provider holds a number and they block VOIP ones. Also if a number was ever previously a VOIP number do not try and transfer it back to proper cellular as it will still remain blocked for many but not all of these for years potentially.

    • chappedafloat@lemmy.wtf
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      1
      ·
      2 months ago

      You can buy for cents phone numbers online for one time verification purpose or even rent the number for long term if you need. It’s better to use these anonymous cheap throwaway numbers if you want privacy instead of your real phone number for everything.

    • delirious_owl@discuss.online
      link
      fedilink
      arrow-up
      1
      arrow-down
      2
      ·
      2 months ago

      You probably shouldn’t be using a service that requires a phone number. More often than not, they use it as a backdoor to bypass your password and it leaves your account super vulnerable.

  • Hanrahan@slrpnk.net
    link
    fedilink
    English
    arrow-up
    12
    ·
    2 months ago

    Still so much 2FA via SMS where I am in Aus.

    I’d prefer to move everything over to something like Signal but I neeed a phone # to register for that but how do u tell the bank my Signal ID is @hanrhan.666

  • Broken@lemmy.ml
    link
    fedilink
    arrow-up
    6
    ·
    2 months ago

    I’ve been trying to work this out since the beginning of the year. This is anecdotally what I’ve done, what works and what doesn’t.

    Most of my solution comes from JMP.chat for my phone number along with the cheogram app for functionality.

    Basically I got a number for friends and family. I got a second number to give to businesses that don’t care about VoIP (my dentist etc). ($5 ea). Cons here are that SMS groups are limited to 10 recipients. This doesn’t work for my large family chats (I can get them but can’t respond). Another thing I dislike is since its XMPP based, all contacts are listed as their phone number if in a group, so it’s hard to tell who’s in it. (Solo texts show as names just fine). They have a premium tier that routes differently to allow more than 10 in a group text, but I’ve tried that twice now and the actual phone calling gets screwed up. So I’m still trying to get it all sorted out (and I’m not optimistic) It’s also a service only in USA and CAN.

    My original number that I’ve had for 20 years and all big tech have assigned to me, I ported to google voice ($20 fee)

    Since my original phone number was a carrier number it is already assigned to all the stringent companies like banks. They continue to use it without knowing its now a VoIP number. I have all SMS messages forwarded to my email so I don’t have to log into google ever. It works perfectly for 2FA. Shortcoming of this is that any group texts the email just says you got a group text, but a single source text the actual text is forwarded. I don’t use it for groups so its not a problem but just mentioning it as a potential con. Then of course, its legacy so opening new accounts won’t work the same way since its a VoIP number now.

    I bought a hotspot from calyx. By far the most expensive part of my solution. But it gives me WiFi access without a standard carrier (it does use T-Mobile but calyx doesn’t track you like they do). Check them out to see if it fits your threat model. It works out to about $50/mo but the biggest issue is that its an annual lump sum.

    Another option I’ve been trying is 4freedommobile. They have decent plans and are focused on privacy. Everything runs through their app for encryption. But I’ve found the app lacking both in UI and functionality. You can’t do group SMS (which is apparently coming very soon) but my biggest issue is they require google play services for notifications. They state they don’t, but they do. Hands down it just doesn’t work without it. So that’s a deal killer for me.

    Honorable mention is the premium service Elfani. I haven’t used it but have considered it. Its very expensive at $99 a month but is secure. However I don’t see much on privacy so I’m not sure how different they really end up being from their base AT&T provider.

  • NomenCumLitteris@lemmy.ml
    link
    fedilink
    arrow-up
    4
    ·
    2 months ago

    You can keep your cell number with jmp.chat. Call over wifi or data. They offer eSIM. View text messages on any device/program with XMPP support. 2FA works 100% like normal unlike VoIP. All data, calls, texts are routed through their VPN first, then the cell network. Any other inhouse XMPP chat not going to networks stay within XMPP. I have no affiliation with jmp.chat, I am satisfied with the service.

    • capital@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      2 months ago

      I could see this being a problem for me

      Note: While JMP does provide phone numbers and voice/SMS features, it does not provide 911, 112, 999 or other emergency services over voice or SMS.

      How do you deal with it?

      • NomenCumLitteris@lemmy.ml
        link
        fedilink
        arrow-up
        2
        ·
        2 months ago

        That is true, but there is a good reason. For example, you may call 911 in North America without any cell plan, or without a SIM. As you long as you are within physical range of any cell tower (whether your phone shows bars or not) the 911 call will go through. This is required by law. So, like your quoted text indicates, 911 calls would just need to be routed through your phone’s native dialer instead of, let’s say, Cheogram’s dialer (jmp.chat’s phone/message app).

        • delirious_owl@discuss.online
          link
          fedilink
          arrow-up
          3
          ·
          edit-2
          2 months ago

          SIM cards are a computing device that can execute closed source code on your device, sent from a cell tower

          Most of the zero days used by NSO Group that were reported by Citizen Lab only worked if you had a SIM card. By eliminating SIM cards, you decrease the surface area of attack by magnitudes

          • NomenCumLitteris@lemmy.ml
            link
            fedilink
            arrow-up
            2
            ·
            2 months ago

            Thanks for enlightening me. That is certainly concerning. I am not knowledgable enough to say if eSIM would be outside the scope of that attack. There are some differences in how the tech is implemented, but heck my eSIM still connects to the cell tower at the end of the day (and to multiple carriers, at that, unlike physical SIM). If there is a surface area, there is a chance for attack vectors.

  • chappedafloat@lemmy.wtf
    link
    fedilink
    English
    arrow-up
    5
    arrow-down
    1
    ·
    2 months ago

    Why not is the question and that comes down to guessing. Sheep do what they are told so don’t need to guess much there. Those who are not sheep have to go through a long journey to gradually keep increasing their privacy and unlearn the sheep habits we’ve been conditioned to have.

    The end goal is to throw away your phone because you can do everything on your computer instead including buying a phone number, using voip and take and make calls. Phones are unnecessary spy devices used by sheep.

    • Randomgal@lemmy.ca
      link
      fedilink
      arrow-up
      3
      ·
      2 months ago

      Hmmm… Or maybe people just like making calls easily man. Not everything is an ideology war.

      • chappedafloat@lemmy.wtf
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        2 months ago

        privacy is about making effort to protect it. With your logic you should just use google chrome browser and be signed in to google because it makes an easier experience. Then install alexa in your home and make it a smart home, it also makes life easier.

        • Analog@lemmy.ml
          link
          fedilink
          English
          arrow-up
          2
          ·
          2 months ago

          Not addressing your main points. Just wanted to point out you can have a smart home with purely local devices. No cloud.

  • Kairos@lemmy.today
    link
    fedilink
    arrow-up
    3
    ·
    2 months ago

    Pros is that you don’t need a small, fragile device to use your primary communication method.

    But the pros are that it’s usually cheaper if you know what to look for.

  • Jeena@piefed.jeena.net
    link
    fedilink
    Deutsch
    arrow-up
    2
    ·
    2 months ago

    The only time I call anyone is when my partner can’t find her phone and I have to call it, because we set it so that my number is on the VIP list so it will ring even if it’s on mute or Do not disturb mode.

  • Lawn_and_disorder [he/him]@hexbear.net
    link
    fedilink
    arrow-up
    2
    ·
    edit-2
    2 months ago

    SMS codes as mentioned and cellular data makes something with Sim card or e-sim a necessity. This can be mitigated by using a portable hotspot or cellular router/modem. Had a teltonika router that autoforwards the SMS as email.

  • delirious_owl@discuss.online
    link
    fedilink
    arrow-up
    2
    arrow-down
    1
    ·
    edit-2
    2 months ago

    If you care about security, don’t put a Sim card in your phone.

    Personally I don’t have a VoIP plan. For archaic services that I can’t live without and required a phone number, I use google voice or Skype. Its a vulnerability, so avoid if at all possible

    • refalo@programming.dev
      link
      fedilink
      arrow-up
      6
      ·
      2 months ago

      If you care about security, don’t put a Sim card in your phone.

      Depends on what you mean by security… or privacy. You need to define a threat model before any suggestions can be made.

      If you’re worried about someone hacking into your phone via an app, a sim card likely won’t make a difference.

      If you’re worried about your location being tracked… that can often be done without a sim card or any cellular service on your device.

      Then there are malicious carriers (or ones compelled by a government) that could track you without even having legitimate service activated. All phones at least in the US now are mandated to have (A)GPS receivers.

      All depends on what your concerns are.

      • delirious_owl@discuss.online
        link
        fedilink
        arrow-up
        1
        arrow-down
        2
        ·
        edit-2
        2 months ago

        My location isn’t being tracked. Not having a SIM card is part of the reason why.

        I’m not worried about apps on my phone owning my device. I would be worried about a SIM card owning my device.