Last Updated: Feb 7th, 2020 8:39 pm
Deal Addict
Mar 19, 2005
1276 posts
67 upvotes
Montreal
The scam may not be new but it's only recently that some companies have started to implement account recovery via SMS. As mentioned by others, TD/MBNA does that.

Microsoft also does that too for recovery but if you have activated MFA with the authenticator app, even the recovery will require another recovery code or the use of the Authenticator.

The other issue is that companies like Videotron still ID using Date of Birth, Postal Code and/or Mother's maiden name. Not too hard to get this info.

People underestimate this, but email should be more protected than before. Once someone gains access to that, he can reset passwords for most websites.

Even text messages should always be hidden from your lock screen.
Sr. Member
Aug 17, 2018
538 posts
345 upvotes
Jucius Maximus wrote: This is also why TD Canada Trust's new standard of requiring a phone number to keep for verification is absolute idiocy. I would never use TD for anything important.
TD has been so useless in terms of account security, you only use them for their promo events then leave. Many times I had to re-authenticate at a branch because they screw up their system and delete access to my account.
Member
Dec 13, 2006
258 posts
16 upvotes
Jucius Maximus wrote: No, but you can get enough information to unlock sites like Amazon and PayPal, which already have this info entered.
I have an Amazon Prime account but I do not have any CC information stored there. (Each time I make a purchase I enter the CC info and then delete it subsequently).
Member
Dec 13, 2006
258 posts
16 upvotes
Jucius Maximus wrote: They used SMS password recovery to get into online banking
I am sure I am missing...how will the "hacker" who has ported my # obtain the bank access card # which one requires as part of the log in?
Jucius Maximus wrote: The correct way of protecting yourself is to never link your mobile number to password recovery. Use the Google 2FA app or similar, where available.
I am not the most tech savvy so correct me if I am wrong, but if I deselect my mobile # as the second stage of authentication in my Gmail account and instead use one of the 8-digit backup codes, that seems a simple option for me for 2FA which is "safe" from a remote hacker.
Deal Fanatic
Feb 4, 2015
5508 posts
2101 upvotes
Canada, Eh!!
So in terms of security how would the following rank from most secure to least secure:

1. Google authenticator or similar or hardware token
2. Google voice number that has no name on it or has made up name and has USA area code
3. Landline
4. Voip number [But not sure how secure these are or at least the ATA used]
5. Family mobile
6. Your mobile

For TD I guess 1 is not possible but could use 2?

Or is the above order wrong?
Deal Expert
Aug 18, 2005
18996 posts
3655 upvotes
Burlington-Hamilton
21Rouge wrote: I am sure I am missing...how will the "hacker" who has ported my # obtain the bank access card # which one requires as part of the log in?
With TD at least, you can do a password recovery with a username. They'll use phone verification to recover access to Gmail, etc., and then find out what other accounts and services you use. Based on this, they can make some educated guesses on what username you use, since most people reuse the same name on many sites. Furthermore, if they got into your e-mail, they will be able to get a lot of information about you from mail, and accounts that can be recovered through e-mail. That may be enough to call into TD and socially engineer access by saying they forgot the login ID and password.

Combine this with other databases of leaked / hacked e-mail and password combinations from other sites, people who re-used any credentials on any website will probably get owned.

I never reuse username, passwords, e-mails on any site. Yes, I use a unique e-mail on every website, which forwards into my main e-mail.
21Rouge wrote: I am not the most tech savvy so correct me if I am wrong but if I deselect my mobile # as the second stage of authentication in my gmail account and instead use one of the 8 digit backup codes seems a simple option for me for 2FA which is "safe" from a remote hacker.
No. You use the Authenticator app, which generates a new code every 30 seconds. The backup codes are only for cases when you can't use your phone, for example: broken phone, stolen phone, no battery.

Those backup codes saved my butt when I dropped and broke my phone while on vacation in Asia.

Here's a good summary for you:


As with all security, it becomes more annoying as it gets more secure.
Don't lose your 8-digit backup codes, or you could get seriously locked out of your Google account. I personally keep all my 2FA QR seed codes and backup codes in an encrypted password manager database. And I print out my key backup codes and keep the paper in a safe place.
Last edited by Jucius Maximus on Nov 21st, 2019 10:25 pm, edited 1 time in total.
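To show why the authenticator app the post above recommends does not depend on a phone number, here is an added example (not code from this thread or from any authenticator vendor): a minimal TOTP implementation per RFC 6238, with the 30-second step, an otpauth:// URI of the kind the QR code encodes, and verification with a small clock-skew window. The issuer and account names are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# TOTP (RFC 6238) on top of HOTP (RFC 4226). The only shared secret is the seed
# held by the service and the app; a SIM port or intercepted SMS never sees it.


def new_seed(nbytes: int = 20) -> bytes:
    """Fresh random seed. Calling this again is the 'generate a new 2FA seed' step:
    every code derived from the old seed stops verifying."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(seed: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI, the payload an authenticator app reads from the enrolment QR code."""
    b32 = base64.b32encode(seed).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}&digits=6&period=30"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter = Unix time // step (30 s by default)."""
    if at is None:
        at = int(time.time())
    return hotp(seed, at // step, digits)


def verify_totp(seed: bytes, submitted: str, at: Optional[int] = None,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps either side
    to tolerate clock drift, comparing in constant time."""
    if at is None:
        at = int(time.time())
    counter = at // step
    return any(hmac.compare_digest(hotp(seed, counter + k, len(submitted)), submitted)
               for k in range(-window, window + 1))
```

The test values below come from the RFC 4226/6238 reference vectors (secret "12345678901234567890"), so the output can be checked against the standard.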
Deal Expert
Aug 18, 2005
18996 posts
3655 upvotes
Burlington-Hamilton
georvu wrote: So in terms of security how would the following rank from most secure to least secure:

1. Google authenticator or similar or hardware token
2. Google voice number that has no name on it or has made up name and has USA area code
3. Landline
4. Voip number [But not sure how secure these are or at least the ATA used]
5. Family mobile
6. Your mobile

For TD I guess 1 is not possible but could use 2?

Or is the above order wrong?
Assuming your adversary is some anonymous criminal, I'd say 2FA through Google Authenticator or similar app is #1, as you can generate a new 2FA seed at any time. Hardware token is second.

A 'secret' phone number is the next most secure, since crooks won't know what number to steal.

A 'known' phone number is less secure.

A 'known' phone number that's associated with you, such as your own mobile number, is not so secure.

I personally do have a 'secret' VoIP number that I use for these things. This is really only 'security through obscurity,' which I implement only for services that require a phone number.
Member
Dec 13, 2006
258 posts
16 upvotes
Thanks for taking time to reply jM.
Jucius Maximus wrote: With TD at least, you can do a password recovery with a username.
For my TD login I have no "username" as I log in each time with my "access number".

Jucius Maximus wrote: No. You use the Authenticator app, which generates a new code every 30 seconds.
Just tonight I set up the Google Authenticator BUT that won't help me be more secure (yet) as I can't see how to completely eliminate a phone # associated with one's Google account, which then continues to permit "another way to sign in", i.e. the easily compromised SMS code method.
Jucius Maximus wrote: The backup codes are only for cases when you can't use your phone, for example: broken phone, stolen phone, no battery.
Thanks for clarifying. I have printed out a copy for safekeeping.
Jucius Maximus wrote: Here's a good summary for you:
Will do.
Member
Dec 13, 2006
258 posts
16 upvotes
georvu wrote: So in terms of security how would the following rank from most secure to least secure:
It is my understanding that Google Prompt is more secure than an SMS sent code but I am not sure why if both are dependent on a phone number. (Is Prompt phone # dependent?)
Deal Fanatic
Feb 4, 2015
5508 posts
2101 upvotes
Canada, Eh!!
Jucius Maximus wrote: Assuming your adversary is some anonymous criminal, I'd say 2FA through Google Authenticator or similar app is #1, as you can generate a new 2FA seed at any time. Hardware token is second.

A 'secret' phone number is the next most secure, since crooks won't know what number to steal.

A 'known' phone number is less secure.

A 'known' phone number that's associated with you, such as your own mobile number, is not so secure.

I personally do have a 'secret' VoIP number that I use for these things. This is really only 'security through obscurity,' which I implement only for services that require a phone number.
If I had to choose from the two choices below, which one:

Google voice number that has no name on it or has made up name and has USA area code
Voip number [But not sure how secure these are or at least the ATA used]

I'm thinking Google Voice number, as VoIP may have your name associated, and even if not, the underlying ATA device might present a security issue.
Deal Expert
Aug 18, 2005
18996 posts
3655 upvotes
Burlington-Hamilton
21Rouge wrote: It is my understanding that Google Prompt is more secure than an SMS sent code but I am not sure why if both are dependent on a phone number. (Is Prompt phone # dependent?)
Google Prompt goes over the Internet, be it a 4G connection or your home WiFi. It's tied to your Google account, not your phone number. It's an Android OS feature.

If someone SIM-jacks your number, you will lose mobile internet access, so you won't get your Google Prompt notifications until you connect to WiFi. The thief will not get your Google Prompt notifications because they are not logged into your Google account.

Personally I still prefer the authenticator apps. More versatile. Doesn't need a data connection. Doesn't even need to be logged into anything. Fewer moving parts and fewer points of failure compared to the Google Prompt option.
21Rouge wrote: Just tonight I set up the Google Authenticator BUT that won't help me be more secure (yet) as I can't see how to completely eliminate a phone # associated with one's Google account, which then continues to permit "another way to sign in", i.e. the easily compromised SMS code method.
It is possible to totally remove SMS authentication in the Google account. I've done it, but they make it hard to find, as most people are truly unprepared for the possibility of losing their phone number.

I'm on mobile right now but I'll look up the location of the settings later.
Last edited by Jucius Maximus on Nov 22nd, 2019 11:46 am, edited 2 times in total.
Member
Nov 18, 2008
249 posts
78 upvotes
Toronto
Jucius Maximus wrote: It is possible to totally remove SMS authentication in the Google account. I've done it, but they make it hard to find, as most people are truly unprepared for the possibility of losing their phone number.

I'm on mobile right now but I'll look up the location of the settings later.
Care to share how to do that, remove phone number as an authentication means? I also tried doing that with Outlook, but couldn't find a way because 2FA insists on a phone number.
Member
Dec 13, 2006
258 posts
16 upvotes
Jucius Maximus wrote: Personally I still prefer the authenticator apps. More versatile. Doesn't need a data connection. Doesn't even need to be logged into anything. Fewer moving parts and fewer points of failure compared to the Google Prompt option.
So just speaking for me, if we are addressing the number port hijack, it seems that it would be best to have (if I exclude a hardware key) only the (Google) Authenticator and maybe the Google Prompt (with the 8-digit backup codes previously printed out) as the only options for the second step of authentication to my Gmail account.

Jucius Maximus wrote: It is possible to totally remove SMS authentication in the Google account. I've done it, but they make it hard to find, as most people are truly unprepared for the possibility of losing their phone number.
And yet with the disadvantages of SMS authentication I would have thought it would be easy to find lots of links describing the steps to completely eliminate the option of SMS auth.

Jucius Maximus wrote: I'm on mobile right now but I'll look up the location of the settings later.
Much appreciated jM.
Last edited by 21Rouge on Dec 9th, 2019 1:09 pm, edited 2 times in total.
Deal Expert
Aug 18, 2005
18996 posts
3655 upvotes
Burlington-Hamilton
georvu wrote: I'm thinking Google Voice number, as VoIP may have your name associated, and even if not, the underlying ATA device might present a security issue.
I'd be OK with using a Google Voice number for my own 2FA, as long as I had not shared that number with other people. Unfortunately people in Canada cannot get Google Voice right now, otherwise I'd sign up.
Currently I have another different number that nobody else knows about to use with sensitive SMS-based 2FA.
jkhan wrote: Care to share how to do that, remove phone number as an authentication means? I also tried doing that with Outlook, but couldn't find a way because 2FA insists on a phone number.
I was only talking about Google account here. I don't know about Outlook. Microsoft probably thinks you're too stupid to handle an account without a phone backup, and they don't want to dedicate the call centre resources to help people who got locked out.
21Rouge wrote: And yet with the disadvantages of SMS authentication I would have thought it would be easy to find lots of links describing the steps to completely eliminate the option of SMS auth.
Here's how you disable the use of SMS to access a Google Account.
This assumes you have already set up the Google Authenticator or similar app.
MAKE SURE YOU KEEP YOUR 2FA BACKUP CODES PRINTED OUT AND SECURED. OTHERWISE YOU COULD GET LOCKED OUT OF YOUR ACCOUNT!!!

1. Enter your Google account settings.
2. Click on Security.
3. Scroll down to 'Recovery phone'.
4. Ensure that no phone numbers are entered here.

Go back to the Security menu

5. Click on 2-Factor authentication.
6. Scroll down to 'Voice or Text Message'.
7. Ensure that no phone numbers are entered.

Now verify that the settings were successful

8. On the left hand menu, click on 'Personal Info'.
9. Under 'contact info' you should still see a phone number. Click on it.
10. At the top of this menu, you'll see an option: 'Use your phone number for account recovery, so that you can get account security alerts and reset your password if you forget it: set up'.

That option to set it up means that your number is NOT set up for account recovery.

After this, you may see a reminder from time to time, when you login to your Google account on a PC, strongly suggesting you add a recovery phone number. Ignore it.

REMEMBER, IF YOU LOSE YOUR 2FA RECOVERY CODES, YOU WILL HAVE A BIG PROBLEM GETTING BACK INTO YOUR ACCOUNT!!
Member
Dec 13, 2006
258 posts
16 upvotes
Jucius Maximus wrote: Here's how you disable the use of SMS to access a Google Account.
This assumes you have already set up the Google Authenticator or similar app.
MAKE SURE YOU KEEP YOUR 2FA BACKUP CODES PRINTED OUT AND SECURED. OTHERWISE YOU COULD GET LOCKED OUT OF YOUR ACCOUNT!!!
jM, I do appreciate you taking the time to detail the procedure.

I will do this shortly but just to confirm, if one removes all references to a backup phone # as you describe above, one still has 2FA with the 2nd step being either an Authenticator, Backup Codes or even... the Google Prompt?

Also with no phone # so to speak, will that have any negative effect on updates for Apps coming from the Google Play Store?
