Last Updated: Feb 7th, 2020 8:39 pm
Deal Expert
Aug 18, 2005
18997 posts
3655 upvotes
Burlington-Hamilton
21Rouge wrote: I will do this shortly but just to confirm, if one removes all references to a backup phone # as you describe above, one still has 2 FA with the 2nd step being either an Authenticator, Backup Codes or even.....the Google Prompt?
Yes, as long as you already set up the other 2FA method first, it's still going to be active.

Don't forget, those backup codes are only for emergencies. I have only used them one time in 7 years, when I broke my phone while travelling overseas.
Member
Dec 13, 2006
258 posts
16 upvotes
Jucius Maximus wrote: MAKE SURE YOU KEEP YOUR 2FA BACKUP CODES PRINTED OUT AND SECURED. OTHERWISE YOU COULD GET LOCKED OUT OF YOUR ACCOUNT!!!
Maybe not quite as dire as one would still have a "recovery email address" associated with the gmail account in question?
Deal Expert
Aug 18, 2005
18997 posts
3655 upvotes
Burlington-Hamilton
21Rouge wrote: Maybe not quite as dire as one would still have a "recovery email address" associated with the gmail account in question?
I've never tried the recovery e-mail address part.
Member
Dec 13, 2006
258 posts
16 upvotes
Jucius Maximus wrote:
I was only talking about Google account here.

Here's how you disable the use of SMS to access a Google Account.
I recently did all of that in the past couple of weeks to my multiple gmail accounts.

(I still have "Prompt", Authenticator (Aegis) and printed out codes as second steps in authentication).

Thanks again Jucius Maximus...I feel better about the security of our family's gmail accounts.

(New Year's Resolution.....look at a password manager)
Deal Expert
Aug 18, 2005
18997 posts
3655 upvotes
Burlington-Hamilton
21Rouge wrote: I recently did all of that in the past couple of weeks to my multiple gmail accounts.

(I still have "Prompt", Authenticator (Aegis) and printed out codes as second steps in authentication).

Thanks again Jucius Maximus...I feel better about the security of our family's gmail accounts.

(New Year's Resolution.....look at a password manager)
Great job!

For password managers, I prefer KeePass, but most people should probably use LastPass or 1Password.
Moderator
Jul 5, 2004
24677 posts
4008 upvotes
A SIM swap alone won't get the thieves any information. In fact, the scam doesn't start with the SIM swap. These people are getting their victims' personal information first, which allows them to then swap the SIM.

If someone stole my SIM, that would give them nothing. They still need my e-mail address in order to try to reset passwords for sites that require e-mail to login. Most of my banking is accessed by entering the card number. An e-mail wouldn't work. So they would also need my card numbers, which they would have no access to even if they did get into my e-mail.

All these scams have one thing in common: people are being too careless with their private information. If a thief has no information about you, a SIM swap isn't possible, but even if they could pull it off, they can't get any information from a SIM alone.
Member
Dec 13, 2006
258 posts
16 upvotes
Shaner wrote: If someone stole my SIM, that would give them nothing. They still need my e-mail address in order to try to reset passwords for sites that require e-mail to login. Most of my banking is accessed by entering the card number. An e-mail wouldn't work. So they would also need my card numbers, which they would have no access to even if they did get into my e-mail.
I believe it isn't very hard for a malicious individual to be in the know regarding a person's email address and cell #.

And taking it to the next step, it appears also not too difficult to port said # as telcos seem lax in regard to an individual's mobile account security.

Having said the above I am not overly concerned that, at least not initially, I would lose money if the "hacker" was able to port my # BUT I would be very fearful to lose our family's decades old primary email address with the "malicious individual" using the selection "forget password", hoping to get that SMS for a PW reset.

Now I would like to think that it would take more than the email address and the associated cell # as the recovery #, for an email provider to send out that crucial SMS but I am doing what I can to remove that "weak line" in the 2 FA setup i.e. the SMS as proof of email account ownership.
Penalty Box
Jun 24, 2015
3611 posts
1044 upvotes
Woodbridge, ON
There was a posting about this already but thanks for the heads up.
Hi
Deal Expert
Aug 22, 2011
32036 posts
17917 upvotes
Ottawa
Once they steal your number, they attempt the "forget my password" at all of the different online banking institutions, until they get a hit?
With RBC, you need to know the debit card number/username or email address!
Deal Addict
Aug 15, 2015
1568 posts
194 upvotes
Markham, ON
I wonder when this thread will be locked and pinned.

Less discussions or more discussions?

Scam or not scam?

What happened?

This, this, that and a little bit of this.

What else?

That's it.
