From: "Carlos E.R."
Newsgroups: comp.mobile.android
Subject: Re: Codes sent by text message
Date: Mon, 11 Mar 2024 13:37:02 +0100

On 2024-03-10 08:58, Dave Royal wrote:
> "Carlos E.R." Wrote in message:
>
>> On 2024-03-09 20:24, Newyana2 wrote:
>>> "The Real Bev" wrote
>>>
>>> | WTF? Why is the google voice number not a REAL phone number?
>>> |
>>> As V said, the simple answer is that they want to spy.
>>
>> No, that's not it. Not for a bank.
>>
>> They want to know that you are an actual person with a phone and
>> contract. They have to trust the company giving those numbers.
>
> Exactly. Banking regulations require them to use 2FA and SMS is a
> simple and cheap way of doing it. Not very secure, though more
> secure than email. Also it's easily understood by customers, and
> that's very important. AMEX send me _both_ an SMS and an email,
> which is convenient but more insecure - an OTP should go to
> exactly one device.
>
> I have a TOTP client on both my phone (FreeOTP) and tablet
> (andOTP) but none of my UK banks or savings accounts uses them.
> One bank provides me with an OTP gadget, but that was before 2FA
> became a legal requirement. I can also use their banking app to
> generate a code: I think that's what will replace SMS for most
> people.
>
> That banks or banking authorities are actually thinking about the
> security of these SMSs and refusing to send them to some mobile
> services is vaguely encouraging.

There was an attack on Orange, basically breaking all internet service,
and it was commented that had the attacked machines (RIPE database?)
used a simple 2FA, the attack would not have succeeded.

Nothing is fully safe, but an SMS to a mobile is better than nothing.

-- 
Cheers,
Carlos.