Capital One is even worse - they locked me out of their app today and asked to send an SMS code - and they let you pick which number to send it to on the spot. Good one fellas. What is the point of having Touch ID and their dumb Swift ID stuff set up if they keep doing dumb stuff like this.
Google does this too when you sign in from "unknown" locations, if you don't have 2FA configured. I think the purpose is to slow down bots. If you try reusing the same number in quick succession on different accounts, Google won't let you.
I'm so glad I'm out of the family tech support "business"; if only firing real customers were so easy...
This really bugs me. I have throwaway Google accounts that I don't want to add my phone number to, so I can only access them from the location I created them.
Enabling 2FA should stop this from happening. Adding TOTP as your 2nd factor would require adding a recovery number, but maybe you can remove it after. I have accounts that have TOTP 2FA w/o a recovery number, but perhaps they were grandfathered in.
Alternatively, use a physical token as the 2nd factor, then no recovery number is required.
You can't create a Google account without a phone number (at least last I tried), however once you enable a 2FA method other than SMS you can then delete the phone number. To their credit, the phone numbers I gave to Google when setting up my accounts have never shown up in any of the usual law enforcement or skip trace databases, so I'm less apprehensive about opening new accounts with them.
T-Mobile sells me out once a year - I don't even give them my real name, they must get it from my credit card or something. This year I used a fake name "authorized user" card, still waiting to see if that keeps my latest number out of the databases or not, around nine months to go.
Wow, there's a lot to unpack here. How are you accessing law enforcement or skip trace databases to check?! And what do you mean by T-Mobile selling you out -- where did they give out your info? (They let you get a line without your real name?!)
You can request a copy of your info from those databases from TransUnion, LexisNexis, etc. and they'll send it to you. However, since they are not used in credit decisions they are not governed by the FCRA and you cannot dispute or amend anything. Every phone number I've ever had is in those databases, as well as every address I've ever lived at - plus a few dozen variations that are typos or incomplete, which I guess says something about my handwriting. Every paycheck I've received over the past twenty-some years is in there, both regular payments and bonus, with taxes broken out and everything (a lot of businesses outsource employment verification to a TransUnion subsidiary called The Work Number and in return they get all that information). There is my list of "known associates", which is pretty much all of my family living and dead since the 80s, all of my wife's family, a couple of former roommates and their families. Apparently I own a sporting goods store in Austin, TX (that's false, but I can't dispute or amend it). Every legal action I've been a party to is there. Every car I've ever driven is in there. I think most people would be shocked if they knew how much data these companies keep. I became aware when a police officer called me about some tenants at a rental property on a phone number I'd never given to anyone. I think the TransUnion TXLop database is where I finally found the number. Since then it's been my hobby to see how long I can keep my phone numbers out of that database.
I think he means that the hijackers call into T-Mobile customer support, who then allow his number to be ported to their SIM.
My T-Mobile number was SIM-jacked last year, though afterwards, once I reclaimed my number, they let me set up a "secret word" that the person calling in has to give them, and I haven't had any problems since.
I've asked that my number be unable to be changed to a different SIM over the phone. So to change it I need to go into a physical store and present proper ID.
Just tested this: I was able to create an account without a phone number. I think it doesn't require a phone number if Botguard is highly confident you aren't a bot (it does recommend adding a phone number for 2FA though). Also, I created the account through ChromeOS settings, which perhaps is a signal that I'm not a bot?
For me, it shows a short list of phone number endings, and you have to pick the right one. It's far from perfect, but it doesn't just let me enter any number I want.
Correct. I spoke with their digital team recently and got the low-down. Your full name and the phone number you type in are compared (not sure what entity does this comparison) with the telco billing records, which also obviously have your name and number paired. In my case I only have a business cell phone, which was problematic to use with my personal Capital One account for step-up auth.
It's disgusting to think about the record sharing, and I doubt it even protects against SIM swapping (or does it?).
Is there a US bank (national, not a local credit union) that allows you to use TOTP, U2F and backup codes as your sole 2FA sources? Heck, the US Government lets you do it now (https://login.gov), you think that BofA would...
Looking at that link, pretty much none of the major US banks (Bank of America, US Bank, Wells Fargo, PNC, Chase, etc.) seem to support software 2FA token solutions (e.g., Google Authenticator, Authy, etc.). Not gonna lie, this is abysmal.
My understanding from the situation has been that banks don't care because in a checking/savings account, it's your money getting stolen, not theirs.
For credit cards with awful security, they don't care because the money they get from making it easy to sign up and use their services is far, far greater than the costs of dealing with fraud.
How accurate is this hypothesis of mine? It really can't be an education thing because I'm sure these companies have great engineers working there, both at the lower ranks and (at least sometimes) in upper management.
The vendors foot the bill for credit card fraud, and end up paying transaction fees both ways. I used to work for a company whose website was found by some entity in the stolen credit card ecosystem to be convenient for making small purchases to validate stolen cards. The bank / credit card processor was in a much better place to make fraud decisions, and yet somehow all of the risk was on us and the credit card processors actually made better profits due to the fraud. Incentives are badly aligned.
In most cases checking/savings account hijacking would have little or no loss to the customer (usually there is a time frame the loss has to be reported by and there may be a low minimum fee of $50 or so).
There would be no raw financial loss at the end of the day, but there sure is a lot of time loss involved for both parties. It's got to cost a non-zero amount of money to deal with all those issues, while with proper 2FA all those costs would be pretty much cut to zero.
Robinhood impressed me by supporting both strong passwords AND 2FA with Google Auth. They haven't rolled out cash management accounts yet, but I think they will be my financial center once they do.
I think Fidelity does allow this, but I haven't bothered with it since I use a password manager.
Fidelity has a brokerage account, free checks, free ATM withdrawals via debit card, maybe also your 401k, free money wires, automatic investment etc.
The only thing they don't have are branches where you can deposit cash, but that's really never necessary - in an extreme case you can open another bank account, deposit cash, transfer to Fidelity and immediately close it.
I'm not sure why anyone uses a bank other than Fidelity.
Fidelity does it through either SMS or Symantec’s Validation and ID Protection (VIP) Access app. I called and asked if they support another app and they said they don't. Why they couldn't use another (read: non-Symantec) 2FA is beyond me.
I just went and checked because I was excited to set this up. Navy Federal has email, SMS and OTP through their app. USAA has email, SMS and OTP through their app or Symantec VIP. I wish either one would allow the use of U2F or TOTP.
Honestly, what is a good US bank that has a great web/mobile experience, a large financial offering (checking, credit, savings, investment, etc.), great customer support, a good presence internationally, reasonable fees and no hidden fees... wait, there is none.
I don't think it's fair to assume weaknesses from 6 years ago still persist.
* I just tried to log in with the first 8 characters of my password and it was not successful.
* Also this password is autogenerated and contains plenty of special characters.
* Their 2FA system no longer depends on the concatenation of password + token.
Also this reminds me of another HN discussion[1], which basically boiled down to the question of "Do you really think the only thing the bank does to log people on is to check the username and password?" I certainly hope not.
Robinhood for checking/direct deposit/ATM access and small DIY investments, Wealthfront for retirement accounts and savings/emergency fund, Apple Card for payments. Beautiful interfaces, non-SMS 2FA on all, fantastic customer service. I do this and I can’t think of anything else I’d need. The only fee I pay here is Wealthfront’s 0.25% management fee, but I don’t mind since it’s such a great service.
Robinhood is a brokerage but they deposit uninvested balance into normal banks so they are FDIC insured and pay interest, and you get a physical MasterCard debit card. Used to be 1.8% but the coronavirus happened and now it's 0.3% :(
They use normal TOTP for 2FA so it'll work with whatever authentication software you use.
However they follow the modern tech trend of not having live tech support; you have to email them for support. But I've heard response times have gotten better recently.
I moved most of my money into RH for the interest, but still maintain Chase checking and credit card accounts. For something as important as banking, there's no substitute for having tons of physical locations with humans. For example, I recently went to the bank to deposit tax refunds, which were not 'normal' checks. I don't think you can even deposit normal checks into RH. And I trust Chase's fraud protection systems more than RH's.
It's the same bank that doesn't send you spam emails that get you used to receiving unsolicited communication from your bank. These emails make it easier to sneak in phishing emails. That's why I use that bank.
Correcting myself in case anyone reads this: that seems to have been true in the past, but they are moving investing to Charles Schwab and Victory Capital (separate companies). So long-term I wish I knew if that is nearly as good as not in the ways that matter for this discussion.