Comment by errantspark

Never ever ever ever give your phone number to Google for verification or authorization. People just don't understand how easy it is to find someone's phone number and then steal it for long enough to steal e.g. emails. Has happened, will happen etc. Like ssn, phone numbers were never made for this purpose. In fact phone numbers and services (e.g. SMS) are just the front end and are setup to be easy to redirect.

We had incidents in the past just because the colleague had given the number to Google and those were corporate accounts.

Every time a service moves to SMS or phone calls for 2FA a cry can be felt across the universe by any security engineer/cryptographer.

If you are a person responsible for this: please don't. If my antiquated bank that is insured and doesn't really care can understand this, so can you, if you care just a bit.

It's especially nice when traveling. I was once asked by a client to do something while I was in other country about 5k km from regular location. Couldn't login to the apps account for this reason (no backup email or phone set). So I didn't do the work.

I suspect it's some work-life balance enhancing thing. :D

I don't really mind, since it also helps me bash Google services in front of my clients who still use them, without being aware of these failure modes.

Personally speaking, it's absolutely a no go service. I can probably handle service loss at home quite fine, but if I relied on google or other services with these "anti-abuse" features while traveling that would be very stressful. I usually print out everything important before departing so I don't rely on any electronics, anyway, because none of it is as reliable and as quickly accessible as a piece of paper or a bunch of cash.

I had that happen, too — even after successfully receiving the passcode at my recovery address, and entering it, they still denied login. Presumably it's a bug in their system (being generous), but who knows when they'll fix it, if ever?

I currently have an old (infrequently used) gmail account, with a valid recovery email, that I cannot log in to at all.

I don't have (or want) 2FA set up for it.

I tried an incognito window just now, and same problem ):

Just had this happen to me with my Microsoft/Minecraft account. I had migrated my mojang account 2 days ago and today I was told that apparently they "detected some activity that violates our Microsoft Services Agreement" and locked my account. They did not explain what the violation was and apparently it would magically go away if I verified my phone number (which they did not have before).

Never doing any buissness with ms again.

I've actually found it hysterical. The phone number question seems to be for their data mining as well as evidence. But anyone can get into any email address when prompted this way. It is possible to send a text to someone else's phone, the servers connected to phones online are often polluted but many times they are not. You can send a text to those and get the code.

Or of course, just send the code to anyone and SS7 hijack that specific text message. You aren't hacking them, after all, you're hacking yourself or someone else.

>if unable to do that, I could provide the 2FA code sent to that same backup email address (how would I be able to know this without being able to know what the address was?)

I am one of those people using option 2, by virtue of keeping a lot of old email accounts that I have set up to forward to my main account. So I don't usually need to remember which account if was, and just wait for the email to come through from the void

Once upon a time not long ago, I got off from my flight into a foreign country (I don't have a SIM card that would work there). I turned on my wifi and was delighted to see they had a public network you can use. There was a captive portal, and the only sign in options (besides using a local phone number) were Facebook and Google. I chose Google, and entered my id and password. Google promptly went into the "sus" mode as you described.

Now I can't use option 1 or 2 because I don't have internet access until Google approves my sign in. I can't use option 3 because I don't have a SIM card that would work locally. Thankfully Facebook login worked.

When I sign into a Google apps account I have associated with a school about half the time I am forced to go through option (3) whereby I’m asked for a number they can send a SMS to. I am never presented with option 1 or 2. Per the tenant settings which I do not control, 2FA is disabled and users cannot enable it, nor provide a backup email last I checked. Extremely frustrating- especially not being able to use a VoIP number, landline to dial, or set up a more robust TOTP generator or the like. Perhaps the school should codify the requirement for students have cellular service just to enroll, since it’s the de facto case already. sigh

How does that story have anything to do with being evil, by any stretch of the definition?

Are you insinuating that Google has this convoluted verification flow to intentionally harm people in some way? Or even to intentionally harm privacy or further business goals at users' expense?

Or are you just using "evil" to refer to anything you don't like?

I had this problem this week too. I have a secondary Gmail account that is forwarded to my main one. I tried to login to it, they demanded a phone number (even though I do have access to the backup email), and wouldn't let me in because the only number I have is one that's already in use on my main account. I guess now you need one unique fully-functional phone number for ever Google account you have?!

> if unable to do that, I could provide the 2FA code sent to that same backup email address (how would I be able to know this without being able to know what the address was?)

Two options from the top of my head:

1. you have email forwarding configured so received mails will be delivered to another account. That's generally configured in the settings of the provider (I.e. directly under account settings in Gmail iirc)

2. You have a logged in device which receives mails through an application password. You cannot read it out because it's masked and even if you could, it wouldn't help you because it's only allowed to receive mails, not login.

I don't think this is particularly rare, honestly.

But yes, it is obnoxious.

I have real anxiety about being locked out from "digital self" someday due to issues like this. Sometimes I really think this just isn't worth it anymore and I'm far too invested in "the Internet".

There's a workaround to fix an account afflicted this way, use a yubikey to add as a security key and then add a 2fa through the google authenticator standard (which works with 1password). Once that's setup google will never ask for your phone number again.

I seem to recall fb doing similar. It's similar to banks or telecom providers requiring a persons home address (or worse: to prove it using a utility bill).

Wherever I can I set up code generation / TOTP 2FA precisely to avoid lockouts. Then to avoid losing all of those whenever I change/reinstall my phone I opt for the less secure option of storing them in a password manager...

I can't think of another way not to get locked out in case I ever lose my phone.

Google, Paypal and a few others seem to be the worst offenders at "protecting me".

Phone numbers are tied to your identity. You cant buy a mobile sim card without showing your id and the phone number will be registered to your id.

This happened to me years back. What would you say to the argument that it's to protect users from identity theft

Check your internet connection and Google/Gmail certificates. It looks like you are taped.

> It's about linking your account to a real person identity, so they can sell that to someone - either live, or later when they get bought out

Yeah, this can't be emphasized enough. Phone numbers are established as universal identifiers. Discord is sitting on a giant heap of personal information including DMs from millions of young people. It is all centralized, both in terms of data, and in terms of accounts (instead of them having to correlate an account between multiple forums, most of which volunteer run and they don't turn over non-public data for money), and also associated with phone numbers. Making multiple accounts for different areas of life is made hard. Beautiful for whoever has access to the data.

Asking for information for one purpose and using it for another is amazingly user-hostile and abusive, and it's an almost universal practice for technology companies.

I first noticed phone number abuse with facebook, which asks for a phone number for "security" but then uses it to match you with advertisers.

It's the same scam that sites have been running for years where you have to use an email address as a user login, and that address is instantly added to spam lists.

"Sign in with Apple" is hilariously useless since privacy-violating apps can just require a phone number for "security" or "verification" purposes.

It's 100% about linking identities between services. I've had my cell phone number for 25 years. It's basically a lifelong identifier at this point and I constantly have to use it for low value online accounts. I wish I could go back 10 years and get a dedicated phone number for online verification.

The security side is a total lie as well. Your post made me think about the biggest risk for myself and, like many people I know, I put my email address on my lock screen so that if I lose my phone someone can get it back to me. Now it just clicked for me and I realize I need to change that because if I lose my phone someone has everything they need to recover a lot of my online accounts. My Google, Microsoft, Amazon, etc. accounts all use that same email address and all they need to do to perform SMS recovery is put my (unlocked) SIM in another phone.

A credit score is used as a trustworthiness analog in arenas other than lending. For example renting a house or car, and some phone companies won't give you access to a post-paid plan, all of which can have a stratifying effect. The idea that because I don't take on debt that I am not trustworthy is wrong. I can pay a larger security deposit to offset risk, but often times that's not an option.

I've also heard tell of employers using credit checks to evaluate potential employees though I haven't researched that.

Why just communities be forced to accept everyone? Or even be nice? When in a group of friends we can often times not “be nice” however because we know each other, we understand it comes from a place of love. Perhaps it’s a military background thing, but exclusivity has its benefits.

Nice, thanks for pointing this out. It's fucking annoying that I'll have to figure out how to install the Windows Store on my computer to get an app that can receive text messages, something that you know, should be available through a pipe/file/tty or some dead simple interface since it's not exactly rocket science to receive 160 characters of text.

But thank you none the less.

There are laptops with SIM card slots?

They're trying to do that to break 3rd party financial integrations. Not for your security but because they think they deserve to get paid for your data and these other people haven't paid up.

Credential stuffing is a widespread problem. Im sure everyone on HN uses a password manager and different passwords for every service, but many people don't.

It's makes a lot of sense for a high-value target like banking to require 2FA, but SMS is the worst way to do it.

I'm not sure if there are any issues on Google Fi, since they're an MVNO, so identical to any other cellular network.

It's never been made illegal to use, or even ask for, an SSN.

You can refuse to provide it (unless it's required for tax/employment purposes) but whoever's asking can then just refuse to transact with you.

> You literally put a sim card into a phone for it to be treated as a cell number?

Well of course -- the SIM is the (as others have pointed out, "currently assigned", yada yada) phone number. So what else would any device with a working SIM slot be treated as, than a cellular device?

The SIM has its own phone number, so when they put it in a phone they can do "phone" things like make calls. In their laptop it's just for data.

I don't understand, isn't that how SIM cards are supposed to work ?

Instead of "phone" do you actually mean "laptop"? Interfacing with a SIM through a computer seems pretty Futuramaistic to me. How does _that_ work?