This should be far more secure and privacy friendly than a Sim card of a cellular connection. Why isn’t this done more often? What are the Pros and Cons. I bet the price is similar as well.
Cons:
You absolutely cannot get 2FA authenticator codes from 90% of services. Many services that require a phone number even without 2FA just for “verify you’re a human” or because they want your data or to verify region use shortcode services that also will not work with ANY VOIP provider.
You will not receive their codes. These companies vary from banking institutions to gaming companies to online shopping marketplaces and stores to a Google account (used to be you could get an automated phone call to verify an account, not anymore, must be able to receive SMS from shortcodes that are disabled for VOIP numbers to register and to recover an account) just about anyone you could end up doing business with.
A shockingly large amount of companies demand phone numbers and send verification texts before allowing you to do business with them, to create an account, to recover an account, to delete an account, to place an order, etc.
They really shouldn’t, it’s a bad security practice but companies love it because with a phone number they can lower support costs by just allowing people to do a self-service where they get an automated text and can unlock their locked account. They also love harvesting that data and preventing anonymization with VOIP numbers and the reduction of fraud and increase of reliable KYC that comes with requiring them.
And they all take it as a given that EVERYONE or at least 99% have a cell plan with a non-VOIP number that works with these and the 1% who don’t they don’t care about in the developed world and are an acceptable loss.
I think how often this is a problem varies widely from person to person. I don’t remember the last time I gave a mobile number out to a company, but it was more than a few years ago. The last few that strictly required one were non-essential; I just took my business elsewhere.
90% of American commercial services that is.
Online services or many/most European services have more proper 2FA (TOTP, app-based, card reader OTP, etc…)
Can you name me an EU bank that doesn’t demand a phone number to signup?
Unfortunately, PSD2 doesn’t support TOTP and other strong 2FA solutions, so they all appear to require phone numbers. This is one area where EU is worse than US
My EU bank never ever used my phone number to verify anything. They only used it to contact me on some occasions. 2FA is done through their app.
Oh, right, their closed source app. Thats allowed. So it requires a phone.
So the OTP is still transmitted to satisfy the requirements of PSD2. But TOTP (a more secure system that doesn’t transmit the OTP at all) is not allowed.
That is a completely separate issue from the above commenter.
You absolutely cannot get 2FA authenticator codes from 90% of services
A shockingly large amount of companies demand phone numbers and send verification texts before allowing you to do business with them, to create an account, to recover an account, to delete an account, to place an order, etc.
They really shouldn’t, it’s a bad security practice but companies love it because with a phone number they can lower support costs by just allowing people to do a self-service where they get an automated text and can unlock their locked account.
Also an issue, but indeed a separate issue from using unsecure SMS as TOTP.
I don’t follow. Banks are required to use insecure SMS for OTPs by PSD2
Can’t I just transfer my existing phone number, from any Pay As You Go SIM?
You can but they’ll find out. It’s reported or flagged or something, they can tell what provider holds a number and they block VOIP ones. Also if a number was ever previously a VOIP number do not try and transfer it back to proper cellular as it will still remain blocked for many but not all of these for years potentially.
You can buy for cents phone numbers online for one time verification purpose or even rent the number for long term if you need. It’s better to use these anonymous cheap throwaway numbers if you want privacy instead of your real phone number for everything.
You probably shouldn’t be using a service that requires a phone number. More often than not, they use it as a backdoor to bypass your password and it leaves your account super vulnerable.
Still so much 2FA via SMS where I am in Aus.
I’d prefer to move everything over to something like Signal but I neeed a phone # to register for that but how do u tell the bank my Signal ID is @hanrhan.666
Use SimpleX, no id no phone.
How do you tell your bank to use simplex to send you a verification code ?
Well I’ve tried, but usually they just don’t respond to my emails
Sorry this is not for replacing banks verification
I’ve been trying to work this out since the beginning of the year. This is anecdotally what I’ve done, what works and what doesn’t.
Most of my solution comes from JMP.chat for my phone number along with the cheogram app for functionality.
Basically I got a number for friends and family. I got a second number to give to businesses that don’t care about VoIP (my dentist etc). ($5 ea). Cons here are that SMS groups are limited to 10 recipients. This doesn’t work for my large family chats (I can get them but can’t respond). Another thing I dislike is since its XMPP based, all contacts are listed as their phone number if in a group, so it’s hard to tell who’s in it. (Solo texts show as names just fine). They have a premium tier that routes differently to allow more than 10 in a group text, but I’ve tried that twice now and the actual phone calling gets screwed up. So I’m still trying to get it all sorted out (and I’m not optimistic) It’s also a service only in USA and CAN.
My original number that I’ve had for 20 years and all big tech have assigned to me, I ported to google voice ($20 fee)
Since my original phone number was a carrier number it is already assigned to all the stringent companies like banks. They continue to use it without knowing its now a VoIP number. I have all SMS messages forwarded to my email so I don’t have to log into google ever. It works perfectly for 2FA. Shortcoming of this is that any group texts the email just says you got a group text, but a single source text the actual text is forwarded. I don’t use it for groups so its not a problem but just mentioning it as a potential con. Then of course, its legacy so opening new accounts won’t work the same way since its a VoIP number now.
I bought a hotspot from calyx. By far the most expensive part of my solution. But it gives me WiFi access without a standard carrier (it does use T-Mobile but calyx doesn’t track you like they do). Check them out to see if it fits your threat model. It works out to about $50/mo but the biggest issue is that its an annual lump sum.
Another option I’ve been trying is 4freedommobile. They have decent plans and are focused on privacy. Everything runs through their app for encryption. But I’ve found the app lacking both in UI and functionality. You can’t do group SMS (which is apparently coming very soon) but my biggest issue is they require google play services for notifications. They state they don’t, but they do. Hands down it just doesn’t work without it. So that’s a deal killer for me.
Honorable mention is the premium service Elfani. I haven’t used it but have considered it. Its very expensive at $99 a month but is secure. However I don’t see much on privacy so I’m not sure how different they really end up being from their base AT&T provider.
You can keep your cell number with jmp.chat. Call over wifi or data. They offer eSIM. View text messages on any device/program with XMPP support. 2FA works 100% like normal unlike VoIP. All data, calls, texts are routed through their VPN first, then the cell network. Any other inhouse XMPP chat not going to networks stay within XMPP. I have no affiliation with jmp.chat, I am satisfied with the service.
I would switch to jmp immediately if only it were available in Germany.
Is an eSIM vulnerable to the same security risks as a physical SIM?
What security risks are you considering for physical SIM?
SIM cards are a computing device that can execute closed source code on your device, sent from a cell tower
Most of the zero days used by NSO Group that were reported by Citizen Lab only worked if you had a SIM card. By eliminating SIM cards, you decrease the surface area of attack by magnitudes
Thanks for enlightening me. That is certainly concerning. I am not knowledgable enough to say if eSIM would be outside the scope of that attack. There are some differences in how the tech is implemented, but heck my eSIM still connects to the cell tower at the end of the day (and to multiple carriers, at that, unlike physical SIM). If there is a surface area, there is a chance for attack vectors.
I could see this being a problem for me
Note: While JMP does provide phone numbers and voice/SMS features, it does not provide 911, 112, 999 or other emergency services over voice or SMS.
How do you deal with it?
That is true, but there is a good reason. For example, you may call 911 in North America without any cell plan, or without a SIM. As you long as you are within physical range of any cell tower (whether your phone shows bars or not) the 911 call will go through. This is required by law. So, like your quoted text indicates, 911 calls would just need to be routed through your phone’s native dialer instead of, let’s say, Cheogram’s dialer (jmp.chat’s phone/message app).
Ohh I see.
Why not is the question and that comes down to guessing. Sheep do what they are told so don’t need to guess much there. Those who are not sheep have to go through a long journey to gradually keep increasing their privacy and unlearn the sheep habits we’ve been conditioned to have.
The end goal is to throw away your phone because you can do everything on your computer instead including buying a phone number, using voip and take and make calls. Phones are unnecessary spy devices used by sheep.
Hmmm… Or maybe people just like making calls easily man. Not everything is an ideology war.
privacy is about making effort to protect it. With your logic you should just use google chrome browser and be signed in to google because it makes an easier experience. Then install alexa in your home and make it a smart home, it also makes life easier.
Not addressing your main points. Just wanted to point out you can have a smart home with purely local devices. No cloud.
Privacy is about being comfortable.
Pros is that you don’t need a small, fragile device to use your primary communication method.
But the pros are that it’s usually cheaper if you know what to look for.
You didn’t give any cons
I guess the cons is that you gotta maintain separate cellular data if you want it. And transfer your number.
You’d only be able to make calls if you have a wifi connection though, right?
Unless you want to maintain separate cellular data.
The only time I call anyone is when my partner can’t find her phone and I have to call it, because we set it so that my number is on the VIP list so it will ring even if it’s on mute or Do not disturb mode.
SMS codes as mentioned and cellular data makes something with Sim card or e-sim a necessity. This can be mitigated by using a portable hotspot or cellular router/modem. Had a teltonika router that autoforwards the SMS as email.
If you care about security, don’t put a Sim card in your phone.
Personally I don’t have a VoIP plan. For archaic services that I can’t live without and required a phone number, I use google voice or Skype. Its a vulnerability, so avoid if at all possible
If you care about security, don’t put a Sim card in your phone.
Depends on what you mean by security… or privacy. You need to define a threat model before any suggestions can be made.
If you’re worried about someone hacking into your phone via an app, a sim card likely won’t make a difference.
If you’re worried about your location being tracked… that can often be done without a sim card or any cellular service on your device.
Then there are malicious carriers (or ones compelled by a government) that could track you without even having legitimate service activated. All phones at least in the US now are mandated to have (A)GPS receivers.
All depends on what your concerns are.
My location isn’t being tracked. Not having a SIM card is part of the reason why.
I’m not worried about apps on my phone owning my device. I would be worried about a SIM card owning my device.