by patcheudor 3698 days ago
I may get down voted for this and so be it, this must be said. This is a prime example of creating what was intended to be a security feature without understanding the threat landscape. I just tested it, and it's 100% vulnerable to caller ID spoofing. In 2016, caller ID spoofing is as simple as downloading an iPhone app and spending $30 for a bunch of minutes.

The problem is, a lot of people will find this cool and will also not evaluate the threat landscape. In fact, it's even worse. They will assume the threat landscape has already been evaluated. The code is out there, so it must be good. They will then implement this into some "super duper secure" service which should require a far more security for user authentication. It will then take me 15 minutes of pulling my hair out in a security review to explain to whomever implemented it that it offers no security. The team will walk away from our meeting wondering if I was just trolling them and ask how their entire team could have made this mistake. They will then come to the conclusion they are smart and I must be wrong. They'll then call me back to explain again, at which point I'll take them through a full video demonstration with their VP of operations on the call. This time they will actually "get it" because they saw it exploited on video. Their VP of operations will then fire the project manager and lead developer and I'll feel like shit for being responsible for the termination of two careers.

2 comments

Not to mention that it's incredibly inconvenient if you don't carry a phone, or if you lost it. I tried to sign up for airbnb this weekend while traveling, but wasn't even able to go through the verification process without a physical phone. Zero alternatives for verification, and even trying google voice (my main 'phone' provider) wasn't good enough. Sure, I could've borrowed someone's phone for a second, but isn't that the sort of thing these systems are supposed to guard against? I don't get it.

Another example - you can't use uber on a desktop without going to m.uber.com last I checked. There's no way to order transportation without that m. (why!)

Another - gmail. You either need another email or a phone, and at the time, neither were possible. (why!!)

For tons of reasons, I just don't like having a phone in my pocket 24/7/365. Mostly, I just enjoy the peace of mind of being unreachable. I've been oncall for years, but that oncall vibe is extending more and more into social situations, for the worse. I hate it. Devs - PLEASE account for those like me! I'm really tired of people telling me (accurately :(.) "You wouldn't have these issues if you had a phone." on account of your laziness or lack of awareness for sensible security.

I have a shocking number of burner phones driven by the need to register for stuff which requires phone-call validation of identity. Of course every one of those phones was purchased in cash while wearing a hoodie and sunglasses, after parking in a nearby neighborhood and walking to the store.

Note, I'm not a criminal, I just play one in my day job.

I might go that route, honestly. I've done a few security disclosures recently as myself and doing so has been giving me a vibe that I'm not a fan of. Same with a lot of the FOIA calls I need to make. Having a burner phone might help, as much as I'd hate to use it.

Wow, working in security sounds awful.