Ask HN: Is there a security-centric US Mobile Carrier you'd recommend?

[mdu]

Mobile Carrier is one of the biggest weak points for many 2FA.

Unfortunately, most of the sites I use do not leverage U2F or TOTP, and I'm forced to use SMS for 2FA.

Is there any mobile carrier that is more security and privacy centric? Such that someone can’t just impersonate me and gain access to my SMS through the phone carriers?

[bronco21016]

I believe the insecurity of SMS comes from the design of mobile network protocols. Not from individual carrier’s implementation.

Can you change online services if you’re that paranoid? Can you compartmentalize in a fashion that if one site is compromised the rest will remain intact? The main services I would be concerned about are financial institutions and the e-mail accounts tied to them. Switching banks in the US is relatively easy. Also, good password practices would limit exposure to risk.

[Eridrus]

As others have said, the protocols are kind of crap, but it sounds like your concern is more about account takeover through customer service.

Maybe Project Fi? I don't know that they're better, but Google takes security pretty seriously, and you can probably lock down your Google account.

There's still a risk with phone number portability where someone tricks another carrier into porting your number somewhere else, and I kind of doubt that even Fi does anything here.

[mdu]

I was looking into Fi. It's true the number portability can be exploited as well. It's too bad many of these financial institutions that I'm required to used only do their 2FA via SMS.

Someone should try and create a secured layer on top of SS7.

[cremp]

None.

SS7 itself is bad, and proven time and time again that it can be used maliciously.