by testfoobar 1924 days ago
How do you protect against this type of attack?
3 comments

I believe the practical solution for many people is to switch the 2FA to an authenticator on-your-phone code generator, which someone cannot hack easily.

Most important account / banks / etc services now offer this option.

The only thing is, though, make sure to keep backups of the codes you use to initialize the authenticator app, because for some services there is no recovery if you lose your phone or don't have backups.

Hi, which bank(s) offer this?

> switch the 2FA to an authenticator on-your-phone code generator, which someone cannot hack easily.

I remember looking a few months ago and they only offered SMS 2FA.

Thanks

Sorry, I should've been more specific/accurate. I meant brokerages, like Fidelity, Etrade, Schwab -- where you're likely to have more funds/$ than a regular consumer bank. They do offer it. Even Amazon offers it.

And you are right, I have not seen any of the banks I use convert to authenticator (BofA, Chase, etc).

I can only guess that they think it's too difficult for the average consumer to understand or implement. But the fact that they don't even offer it as an option is unfortunate.

edit: actually I correct myself, seems like BofA may actually offer something like this: https://play.google.com/store/apps/details?id=com.bankofamer...

However, I can't tell/test because I don't use Android

Unfortunately, Fidelity (at least for my account) only offers some non-standard "Symantec VIP" product. Does someone reading this know if there's a way to turn it into standard TOTP?
Yes, Symantec VIP is the TOTP solution they've chosen. Etrade also uses it.

I find it less friendly than the normal QR code, since you can't back it up or clone it (and it's proprietary, although that is not a huge concern for me). Basically the app is both the server and the code generator (?) because the website you log on to does not issue you a shared secret, the app creates it itself. Every device has its own unique code, so it can't be cloned.

Fidelity enforces that you can't have multiple devices floating around able to log in -- they don't let you enroll multiple devices if you opt in to it. (Although why exactly I don't know, because Etrade does). It is a pain because 1) I want multiple devices to have my codes as backup, 2) I want one of my family members to be able to log in -- although they say, you should make that person an authorized user who can use his/her own login + own VIP code.

It's a pain, and I'm still debating whether or not to activate it. The interesting part is they clearly have a fall back in-person way to turn this off / help you if you forget or get locked out. You have to even call them in person to turn this feature on.

I was able to find this. Haven't attempted it yet but it appears that it is in fact standard TOTP, only the VIP app generates the seed and you have to provide the seed to (in this case) Fidelity. https://gist.github.com/jarbro/ca7c9d3eebba1396d53b4a7228575...

And yeah, my biggest problem with it is that I already have a solution for TOTP; I don't really want to also figure out some solution for their proprietary garbage.

> which someone cannot hack easily

Everybody gets phished. Much easier than sim swaps.

Don't use phone-number-based 2-factor, or if you must use a number, keep it to an app (e.g., Google Voice) and don't forward your Google Voice texts to your phone's number.

Basically, avoid using your carrier provided phone number for anything related to an account.

But Google Voice requires a Google account, and to create a Google account you need to provide a valid phone number. There are also a lot of service providers that don't allow you to create an account without providing a valid phone number.

I wonder how high-profile politicians and celebrities deal with security issues like this? If this is really such an easy attack to pull off, what's stopping someone from shilling cryptocurrencies on celebrity social media accounts (again)?

I deleted the phone number from my Google account and just use 2FA from the app. Now "forgot password" does not give the extreme option of just sending a code to my phone.
How do you recover your account if you don't have the app?
I mean sending a code VIA SMS. I mean I deleted the phone number from my Google account. Now I have only Auth App, & Google App. The code & recovery options are 8 digit recovery phrase, Tap in Google App on other device. No reset code SMS.
You can have a backup of the private key written on a piece of paper.
You could remove the recovery phone number from your Google account and use a couple of (main and backup) hardware tokens like a Yubikey as 2FA.
Google Voice SMS might not be able to help since they are all in the same POTS ecosystem as well.
Google Voice is US-only.
Don't use a phone.

Lucky's company has this product that can monitor for the attack, but it won't prevent it: https://okeymonitor.com/

Banks already have tools that detect SIM swaps and SS7 attacks. It's just hard to make decisions. Banks care about false positives too.