by supermatt 1924 days ago
It’s insane that providers can do this.

I note, however, that this attack seems to only be possible on VOIP routable numbers, and it’s my experience that banks, etc, will not allow you to use VOIP routable numbers for 2FA.

That’s definitely not the case for a naive implementation of SMS 2FA as would be done by likely any dev using Twilio, etc.

Also, don’t forget that NIST deprecated SMS 2FA over 5 years ago. Here’s their reasoning: https://www.nist.gov/blogs/cybersecurity-insights/questionsa...

4 comments

Meanwhile my bank just added 2FA in the past year and it's... SMS. No option to use TOTP or U2F.
Is there any chance my cellphone number is a VOIP-routable number? Is there a way I can check to find out?
Twilio has a (US-only) API for this: https://www.twilio.com/docs/lookup/tutorials/carrier-and-cal...

I'm not sure what banks use, but I have had UK VOIP numbers flagged before when trying to register them for 2FA, so there's likely API providers for other countries.
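
An enrollment gate of the kind these comments describe (refusing VOIP-routable numbers before enabling SMS 2FA), as an added example that is not from the thread or from Twilio. It assumes the response shape of Twilio Lookup's carrier lookup, where `carrier.type` is `mobile`, `landline` or `voip`; the function names, the policy and the sample responses are constructed for illustration.

```python
import json

# Constructed sample responses (made-up numbers and carrier names), shaped like
# the "carrier" object of a Twilio Lookup carrier lookup.
MOBILE = '{"phone_number": "+15005550001", "carrier": {"name": "Example Wireless", "type": "mobile", "error_code": null}}'
VOIP = '{"phone_number": "+15005550002", "carrier": {"name": "Example VoIP Co", "type": "voip", "error_code": null}}'
# error_code value is a constructed placeholder, not a real provider code
LOOKUP_FAILED = '{"phone_number": "+15005550003", "carrier": {"name": null, "type": null, "error_code": 1}}'

ALLOWED_LINE_TYPES = {"mobile"}  # assumption: policy admits mobile lines only


def line_type(raw):
    """Return the carrier line type from a lookup response, or None if unusable."""
    try:
        body = json.loads(raw)
    except (TypeError, ValueError):
        return None
    carrier = body.get("carrier") if isinstance(body, dict) else None
    # A carrier-level error means the type cannot be trusted even if present.
    if not isinstance(carrier, dict) or carrier.get("error_code") is not None:
        return None
    kind = carrier.get("type")
    return kind.lower() if isinstance(kind, str) else None


def sms_2fa_decision(raw):
    """Decide whether a number may be enrolled for SMS 2FA; fail closed."""
    kind = line_type(raw)
    if kind is None:
        # A naive integration would enroll here; refuse instead.
        return (False, "line type unavailable; failing closed")
    if kind not in ALLOWED_LINE_TYPES:
        return (False, f"line type '{kind}' not accepted for SMS 2FA")
    return (True, "mobile line")


if __name__ == "__main__":
    for name, raw in [("mobile", MOBILE), ("voip", VOIP), ("failed", LOOKUP_FAILED)]:
        print(name, sms_2fa_decision(raw))
```

The check reflects the line type only at the moment of lookup, so a number that is reassigned or ported after enrollment is not caught by it.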

Further reading suggests this isn’t just VOIP numbers! How worrying!
Yes, this is only for VOIP. The author of the article is dishonest. He mentioned that his T-Mobile phone number got hacked but I am willing to bet that this is a marketing .. .