by b112 1543 days ago
Maybe, but, no one gets my mobile number, not my bank, no one.

It's not in my name, I pay cash for it, I share my contacts with no one, etc.

I won't have it linked to me, and with how you can so readily be location tracked when someone knows your number, I am astonished so many people give it out.

So there goes the easiest 2fa....

11 comments

Other people share your contact though, unless you exclusively associate with people equally paranoid. You simply can’t have an anonymous phone number these days unless you actively switch numbers all the time which if you get accused of something will be used as evidence against you.
I have a voip number forwarded for incoming. I have no caller id for outgoing.

Thus, even with google having my name linked to a number, it does not link to my cell phone.

Reply to comment below:

No one gets my real mobile number, so that is solved.

Why would I care if my VOIP number is in address books? That's the point of it, and why I have it.

I'm not trying to hide from the government, I am preventing Google, FB, etc from linking my mobile to me, and preventing random people from tracking my location, which is trivial when they know your mobile number.

Your VOIP number can be resolved to your mobile number. Your cell provider has the link.

You withholding your caller ID only hides it from the receiving handset, it doesn't disguise it from the network.

If you host your own pbx, you can consider it as a proxy to your cell phone, and even do it over vpn. You can't track that further than the pbx server ip.
It only takes one contact to have your real number in your name, or even better also associated with your VoIP number in their address book, to lose your "anonymity".
That was my thought. The value of a piece of metadata is inherent in its context as a node within a network. You might have disparate pieces of information about a group of people, but weighing their connections by similarity/proximity/etc. allows you to develop assumptions about individuals, even if all you know is their phone number and who had that phone number in their contact list.

Specifically, from the point of view of network analysis, a missing or unknown node becomes suspect when various connections point to it. In the era of high connectedness, that seems like kicking a goal on your own team if you're playing the "be anonymous" game.

This level of automatic tracking would require all players (VOIP company, network providers (eg, via wifi), cell phone companies, Google + Facebook + Apple), along with significant tracking effort...

Just to find out that phone #5 is Pete.

Whilst it could be done, things aren't quite that far along yet. Further, I believe you are presuming I intend to remain unknown from all parties.

I believe you, and a few other commenters here are jumping to an extreme interpretation. My goal is to cut automated tracking.

A key example may be photo radar, and those license plate covers which make plates illegible (presumably). In this case, should a police officer, or the government in general want to track you, yup, they could.

For example they could go through video looking for you again. Your exact car. Including, the covered plate! It really wouldn't be that hard to do, but it would take time. Effort.

However, plate readers are networked, and databases are being kept of car movements. Having that plate cover breaks this automatic tracking, even if a dedicated person may want to track.

So you raise the bar. You remove automation.

And that's the guts of it. Because profitability in this business is won by doing a few simple things, and then collecting massive amounts of data. Remove any degree of automation, and it is no longer profitable to track someone.

I bought my phone with cash, my sim card, my minutes with cash, used a fake address and name, signed up to Google with a different fake name, bought a play card with cash, which was basically zero effort for me.

I do this whenever I buy a new phone. A new, clean slate.

I then, using my already existing infrastructure, only allow people to reach my mobile via a voip number. Done.

Yet everyone here thinks this is loads of work, with zero benefit. Welp, I disagree.

Fair enough! The conversation evoked screenshots of Palantir software from a decade or so ago. I imagine it's next level now.
How does my VOIP number being in my friend's address book, enable Google to see that address book, and learn my mobile number?

My goal is not to ensure no one is capable of tracking me; that's literally impossible. However, I do not want:

* Google to get my name, contact info, etc via my phone itself

* Google to link to me, by seeing my mobile phone in another person's contacts

This is why I give no one my mobile number.

If the Government, or if someone was suing me, or I was up to "no good", an exhaustive search would likely bear fruit. So? That's an entirely different animal.

> * Google to link to me, by seeing my mobile phone in another person's contacts

I'm pointing out that it takes only one of your friends or acquaintances to add your real mobile number to their address book alongside your VoIP number to ruin your system. People don't think twice about giving apps access to their address book. They're also regularly scooped up by malware.

Your scheme requires you to have perfect OpSec 100% of the time. Just human nature says you've probably goofed and given out your mobile number once or twice. There are enough huge database leaks that your info has probably been leaked by someone you don't even know.

> I'm pointing out that it takes only one of your friends or acquaintances to add your real mobile number to their address book alongside

I said I don't give my mobile number out. Do you believe my friends work diligently to find this number out? And how would they get it? And why do you believe they would get it so easily?

I don't even know my number without looking in 'about phone'.

> Your scheme requires you to have perfect OpSec 100% of the time. Just human nature says you've probably goofed and given out your mobile number once or twice.

I don't understand why you think I would do that? Or how it would happen by accident.

When someone asks my number, why would I give a number I never do, instead of the number I always do? Why would I even memorize my real number? I really don't understand why you think this is hard, tricky.

Or think it is a "scheme".

I use cash almost everywhere too. I have a friend who thinks this is strange, and sketchy. Cash. Sketchy. I just get bewildered when I encounter these types of thought processes...

Then why do you care? Get another forwarded number for giving out.
Any toll-free number you call - at least within the +1 country code - can see your outbound number even if you hide it.

So if you’re in the USA and you have ever called your bank’s toll-free from your mobile they already have your cell phone number. You can try to sell yourself by googling for toll-free ANACs which will read your number back to you.

This is helpful info, but I use voice on my mobile sparingly, and use my voip line most of the time. (I have a cordless + desktop voip phone at home and work).
And how might voice recognition play into this too? If you're not easily identified then you may draw more attention and more effort spent to determine who you are.
How is that related to this?

OATH/TOTP does not need your mobile number. It only needs the current time, a secret, and an SHA/HMAC function.

There's no phone number involved.

Do you mean SMS? I don't see a requirement that you use that. Yeah, that would be a pain. My SMS goes to a voip number that emails me the message, and that works most of the time, but a few jerky sites reject it. I just figured that the 2fa slows down requests to 2 per minute or whatever, the speed of TOTP codes changing.

I also don't know what a verified account is. If it's just email-confirmed then yeah, that is trivial. If it is a payment card that worked, or even further a shipping address that worked, that can be more annoying to game.

I had thought that it was only the Pi Zero series that had strict quantity limits, and that people were supposed to be able to buy lots of 4's if they wanted to.

Also, for most users (not all) there isn't really a pressing need for a 4, since the 400 has been plentiful and is basically a 4 in a different form factor, with an attached keyboard. I figured if I wanted a 4 before they became available again, I'd just get a 400. What I really want is some more Zeros and Zero W's, but I think those are both being replaced by the more power hungry and expensive Zero W2.

You don't need to hand over your mobile number, just get a raspberrypi, install freeswitch and sign up to a free voip number which happens to be in the range of numbers used by mobile phone operators. https://www.sipgatebasic.co.uk/

I really don't know how they think they can use 2FA to stop all but the most basic of bots from buying up rpi's.

I have SMS capable voip numbers, and also ones ported from old phones. Many 2fa services have a db of these, and refused to send.
> >Makes you think, do Linux, Windows and Mac handle this properly? Honestly, I doubt it!

That's quite a lot of surveillance.

>> You don't need to hand over your mobile number, just get a raspberrypi, ...

You DO realize you're posting on an article about restrictions for purchasing Pis right?

Kind of pointless to have a phone if you don’t give the number to anyone. Its whole purpose is for people to be able to contact you.
Get another phone number, get a phone with dual sim, disable this sim card and only enable to answer 2FA queries
Unless you cycle across town every time you swap SIMs, I don't think this will help much. Just the fact that those two SIMs ping the same cell towers is enough for a bunch of data aggregators to correlate the numbers back to the same person.
Plus, IMEIs are often sequential, and can be queried (like a mac address) in a DB. This helps prevent theft.

So they have one IMEI, they have all for that phone.

2FA is not even remotely secure via sms, as shown 100 times over. The only reason google loves it so much, is it links your real life name to your accounts.
You'll probably be interested by this other article[1] on the front page of HN today, but you're not going to like it.

[1]: https://news.ycombinator.com/item?id=30765223

Use a separate mobile number for all your 2fa, that way if one of your mates has say Truecaller - your number/name/email is not going to be out there with association.
Actually, they don't allow new use of SMS verification.
How do you buy anything on the internet? Is the addition of 2FA even an issue for you, or an opportunity to humble brag?
Easiest to pwn 2FA