by aikinai 867 days ago
Your point is completely orthogonal to account takeover. You can require a phone number to create an account and not allow SMS to the number to take over the account.
2 comments

What happens when the owner of the number discontinues the phone service, loses the number and the same number is given to another customer who then tries to register for an account on the same platform? Phone providers may recycle numbers in as short a period as a few months.
> Phone providers may recycle numbers in as short a period as a few months.

Then, I guess, the account on that German home automation online forum was maybe not that important, after all.

Such a strawman. People get locked out of accounts with important stuff for them all the time.

Let's demand more of tech companies who have the means to do proper security, instead of blaming user mistakes.

No, I’m not blaming the user. Look at this from the other perspective:

I have an apartment, a vacation home, a chicken coop, a shed with old tools, a car, a bank deposit box.

Do all of those things absolutely require a Post-Blockchain-Ready™ SuperDuperLock 3000© with the patented Forensic Upgrade Crypto Key™ technology?

Not really. Some security vs. accessibility/usability trade-offs need to be made.

Somebody stealing the contents of my bank deposit box? Okay, that would suck.

Somebody breaking into the shed and stealing that old broken Toyota diff lock actuator I *swear* I'm going to fix at some point and maybe a shovel? Please.

This is why I think there might be a security floor for critical applications, but it should be the user's choice if they really want full 2FA+ with smartphones, biometry, and social security number verification for their random account on a once-a-month-visited social network for cats.

Why does the service provider care about account takeover, from a financial perspective?

They can always reset the password on their end, given proof of identity (if the account matters).

> Why does the service provider care about account takeover, from a financial perspective?

Indeed, caring in any way about users of your product or service is merely a liability and a cost center.

I honestly don't want that type of overprotective caring that cares so. much. about you that it restricts you in meaningful ways.