by yieldcrv 818 days ago
I think we should start doing product liability lawsuits against any organization capable of having user financial data affected from their account that is using SMS one-time codes either as the default or enabled by default, and the heaviest legal remedies against financial organizations where that's the only option

we should also update PCI DSS compliance or whatever relevant security standard to call SMS one-time codes totally insecure

we can also reach the insurers these companies use and tell them to force removal of SMS one-time codes

do a multi-pronged assault on SMS one-time passcodes


I think the more urgent thing is to not use the Social Security number both as the ultimate secret and also as a number you must give to hundreds of people.
> both as the ultimate secret, and also as a number you must give to hundreds of people

Don't forget the final nail in the coffin, which completes the trifecta: it's entirely immutable, so damage radius = infinite.

That. I'm in favor of stopping this societal wave of making phone numbers the equivalent of digital SSNs (they're critical for digital life, everyone wants them, nothing good happens when you hand them out that freely).
I think the more urgent thing is to end world hunger.
Non sequitur; make a different thread for that cause.
Well, if you fine companies for using SMS for security… you should put the CEO in jail for authenticating with a Social Security number… if we go just by the number of people who get affected by skimmed SMS and by stolen SSNs.
Not sure what SMS one-time codes have to do with this story either.
It's one of the MFA methods Apple allows.
Never will happen on the consumer side. Consumers lose their devices way too often to make TOTP or passcodes viable.

Financial institutions can detect if your phone number has been ported or forwarded.

The bigger threat is phishing and password sharing between accounts. I ran tech at an investment firm/neo bank and never saw an attack on SMS 2FA, and we had over a million customers. We had email 2FA for a while; there was a significant number of people who shared passwords between their email and their bank.