Never ever ever ever give your phone number to Google for verification or authorization. People just don't understand how easy it is to find someone's phone number and then steal it for long enough to steal e.g. emails. Has happened, will happen etc. Like SSN, phone numbers were never made for this purpose. In fact phone numbers and services (e.g. SMS) are just the front end and are set up to be easy to redirect.
We had incidents in the past just because the colleague had given the number to Google and those were corporate accounts.
Every time a service moves to SMS or phone calls for 2FA a cry can be felt across the universe by any security engineer/cryptographer.
If you are a person responsible for this: please don't. If my antiquated bank that is insured and doesn't really care can understand this, so can you, if you care just a bit.
> Never ever ever ever give your phone number to Google for verification or authorization.
You literally do not have a choice, last time I checked you had to set up SMS 2FA first. Once you've done that you can set up a better method and remove the SMS, but you have to remember to do it.
> If my antiquated bank that is insured and doesn't really care can understand this, so can you, if you care just a bit.
Even if it looks like you can disable it, I wouldn't be surprised at all if they'll still let you recover access with the phone number if you fail to log in enough times. They want people using their accounts, searching and using other Google $ervices.
What sucks even more is that you need to first set up phone 2FA before you can enable TOTP. You can remove the phone number afterwards, but why make it so complicated?
I don't think it's down to the SIM. It's more they call help at the phone company and say "hi I've lost my phone, number 0123123. Could you transfer it to my new handset with another SIM in." Or similar. I had my one (with Three UK) transferred to some random fraudster this year. I got it back but it was a pain and potentially dangerous. In fairness to Google they didn't manage to get into that.
Suggestion to phone companies: When receiving such requests email and text the user saying "we've had a request to transfer your number, contact us if not you" rather than just cracking ahead.
> Isn't the SIM supposed to hold all sorts of secrets to prevent that?
The process has a security hole by design: SIM cards can get damaged/lost (usually with the phone) and you wouldn't want to lose your number just because you lost your phone or damaged your SIM card by accident. This hole is typically exploited by attackers after they have identified a high-value target. You basically outsource the control over your account to a telco employee.
I had it happen after a promotion that changed my LinkedIn title to something more prominent.
Still can't prove what happened but someone ported my number from my carrier to Sprint and it took easily 18 hours to undo it. And it required convincing Sprint, which I had no affiliation with, that the original transfer was not intended, and that yes I want to reverse it out.
It varies by country and the US is not very secure. In a lot of technically more secure countries social engineering and corruption are available for a determined attacker.
It shouldn't be an immediate problem if it's really 2FA: if the second factor fails, there's still the first factor. The problem is that many systems use phone as single factor.