Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Most of these breaches happen because someone gets targeted - something about their public profile lands them on the radar of the hackers. Then the hackers dig into the profile looking for associated phone numbers. So to mitigate this, you could (1) reduce your public profile, which is out of scope here, and/or (2) minimize phone number exposure. You want to make it impossible for someone targeting you to locate the phone number you use for 2FA on a particular site.

To minimize phone number exposure, you want to send the phone number to as few third parties as you can. You don't want it to show up in any databases, including in breached databases from hacks of companies where you stored your phone number for 2FA purposes. Unfortunately this means the only true solution is a unique phone number per account with SMS 2FA, but that's obviously not practical. So what can you do?

A VOIP number like one from Google Voice is the next best solution for receiving 2FA SMS codes to a dedicated number that you keep separately from your personal phone number. This way you receive texts purely through software and don't expose yourself to SIM swapping at the Mobile ISP level. Unfortunately, some providers won't accept Google Voice or VOIP numbers, so for them you're back to square one... maybe as a backup option (only for those sites), you could use a cheap phone with a pay-as-you-go plan; it's not great, because you're still vulnerable to SIM swapping, but at least you have a dedicated number for SMS 2FA.

Looking at the problem more widely, it would be nice if my phone or mobile ISP could solve this problem for me, with something akin to disposable phone numbers (think Apple Private Relay, or temporary credit card numbers from the bank) or a dedicated 2FA code relaying service (think Authy or Google Authenticator - in fact, maybe they could offer SMS numbers as a feature, although that seems at least as dangerous as the status quo).



I guess I am screwed. Breaches for lastpass and twitter alone link my phone and email and websites :(




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: