Most likely whatever password app you use supports these now. I know for myself, I started using Authy long long ago when there were not really many options.
In my case, 1 Password can do this now. I believe the same is true for Bitwarden and Apple passwords.
I hesitate to use the same app for both authentication factors.
The reason why I started using Authy a long time ago is that it supports multiple devices and isn't linked to any other account (such as Google or Microsoft).
Personally I dislike the idea of putting the other factor(TOTP) alongside the main two ones (email/password). Kind of ruins most of the purpose of TOTP and MFA in general.
Besides all the other advice of using the password manager as a 2FA store as well, on the stand-alone side there is Aegis. I have good experience with it, and allows better interoperability than Authy as well.
While it’s nice that password managers can handle this as others have mentioned, the whole point of a 2nd factor is to ensure an attacker can’t get in if they somehow get your password. Storing the second factor along with the 1st factor doesn’t make much sense to me.
I just did some quick research on these IDs. Correct me if I'm wrong, but it seems like each user account would be tied to one device. It also seems like the user, at least on Apple devices, has to opt into advertising tracking in order for your app to even get access to this.
Ignoring the security pitfalls of phone numbers, it really doesn't seem like these advertising IDs are a drop in replacement for using phone numbers.
Do what I do and turn off "allow multi-device." Problem solved -- even if your phone number is stolen, they can't recover your 2FA because it's locked to the device too.
You can enable multi device, and have it on multiple devices, then disable it (and keep it on multiple devices - it's just that then adding yet another device needs toggling multi-device on from an existing device, a confirmation SMS is not enough).
> for the 100,000th time, just stop using phone numbers for 2FA.
I agree, and I say this to whoever asks me too, and I avoid any services that still use phone numbers as a way to associate it to you (Signal, I’m looking at ya!)
However, easier said than done, some services still require you to use a phone number, like banks, some government agencies, insurance companies, etc., the services that actually matter if your data get leaked. I believe there should be a regulation to prevent using the phone in any way to confirm your ID, and never force you to provide one to access such services.
I slowly migrated away from Authy when they decided to shut down their desktop authenticator. You can painfully export codes, though I generated new 2FA codes at every vendor.
Some months ago, I used https://github.com/alexzorin/authy to export them. It basically creates a dummy-device to access the tokens, and then exports them to some format. But I have not figured out how to import them now into another app.
Use the plaintext export option on that project. Most TOTP apps should accept the URIs that are exported. Maybe not en-masse but individually for sure.
Ah, thank you, that worked in Aegis. I just missed the option for plaintext because of the long list of supported apps. So all it needs is a textfile with one otpauth://-entry per line and it imports them all at once.
I thought I had a lot of totp codes to migrate but then it turned out I didn't use many of them. After deducting them, there remained 10 apps that I needed to migrate. It took me an hour to port them to bitwarden manually.
I use Authy’s iOS app to generate 2FA tokens for a few accounts. I cannot remember ever entering my phone number into it, or establishing an Authy account of any kind. Is there some other way they would have acquired my phone number?
I’m trying see if the issue is some unanticipated issue with the iOS client app itself, or if it is only affecting people who created online accounts with Authy to sync their 2FA credentials across devices.
Authy is both a SaaS and a consumer-facing authenticator app.
When companies integrate Authy into their system, they can use it for SMS OTP (also deliverable by phone call + TTS iirc) as well as regular TOTP, Authy's proprietary TOTP, and others.
Your phone number would only be at risk if you used a service which used Authy for SMS 2FA
The consumer app also wants your phone number... It prompts you to "backup" your codes, so that they're not gone if you reinstall the app or switch devices
you probably gave them your phone number at some point if youve got authy on multiple devices.
/Edit: just checked on a clean install. It prompts for a phone number instantly and won't let you scan codes without creating an account. Not sure when that happened, as I haven't really used it in years.
We used Authy for 2FA at my last company and migrated off it to use a complete auth platform. The amount of user (consumer and business) hostile shit we found in the process was astounding.
Twilio was nice to work with way back when it was the only decent API-driven POTS connection service out there. They've steadily gotten worse over the years and acquisitions though. Wouldn't recommend them to my worst enemy these days.
You know, one thing I learned from my patients... they all hate the phone company. It's interesting; even the stock holders of the phone company hate the phone company!
Nothing in the iOS Settings app for Authy, but tapping the little gear icon in the app UI shows my phone number and email! I guess I did enter them at some point and forgot. Thanks.
Cloudflare should probably deprecate their Authy provider, considering they support other more secure MFA options (hardware and virtual WebAuthN). I believe Wise (ex TransferWise) and Plastiq also use Authy natively for SMS OTP server side, but provide no mechanism to disable SMS 2FA (boo).
Thank you for correcting me, Cloudflare was presented as an Authy token that would be destroyed when I deleted my Authy account and some of the docs I found led me to believe this was still actively in use. I retract the Cloudflare part of my above comment.
No need to apologize. We did use Authy for a long time but allowed more general TOTP solutions from 2017 and have really pushed hard for people to use hardware keys.
> I cannot remember ever entering my phone number into it, or establishing an Authy account of any kind. Is there some other way they would have acquired my phone number?
Entering your phone number was mandatory. This was what turned me away [1] from Authy to Duo Mobile on my Apple devices.
Does anyone have a recommendation for an Open Source 2FA OTP app? That's the only thing I use Authy for, to scan the QR Codes into the App and generate the 2FA tokens, but in a way that allows me to migrate to another phone without having to re-set all the 2FA tokens on the vendor side.
Raivo was bought by a shady developer last year and is no longer open source. If that wasn’t enough, a few weeks ago they released an update which deleted all your codes - failing at literally the one job a 2FA app has!
I'm of the opinion that it's basically fine yo store them in your password manager. Yes if your password manager is broken into you lose everything (same as having no 2fa in that case), but you still prevent people from guessing your password and often avoid having to deal with email- or text-based 2fa. And if your password manager is broken into, there's a good chance your device has been broken into, in which case it doesn't matter where you store your 2fa.
If you do not need QR codes, oathtool is great. You can protect your tokens, recovery codes etc. with gpg -c or similar, so the encryption is entirely separate from the authentication mechanism.
And you actually know what is going on. Works for GitHub.
I personally use Bitwarden for TOTPs (with a self hosted vaultwarden instance), it's by far not the most secure way to store your passwords and TOTPs next to each other, but it saves so much time.
I migrated to Aegis a while back because I wasn't happy with how hard it is to get secrets out of Authy, or that someone else is managing them, and they they need my phone number (guess I was right, again).
I use Folder Sync on my Android to sync the Aegis auto-backups to a MinIO bucket I host at home.
I use andOTP https://github.com/andOTP/andOTP and my favorite feature is the database of 2FA can be backed up PGP-encrypted and reimported on another device. But sadly it is no longer maintained. The latest version on Google Play Store is from 2021 and can still be installed and works fine on Android 14.
Ente Auth or bitwarden builtin one or keepassXC builtin one.
Migrating from Authy is a headache, though you don’t have to reset the tokens. I found a way to do it (1), but I had to do it manually because Authy only exported the email/user and the token. Now, if you are like how I used to be, having the same email for different accounts, the exported JSON will be confusing and there's no way to tell which account is for which service. Only in the Authy UI can you tell. I had to follow the order of the JSON and the app, one by one, for my 700+ accounts, and verify that it works by going to the service site and testing the generated code from the new app, and also changing the email to a unique one. It took a whole week!
Edit: to add, I wouldn’t recommend using Yubico or hardware-based ones unless you will have two or more replicas, losing them is easy compared to having your tokens backed up in an encrypted KeepassXC db for example.
For Android, if you happen to use Keepass as your password manager, I really like KeePassDX[0]. If the camera app you use doesn't support QR scanning, though, you'd need an app for that (and I don't think any FOSS camera apps implement this, as for as I can tell).
This one[1] seems the most up-to-date, by a German research group. You'd share the link as text to the KeePassDX app, search for the entry it's for, and it populates it with the HTOP/TOTP secret.
There are iOS Keepass clients that support this as well, though from what I can tell there's some drama with source code[2][3] in the landscape.
We are undergoing the same CASA audit (required to access Google Drive API). And we do have people forking and building the project from source, so one can hope they read what they compile. Strongbox' source code is half-closed (see #784 in their repo) so source-level independent audit is impossible.
Otherwise, no. A third-party audit costs like a year of part-time developer, and at this stage the developer is more useful.
There really has to be steep repercussions for companies that fail to protect user data like this. At this point I can't help but feel that there is wilful neglect with the aim of exfiltrating data with unknowable aim.
Our digital data must be recognized as human rights but lately the world has been vocal about it but silent when it comes to action and enforcement.
More and more reason why people no longer trust cloud hosted solutions. Offline-first, local-first with optional data sync is the only path forward to combat violation of our rights to our own digital data.
Case in point, feeding haveibeenpwned with a bunch of HN user handles reveal a good chunk of you aren't even aware your data has been leaked, especially ironic since I see comments from those handles are very anti-regulation when it comes to user data ownership.
I agree the US in particular should have better data protection laws and consequences.
But phone numbers aren’t something I’d consider confidential in most cases. Hell, we used to publish our phone numbers in physical books and give them to the whole town for free (literally).
The data was even monetized with ads plastering every page. I guess the digital age isn’t all that different from the analog age (in certain ways!)
We didn't use phone numbers to prove our identity back then. It was only used to call you. You often wanted it to be public so you could be reached. Now it's a critical piece of information required to access services online and prove who you say you are.
> Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint. We have taken action to secure this endpoint and no longer allow unauthenticated requests
How do I avoid such problems in my own app? Force authentication for all requests with row-level security? Rate limiting?
Any testing frameworks that would catch this? Something like "given endpoint /user/phone-number-validate make sure only <user> can access it".
One step we have taken is to build an auth system that requires you as the developer to explicitly specify the security of an endpoint using a decorator. If no decorator is provided, then the endpoint is completely locked down even to admins (effectively disabled).
If an endpoint is decorated with something that is considered dangerous (i.e. public access), that triggers additional review steps. In addition, the authentication forbids certain combinations of decorators and access patterns.
It's not perfect, but it has saved us a few times from securing endpoints incorrectly in code.
.NET web apps / APIs have an option where you can require authorization on all controllers (and their actions) by default. If you need an anonymous controller/action, you can use the `[AllowAnonymous]` attribute on it.
It's a common problem. On a previous job, I'd found one unauthenticated endpoint just because I want to add some integration tests on it and my tests failed! After that, I'd created a script which lists all endpoints and curl each one with invalid credentials and expecting them to return 401.
1. build a single endpoint handler that handles auth, then looks up the endpoint on the path.
2. Never create direct endpoints, just register endpoints in the system that the auth endpoint works under.
You know table driven tests?
Use table driven endpoints. It works and makes things so much simpler and secure.
> 1. build a single endpoint handler that handles auth, then looks up the endpoint on the path. 2. Never create direct endpoints, just register endpoints in the system that the auth endpoint works under.
Holy shit why is this even a question?? You. Write. Tests.
You build into your testing framework/library a mechanism that will craft sessions across your range of authentication-levels - unauthenticated (no-session), authenticated but unauthorized, etc. You mandate new endpoints must have permissions test in code review.
Simple, straight forward, and absolutely the bare minimum of competency for any endpoint returning personal data.
And then someone forgets to test that one thing for that one endpoint and no one notices ("mandate in code review" is not going to be fool-proof), or lines get crossed and they test the wrong thing.
This kind of arrogance is exactly how these mistakes get made.
Mh, I'm probably comparing apples to oranges and such.
But the last 2-3 times I setup a config management, I made sure to configure the local firewalls as deny-all by default, except for some necessities, like SSH access. And then you provide some convenient way to poke the necessary holes into the firewall to make stuff work. Then you add reviews and/or linting to make sure no one just goes "everything is public to everyone".
This way things are secure by default. No access - no security issues. And you have to make a decision to allow access to something. Given decent developers, this results in a pretty good minimum-privilege setup. And if you fuck up... in this day and age, it's better to hotfix too little access over losing all of your data imo.
SSM for life. Fun fact, one can also register non-AWS assets as SSM targets, so I could imagine a world in which it makes sense to create an AWS account, wire up federated auth, just to dispense with the hoopjumpery of SSH attack surface and Internet exposure
The break-glass is always a consideration, so it's no panacea but I still hope one day the other clouds adopt the SSM protocol same as they did with S3Api
I believe a lot of folks have had good experiences with Wireguard and similar, but thus far I haven't had hand-to-hand combat with it to comment. We use Teleport for its more fine-grained access and auditing, but I've had enough onoz with it to not recommend it in the same way as SSM
As alternatives: I use Authenticator Pro on my phone and keep encrypted backups whenever I modify it. I know others have pointed out Aegis.
The issue is starting the migration out of Authy. Assuming Authy has no easy export, I suggest you migrate over a few entries at a time (maybe from top down) while keeping account of transfers somehow. You can have authenticators live side by side in the meantime!
It's good. And the introduction of the Passwords app this fall will make it better.
But it seems to me that Apple only supports adding TOTP codes if you have a password for the account. Which is annoying if you want to split your passwords and second factor into two different places. (For example if you wanted Bitwarden for passwords and TOTP/Passkeys in Apple.)
You can of course put a dummy password in Apple. But that is kind of annoying.
I just migrated off of Authy last week but I was probably caught in this breach, ugh. Never liked it but they make it extremely difficult to export your data.
EDIT: it appears this project was actually using the unauthenticated endpoint (used in breach, too) to facilitate exporting, lol. Good luck to anyone trying to get off of Authy, Twilio really doesn't want you to export your data for "security" reasons.
The lack of export in Authy is a really ugly choice they made. When I migrated to Aegis I used some hack that involved a desktop Electron app's javascript console. I wonder if that still works?
Doesn't Bitwarden require you to be on the paid subscription plan to use 2FA? That's what I concluded anyway from trying to research this garbage when Microsoft was threatening to lock me out of my Github account. It's why I ended up on Authy.
> Doesn't Bitwarden require you to be on the paid subscription plan to use 2FA?
I believe they do, yes. Been on the $10/year plan and have forgotten the details on their tiers, though.
> It's why I ended up on Authy.
All 2FA really boils down to is a "otpauth://totp" URL that clients use to generate time based tokens. Once you have those exported somewhere, you can move to any TOTP app you want (desktop or mobile)
> All 2FA really boils down to is a "otpauth://totp" URL that clients use to generate time based tokens. Once you have those exported somewhere, you can move to any TOTP app you want (desktop or mobile)
Has anyone found a single open-source app that supports both mobile and desktop though? That was the attraction of Authy before they killed their desktop apps.
Not really, 2FA is literally just that: a second factor.
It makes it unlikely someone has access to both your password and the TOTP URI. So, if you leak your password on a public forum (for example), the person who gets that is not likely to also have your TOTP info.
i've switched to keepass right after first breach. it's not convenient to store the db on eg gdrive and sometimes it doesn't work, but that is way better than another SaaS app that will eventually leak my passwords/2fa codes.
IMO: I'm pretty sure this is less of an auth issue, than it is a rate limiting issue.
I haven't been able to find anything about the endpoint, but based on the data exposed[0] I think the endpoint they are talking about is the register one which requires a phone number.
I'd bet they didn't rate limit it, and someone just blasted through all phone numbers with it and stored the data for ones that didn't error out.
Jesus fucking Christ. Can these companies learn how to write software? Quality is dropping like dogs. Twilio used to be a good company and now they are utter shite. Such a shame. Leetcode and bad hiring practices have done this to our industry.
Neither bad hiring not leet code is a problem with Twilio properties in my experience. Quality however, that gets railroaded by "deliverables" -- the problem is craftsmanship is hard to maintain and manage as companies scale while priority shifts to product announcements.
There needs to be penalties. Massive penalties for breaches like this. That is the real problem. Nothing will happen to Twilio even though they caused such loss. They need to suffer economically for this, then quality will improve.
It seems much easier to pin the ever-decreasing quality of software on the practice of trying to keep everything secret (propriety). Like, obviously it's not secure if they don't let people audit it...
While this sucks, my phone is in so many data breaches at this point it doesn’t matter.
The spam-to-ham ratio on my phone number is now far worse than any other channel for me. The traditional phone network is at risk of going the way of the fax machine if we don’t do something about the spam problem like we did with email.
If I’m on a call, even with family, it’s now almost exclusively on FaceTime/zoom/meet/etc. I can’t remember the last time I talked on the traditional phone network or received a legitimate call. Which isn’t great because those aforementioned platforms are all proprietary walled gardens with terrible incentives — once they capture the market fully they will eventually dump ads all over your calls. Don’t believe me? Just look at what Gmail did to monetize the lock-in on your inbox.
I think that is intentional, AFAIK phone communication is more protected than other types so allowing spam to continue unabated is in the governments interest. Outsourcing the harassment to 3rd parties, similar to how prison torture is outsourced to the inmates. The government could fix these things but would rather not.
I think we just don't have very much competition in telecommunications so things never get fixed. Why bother? It's easier to extract rent off largely the same offerings as the rest of your market (difficult to understand pricing tiers that function as a congestion tax more than a transaction, often region-specific monopolies or duopolies, indistinguishable quality of service) and bring home large profits, market efficiency damned.
Almost no-one is pro-spam, it’s pretty much universally hated, and in many cases it’s already illegal so it’s more of a matter of enforcement. It is also trivial to detect.
Sure there probably is some regulatory capture but if anything at all can be regulated it’s spam calls / messages. If the government can’t regulate spam then what could it be expected to regulate.
The general population is increasing worried about scam calls for their elderly relatives, it’s already a big deal.
In fact there are really only two groups that are pro-spam: spammers, obviously, and the entities that provide them services from which they may spam.
Oh sure basically any provider of any service be it phone, web hosting, email, etc. will say they don't want spammers, and the email providers may actually mean it what with them not wanting their server's scores trashed and be unable to get email to anyone (though plenty others don't give a shit), but website hosts, telephone companies, and SMS providers? They utterly do not care and in fact go out of their way to not know when spammers are (mis)using their services.
Meanwhile like that other commenter said, everyone is incentivized to enter walled garden services that actually do the barest minimum of enforcement for spam activity. I doubt they're conspiring in a dark room somewhere, but neither side is going to upset at the other in that situation.
Hence my other example of the inability to police prisons enough to prevent abuse, I didn't allege an explicit scheming but a happy little accident. Allowing a problem to fester when it benefits you is totally normal and expected behavior. But if there is a role for government at all it would be regulate such dysfunctions.
> In fact there are really only two groups that are pro-spam
you forgot the entire marketing industry
> everyone is incentivized to enter walled garden services that actually do the barest minimum of enforcement for spam activity
These walled gardens actively spam you—that's how they make money. They only act against competing advertisers.
For there to be an incentive to avoid spam, we would need a social network not funded by it. To my knowledge this is essentially ActivityPub. In order for ActivityPub to be useful, we need an incentive to drag celebrities away from private paychecks that benefit from manipulation of other social networks (twitter, ig, tt). I don't believe there is any such entity or incentivization right now.
> The (US) government does an excellent job of regulating many things, such as commercial airplane design and construction
If the US government wanted a healthy industry, they would have bought one or otherwise directed actual competition. Instead we only have Boeing, which taxpayers also subsidized, which seems incompetent and unwilling to acknowledge fault, which seems to be generally a gargantuan waste of taxpayer dollars compared to a properly efficient and reliable no-profit outfit.
I have no idea what you are trying to say, but you appear not to know that the McDonnell Douglas merger was forced upon Boeing by the US government as a ‘cheap’ way to save McDonalds Douglass. Boeing didn’t really have a choice in the matter.
It would be highly improbable that the people making those kinds of decisions could successfully regulate an airline industry, or even the much easier task of spam.
The US government has also gone to great lengths to protect Boeing from competition by boxing out concord, canadian aircraft, and embraer . I think such companies like Boeing should be considered for-profit arms of the government instead of independent corporations.
It's easy now. It was an unsolved problem two decades ago.
And it's not like there's no technical means for the phones either. Just enforcing caller ID would go a long way to curtail spam. Like in our great Red Tape Europe, even with uptick in recent years we have a tiny fraction of spam calls compared to the United States.
> And it's not like there's no technical means for the phones either. Just enforcing caller ID would go a long way to curtail spam.
A) this is insanely naïve given the international treaties that make up telecommunication agreements. B) "Just enforcing caller ID would go a long way to curtail spam." telecoms don't have any clue who is calling, see above comments about treaties.
I was replying to the comment asserting that dealing with email spam is easier, which it most resolutely wasn't until the advent of statistical filters.
> A) this is insanely naïve given the international treaties that make up telecommunication agreements.
Fun thing about treaties and agreements is they are not laws of nature and can be entered, abandoned and amended at will. A lot of regulation is getting constantly updated.
I make and receive regular phone calls all the time. However I only answer those that are from numbers I have in my address book. I do the same with text messages, I have my default view set to "Known Senders" so I'm not even really aware of others. If I'm expecting an unknown sender message, such as a TFA code, it's easy enough to just look in "Unknown Senders" for it.
How convenient for the data collecting companies that so generously sponsor the new & free services, that our democratically controlled communication infrastructure looses in value.
Advertising is a cancer on modern society. It will metastasize to any new communications medium, public or private, and destroy it from within. People will switch to new medium that offer less spam, but advertisers quickly follow to strip-mine the new channel. A cycle of life, so to speak.
It’s also so annoying circular. We spend money to get more clients but this stops being effective at a certain point so now you’re just spending money to advertise for the sake of it or the status, and could even be losing money by doing so.
In my experience, the fear of missing out is a big driver for companies to continue to throw good money after bad in marketing. Maybe Facebook ads aren't driving as much traffic to your company as it used to, but if you give it up and all your competitors still use it it's pretty understandable to worry about falling behind the market.
I don’t have a problem with advertising generally, as long as I know upfront that’s what funds a tool I’m using, and isn’t disguised like a non-ad (eg. Unlike what Google does, which is outright deception). Advertising and spam are two separate things in my book.
However, my real problem is with what I call “The Google Strategy.” Basically, they take publicly funded infrastructure like HTTP and SMTP, capture the network by dumping “free” products on the market (with basically no advertising), kill off competitors, then monetize their market capture by removing the "free" part, packing these products with ads, making them worse and worse over time in the process. And everyone is trapped, since they captured the network of this public infrastructure. This is the story of Google Search, Gmail, YouTube, etc.
It’s anti-competitive, anti-markets, and quite frankly should have been regulated away as a strategy a long time ago.
Google basically ran Microsoft's classic anti-competitive B2B strategy to capture the consumer internet, and got away with it!
That might be the trendy term for it now, but the strategy is as old as time.
In old school economic terms its called "dumping." When international trade started becoming a major thing, aspiring monopolists would flood foreign markets with goods sold below-cost to push out local competitors, then ratchet up prices and reduce quality once they'd captured the market (basically the Google strategy).
Just like crypto people had to learn that financial regulation was in place for a reason, internet people have had to learn that industrial age anti-trust rules were also put in place for a reason. Now we just need to enforce them.
"Our democratically controlled communication infrastructure" honestly deserves to be deprecated and replaced with some kind of federated voice system that comes out of the IETF instead of the telcos. What kind of antediluvian nonsense doesn't use end-to-end encryption in 2024?
AT&T has a long history with three letter agencies. If they ever did implement e2e encryption it would certainly come with backdoors that make it e2e only by name.
All the more reason to have the IETF do it and leave AT&T out of it.
Any modern system is going to use IP as a transport. Even the traditional phone network is VoIP under the hood in modern networks. The replacement system should be kept as far from the influence of the last mile providers as possible.
The thing that definitely shouldn't happen is that you get your phone number from them. Let it be "user@host" like email or otherwise assigned via DNS.
Is our communication infrastructure democratically controlled? At least in the US, we may have federal regulators but isn't the infrastructure still owned by a few massive telecoms corporations?
> I can’t remember the last time I talked on the traditional phone network or received a legitimate call
Doctors and dentists.
Most of the calls I get are spam, but then the MOST important calls I get are from doctors, labs, and dentists. I do as much as possible online of course, but not all of these professionals have good online systems and phone calls are often required.
Sometimes you know what number they're going to be calling from ahead of time, but often you don't... especially if you're in a large medical network that has different offices for different specialists, etc. It's a really sad situation if you get sick and you're trying not to miss these important calls, especially when it's a long wait for a specialist and then you miss their call when they get to your name on the waiting list.
This will literally cost some people their lives and legislators need to act on making spoof calls impossible -- there's no reason why anyone should be allowed to spoof a number that they can't receive calls at.
> I can’t remember the last time I talked on the traditional phone network or received a legitimate call
Social services are another example. Many services are county-administered and thus don't have a centralized online platform. As always our most vulnerable populations suffer the most from techno-greed. Not the families of software engineers who built the system.
I recently had to help my father organize his medical visits.
Dealing with his healthcare providers was a bit of a pain, but it was way worse because he has stopped answering calls, primarily because of the call spam rate. I think because he owns his own business, he never fails to hand out his contact info when he is shopping, and he owns his own business (so his contact info is published by the city).
His phone provider has a feature to opt into spam filtering, his phone has another, and I downloaded a spam list filtering app for him. I disabled the ringer for numbers not in his contact list. I did similar actions to reduce spam in his text messages.
This was a good triage, but the damage is already done to his psyche. He doesn’t answer the phone anymore.
I've never had a single spam call on my main phone number, but friends who have got a new number get maybe 20 spam calls per day, with only having given their number to their closest friends and family.
I think one factor that weighs in heavily is if your contacts download thousands of spam apps onto their phones and click YES to every permission. Then your phone number is harvested from your contact's phone and sold. TikTok, for instance, will beg me multiple times on a frequent basis to see my contacts. I don't think you can even install WhatsApp without giving it your entire phone book, can you?
> I don't think you can even install WhatsApp without giving it your entire phone book, can you?
You can. It will cry and beg and nag every chance it gets (same as when you don’t allow notifications) but it will still function without these permissions (for now).
Tested with WA business on a “landline” voip number because I don’t want people to contact me via WA (and they would if I used my cell number for WA)
I don't know about most phones supporting that, probably depends on the market.
But best I can tell, 80% of my spam calls are just war dialing; a new number would get war dialed just as much. Probably wouldn't get collections calls for my deadbeat cousin though.
That's the worst! I had a collection agency keep calling consistently for a particular family member.
I got fed up, told the caller that I hadn't seen her in years and she could be dead in a ditch for all I knew, then asked if he could call me if he got a hold of her.
I do basically this with a subscription to MySudo. I always get funny looks when giving out a number, living in a small town people are surprised when it isn't one of the two or three area codes around here.
It works like a charm though. I have three tiers of numbers - one that I'll keep and goes to only friends and family, one that I will likely keep for a couple years until it starts getting too much spam, and a third tier that I cycle regularly and use for one off things like online orders.
I was still living in Vancouver, Canada when I learned maybe six or so years ago AT&T has removed all roaming restrictions in North America. So a few of us banded together, one of us crossed over to New York picked up a group subscription of sorts and we had very cheap subscriptions. Only the last 1-2 years did Canadian providers caught up, somewhat.
But the real advantage was if anyone called from a "local" number, local to my SIM at least, I immediately knew it was spam. I do not know anyone in Buffalo, I do not do business in Buffalo, there's no authority which has anything to do with me there, nothing. It's spam.
Reminds me of my parents... they live close enough to the US border that they just have a US cell phone plan. The plan is $50/mo/line USD and includes unlimited data/calling/text in Canada/US/Mexico. But because they live so close they're not actually roaming most of the time, and they're snow birds so they're in the US half the year anyway. They found the same thing as you... any calls from the same area code as their phone numbers was definitely not for them since it was somewhere very far away and they don't have any business there.
That doesn't always work. A lot of phone numbers out there are "dirty": they are on various marketing lists and will get spam calls and texts.
Some carriers do try to keep excessively dirty numbers inactive for a while after a customer cancels a plan and returns the number, in the hopes that the spam will fall off after to many "this number is disconnected" responses.
But sometimes they don't bother, and sometimes it just doesn't help all that much, because spammers are just running through the phone number space.
This is a long way of saying that even getting a new number doesn't always work. The number you end up with might already be inundated with spam.
Because the new Sim card is going to be assigned a phone number that’s been used by someone else in the past and will get even more spam. That’s been my experience on several new phone numbers I’ve gotten over the last few years.
I haven't answered my phone for anyone not in my VIP list in a year or two.
I can see when someone is calling and in realtime see them leaving a voicemail via speech-to-text and pick up the call if I want but 99.999% of the time it's spam.
Th topic of this subthread is exactly that one cannot rely on the contact list method because doctors may call from any unknown number. Maybe you haven’t had to deal with that (yet), but once you do you’ll realize that your method doesn’t work for that.
Same with home repair contractors. The person coming over to do the work is unlikely to call from the same number the business hands out that rings an office manager or the owner. Same goes for the person calling me back with an estimate I requested.
I have a business with a published phone number and I probably get 20 spam calls a day, at least half of which leave “voicemails,” some of which are just really loud high pitched noises for whatever reason.
It’s absolutely ridiculous. I wish I would have used a different number than my personal one back when I had started.
>I probably get 20 spam calls a day, at least half of which leave “voicemails,” some of which are just really loud high pitched noises for whatever reason.
Depending on his age the business may be a red herring.
Shady outbound call based operations purchase, trade, and mine data all day long. You can have Equifax directly sell you reams of demographic specific contact information. God help anyone who ordered from a catalog.
My grandparents received easily 30 scam/spam calls a day. Mostly from Medicare scammers and sketchy organizations that operate right at the edge of illegality. Not even counting the outright fraudulent “Microsoft Support” scams.
The problem with that idea is that when you make local calls, people think that you are the spammer.
I too have an out-of-state number after having moved, and I can definitely confirm that when I make a local call, some people will not pick up after seeing the unusual area code on their caller ID. They told me so.
There's another problem too: Even when I leave voicemail for a local business (plumber, dentist, replying to a "for sale" ad), some people will be thinking, Why does this guy need a plumber or want to buy my kayak if they live 1500 miles away?
I've resorted to leaving an explanation saying "Even though my area code is XYZ, I'm in the same city as you".
I moved from British Columbia (250 area code) to the Montreal suburbs (450 area code). The one digit difference was a huge issue: the number of times businesses and government agencies would helpfully "correct" my phone number when I gave it to them or when they tried to call it meant I missed a substantial number of important phone calls. I get it, my French isn't the greatest and I have a thick Anglo accent, but "deux cinq zéro" sounds very different from "quatre cinq zéro." Eventually I just gave up and got a local number (I ported my old one to VOIP.ms and forwarded it so I wouldn't miss calls).
Wow that seems crazy to me. I grew up in the northeastern US where even 3 decades ago, before a large expansion, we had 7 area codes within an hour drive. It would be bizarre to make such an assumption about someone, even then. When I lived in Boston, there was tons. Eastern Massachusetts alone has 339, 351, 508, 617, 774, 781, 857, and 978 as local area codes.
Almost all of the spam calls I receive have the same area code as my phone, which is in a different state from where I currently live.
These people who don't pick up for an unusual area code: don't they know that spammers are more likely to call from a "usual" area code? Am I mistaken?
Exactly, and not just the same area code, the spammers often have the same prefix as my phone number too... so it looks like someone "just around the corner".
That's weird to me, honestly. Does everyone expect you to get a new phone number anytime you move long distances?
Everyone i know has kept their phone number for years. You'd think businesses would be used to people who moved from out of town but kept their number.
I don't call places much aside from doctors/etc tho, so i guess i just haven't had that issue personally.
> I can’t remember the last time I talked on the traditional phone network or received a legitimate call
I think a whole lot more people still make regular phone calls than the ones who don't. Anyone who runs a business for example is usually on the phone ALL the time.
It's high time someone disrupted the damn desk phone network of these hospitals. It's definitely not a technical hurdle in 2024. All calls go on the data network. You route your calls out of the main router and any call that gets routed in such manner will have the ID of the router. Tag the router id to the hospital or hotel and be done with.
Is it not this simple ? With dual SIMs any phone can serve 2 lines so employees officially switch to the hospital e-sim within the hospital premises.
Or maybe telecommunications in general need disruption. Instead of having a number that anyone in the world can call, I should provide an abstract identity to a contact. When I approve that entity to contact me, and they get a unique identifier that only their identity can use to contact me, I decide how important their calls are to me:
1. Phone rings no matter what (doctors and other high profile contacts that I do not want to miss a call from)
2. Phone rings unless sleep mode active (family/friends). A second call within 3 minutes rings through in case of emergency.
3. Call goes straight to pre-recorded message (generic or unique to that identity) that tells them to text me their message/request (or when AI gets good enough, and it doesn't seem like it there yet for all accents, it transcribes their voicemail message).
4. Caller can leave a message but it is completely ignored by me and I don't know they left a message unless I go and check my spam folder.
I can change the call handling of any identity at any time, and there should also be an email and text message layer on top of this system so the same rules apply and I choose who can contact me with those methods as well.
I never get spam calls, but I do get a lot of spam SMS messages - also in Germany. (They're almost always fake 2FA activation messages from some bank I'm not a customer of)
My dentist texts me. My doctor uses MyChart, so I get notifications. Neither one calls me on the phone.
Even if they do want to call, they all have to support deaf people using TTYs, and phones all support RTT (TTY to cell). There's no need to take voice calls from legitimate businesses in the US.
I’ve been impressed with my iPhone and/or carrier (AT&T in the US) for tagging incoming calls as spam or telemarketing. The phone does still ring but I know not to answer it.
My phone number is from a different area code than I currently live in and I know no one from that area anymore. I can filter out 80% of spam just by ignoring calls from that area.
I wind-up using the phone because so many organizations malevolently misfeature they websites - doing what you want to (pay basic bill or whatever) is hard but upselling and new features, those you can do instantly.
America doesn’t have privacy laws that prevent robot spam. Repercussions for violating the SPAM Act are not prosecuted very often.
Personally, the only “spam” I get is flagged by the cellular provider and 99% of the time the calls are silenced. Not really an issue for me. The only people that “call” me are in my contacts list anyways. Everyone else can leave a VM or text message.
It's also far, far cheaper to make calls to US mobiles than mobiles in any other developed country. Like call termination to an EU mobile is 10x+ than a US mobile.
Definitely. I'm American and I've lived in the Netherlands for the past three years. The difference is night and day.
Whenever I visit, I switch to my US SIM card and am immediately bombarded with spam texts (mostly from political parties) and scam calls. In my experience, Android is pretty good at marking calls and texts as "potential scams," but they're still there. In the Netherlands, I've gotten a few scam attempts via WhatsApp. Other than that, I think I've received one phone call soliciting donations to the Red Cross, and nothing else.
Hmm... interesting. Spain should be covered by GDPR so you should be able to say "I reject right to process my personal data" and it should stop...
I had issue with Vodafone here - they were pestering me with calls/messages... even after I switched to Digi they were calling me for a week to try to convince me to stay (it just confirmed my decission to switch ;) )
This is why I have my own mail server and domain. Full control over mail, and access to features that you pay for (ie, unlimited e-mail aliases, control over mailbox size). No more worrying about “google decided to shut your free account down for whatever reason. Bye bye decades of emails and loss to services that use email based OTP or magic link login.
> If I’m on a call, even with family, it’s now almost exclusively on FaceTime/zoom/meet/etc.
I really don't get that. I don't get these, on neither of my phones (I've got two numbers). When it rings, it's virtually always friends or family. Sometimes the bank/insurance/doctor. Very exceptionally do I get a commercial or scam call.
I think it's not an argument good enough to excuse to excuse Authy here: "my phone already leaked, so what's one more leak!?".
> Which isn’t great because those aforementioned platforms are all proprietary walled gardens with terrible incentives
Oh I fully agree. I'm using Telegram for chat but zero FaceTime/meet/WhatsApp here. People want to call me, they usually phone me. Once in a rare while Telegram.
i'm jealous of you. I recently had a day where I got 25 phone calls. 23 were spam. Turning on iOS "ignore unrecognize phone numbers" has been amazing (i assume android has the same feature)
Wow. I was wondering why people were fussing about the odd spam call! The most I have had is 2 in a day and my number is in websites, social media, whatever.
Almost all spam is instantly recognisable. Mostly visa and parcel delivery scams.
In do not block unknown numbers because lots of organisations use them here (UK) This includes people I really do want to be able to contact me if they want to such as the police.
Occasionally I'll get spam from numbers in my contacts. I got a virtual kidnapping call from my wife's number the other day, which would have been terrifying if she wasn't sitting right next to me.
I have 5+ spam calls every day. Looking at my call history it’s been that way as far back as it lets me scroll.
Blocking doesn’t make a ton of difference, as it’s almost always a different number.
I don’t understand what they are calling for either. I’ve answered a few and most of the time it’s a dead line when I answer. Just silence.
Those are usually robo dialers looking for active numbers to resell to spammers/scammers. You answering puts you on their good list. These are also the calls that never leave any type of voicemail. I’m not sure what list VM gets you on.
This sounds intuitive, but isn't true in my experience. It's a natural consequence of aggressive dialing with a limited pool of agents. See my sibling comment: https://news.ycombinator.com/item?id=40882163
> I don’t understand what they are calling for either. I’ve answered a few and most of the time it’s a dead line when I answer. Just silence.
The primary operating goal of a predictive dialing system is minimizing agent downtime. Ideally, when an agent transitions into being ready to talk, they want as little time as possible before they're connected to a live lead.
In above-board telemarketing, where there's a finite list of leads instead of 000-000-0000 through 999-999-9999, the administrator will adjust dialing aggressiveness to minimize the chance that a lead picks up the phone but no agent is available to take the call. Because when that happens, the answering party experiences nothing but dead air, followed by a timeout, and a hangup.
The one nice consequence from this, though, is that if you do answer a spam call and get connected to a live person, chances are very high that several other potential marks got dead air instead. Maybe you saved grandma for another day.
> I can’t remember the last time I talked on the traditional phone network or received a legitimate call
Doctors, dentists, moving companies, home improvement contractors, recruiters, etc. These are some of the most important phone calls I've received in recent memory.
I don't know what world you live in, but I religiously block phone numbers after just one spam call. And I usually don't give out my phone number. (I'm much happier giving out email addresses since I have an infinite supply of addresses.) I never get enough spam calls that I feel like the phone system is going the way of the fax machine.
The solution to phone spam is voicemail transcription. Every call goes to voicemail, I get the transcription in a minute or two, and can call back if I want to.
> The telephone companies make money based on minutes of usage.
I don't see how that could be correct. Once you pay your monthly fee, the fewer minutes you tie up the company's resources the better for them. That's true too for pay-ahead plans.
IMO The problem with data breaches is not the phone number being exposed, it's the other data around it that one can combine with other breaches to make full profiles of a person's comings and goings, their location/purchase history, their associations and preferences, etc.
This is very valuable data to have, not only for advertisers, but also criminals and other bad actors.
Also, the fact that nobody ever questions the authenticity of leaked data should be VERY alarming. Imagine what power someone can hold over someone with manipulated leak data.
Doesn’t even have to be manipulated just incorrect. I share a rather uncommon name with at least two others within five years of my age. I get emails intended for either of them almost daily. One holds political views completely opposite my own. The other is rebuilding his life after a couple years in prison.
I would rather not have my own life intertwined with either of them but undoubtedly it already is to some degree.
The phone network we once knew is useless in terms of answering or bothering with any calls or text from those not in your contacts. If you do .. you do so at your own risk!
I used to get a couple of cold calls per year for surveys, but I got unlisted via GDPR requests and now its down to zero.
Companies do try collecting your phone number, but then I answer NO to the obligatory "do you want the latest offers" question (in the EU, this is opt-in not opt-out). And it doesn't matter if my phone number leaks.
This is similar to my email address use. I used to get emails from recruiters, but after a couple of replies informing them that whatever profile they have is illegal, with my email address not being public, asking them to delete it, the emails stopped. I still get spam, but it's mostly fraud and US companies. Fastmail's spam filters are good enough, BTW.
My phone number works just fine, and the phone network is valuable given the better signal 2G can have, or the fact that not everyone is on the app du jour. And I find it odd when people call me on WhatsApp.
I frequently see US folks criticising GDPR, so I'm guessing this is one of those "the US mind can't comprehend" moments.
>And I find it odd when people call me on WhatsApp.
Given that you're European, do you not have any friends/family outside your country, in neighboring EU countries? Wouldn't they have to pay high per-minute rates to call you?
Looks expensive. What about the regular phone plans? For instance, the plan I use currently in Japan has high per-minute or per-SMS charges for international numbers. The trade-off, of course, is that it's dirt cheap as long as you don't call international numbers, and basically just use it for mobile data. In a place where everyone uses LINE for communication, this works well.
In Finland I see the opposite problem. Traditional calling is dead, so there is absolutely no competition on international calls.
National calls and calls to nordic and Baltic countries are typically included in the subscription. But once you have to call to let's say central Europe per minute rates are exorbitant compared to today's data volume pricing.
Inside the EU / EES we usually have minutes included.
Right now my plan, with Orange, costs 7.5 EUR / month with unlimited 5G (for real), 16 GB of data when roaming, unlimited minutes when roaming in EU/EES, and 600 international minutes in EU/EES. We do have great deals here, BTW, I'm sure it's more expensive in other EU countries.
I'd have to upgrade for another 100 minutes with US / Canada, however, I have another plan from Digi that charges per minute but that's dirt cheap.
I do have acquaintances from US with which I communicate primarily via WhatsApp, but I don't need it for my family within EU.
> Inside the EU / EES we usually have minutes included.
Nowadays... but not so long ago it wasn't like that and the prices were abysmal. And considering that EU is somewhat smaller and there is higher chance of having international contacts make the IMs so popular (especially whatsapp)...
You're right about prices being higher not long ago.
> EU is somewhat smaller
By area? The EU's population is larger than that of the US.
WhatsApp is indeed very popular for IM, and nowadays, SMS is basically just for 2FA (I hoped RCS would change that, but it's too little too late unfortunately).
Everything you mentioned is the beauty of the EU privacy laws (so far), however there is another negative externality you haven't planned for maybe.
Giving your phone number out to all these services also means that it can be used as a single identifier to track you and your behavior across all those services.
> While this sucks, my phone is in so many data breaches at this point it doesn’t matter.
Yes, and this is the slope that we keep sliding down with these data breaches not being taken seriously. First it was your name and email. Now phone numbers. What's the next bit of our private info that we'll normalize leaking?
Currently, any password from more than 6 months ago, names of all my acquaintances, photos of all my paystubs over the last 6yrs (thank you Equifax and dishonest HR platforms), .... Astounding amounts of misconduct are normalized. They're just not widely known yet.
I’ve found some success is curbing spam calls with the “Silence Unknown Callers” feature in iPhone.
However this presents a few challenges. Mainly missing calls from delivery agents, who's number is obviously not in my iPhone contacts
Easy trick: Every time you get a spam call, answer it. Talk to them until _they_ hang up. String them along. Put them on speakerphone and keep working. Feed them fake credit card numbers (there are generators out there that create numbers that checksum correctly, so they type them into whatever they're using to bill numbers. Hopefully this helps flag them as a bad actor to the processors, idk).
It sounds like a lot of work, but when I started doing this about two years ago it took about two weeks for the calls to just... stop. Now I get a spam call maybe once a month. It's glorious.
My theory is this is the only route to get put on the _real_ do-not-call lists - the ones that spam companies in India have labelled "unprofitable numbers.txt". Seems like once you're on those, you're good.
Every minute they're listening to you use them for rubber-duck debugging is a minute they're not scamming Granny out of her 401k. Be prepared to get called bad names in foreign languages. Bonus points if you learn some phrases in their language to really get under their skin.
Reminds me of Lenny: https://en.m.wikipedia.org/wiki/Lenny_(bot) That one was just a recording of an old person saying weird incomprehensible things and asking for clarification at random intervals. No AI.
Very similar here... same for my primary gmail address... the most annoying thing is the "credit monitoring" that comes with a few of my credit cards is all but worthless... I get constant notices that my "email is compromised" but absolutely no detail on how/where/what exactly is compromised, with is like saying, your email is public.
While I do get a few regular phone calls a week, they're all in my contacts and I don't answer if the number isn't... at least 2/3 the time if I decide to answer as I'm expecting an out of band call, it's spam. On the flip side, I am wanting to setup for "your code is XXXXXX" as a verification on a personal website I'm working on to allow for public users. I know it doesn't add too much, but it's enough to reduce the noise. I'm not even sure what more hoops I need to jump through with Twilio to get to send said messages. I'm not a company, and not sending any kind of marketing campaign.
Anyone who has kids has to answer the phone from strangers routinely. School staff and camp counselors are routinely using their own cell phones these days to communicate with parents.
Doing it the opposite way - tying all outbound school/camp calls to a single callerID - risks blending the important with the automated reminders. LAUSD abuses their automated calling system to the extent that my wife and I have both screened calls from the front office involving an injured child, more than once.
The real issue here is getting to the root cause, which is carriers and their intermediary aggregators having incentives to carry large volumes of spam.
In a number of markets, operators have increased the cost of SMS messages to deter spam, only to find a massive increase in traffic pumping fraud that mysteriously appears in the system of trusted intermediaries. Everyone's making a goddamn fortune off it, and no one actually cares to fix it.
I feel the same way. I get far too many “hey!” Or “Hello?” “What’s up?” messages on my phone that never say another thing. Any family/friend of mine knows me well enough to try more than once to get my attention via messages, and 99% of them should probably be in my contact list already and I’ll hear the beep.
When I tried SendGrid it was super annoying that I had to install yet another Authenticator app on my phone. Now it’s become a point of data loss.
It’s bizarre to me that Twilio decided to get into the Authenticator business at all, especially while SendGrid had plenty enough problems to keep them busy.
and we should do product liability lawsuits on every service that only allows SMS based one time passwords, if they don't allow a client side only option
This doesn’t surprise me. I found an information exposure vuln on the user registration endpoint a while ago (given a phone number of an authy user who had previously registered via another customer, retrieve all other numbers/devices/timestamps, email addresses and other info for that user).
> Twilio has detected that threat actors were able to identify data associated with Authy accounts, including phone numbers, due to an unauthenticated endpoint
That app is so dumb. Completely negated the usefulness of TOTP. Needs just to die already. Some executive over at Twilio signed the check for Authy acquisition and is still trying to justify the expense.
407 comments
[ 3.2 ms ] story [ 284 ms ] threadIn my case, 1 Password can do this now. I believe the same is true for Bitwarden and Apple passwords.
The reason why I started using Authy a long time ago is that it supports multiple devices and isn't linked to any other account (such as Google or Microsoft).
Manage your own sync between devices with syncthing, dropbox or whatever you prefer.
While it’s nice that password managers can handle this as others have mentioned, the whole point of a 2nd factor is to ensure an attacker can’t get in if they somehow get your password. Storing the second factor along with the 1st factor doesn’t make much sense to me.
There are no more excuses other than asking for your phone to be sim-swapped and your bank accounts or your wallets to be drained by call centers.
If this breach doesn't scare you from using phone number for 2FA, then maybe nothing ever will and AI and deep fakes will make this even worse.
Using the device advertisee ID that the user is entitled to change.
// Sorry, for a moment I thought you were serious.
Ignoring the security pitfalls of phone numbers, it really doesn't seem like these advertising IDs are a drop in replacement for using phone numbers.
> It's used to store and retrieve your 2fa secrets in case you lose your device
The phone number doesn't store anything?
But if somehow knowing that phone number is a key to getting your 2FA secrets, you'd have a bigger problem.
Except it often is, and that's the problem.
https://authy.com/blog/understanding-authys-multi-device-fea...
A terrific reason to avoid anything Twilio / Authy
https://www.authy.com/integrations/ssh/
"Someone in your organization doesn't have a smartphone? We got you covered. Authy SSH can send them the token via SMS or a phone call."
I agree, and I say this to whoever asks me too, and I avoid any services that still use phone numbers as a way to associate it to you (Signal, I’m looking at ya!)
However, easier said than done, some services still require you to use a phone number, like banks, some government agencies, insurance companies, etc., the services that actually matter if your data get leaked. I believe there should be a regulation to prevent using the phone in any way to confirm your ID, and never force you to provide one to access such services.
The phone number here just acts as a username.
It's been possible for a very long time now.
Yet, companies keep leaking. And people keep sleeping.
encryption of data at rest is for hard drives that walk off, not for access.
I’m trying see if the issue is some unanticipated issue with the iOS client app itself, or if it is only affecting people who created online accounts with Authy to sync their 2FA credentials across devices.
When companies integrate Authy into their system, they can use it for SMS OTP (also deliverable by phone call + TTS iirc) as well as regular TOTP, Authy's proprietary TOTP, and others.
Your phone number would only be at risk if you used a service which used Authy for SMS 2FA
you probably gave them your phone number at some point if youve got authy on multiple devices.
/Edit: just checked on a clean install. It prompts for a phone number instantly and won't let you scan codes without creating an account. Not sure when that happened, as I haven't really used it in years.
We used Authy for 2FA at my last company and migrated off it to use a complete auth platform. The amount of user (consumer and business) hostile shit we found in the process was astounding.
Twilio was nice to work with way back when it was the only decent API-driven POTS connection service out there. They've steadily gotten worse over the years and acquisitions though. Wouldn't recommend them to my worst enemy these days.
For consumer password/2FA management, Bitwarden and Yubikey.
https://news.ycombinator.com/item?id=20936222
https://authy.com/guides/cloudflare/
Entering your phone number was mandatory. This was what turned me away [1] from Authy to Duo Mobile on my Apple devices.
https://news.ycombinator.com/item?id=33244324
https://www.reddit.com/r/privacy/comments/1d3zqvv/raivo_auth...
https://dangerousthings.com/product/apex-flex/
When it’s not a system I’m deeply concerned about I will just use the 2FA on the password manager.
And you actually know what is going on. Works for GitHub.
https://www.nongnu.org/oath-toolkit/
https://f-droid.org/packages/com.beemdevelopment.aegis/
Or if you have a YubiKey you could also use it for TOTPs
Windows, Linux, Android: https://github.com/Yubico/yubioath-flutter
iOs: https://github.com/Yubico/yubioath-ios
I personally use Bitwarden for TOTPs (with a self hosted vaultwarden instance), it's by far not the most secure way to store your passwords and TOTPs next to each other, but it saves so much time.
I migrated to Aegis a while back because I wasn't happy with how hard it is to get secrets out of Authy, or that someone else is managing them, and they they need my phone number (guess I was right, again).
I use Folder Sync on my Android to sync the Aegis auto-backups to a MinIO bucket I host at home.
Migrating from Authy is a headache, though you don’t have to reset the tokens. I found a way to do it (1), but I had to do it manually because Authy only exported the email/user and the token. Now, if you are like how I used to be, having the same email for different accounts, the exported JSON will be confusing and there's no way to tell which account is for which service. Only in the Authy UI can you tell. I had to follow the order of the JSON and the app, one by one, for my 700+ accounts, and verify that it works by going to the service site and testing the generated code from the new app, and also changing the email to a unique one. It took a whole week!
Edit: to add, I wouldn’t recommend using Yubico or hardware-based ones unless you will have two or more replicas, losing them is easy compared to having your tokens backed up in an encrypted KeepassXC db for example.
(1) https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d...
This one[1] seems the most up-to-date, by a German research group. You'd share the link as text to the KeePassDX app, search for the entry it's for, and it populates it with the HTOP/TOTP secret.
There are iOS Keepass clients that support this as well, though from what I can tell there's some drama with source code[2][3] in the landscape.
[0] https://f-droid.org/en/packages/com.kunzisoft.keepass.libre/
[1] https://f-droid.org/en/packages/com.secuso.privacyFriendlyCo...
[2] https://github.com/MiniKeePass/MiniKeePass/issues/606
[3] https://keepassium.com/articles/keepass-apps-for-ios/welcome...
And other allegations under the ethics & transparency sections of KeePassium's list of iOS alternatives https://keepassium.com/articles/keepass-apps-for-ios/
Is Keepassium audited?
Otherwise, no. A third-party audit costs like a year of part-time developer, and at this stage the developer is more useful.
Overall a good app, but if you want true Open Source KeePassium is the app to choose.
Our digital data must be recognized as human rights but lately the world has been vocal about it but silent when it comes to action and enforcement.
More and more reason why people no longer trust cloud hosted solutions. Offline-first, local-first with optional data sync is the only path forward to combat violation of our rights to our own digital data.
Case in point, feeding haveibeenpwned with a bunch of HN user handles reveal a good chunk of you aren't even aware your data has been leaked, especially ironic since I see comments from those handles are very anti-regulation when it comes to user data ownership.
But phone numbers aren’t something I’d consider confidential in most cases. Hell, we used to publish our phone numbers in physical books and give them to the whole town for free (literally).
The data was even monetized with ads plastering every page. I guess the digital age isn’t all that different from the analog age (in certain ways!)
How do I avoid such problems in my own app? Force authentication for all requests with row-level security? Rate limiting?
Any testing frameworks that would catch this? Something like "given endpoint /user/phone-number-validate make sure only <user> can access it".
If an endpoint is decorated with something that is considered dangerous (i.e. public access), that triggers additional review steps. In addition, the authentication forbids certain combinations of decorators and access patterns.
It's not perfect, but it has saved us a few times from securing endpoints incorrectly in code.
> that triggers additional review steps
Is this done by some sort of a linter running in CI?
1. build a single endpoint handler that handles auth, then looks up the endpoint on the path. 2. Never create direct endpoints, just register endpoints in the system that the auth endpoint works under.
You know table driven tests?
Use table driven endpoints. It works and makes things so much simpler and secure.
So like, an authn/authz middleware ?
1. Everyone tests authenticated user can do the right thing.
2. Can <wrong|expired> authenticated user access the data?
3. Can an unauthenticated user access data?
If there’s a testing framework that does this scaffolding automatically, I’d love to hear it.
You build into your testing framework/library a mechanism that will craft sessions across your range of authentication-levels - unauthenticated (no-session), authenticated but unauthorized, etc. You mandate new endpoints must have permissions test in code review.
Simple, straight forward, and absolutely the bare minimum of competency for any endpoint returning personal data.
This kind of arrogance is exactly how these mistakes get made.
But the last 2-3 times I setup a config management, I made sure to configure the local firewalls as deny-all by default, except for some necessities, like SSH access. And then you provide some convenient way to poke the necessary holes into the firewall to make stuff work. Then you add reviews and/or linting to make sure no one just goes "everything is public to everyone".
This way things are secure by default. No access - no security issues. And you have to make a decision to allow access to something. Given decent developers, this results in a pretty good minimum-privilege setup. And if you fuck up... in this day and age, it's better to hotfix too little access over losing all of your data imo.
SSM for life. Fun fact, one can also register non-AWS assets as SSM targets, so I could imagine a world in which it makes sense to create an AWS account, wire up federated auth, just to dispense with the hoopjumpery of SSH attack surface and Internet exposure
The break-glass is always a consideration, so it's no panacea but I still hope one day the other clouds adopt the SSM protocol same as they did with S3Api
I believe a lot of folks have had good experiences with Wireguard and similar, but thus far I haven't had hand-to-hand combat with it to comment. We use Teleport for its more fine-grained access and auditing, but I've had enough onoz with it to not recommend it in the same way as SSM
The issue is starting the migration out of Authy. Assuming Authy has no easy export, I suggest you migrate over a few entries at a time (maybe from top down) while keeping account of transfers somehow. You can have authenticators live side by side in the meantime!
https://support.apple.com/guide/iphone/automatically-fill-in...
But it seems to me that Apple only supports adding TOTP codes if you have a password for the account. Which is annoying if you want to split your passwords and second factor into two different places. (For example if you wanted Bitwarden for passwords and TOTP/Passkeys in Apple.)
You can of course put a dummy password in Apple. But that is kind of annoying.
I used this project for exporting: https://github.com/alexzorin/authy
EDIT: it appears this project was actually using the unauthenticated endpoint (used in breach, too) to facilitate exporting, lol. Good luck to anyone trying to get off of Authy, Twilio really doesn't want you to export your data for "security" reasons.
Also, if anyone is going either direction, Android <-> iOS, both of these open source options allow easy export.
I believe they do, yes. Been on the $10/year plan and have forgotten the details on their tiers, though.
> It's why I ended up on Authy.
All 2FA really boils down to is a "otpauth://totp" URL that clients use to generate time based tokens. Once you have those exported somewhere, you can move to any TOTP app you want (desktop or mobile)
And how do I do that in Authy
It makes it unlikely someone has access to both your password and the TOTP URI. So, if you leak your password on a public forum (for example), the person who gets that is not likely to also have your TOTP info.
The main purpose is that people won't get phished as easily or if they reuse passwords it can't be abused. Or if password was to leak for any reason.
This is truly unacceptable for an authentication product.
An authentication product that doesn't implement authentication correctly in their own APIs?
I haven't been able to find anything about the endpoint, but based on the data exposed[0] I think the endpoint they are talking about is the register one which requires a phone number.
I'd bet they didn't rate limit it, and someone just blasted through all phone numbers with it and stored the data for ones that didn't error out.
[0]
The CSV data columns:
account_id
phone_number
device_lock
account_status
device_count
The spam-to-ham ratio on my phone number is now far worse than any other channel for me. The traditional phone network is at risk of going the way of the fax machine if we don’t do something about the spam problem like we did with email.
If I’m on a call, even with family, it’s now almost exclusively on FaceTime/zoom/meet/etc. I can’t remember the last time I talked on the traditional phone network or received a legitimate call. Which isn’t great because those aforementioned platforms are all proprietary walled gardens with terrible incentives — once they capture the market fully they will eventually dump ads all over your calls. Don’t believe me? Just look at what Gmail did to monetize the lock-in on your inbox.
Yes, I'm exaggerating. No, it's not by much.
Sure there probably is some regulatory capture but if anything at all can be regulated it’s spam calls / messages. If the government can’t regulate spam then what could it be expected to regulate.
The general population is increasing worried about scam calls for their elderly relatives, it’s already a big deal.
In fact there are really only two groups that are pro-spam: spammers, obviously, and the entities that provide them services from which they may spam.
Oh sure basically any provider of any service be it phone, web hosting, email, etc. will say they don't want spammers, and the email providers may actually mean it what with them not wanting their server's scores trashed and be unable to get email to anyone (though plenty others don't give a shit), but website hosts, telephone companies, and SMS providers? They utterly do not care and in fact go out of their way to not know when spammers are (mis)using their services.
Meanwhile like that other commenter said, everyone is incentivized to enter walled garden services that actually do the barest minimum of enforcement for spam activity. I doubt they're conspiring in a dark room somewhere, but neither side is going to upset at the other in that situation.
you forgot the entire marketing industry
> everyone is incentivized to enter walled garden services that actually do the barest minimum of enforcement for spam activity
These walled gardens actively spam you—that's how they make money. They only act against competing advertisers.
For there to be an incentive to avoid spam, we would need a social network not funded by it. To my knowledge this is essentially ActivityPub. In order for ActivityPub to be useful, we need an incentive to drag celebrities away from private paychecks that benefit from manipulation of other social networks (twitter, ig, tt). I don't believe there is any such entity or incentivization right now.
The (US) government does an excellent job of regulating many things, such as commercial airplane design and construction. Oh wait...
If the US government wanted a healthy industry, they would have bought one or otherwise directed actual competition. Instead we only have Boeing, which taxpayers also subsidized, which seems incompetent and unwilling to acknowledge fault, which seems to be generally a gargantuan waste of taxpayer dollars compared to a properly efficient and reliable no-profit outfit.
I don't understand what this has to do with spam.
It would be highly improbable that the people making those kinds of decisions could successfully regulate an airline industry, or even the much easier task of spam.
The US government has also gone to great lengths to protect Boeing from competition by boxing out concord, canadian aircraft, and embraer . I think such companies like Boeing should be considered for-profit arms of the government instead of independent corporations.
They are if you point out ads are just spam by another name
And it's not like there's no technical means for the phones either. Just enforcing caller ID would go a long way to curtail spam. Like in our great Red Tape Europe, even with uptick in recent years we have a tiny fraction of spam calls compared to the United States.
If this were true we wouldn't have spam
> And it's not like there's no technical means for the phones either. Just enforcing caller ID would go a long way to curtail spam.
A) this is insanely naïve given the international treaties that make up telecommunication agreements. B) "Just enforcing caller ID would go a long way to curtail spam." telecoms don't have any clue who is calling, see above comments about treaties.
I was replying to the comment asserting that dealing with email spam is easier, which it most resolutely wasn't until the advent of statistical filters.
> A) this is insanely naïve given the international treaties that make up telecommunication agreements.
Fun thing about treaties and agreements is they are not laws of nature and can be entered, abandoned and amended at will. A lot of regulation is getting constantly updated.
Absolutely disagree, email is the spam king. Just the fact that you can contact someone without consent breaks the entire system.
However, my real problem is with what I call “The Google Strategy.” Basically, they take publicly funded infrastructure like HTTP and SMTP, capture the network by dumping “free” products on the market (with basically no advertising), kill off competitors, then monetize their market capture by removing the "free" part, packing these products with ads, making them worse and worse over time in the process. And everyone is trapped, since they captured the network of this public infrastructure. This is the story of Google Search, Gmail, YouTube, etc.
It’s anti-competitive, anti-markets, and quite frankly should have been regulated away as a strategy a long time ago.
Google basically ran Microsoft's classic anti-competitive B2B strategy to capture the consumer internet, and got away with it!
You should, honestly.
In old school economic terms its called "dumping." When international trade started becoming a major thing, aspiring monopolists would flood foreign markets with goods sold below-cost to push out local competitors, then ratchet up prices and reduce quality once they'd captured the market (basically the Google strategy).
Just like crypto people had to learn that financial regulation was in place for a reason, internet people have had to learn that industrial age anti-trust rules were also put in place for a reason. Now we just need to enforce them.
Any modern system is going to use IP as a transport. Even the traditional phone network is VoIP under the hood in modern networks. The replacement system should be kept as far from the influence of the last mile providers as possible.
The thing that definitely shouldn't happen is that you get your phone number from them. Let it be "user@host" like email or otherwise assigned via DNS.
Doctors and dentists.
Most of the calls I get are spam, but then the MOST important calls I get are from doctors, labs, and dentists. I do as much as possible online of course, but not all of these professionals have good online systems and phone calls are often required.
Sometimes you know what number they're going to be calling from ahead of time, but often you don't... especially if you're in a large medical network that has different offices for different specialists, etc. It's a really sad situation if you get sick and you're trying not to miss these important calls, especially when it's a long wait for a specialist and then you miss their call when they get to your name on the waiting list.
This will literally cost some people their lives and legislators need to act on making spoof calls impossible -- there's no reason why anyone should be allowed to spoof a number that they can't receive calls at.
Social services are another example. Many services are county-administered and thus don't have a centralized online platform. As always our most vulnerable populations suffer the most from techno-greed. Not the families of software engineers who built the system.
Dealing with his healthcare providers was a bit of a pain, but it was way worse because he has stopped answering calls, primarily because of the call spam rate. I think because he owns his own business, he never fails to hand out his contact info when he is shopping, and he owns his own business (so his contact info is published by the city).
His phone provider has a feature to opt into spam filtering, his phone has another, and I downloaded a spam list filtering app for him. I disabled the ringer for numbers not in his contact list. I did similar actions to reduce spam in his text messages.
This was a good triage, but the damage is already done to his psyche. He doesn’t answer the phone anymore.
Offer the second number with much greater discretion.
I've never had a single spam call on my main phone number, but friends who have got a new number get maybe 20 spam calls per day, with only having given their number to their closest friends and family.
I think one factor that weighs in heavily is if your contacts download thousands of spam apps onto their phones and click YES to every permission. Then your phone number is harvested from your contact's phone and sold. TikTok, for instance, will beg me multiple times on a frequent basis to see my contacts. I don't think you can even install WhatsApp without giving it your entire phone book, can you?
You can. It will cry and beg and nag every chance it gets (same as when you don’t allow notifications) but it will still function without these permissions (for now).
Tested with WA business on a “landline” voip number because I don’t want people to contact me via WA (and they would if I used my cell number for WA)
But best I can tell, 80% of my spam calls are just war dialing; a new number would get war dialed just as much. Probably wouldn't get collections calls for my deadbeat cousin though.
I believe most reasonably modern phones should support at least one active eSIM in addition to the physical SIM now.
I got fed up, told the caller that I hadn't seen her in years and she could be dead in a ditch for all I knew, then asked if he could call me if he got a hold of her.
They never called again.
I switched to low population area codes and that helped a lot. Currently getting 0-3/mo.
308 is low pop. https://en.wikipedia.org/wiki/Area_code_308
It works like a charm though. I have three tiers of numbers - one that I'll keep and goes to only friends and family, one that I will likely keep for a couple years until it starts getting too much spam, and a third tier that I cycle regularly and use for one off things like online orders.
I was still living in Vancouver, Canada when I learned maybe six or so years ago AT&T has removed all roaming restrictions in North America. So a few of us banded together, one of us crossed over to New York picked up a group subscription of sorts and we had very cheap subscriptions. Only the last 1-2 years did Canadian providers caught up, somewhat.
But the real advantage was if anyone called from a "local" number, local to my SIM at least, I immediately knew it was spam. I do not know anyone in Buffalo, I do not do business in Buffalo, there's no authority which has anything to do with me there, nothing. It's spam.
Some carriers do try to keep excessively dirty numbers inactive for a while after a customer cancels a plan and returns the number, in the hopes that the spam will fall off after to many "this number is disconnected" responses.
But sometimes they don't bother, and sometimes it just doesn't help all that much, because spammers are just running through the phone number space.
This is a long way of saying that even getting a new number doesn't always work. The number you end up with might already be inundated with spam.
I can see when someone is calling and in realtime see them leaving a voicemail via speech-to-text and pick up the call if I want but 99.999% of the time it's spam.
For doctors offices, it's a whole different bag and a true pain... you'll get voicemails with half a message that has none of the important details.
It’s absolutely ridiculous. I wish I would have used a different number than my personal one back when I had started.
That sounds like fax spam.
Shady outbound call based operations purchase, trade, and mine data all day long. You can have Equifax directly sell you reams of demographic specific contact information. God help anyone who ordered from a catalog.
My grandparents received easily 30 scam/spam calls a day. Mostly from Medicare scammers and sketchy organizations that operate right at the edge of illegality. Not even counting the outright fraudulent “Microsoft Support” scams.
My phone is out of state due to my previous address, and 95% of spam i get is spoofed to that old town or the surrounding area.
No doctors office/etc calls me from that area. It works pretty nice
The problem with that idea is that when you make local calls, people think that you are the spammer.
I too have an out-of-state number after having moved, and I can definitely confirm that when I make a local call, some people will not pick up after seeing the unusual area code on their caller ID. They told me so.
There's another problem too: Even when I leave voicemail for a local business (plumber, dentist, replying to a "for sale" ad), some people will be thinking, Why does this guy need a plumber or want to buy my kayak if they live 1500 miles away?
I've resorted to leaving an explanation saying "Even though my area code is XYZ, I'm in the same city as you".
The area code wouldn’t be a red flag for me, but this absolutely would.
These people who don't pick up for an unusual area code: don't they know that spammers are more likely to call from a "usual" area code? Am I mistaken?
Everyone i know has kept their phone number for years. You'd think businesses would be used to people who moved from out of town but kept their number.
I don't call places much aside from doctors/etc tho, so i guess i just haven't had that issue personally.
I think a whole lot more people still make regular phone calls than the ones who don't. Anyone who runs a business for example is usually on the phone ALL the time.
Is it not this simple ? With dual SIMs any phone can serve 2 lines so employees officially switch to the hospital e-sim within the hospital premises.
1. Phone rings no matter what (doctors and other high profile contacts that I do not want to miss a call from)
2. Phone rings unless sleep mode active (family/friends). A second call within 3 minutes rings through in case of emergency.
3. Call goes straight to pre-recorded message (generic or unique to that identity) that tells them to text me their message/request (or when AI gets good enough, and it doesn't seem like it there yet for all accents, it transcribes their voicemail message).
4. Caller can leave a message but it is completely ignored by me and I don't know they left a message unless I go and check my spam folder.
I can change the call handling of any identity at any time, and there should also be an email and text message layer on top of this system so the same rules apply and I choose who can contact me with those methods as well.
Complain to your government.
I settled on never answering my phone if not in my contact list, if the caller is not a spammer they leave a voicemail.
The number in my main phone changes every 90 days.
I get a new starter SIM every month.
Or we may end up in a world when doctors send us important Tiktoks.
Even if they do want to call, they all have to support deaf people using TTYs, and phones all support RTT (TTY to cell). There's no need to take voice calls from legitimate businesses in the US.
I wind-up using the phone because so many organizations malevolently misfeature they websites - doing what you want to (pay basic bill or whatever) is hard but upselling and new features, those you can do instantly.
Personally, the only “spam” I get is flagged by the cellular provider and 99% of the time the calls are silenced. Not really an issue for me. The only people that “call” me are in my contacts list anyways. Everyone else can leave a VM or text message.
Whenever I visit, I switch to my US SIM card and am immediately bombarded with spam texts (mostly from political parties) and scam calls. In my experience, Android is pretty good at marking calls and texts as "potential scams," but they're still there. In the Netherlands, I've gotten a few scam attempts via WhatsApp. Other than that, I think I've received one phone call soliciting donations to the Red Cross, and nothing else.
Luckily at the moment, there's still a delay after you answer the call as (I assume) you're being connected to a human. How long will this last....?
Currently, when I don't hear a voice within 1s or so, I hang up. A legitimate caller will (hopefully) call back pretty quick.
I had issue with Vodafone here - they were pestering me with calls/messages... even after I switched to Digi they were calling me for a week to try to convince me to stay (it just confirmed my decission to switch ;) )
They target the US, and to some extent the UK, Gulf countries like UAE where English is the de facto language.
This is why I have my own mail server and domain. Full control over mail, and access to features that you pay for (ie, unlimited e-mail aliases, control over mailbox size). No more worrying about “google decided to shut your free account down for whatever reason. Bye bye decades of emails and loss to services that use email based OTP or magic link login.
I really don't get that. I don't get these, on neither of my phones (I've got two numbers). When it rings, it's virtually always friends or family. Sometimes the bank/insurance/doctor. Very exceptionally do I get a commercial or scam call.
I think it's not an argument good enough to excuse to excuse Authy here: "my phone already leaked, so what's one more leak!?".
> Which isn’t great because those aforementioned platforms are all proprietary walled gardens with terrible incentives
Oh I fully agree. I'm using Telegram for chat but zero FaceTime/meet/WhatsApp here. People want to call me, they usually phone me. Once in a rare while Telegram.
Almost all spam is instantly recognisable. Mostly visa and parcel delivery scams.
In do not block unknown numbers because lots of organisations use them here (UK) This includes people I really do want to be able to contact me if they want to such as the police.
I think it's mostly just an issue in the US/North America
I don’t understand what they are calling for either. I’ve answered a few and most of the time it’s a dead line when I answer. Just silence.
The primary operating goal of a predictive dialing system is minimizing agent downtime. Ideally, when an agent transitions into being ready to talk, they want as little time as possible before they're connected to a live lead.
In above-board telemarketing, where there's a finite list of leads instead of 000-000-0000 through 999-999-9999, the administrator will adjust dialing aggressiveness to minimize the chance that a lead picks up the phone but no agent is available to take the call. Because when that happens, the answering party experiences nothing but dead air, followed by a timeout, and a hangup.
The one nice consequence from this, though, is that if you do answer a spam call and get connected to a live person, chances are very high that several other potential marks got dead air instead. Maybe you saved grandma for another day.
Doctors, dentists, moving companies, home improvement contractors, recruiters, etc. These are some of the most important phone calls I've received in recent memory.
I don't know what world you live in, but I religiously block phone numbers after just one spam call. And I usually don't give out my phone number. (I'm much happier giving out email addresses since I have an infinite supply of addresses.) I never get enough spam calls that I feel like the phone system is going the way of the fax machine.
Which will definitely end up in some data breach at some point.
Spam callers are likely the most lucrative customer of the telephone network for the telephone companies.
I don't see how that could be correct. Once you pay your monthly fee, the fewer minutes you tie up the company's resources the better for them. That's true too for pay-ahead plans.
This is very valuable data to have, not only for advertisers, but also criminals and other bad actors.
Also, the fact that nobody ever questions the authenticity of leaked data should be VERY alarming. Imagine what power someone can hold over someone with manipulated leak data.
I would rather not have my own life intertwined with either of them but undoubtedly it already is to some degree.
I used to get a couple of cold calls per year for surveys, but I got unlisted via GDPR requests and now its down to zero.
Companies do try collecting your phone number, but then I answer NO to the obligatory "do you want the latest offers" question (in the EU, this is opt-in not opt-out). And it doesn't matter if my phone number leaks.
This is similar to my email address use. I used to get emails from recruiters, but after a couple of replies informing them that whatever profile they have is illegal, with my email address not being public, asking them to delete it, the emails stopped. I still get spam, but it's mostly fraud and US companies. Fastmail's spam filters are good enough, BTW.
My phone number works just fine, and the phone network is valuable given the better signal 2G can have, or the fact that not everyone is on the app du jour. And I find it odd when people call me on WhatsApp.
I frequently see US folks criticising GDPR, so I'm guessing this is one of those "the US mind can't comprehend" moments.
Given that you're European, do you not have any friends/family outside your country, in neighboring EU countries? Wouldn't they have to pay high per-minute rates to call you?
Example from one provider: nope with 100 countries. Including the US, Canada, China etc.
National calls and calls to nordic and Baltic countries are typically included in the subscription. But once you have to call to let's say central Europe per minute rates are exorbitant compared to today's data volume pricing.
Right now my plan, with Orange, costs 7.5 EUR / month with unlimited 5G (for real), 16 GB of data when roaming, unlimited minutes when roaming in EU/EES, and 600 international minutes in EU/EES. We do have great deals here, BTW, I'm sure it's more expensive in other EU countries.
I'd have to upgrade for another 100 minutes with US / Canada, however, I have another plan from Digi that charges per minute but that's dirt cheap.
I do have acquaintances from US with which I communicate primarily via WhatsApp, but I don't need it for my family within EU.
Nowadays... but not so long ago it wasn't like that and the prices were abysmal. And considering that EU is somewhat smaller and there is higher chance of having international contacts make the IMs so popular (especially whatsapp)...
> EU is somewhat smaller
By area? The EU's population is larger than that of the US.
WhatsApp is indeed very popular for IM, and nowadays, SMS is basically just for 2FA (I hoped RCS would change that, but it's too little too late unfortunately).
Yes, by area, which second part of the sentence implied when I mentioned it's easier to end-up in different country without driving miles on end :)
Giving your phone number out to all these services also means that it can be used as a single identifier to track you and your behavior across all those services.
I'm not sure that GDPR is helping us a lot there.
Yes, and this is the slope that we keep sliding down with these data breaches not being taken seriously. First it was your name and email. Now phone numbers. What's the next bit of our private info that we'll normalize leaking?
I still don't recommend to do that and just toss those that demand your phone number away. Get a business phone if your work demands it.
It sounds like a lot of work, but when I started doing this about two years ago it took about two weeks for the calls to just... stop. Now I get a spam call maybe once a month. It's glorious.
My theory is this is the only route to get put on the _real_ do-not-call lists - the ones that spam companies in India have labelled "unprofitable numbers.txt". Seems like once you're on those, you're good.
Every minute they're listening to you use them for rubber-duck debugging is a minute they're not scamming Granny out of her 401k. Be prepared to get called bad names in foreign languages. Bonus points if you learn some phrases in their language to really get under their skin.
I started doing this as well.
I mimic the Jolly Roger call service and they usually hang up in less than a minute.
Ex…
- Act like you can’t hear them
- Ask them to restart what they were saying
- Start a conversation with a fictional person in the background
It’s fun and makes getting spam calls enjoyable.
https://jollyrogertelephone.com/
While I do get a few regular phone calls a week, they're all in my contacts and I don't answer if the number isn't... at least 2/3 the time if I decide to answer as I'm expecting an out of band call, it's spam. On the flip side, I am wanting to setup for "your code is XXXXXX" as a verification on a personal website I'm working on to allow for public users. I know it doesn't add too much, but it's enough to reduce the noise. I'm not even sure what more hoops I need to jump through with Twilio to get to send said messages. I'm not a company, and not sending any kind of marketing campaign.
Doing it the opposite way - tying all outbound school/camp calls to a single callerID - risks blending the important with the automated reminders. LAUSD abuses their automated calling system to the extent that my wife and I have both screened calls from the front office involving an injured child, more than once.
The real issue here is getting to the root cause, which is carriers and their intermediary aggregators having incentives to carry large volumes of spam.
In a number of markets, operators have increased the cost of SMS messages to deter spam, only to find a massive increase in traffic pumping fraud that mysteriously appears in the system of trusted intermediaries. Everyone's making a goddamn fortune off it, and no one actually cares to fix it.
It’s bizarre to me that Twilio decided to get into the Authenticator business at all, especially while SendGrid had plenty enough problems to keep them busy.
It took them two years to fix it.
Isn’t it what you are describing?
Definitely some similarities though, I’d love to see some concrete technical information on it.