Ask HN: Text messages as identity verification a bad idea?
So this morning I'm having some fun. Someone tried to gain access to my Gmail account by turning on a feature I didn't even know AT&T had; web messaging. AT&T claimed on the phone with me that it can only be enabled via the phone, but I didn't enable it and my phone was sitting next to me on my desk, locked. So clearly there's a way to enable it through the web.
The message I got telling me AT&T web messaging was enabled for my account was shortly followed by a Google verification code. So someone was trying to use that feature to access my Gmail account.
Which got me thinking; which is the big mistake? Allowing a way to intercept text messages via the web, or assuming that text messages are a secure means of verifying identity?
Text messages as identity verification has become fairly common place, but in light of the fact that they can be intercepted on the web, is that at all a good idea?
3 comments
[ 2.4 ms ] story [ 28.3 ms ] threadMy credit union previously offered a text message code when registering a new computer, now they call me directly.
Again it's not much, but I can only imagine they switched it for a reason.