This should be far more secure and privacy friendly than a SIM card of a cellular connection. Why isn’t this done more often? What are the pros and cons? I bet the price is similar as well.

  • Majestic@lemmy.ml · 30 upvotes · 9 months ago

    Cons:

    You absolutely cannot get 2FA authenticator codes from 90% of services. Many services that require a phone number even without 2FA just for “verify you’re a human” or because they want your data or to verify region use shortcode services that also will not work with ANY VOIP provider.

    You will not receive their codes. These companies vary from banking institutions to gaming companies to online shopping marketplaces and stores to a Google account (it used to be you could get an automated phone call to verify an account; not anymore, you must be able to receive SMS from shortcodes, which are disabled for VOIP numbers, to register and to recover an account) to just about anyone you could end up doing business with.

    A shockingly large number of companies demand phone numbers and send verification texts before allowing you to do business with them, to create an account, to recover an account, to delete an account, to place an order, etc.

    They really shouldn’t; it’s a bad security practice, but companies love it because with a phone number they can lower support costs by just allowing people to do a self-service where they get an automated text and can unlock their locked account. They also love harvesting that data, preventing anonymization with VOIP numbers, and the reduction of fraud and increase of reliable KYC that comes with requiring them.

    And they all take it as a given that EVERYONE, or at least 99%, has a cell plan with a non-VOIP number that works with these, and the 1% who don’t they don’t care about in the developed world and are an acceptable loss.

    • mox@lemmy.sdf.org · 9 upvotes · 9 months ago

      I think how often this is a problem varies widely from person to person. I don’t remember the last time I gave a mobile number out to a company, but it was more than a few years ago. The last few that strictly required one were non-essential; I just took my business elsewhere.

    • JustEnoughDucks@feddit.nl · 5 upvotes · 9 months ago

      90% of American commercial services that is.

      Online services or many/most European services have more proper 2FA (TOTP, app-based, card reader OTP, etc…)

      • delirious_owl@discuss.online · 3 upvotes · edited · 9 months ago

        Can you name me an EU bank that doesn’t demand a phone number to sign up?

        Unfortunately, PSD2 doesn’t support TOTP and other strong 2FA solutions, so they all appear to require phone numbers. This is one area where the EU is worse than the US.

        • JustEnoughDucks@feddit.nl · 3 upvotes · edited · 9 months ago

          That is a completely separate issue from the above commenter.

          You absolutely cannot get 2FA authenticator codes from 90% of services

          A shockingly large amount of companies demand phone numbers and send verification texts before allowing you to do business with them, to create an account, to recover an account, to delete an account, to place an order, etc.

          They really shouldn’t, it’s a bad security practice but companies love it because with a phone number they can lower support costs by just allowing people to do a self-service where they get an automated text and can unlock their locked account.

          Also an issue, but indeed a separate issue from using insecure SMS as TOTP.

        • Nithanim@programming.dev · 2 upvotes · 9 months ago

          My EU bank never ever used my phone number to verify anything. They only used it to contact me on some occasions. 2FA is done through their app.

          • delirious_owl@discuss.online · 1 upvote · edited · 9 months ago

            Oh, right, their closed source app. That’s allowed. So it requires a phone.

            So the OTP is still transmitted to satisfy the requirements of PSD2. But TOTP (a more secure system that doesn’t transmit the OTP at all) is not allowed.
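
The distinction drawn in this sub-thread between an SMS OTP (minted by the server and shipped to the phone on every login) and a TOTP (derived on both sides from a secret shared once at enrolment, so no code crosses the network) can be made concrete. The following is an added example, not code from any commenter or from PSD2/bank software; it implements RFC 4226 HOTP and RFC 6238 TOTP with HMAC-SHA1 and models the two services as small classes that record what each one has to transmit per login. User names and the phone number are constructed samples.

```python
import hashlib
import hmac
import secrets
import struct

# RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# RFC 6238 TOTP: the counter is the number of `step`-second intervals since the Unix epoch.
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, unix_time // step, digits)

def verify_totp(secret: bytes, submitted: str, unix_time: int,
                window: int = 1, step: int = 30) -> bool:
    """Server-side check tolerating +/- `window` steps of clock drift between the parties."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * step, step), submitted):
            return True
    return False

class SmsOtpService:
    """SMS model: the server mints a fresh random code per login and must send it to the phone."""
    def __init__(self):
        self.pending = {}      # phone number -> outstanding code
        self.transmitted = []  # every code that left the server (what an SMS interceptor sees)

    def start_login(self, phone: str) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[phone] = code
        self.transmitted.append(code)   # this is where a real service hands it to an SMS gateway
        return code

    def finish_login(self, phone: str, submitted: str) -> bool:
        expected = self.pending.pop(phone, None)   # single use: the code is consumed either way
        return expected is not None and hmac.compare_digest(expected, submitted)

class TotpService:
    """TOTP model: one shared secret at enrolment; nothing per login leaves the server."""
    def __init__(self):
        self.secrets = {}      # username -> shared secret
        self.transmitted = []  # stays empty after enrolment

    def enroll(self, user: str) -> bytes:
        self.secrets[user] = secrets.token_bytes(20)   # 160-bit secret, RFC 4226 recommended size
        return self.secrets[user]                      # shown once, e.g. as a provisioning QR code

    def finish_login(self, user: str, submitted: str, unix_time: int) -> bool:
        return verify_totp(self.secrets[user], submitted, unix_time)

def demo(now: int = 1234567890) -> dict:
    """Run one login through each model and report what each had to transmit."""
    sms = SmsOtpService()
    code = sms.start_login("+15555550100")            # constructed sample number
    sms_ok = sms.finish_login("+15555550100", code)

    svc = TotpService()
    shared = svc.enroll("alice")                      # the only thing ever shared
    client_code = totp(shared, now)                   # computed locally on the authenticator
    totp_ok = svc.finish_login("alice", client_code, now)
    return {"sms_ok": sms_ok, "sms_codes_sent": len(sms.transmitted),
            "totp_ok": totp_ok, "totp_codes_sent": len(svc.transmitted)}
```

`hotp` and `totp` reproduce the published RFC 4226/6238 test vectors for the ASCII secret `12345678901234567890`, so the output can be checked against any standard authenticator app.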

      • Majestic@lemmy.ml · 1 upvote · edited · 9 months ago

        You can, but they’ll find out. It’s reported or flagged or something; they can tell what provider holds a number and they block VOIP ones. Also, if a number was ever previously a VOIP number, do not try to transfer it back to proper cellular, as it will still remain blocked for many (but not all) of these, potentially for years.

    • chappedafloat@lemmy.wtf · 1 upvote, 1 downvote · 9 months ago

      You can buy phone numbers online for cents for one-time verification purposes, or even rent a number long term if you need to. It’s better to use these anonymous cheap throwaway numbers if you want privacy, instead of your real phone number for everything.

    • delirious_owl@discuss.online · 1 upvote, 2 downvotes · 9 months ago

      You probably shouldn’t be using a service that requires a phone number. More often than not, they use it as a backdoor to bypass your password and it leaves your account super vulnerable.

  • Hanrahan@slrpnk.net · 12 upvotes · 9 months ago

    Still so much 2FA via SMS where I am in Aus.

    I’d prefer to move everything over to something like Signal, but I need a phone # to register for that, and how do you tell the bank my Signal ID is @hanrhan.666?

  • Broken@lemmy.ml · 6 upvotes · 9 months ago

    I’ve been trying to work this out since the beginning of the year. This is anecdotally what I’ve done, what works and what doesn’t.

    Most of my solution comes from JMP.chat for my phone number along with the Cheogram app for functionality.

    Basically I got a number for friends and family. I got a second number to give to businesses that don’t care about VoIP (my dentist etc.) ($5 ea). Cons here are that SMS groups are limited to 10 recipients. This doesn’t work for my large family chats (I can get them but can’t respond). Another thing I dislike is that since it’s XMPP-based, all contacts are listed as their phone number if in a group, so it’s hard to tell who’s in it. (Solo texts show as names just fine.) They have a premium tier that routes differently to allow more than 10 in a group text, but I’ve tried that twice now and the actual phone calling gets screwed up. So I’m still trying to get it all sorted out (and I’m not optimistic). It’s also a service only in the USA and CAN.

    My original number, which I’ve had for 20 years and all big tech have assigned to me, I ported to Google Voice ($20 fee).

    Since my original phone number was a carrier number, it is already assigned to all the stringent companies like banks. They continue to use it without knowing it’s now a VoIP number. I have all SMS messages forwarded to my email so I don’t have to log into Google ever. It works perfectly for 2FA. The shortcoming of this is that for any group texts the email just says you got a group text, but for a single-source text the actual text is forwarded. I don’t use it for groups so it’s not a problem, but just mentioning it as a potential con. Then of course, it’s legacy, so opening new accounts won’t work the same way since it’s a VoIP number now.

    I bought a hotspot from Calyx. By far the most expensive part of my solution. But it gives me WiFi access without a standard carrier (it does use T-Mobile, but Calyx doesn’t track you like they do). Check them out to see if it fits your threat model. It works out to about $50/mo, but the biggest issue is that it’s an annual lump sum.

    Another option I’ve been trying is 4freedommobile. They have decent plans and are focused on privacy. Everything runs through their app for encryption. But I’ve found the app lacking both in UI and functionality. You can’t do group SMS (which is apparently coming very soon), but my biggest issue is they require Google Play services for notifications. They state they don’t, but they do. Hands down, it just doesn’t work without it. So that’s a deal killer for me.

    Honorable mention is the premium service Elfani. I haven’t used it but have considered it. It’s very expensive at $99 a month but is secure. However, I don’t see much on privacy, so I’m not sure how different they really end up being from their base AT&T provider.

    • OhVenus_Baby@lemmy.ml (OP) · 1 upvote · edited · 2 days ago

      I have decided this approach is such a pain and hassle that I have had to change forms. Mostly due to modern society’s infrastructure making it truly impossible.

      I moved all phone related things, programs, apps, anything but dumb flip phone calling and texting, to an x86-based tablet. (Even a WWAN or 5G SIM-capable device doesn’t have a cellular modem, so the easiest route is this.)

      Hotspot or cable tethering from a SIM card (5G/4G LTE/VoLTE) in a smartphone, with your carrier SIM of choice; best to pick a device matching their cellular band support in your part of the world. Routing calls/texts to the desktop Linux device of your choice: laptop, tablet, 2-in-1, basically the device of your choosing. Using the phone for nothing except internet, period… perhaps a backup device if ever needed, worst case, if your main goes down or breaks.

      Secure and private as one could get, and totally power-userable due to Linux desktop capabilities and granular controls of literally everything, while still having the best reliable internet coverage, with traditional calling and texting for 2FA and other big corpo stuff. Yes, the SIM is tied to your real identity, but the actual day to day is much more private and secure than mobile: separate device, VPN, LUKS drive, VeraCrypt, all desktop x86 (distro of your choice) Linux abilities. Close as one could get without living under a rock daily. Full backups and snapshots offsite, sent to a NAS or true cloned drives.

      What do you think?

      Then you harden the hardware further (so many ways to list, again device dependent), and software as well (depends on your OS and needs/wants). (Qubes is too beefy to run all day as a phone replacement regardless of hardware. Batteries are the weak link.) That being said, pick any distro you feel good about and go.

      This form is the most stable method, while being realistic to the goal. I have my own personal preferences for which devices, distros, settings, etc., that I can use daily.

      • MangoPenguin@lemmy.blahaj.zone · 1 upvote · 1 day ago

        I don’t see how a hotspot for internet is going to be any different from using data directly on the smartphone.

        If you don’t want it always on you can just enable airplane mode when you don’t need a connection. And turn off the GPS, wifi, and bluetooth if you don’t want those used for location stuff.

        • OhVenus_Baby@lemmy.ml (OP) · 1 upvote · 1 day ago

          Yeah, that’s the thing. Hotspots are not any different and require the same SIM cards, except if you choose satellite Starlink. That’s it. So the reasoning behind going the route I have is to completely cut out the mobile aspect and every part within, except the 5G SIM card, since modern infrastructure doesn’t allow it basically.

          All comms, apps, services, everything moved to a Linux x86 device, and simply cable tether for internet. It’s still identity tied due to the SIM (same with hotspots due to the SIM, so a cell is lighter and better equipped to run lean; even flashing custom ROMs adds to the control factor), but again it’s realistically as close and hassle free as one can get for daily use as a total phone replacement for a normal person. The entire phone is disabled aside from data, and that’s behind a VPN.

          Anyone have suggestions on better paths or methods?

          • MangoPenguin@lemmy.blahaj.zone · 1 upvote · edited · 1 day ago

            From only thinking about it for a minute I’m not sure using a Linux x86 device vs a smartphone with a custom ROM changes anything, since all the traffic from websites, chat apps, etc is encrypted with SSL already. There could be other benefits I didn’t think of maybe…

            IMO the best option is grab a Google Pixel, flash GrapheneOS, use a VPN, and only install open source apps that aren’t full of analytics. You can throw it in airplane mode if you don’t want to be tracked by the cell carrier.

            A phone with graphene is also MUCH more secure than a Linux x86 device in terms of law enforcement searches or theft of the device. And is safer against malware and having your data potentially stolen.

            • OhVenus_Baby@lemmy.ml (OP) · 1 upvote · edited · 1 day ago

              I happen to disagree here. I’ve used Gos for years; it lacks so many fundamental features and has a lot of issues. The entire project has really siloed itself into some issues they aren’t addressing. Let me explain by pulling from some of my posts.

              Edit: You can’t see everything you’ve ever posted, only a brief history. Basically some issues with Gos are lack of full backups/device to device, which in so many ways is a deal breaker… Seedvault works; I’ve hopped from model to model phones for years, and the problems you run into are plentiful and haven’t been addressed in years. Each profile must be backed up individually, not on the same SSD either, separate drives, as the restoration isn’t possible without separate drives due to backup limitations. The easiest I have found is to back up like usual with a flash drive for each profile, which is super cumbersome to keep up with at the frequency one really should.

              I’ve restored and tried everything, including dev talks and their forums; they plan to try to fix some issues, but it’s been 3 years so far since we talked in depth and nothing yet. Lack of granular networking controls for almost all reasons possible: this is an issue most people think “connect to a VPN and you’re solid”. A VPN is a single tool in the chain of tools; compatibility and software issues are numerous. Anyone who has used Gos and really daily driven all the functionality, aside from flashing a single device, for years knows the pains I am talking about, the power users.

              The project has silo’d itself into security, when that is just one aspect of any system. It’s really not the white knight everyone thinks it is. Yes it has merit, yes it’s well done so far, but to truly utilize in all your cases you mention and average person scenarios for daily life given what people try to use it for and or avoid from say confiscation, seizure, etc etc.

              There’s so many issues aside from just losing your device, your life’s data is tied into an OS that well is secure mostly, but you’ll never see your data back again once it’s stolen or lost or taken.

              I can’t remember some of the things I have written down in my comment history, and it’s late in my time zone to rack my memory that deep. But there’s a lot of reasons most people don’t know enough about, or understand why Gos is not the end all be all OS. It’s good and has great features for security but lacks most fundamental features of a modern x86-based system. Mobile attack surface is bigger and harder to control; mobile has limitation issues fundamentally on all sides. So does x86 or ARM etc. Understand your threat model and work accordingly. If you want to continue this I will update the post as I remember Gos limitations and problems.

      • Broken@lemmy.ml · 1 upvote · 2 days ago

        If your internet connection is coming from hotspot tethering to your phone you’ll want to put it in a Faraday bag when not in use since your phone will be trackable at all times even if off. If you use a hotspot instead the cell signal and WiFi are still trackable but the lack of Bluetooth and GPS aids greatly in keeping the tracking to a minimum.

        • OhVenus_Baby@lemmy.ml (OP) · 1 upvote · 2 days ago

          Sounds pretty good actually. I repair electronics, I wonder about just removing the GPS chip from the phone?

          Either way, with internet you’re going to be tracked; the point is to minimize as much as possible. Triangulation will always be an issue.

          I’m not some giant target. Just a daily privacy conscious user like anyone, who wants to support FLOSS projects. I think in my use case I found the least hassle solution. I have no real use for insane amounts of solutions like a journalist or whistleblower. Just a normal person doing the best they can.

            • OhVenus_Baby@lemmy.ml (OP) · 1 upvote · 1 day ago

              Yeah, I just saw that. GPS is literally the backbone of phones. Wild. Software is the only way to spoof and/or disable the feature. Custom ROMs are the only method essentially to gain the control you need. G-OS, Lineage, etc. etc., which means the device also runs leaner and the battery lasts days. It’s really the best solution as far as I can tell.

              • MangoPenguin@lemmy.blahaj.zone · 1 upvote · edited · 1 day ago

                Any Android phone lets you disable the GPS and use airplane mode, so custom ROMs aren’t needed for that.

                But de-Googled ROMs do indeed have less/no data going to Google, although the apps you install will be the same either way.

  • NomenCumLitteris@lemmy.ml · 4 upvotes · 9 months ago

    You can keep your cell number with jmp.chat. Call over WiFi or data. They offer eSIM. View text messages on any device/program with XMPP support. 2FA works 100% like normal, unlike VoIP. All data, calls, texts are routed through their VPN first, then the cell network. Any other in-house XMPP chat not going to networks stays within XMPP. I have no affiliation with jmp.chat; I am satisfied with the service.

    • capital@lemmy.world · 1 upvote · 9 months ago

      I could see this being a problem for me:

      Note: While JMP does provide phone numbers and voice/SMS features, it does not provide 911, 112, 999 or other emergency services over voice or SMS.

      How do you deal with it?

      • NomenCumLitteris@lemmy.ml · 2 upvotes · 9 months ago

        That is true, but there is a good reason. For example, you may call 911 in North America without any cell plan, or without a SIM. As long as you are within physical range of any cell tower (whether your phone shows bars or not) the 911 call will go through. This is required by law. So, like your quoted text indicates, 911 calls would just need to be routed through your phone’s native dialer instead of, let’s say, Cheogram’s dialer (jmp.chat’s phone/message app).

        • delirious_owl@discuss.online · 3 upvotes · edited · 9 months ago

          SIM cards are a computing device that can execute closed source code on your device, sent from a cell tower.

          Most of the zero days used by NSO Group that were reported by Citizen Lab only worked if you had a SIM card. By eliminating SIM cards, you decrease the attack surface area by magnitudes.

          • NomenCumLitteris@lemmy.ml · 2 upvotes · 9 months ago

            Thanks for enlightening me. That is certainly concerning. I am not knowledgeable enough to say if eSIM would be outside the scope of that attack. There are some differences in how the tech is implemented, but heck, my eSIM still connects to the cell tower at the end of the day (and to multiple carriers, at that, unlike a physical SIM). If there is a surface area, there is a chance for attack vectors.

  • Kairos@lemmy.today · 3 upvotes · 9 months ago

    A pro is that you don’t need a small, fragile device to use your primary communication method.

    But the pros are that it’s usually cheaper if you know what to look for.

  • chappedafloat@lemmy.wtf · 4 upvotes, 1 downvote · 9 months ago

    Why not is the question, and that comes down to guessing. Sheep do what they are told, so no need to guess much there. Those who are not sheep have to go through a long journey to gradually keep increasing their privacy and unlearn the sheep habits we’ve been conditioned to have.

    The end goal is to throw away your phone, because you can do everything on your computer instead, including buying a phone number, using VoIP, and taking and making calls. Phones are unnecessary spy devices used by sheep.

    • Randomgal@lemmy.ca · 3 upvotes · 9 months ago

      Hmmm… Or maybe people just like making calls easily man. Not everything is an ideology war.

      • chappedafloat@lemmy.wtf · 1 upvote, 1 downvote · 9 months ago

        Privacy is about making the effort to protect it. With your logic you should just use the Google Chrome browser and be signed in to Google because it makes an easier experience. Then install Alexa in your home and make it a smart home; it also makes life easier.

        • Analog@lemmy.ml · 2 upvotes · 9 months ago

          Not addressing your main points. Just wanted to point out you can have a smart home with purely local devices. No cloud.

  • Lawn_and_disorder [he/him]@hexbear.net · 2 upvotes · edited · 9 months ago

    SMS codes, as mentioned, and cellular data make something with a SIM card or eSIM a necessity. This can be mitigated by using a portable hotspot or cellular router/modem. Had a Teltonika router that auto-forwards the SMS as email.

  • Jeena@piefed.jeena.net · 2 upvotes · 9 months ago

    The only time I call anyone is when my partner can’t find her phone and I have to call it, because we set it so that my number is on the VIP list, so it will ring even if it’s on mute or Do Not Disturb mode.

  • delirious_owl@discuss.online · 2 upvotes, 1 downvote · edited · 9 months ago

    If you care about security, don’t put a SIM card in your phone.

    Personally I don’t have a VoIP plan. For archaic services that I can’t live without and that require a phone number, I use Google Voice or Skype. It’s a vulnerability, so avoid it if at all possible.

    • refalo@programming.dev · 6 upvotes · 9 months ago

      If you care about security, don’t put a SIM card in your phone.

      Depends on what you mean by security… or privacy. You need to define a threat model before any suggestions can be made.

      If you’re worried about someone hacking into your phone via an app, a SIM card likely won’t make a difference.

      If you’re worried about your location being tracked… that can often be done without a sim card or any cellular service on your device.

      Then there are malicious carriers (or ones compelled by a government) that could track you without even having legitimate service activated. All phones at least in the US now are mandated to have (A)GPS receivers.

      All depends on what your concerns are.

      • delirious_owl@discuss.online · 1 upvote, 2 downvotes · edited · 9 months ago

        My location isn’t being tracked. Not having a SIM card is part of the reason why.

        I’m not worried about apps on my phone owning my device. I would be worried about a SIM card owning my device.