

My wife and I had an appointment last week to apply for a line of credit. We talked it all through with the clerk and decided to go for it, so he started the whole process on his computer.

His jaw dropped half-way through when he asked for my wife's and my phone number, and I had to tell him that I don't own a smart phone.

Turns out you must have a smart phone because the system sends you some kind of code to verify your identity. Let that sink in: I am sitting in front of the clerk, but in order to identify me, he needs me to give him some phone number.

The only way we could finalize the application is by me asking my mother whether I could use her phone number briefly to get this over with. She forwarded the code to my wife's phone. That worked in the end -- but so much for "identifying me".


> in order to identify me

We should stop accepting this ridiculous excuse. Our phone numbers are not identifiers. How does me telling a bank "My phone number is 123-456-7890" give them any assurance whatsoever that I am the person whose name will be printed on a loan document?


Well, my case is the best proof of that: the phone number I ended up using was my mom's.

It's most definitely baloney because I also had to provide ID. So, certainly there is no way I could identify myself "even more" by giving them a phone number than by giving them a government issued ID.


> Our phone numbers are not identifiers.

I think you missed the point. The process creates an identifier, by strongly associating you with the phone number.

This association allows the bank to quickly establish your identity later when you call up or use online services.


As the sibling commenter pointed out, in their case, it totally failed to create a meaningful identifier, because he used some other person's phone to get past the ridiculous gate.

It’s not ridiculous. It’s for you to verify. It’s setting up 2FA. How can you not understand that?

2FA presumes user-ownership of the second factor, and that possession of the second factor authenticates that the possessor is the account owner. It's ridiculous because in the OP's case, he literally had someone else temporarily hand him the second factor in front of the clerk: the 2FA didn't really authenticate anything, and the clerk could even see that.

Yes. It presumes things but it also allows the bank deniability. If you get completely hosed - it’s mostly on you for supplying a shit 2FA.

Come on guys. It’s obvious why banks have this. Everything identity related is stolen constantly.


Even if it was useful in OP's case -- which it wasn't -- SMS 2FA is frowned upon by all modern security standards because it has several severe security issues.

I agree it sucks. Sadly, the world we live in. It’s a stop gap. Most people aren’t special enough to have their shit scooped up by some foreign telco operator.

The issue goes far beyond foreign telco operators.

1. It is quite easy to accidentally take over someone's account(s) on various mobile apps when you get a new phone number these days. Many apps will allow you to log in with your phone number, reset password or do one-time login via SMS, etc. Some even do it automatically as a convenience. This isn't an edge case issue -- this happens on several of the top social media platforms, etc.

2. SIM swapping is still a viable fraud vector for identity theft and financial crime.

3. It is very vulnerable to phishing, and its prevalence only has exacerbated that.


It's not necessarily just for the 2FA snakeoil. The worst places snap on a glove and proctologize your network identity metadata (spilled by all the underlying carriers, IIUC), and sometimes even billing records with your name and address (more vulnerable if you're still on a postpaid). The US desperately needs a port of the EU's GDPR, for starters.

>Turns out you must have a smart phone

Any phone that can receive SMS, not a smartphone. You could purchase a burner flip phone for this purpose.


I don't think the assumption that SMS is enough is valid anymore.

My wife's elderly aunt has a flip phone that can receive SMS but not MMS. We just went thru an "identity verification" procedure with a major bank last week that sends MMS, not SMS, and could not reach her flip phone.

The whole ordeal was a huge pain in the ass and if my wife and I weren't there to help her it would have been completely impenetrable to her.


>My wife's elderly aunt has a flip phone that can receive SMS but not MMS.

Doubt it, model number?

>We just went thru an "identity verification" procedure with a major bank last week that sends MMS, not SMS, and could not reach her flip phone.

Double doubt it, verification services do not use MMS. It would be against NIST standards and not a single verification software sends MMSs. I work in this space. MMS is being deprecated across the globe, multiple telcos have already entirely disabled MMS at the network level.

You're likely confusing getting a verification number in the banking app, not SMS/MMS.


I don't have the make / model of her phone. I suppose it could be an issue with her phone plan, or settings on her phone. I don't have tons of experience in the wireless telco space and I'm sure I'm abusing terminology.

My Android phone says "SMS" under the "bubble", next to the time, when I send my wife's aunt a message. If I attempt to attach a photo to a message to her (which I've always thought was "MMS") she never receives the photo or any text I send with the photo. Nothing.

re: the identity verification

We had the bank send the message to my wife's phone. She received a message with a link to a website in the native text messaging app on her iPhone. My wife absolutely doesn't have the bank's "app" installed. The website linked in the message used her camera to photograph her aunt's ID and face. I don't know what color the "bubble" was on my wife's iPhone, which I know has some ability to differentiate SMS vs iMessage.

My aunt can receive text messages. She couldn't receive this message. That's what I know.


> multiple telcos have already entirely disabled MMS at the network level.

Really? Are they just presuming all of their customers can use RCS now? Or am I missing something?


>Really?

Yes, really!

>Are they just presuming all of their customers can use RCS now? Or am I missing something?

Vast majority presume customers are using WhatsApp or similar apps to share photos and such. RCS rollout has been slow, but picked up in the last few years.

Countries with operators that have discontinued MMS include: India (BSNL; from 1 November 2015),[16] Philippines (Sun Cellular, Smart Communications, TNT; from 28 September 2018),[17] Singapore (Singtel, M1, Starhub; from 16 November 2021),[18] Kazakhstan (Kcell; from 6 May 2022),[19] Switzerland (Swisscom, Salt Mobile; from 10 January 2023),[20][21] Germany (Vodafone; from 17 January 2023).[22]

https://en.wikipedia.org/wiki/Multimedia_Messaging_Service


Ah I forgot most of the world stopped using the phone part of their phone.

MMS is ancient. Ancient enough that my carrier disabled it entirely. Maybe the flip phone UI is shitty, or the carrier hasn't supplied the necessary APN info to the phone, or the phone hasn't been set up to use that APN because of a bug, or they're using some kind of modernized, non-standard MMS media type or something, but there's no way that phone can't receive MMS at all.

Like I said in my other comment - She can't receive a message with a photo from me. Just text, she can. It's an old phone, I think a Kyocera, and I believe her carrier is Cricket Wireless.

I could also buy a smartphone. The point is that I shouldn't have to.

Sometimes the code must be received through the bank’s app. I went through this process recently to open a new account (at a bank where I already had other accounts). I didn’t think much of it at the time, but if you didn’t have or want a smartphone, this could be a major problem.

2-factor authentication codes via SMS are pretty common and don't require a smart phone. You haven't run into this before?

No, I don't really use a lot of services that require 2FA and for the ones I have to (e.g. work), there's always been a workaround.

But this might not really have been a 2FA case - I mean, I was physically sitting in the bank.


> It’s setting up 2FA.

What for? It was a mandatory step but my wife and I will manage the credit through an app on her phone. Minimally, I should have the option to waive it.

You’re both signing up and aren’t one singular entity. She might be the one actually using the app and whatever line of credit but you’re still signing up with the bank. They need a way to do 2FA for you and not just her. If you divorce, how are they going to do 2FA when you’re separated? If it was her phone number then she could imitate you and get more credit or do whatever.

Etc. etc.

Genuinely no idea why you’re not considering this.


I have genuinely no idea why I need a smartphone to get a line of credit, and that there is no alternative for people who don't have one.

Also, the thought that we as a married couple are not an entity is strange to me, but I guess that's the modern way of thinking, and I am old.


If it was an SMS verification code, you don't need a smartphone. You need the kind of cell phone that's been around for 20 years.

The uncomfortable truth is that they most probably need your phone to check the online accounts you have. I believe most bank applications do it automatically as part of fraud prevention. May I ask, what is the country?

If the dystopia did not exist man would create it.

Had a similar process when helping my parents settle in after relocating to Spain recently. I ended up having to ask an acquaintance to put down their phone so I could get some verification codes or information about an appointment in order to sign them up for... a Home internet + mobile phone lines bundle.

Cherry on top of this dystopian situation was that the number needed to be a Spanish phone number. Couldn't be from a different country code.


I understand what you mean, however it's still quite hilarious that there is a user on *checks notes* hacker news, who does not have a phone.

This reminds me of the Japanese cybersecurity minister who did not use a computer.

Bonus points if you work at Apple, or Google and work on iOS or Android. Would explain a lot why they are the way they are.


It's not so hilarious, really; there's nothing like a stint in the sausage factory to put one off one's taste for sausage.

I know I'm in the minority but I value privacy higher than convenience. I'm aware that not having a smart phone does not automatically equal total privacy, but I just cannot get myself to have a personal tracking device on me 24/7.

Many security/privacy nerds don't own end consumer gadgets etc...

Some folks go vegan after seeing how the sausage gets made.


I know Chrome / Chrome-adjacent googlers who swear by Firefox.

What are their reasons? I can imagine a few and I use Firefox myself, but I'd be interested in anything non-obvious.

There's no extension support for Chrome on Android. There's no way to stop Chrome on Android from hiding the address bar when scrolling. Those were mine, not sure if they still apply.

The extensions are of course one of my reasons for using Firefox. I'm occasionally mildly annoyed by the auto-hiding address bar, but didn't know that it's configurable, so thanks - I've changed the setting!

Ahem, more than one ...

Imagine being on hacker news and having an iPhone instead of a Pinephone /jk.

I'm always annoyed when some real-world good or service is only available to people with a smartphone, especially when it wasn't always so. Blue Bikes (rentable bicycles) were in the past usable with a membership card, but it got phased out in favour of an app.


Amazing - an acquaintance of ours when we lived in Germany a couple of years ago had a similar idea. But she found that telemedicine + prescription drugs (and possibly advertising law) are among the most regulated areas in a country already known for its red tape.

I didn't follow up what became of her startup idea, but there's no way she could have ever gotten it off the ground in just two months, like the guy from the article and his brother. More like two years...


This was quite a popular business in the US during covid. I had someone prescribe benzos after a 15 minute call where they didn’t seem to be paying attention. I believe they’re shut down due to legal issues.

I think there's a place for it, there are services that help people access things like naltrexone and baclofen for alcohol addiction or finasteride for hair loss and probably many other potentially life-changing scripts that can sometimes be difficult to access even by those who need them. It's a lot easier to get a dr to continue a prescription than to initiate it if you don't have a great dr who listens and works with you.

Not enough information here to make informed comments.

Agreed. I will say that poking around a bit more on that site it looks like a temporary restraining order involving the same parties was granted, so perhaps there's some more history to this dispute than just what is visible on said link.

If your workplace takes legal action against you, there is more history.

"Workplace violence restraining orders" in California appear to be a type of restraining order that can be filed by an employer on behalf of an employee, to protect said employee from a third party

https://selfhelp.courts.ca.gov/WV-restraining-order


Interesting. Where we currently live, kids carry all books back and forth between home and school every day in giant backpacks.

Back when I went to school in Germany, we had a locker at school, but I just took the books I needed for assignments home with me. I haven't heard of schools that don't let you take (loaned) books home.

That's possibly the first time that "skyrocketed" and "5%" have been used together in one sentence.

Of total users 5% is a substantial number of consumers and some would argue a non-trivial amount of market share to ignore when making a product.

This also goes without saying that the more adoption we see, the better these alternatives will get as we see consumers and businesses view Linux as worth the investment.


Exactly, 5% isn't much, but it's enough to compel developers to make sure their game runs well through Proton, which is all that is necessary these days. Ports aren't really worth it, especially if they aren't going to be as well maintained in the long run (cough, Valve, cough).

The first 5% is the hardest. It won’t take 35 years to reach 10%.

"You know what's a lot harder? The first 50%" - windows

Given how Windows 11 is going I would guess "You know what's a lot harder? Not trending downwards." would be the more obvious one.

I heard this in a Justin Timberlake as Napster guy voice

5 per cent is a significant number. In many elections for example, this is the minimum to have representatives and/or receive state funding.

Ah yes, forgot this was HN.

"OS disruptor 5Xs in 3 years thanks to innovative new multi-platform solution, securing unprecedented market share."


Then it's not AGPL, because Section 10 of the AGPL explicitly states:

| You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License.

https://www.gnu.org/licenses/agpl-3.0.en.html#section10


...or to tighten them.

In Germany, where Lidl is originally from, you can already order them online in their store. This is a variety for your balcony: https://www.lidl.de/p/vale-gmbh-balkonkraftwerk-ecoflow-860-...

Product Features:

- Name: VALE MiniPV 880-EF8N

- Control: Free App

- Communication: WiFi 2.4 GHz

- Performance: max. 800 W

- Tension: approx. 230 V

- Frequency: 50 Hz

- Power supply: Solar inputs: up to 60 V, mains current 230 V

- Protection rating: IP67

- Material: Solar modules: glass and aluminium frame

- Inverter: Cast aluminium

- Dimensions: approx. L 172.2 x W 113.4 x H 3 cm (per solar module) approx. L 25,3 x W 22.2 x H 3.5 cm (inverter)

- Weight: approx. 56 kg

- Scope of delivery: 2 x Premium solar panels, each 440WP, Black, Bifazial; 1 x Premium inverter 800 Watt with WiFi; 1 x connection cable (5 m), safety plug; Quick start guide


> Control: Free App

Ugh.

I have as much love for solar as the next hippy, though I can't be the only one put off by a lack of an open API and, *gasp*, a complete set of physical controls.

This IoT shite has gone too far.


For Emacs, I agree with the maintainer's analysis that this is really a git bug: what happens is that Emacs runs `git ls-files` and that triggers a script execution.

So, the attack vector here is the following: attacker provides a malicious script in a .git directory, packaged for download. If the user unpacks the package and merely opens a file, Emacs runs `git ls-files` which in turn executes the malicious script.

However, while I agree that this is a flaw in git, and Emacs should rightfully expect that running an "ls" command should be considered harmless, I do not agree with the stance that this does not require a reaction on the part of the Emacs maintainers: Now that you've been made aware of this unfortunate git behavior, I think some steps should be taken to not trigger it. That is, the functionality that runs `git ls-files` should be double checked (do we really need it? can we avoid the malicious side-effects? etc.)
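A pre-open check for the situation described in the comment above, as an added example that is not part of the original comment and is not code from Emacs or git: it inspects a downloaded tar archive and flags every file that would unpack into a `.git` directory. The function names, the quarantine policy and the in-memory sample archive are assumptions constructed for illustration.

```python
import io
import tarfile
from pathlib import PurePosixPath


def git_metadata_members(tar_bytes):
    """Return (path, is_executable) for every regular file the archive
    would unpack inside a .git directory."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            parts = PurePosixPath(member.name).parts
            # Compare case-insensitively: some filesystems treat .GIT as .git.
            in_git_dir = any(p.lower() == ".git" for p in parts[:-1])
            if in_git_dir and member.isfile():
                findings.append((member.name, bool(member.mode & 0o111)))
    return findings


def should_quarantine(tar_bytes):
    """Policy (assumption): a source package offered for download has no
    reason to ship repository metadata, so any .git content means the tree
    should not be opened in a tool that runs git automatically."""
    return len(git_metadata_members(tar_bytes)) > 0


def constructed_sample(with_git):
    """Build a small tar archive in memory; all contents are constructed."""
    entries = [("pkg/README.txt", b"hello\n", 0o644)]
    if with_git:
        entries += [
            ("pkg/.git/config", b"[core]\n", 0o644),
            ("pkg/.git/helper.sh", b"#!/bin/sh\n", 0o755),  # placeholder file
        ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data, mode in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for label, with_git in (("clean", False), ("ships .git", True)):
        sample = constructed_sample(with_git)
        print(label, should_quarantine(sample), git_metadata_members(sample))
```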

