This should be far more secure and privacy friendly than a Sim card of a cellular connection. Why isn’t this done more often? What are the Pros and Cons. I bet the price is similar as well.
I’ve been trying to work this out since the beginning of the year. This is anecdotally what I’ve done, what works and what doesn’t.
Most of my solution comes from JMP.chat for my phone number along with the cheogram app for functionality.
Basically I got a number for friends and family. I got a second number to give to businesses that don’t care about VoIP (my dentist etc). ($5 ea). Cons here are that SMS groups are limited to 10 recipients. This doesn’t work for my large family chats (I can get them but can’t respond). Another thing I dislike is since its XMPP based, all contacts are listed as their phone number if in a group, so it’s hard to tell who’s in it. (Solo texts show as names just fine). They have a premium tier that routes differently to allow more than 10 in a group text, but I’ve tried that twice now and the actual phone calling gets screwed up. So I’m still trying to get it all sorted out (and I’m not optimistic) It’s also a service only in USA and CAN.
My original number that I’ve had for 20 years and all big tech have assigned to me, I ported to google voice ($20 fee)
Since my original phone number was a carrier number it is already assigned to all the stringent companies like banks. They continue to use it without knowing its now a VoIP number. I have all SMS messages forwarded to my email so I don’t have to log into google ever. It works perfectly for 2FA. Shortcoming of this is that any group texts the email just says you got a group text, but a single source text the actual text is forwarded. I don’t use it for groups so its not a problem but just mentioning it as a potential con. Then of course, its legacy so opening new accounts won’t work the same way since its a VoIP number now.
I bought a hotspot from calyx. By far the most expensive part of my solution. But it gives me WiFi access without a standard carrier (it does use T-Mobile but calyx doesn’t track you like they do). Check them out to see if it fits your threat model. It works out to about $50/mo but the biggest issue is that its an annual lump sum.
Another option I’ve been trying is 4freedommobile. They have decent plans and are focused on privacy. Everything runs through their app for encryption. But I’ve found the app lacking both in UI and functionality. You can’t do group SMS (which is apparently coming very soon) but my biggest issue is they require google play services for notifications. They state they don’t, but they do. Hands down it just doesn’t work without it. So that’s a deal killer for me.
Honorable mention is the premium service Elfani. I haven’t used it but have considered it. Its very expensive at $99 a month but is secure. However I don’t see much on privacy so I’m not sure how different they really end up being from their base AT&T provider.
Cons:
You absolutely cannot get 2FA authenticator codes from 90% of services. Many services that require a phone number even without 2FA just for “verify you’re a human” or because they want your data or to verify region use shortcode services that also will not work with ANY VOIP provider.
You will not receive their codes. These companies vary from banking institutions to gaming companies to online shopping marketplaces and stores to a Google account (used to be you could get an automated phone call to verify an account, not anymore, must be able to receive SMS from shortcodes that are disabled for VOIP numbers to register and to recover an account) just about anyone you could end up doing business with.
A shockingly large amount of companies demand phone numbers and send verification texts before allowing you to do business with them, to create an account, to recover an account, to delete an account, to place an order, etc.
They really shouldn’t, it’s a bad security practice but companies love it because with a phone number they can lower support costs by just allowing people to do a self-service where they get an automated text and can unlock their locked account. They also love harvesting that data and preventing anonymization with VOIP numbers and the reduction of fraud and increase of reliable KYC that comes with requiring them.
And they all take it as a given that EVERYONE or at least 99% have a cell plan with a non-VOIP number that works with these and the 1% who don’t they don’t care about in the developed world and are an acceptable loss.
You probably shouldn’t be using a service that requires a phone number. More often than not, they use it as a backdoor to bypass your password and it leaves your account super vulnerable.
Can’t I just transfer my existing phone number, from any Pay As You Go SIM?
You can but they’ll find out. It’s reported or flagged or something, they can tell what provider holds a number and they block VOIP ones. Also if a number was ever previously a VOIP number do not try and transfer it back to proper cellular as it will still remain blocked for many but not all of these for years potentially.
I think how often this is a problem varies widely from person to person. I don’t remember the last time I gave a mobile number out to a company, but it was more than a few years ago. The last few that strictly required one were non-essential; I just took my business elsewhere.
90% of American commercial services that is.
Online services or many/most European services have more proper 2FA (TOTP, app-based, card reader OTP, etc…)
Can you name me an EU bank that doesn’t a phone number to signup?
Unfortunately, PSD2 doesn’t support TOTP and other strong 2FA solutions, so they all appear to require phone numbers. This is one area where EU is worse than US
That is a completely separate issue from the above commenter.
You absolutely cannot get 2FA authenticator codes from 90% of services
A shockingly large amount of companies demand phone numbers and send verification texts before allowing you to do business with them, to create an account, to recover an account, to delete an account, to place an order, etc.
They really shouldn’t, it’s a bad security practice but companies love it because with a phone number they can lower support costs by just allowing people to do a self-service where they get an automated text and can unlock their locked account.
Also an issue, but indeed a separate issue from using unsecure SMS as TOTP.
I don’t follow. Banks are required to use insecure SMS for OTPs by PSD2
If you care about security, don’t put a Sim card in your phone.
Personally I don’t have a VoIP plan. For archaic services that I can’t live without and required a phone number, I use google voice or Skype. Its a vulnerability, so avoid if at all possible
If you care about security, don’t put a Sim card in your phone.
Depends on what you mean by security… or privacy. You need to define a threat model before any suggestions can be made.
If you’re worried about someone hacking into your phone via an app, a sim card likely won’t make a difference.
If you’re worried about your location being tracked… that can often be done without a sim card or any cellular service on your device.
Then there are malicious carriers (or ones compelled by a government) that could track you without even having legitimate service activated. All phones at least in the US now are mandated to have (A)GPS receivers.
All depends on what your concerns are.
You can keep your cell number with jmp.chat. Call over wifi or data. They offer eSIM. View text messages on any device/program with XMPP support. 2FA works 100% like normal unlike VoIP. All data, calls, texts are routed through their VPN first, then the cell network. Any other inhouse XMPP chat not going to networks stay within XMPP. I have no affiliation with jmp.chat, I am satisfied with the service.
I would switch to jmp immediately if only it were available in Germany.
Is an eSIM vulnerable to the same security risks as a physical SIM?
What security risks are you considering for physical SIM?
SIM cards are a computing device that can execute closed source code on your device, sent from a cell tower
Most of the zero days used by NSO Group that were reported by Citizen Lab only worked if you had a SIM card. By eliminating SIM cards, you decrease the surface area of attack by magnitudes
Still so much 2FA via SMS where I am in Aus.
I’d prefer to move everything over to something like Signal but I neeed a phone # to register for that but how do u tell the bank my Signal ID is @hanrhan.666
Use SimpleX, no id no phone.
How do you tell your bank to use simplex to send you a verification code ?
Sorry this is not for replacing banks verification
Well I’ve tried, but usually they just don’t respond to my emails
SMS codes as mentioned and cellular data makes something with Sim card or e-sim a necessity. This can be mitigated by using a portable hotspot or cellular router/modem. Had a teltonika router that autoforwards the SMS as email.
Pros is that you don’t need a small, fragile device to use your primary communication method.
But the pros are that it’s usually cheaper if you know what to look for.
You didn’t give any cons
I guess the cons is that you gotta maintain separate cellular data if you want it. And transfer your number.
The only time I call anyone is when my partner can’t find her phone and I have to call it, because we set it so that my number is on the VIP list so it will ring even if it’s on mute or Do not disturb mode.
