> The easiest way to make it impossible for SIM swappers to take over your accounts after they hijack your number is to unlink your phone number with those accounts, and use a VoIP number—such as Google Voice, Skype, or another—instead.
They don't mention that some carriers offer the ability to secure your account against unauthorized transfers, but it's opt-in. Here's how you can do it on Verizon:
https://twitter.com/ramsey/status/1235227940054585344
The problem with using a VOIP number is that most apps and websites won't let you use anything but a regular carrier number for verification -- they specifically restrict VOIP numbers from use. I presume this is to prevent spammers or just regular users from creating multiple accounts, but I think they're mistaken as it's trivial to buy a temporary "real" carrier number on the internet if you're fine using a somewhat-shady site.
I've been the person at the app banning voip numbers. The problem is there are some services that make it very easy to obtain a voip number at no cost to the user; if they don't have effective protections against bulk registration, spammers abuse them to get thousands of numbers and then use those numbers to abuse the service I was at.
Forcing spammers to have a non-voip number raises their costs, sometimes significantly, reducing their ROI and their interest in spamming our users.
We tried to make exceptions where we could, but it does suck for real people using voip numbers for whatever reasons.
Unless you're doing a dip of the number against proprietary telecom data sets, you have no idea if the number is a "VOIP" number. Due to North American number porting laws, you can take any number that was a "Verizon landline" or whatever and move it to a VOIP provider that can overlay SMS capabilities on it.
Even if you dip and see that it belongs to a VOIP provider, it's a completely legit use case for some to own their phone number through Bandwidth, Twilio, Telnyx, Messagebird, whatever.
There are DBs that can get you that info. Some even tell you when the number was ported, which is useful to catch mobile number takeovers. Things have moved beyond NPA/NXX lookups.
Of course, that’s what I was referring to. The consumer still has to subscribe to those data sets, keep them updated, and understand which lesser-known company names are “legit” telecom providers (as many large providers are non-household names and have VOIP offerings) vs whatever kind of VOIP provider he feels he needs to protect against.
My point being that if he’s doing it right, he’s probably spending more time and money than it’s worth, and if he’s not, he’s banning legit users for the crime of not having a big-4 provider.
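A defender-side check built on the "when was it ported" signal discussed in this subthread, which also avoids blocking on line type alone. This is an added example, not code from any commenter; the lookup record shape, field names, carrier names and sample numbers are constructed assumptions, not any vendor's real API.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed record shape for a number-intelligence lookup ("dip").
# The field names are assumptions for this example, not any vendor's API.
@dataclass
class NumberLookup:
    e164: str
    line_type: str                  # "mobile", "landline" or "voip"
    carrier: str
    ported_at: Optional[datetime]   # most recent port, None if never / unknown

@dataclass
class Decision:
    action: str                     # "allow", "step_up" or "deny_sms"
    reason: str

def evaluate_sms_factor(lookup, enrolled_at, now, recent_days=7):
    """Decide whether SMS may serve as the second factor for this login.

    - A port *after* the number was enrolled on the account is the signature of
      a number takeover: refuse SMS and fall back to another factor.
    - A port within `recent_days` is suspicious even if it predates enrollment
      (the number may have been enrolled via a compromised session): step up.
    - Line type alone is not grounds to block; "voip" is only noted for scoring.
    """
    if lookup.ported_at is not None:
        if lookup.ported_at > enrolled_at:
            return Decision("deny_sms", "ported after enrollment")
        if now - lookup.ported_at < timedelta(days=recent_days):
            return Decision("step_up", "ported within %d days" % recent_days)
    if lookup.line_type == "voip":
        return Decision("allow", "voip line type noted for risk scoring")
    return Decision("allow", "no port since enrollment")

# Constructed sample data: a fixed "now", an enrollment date and three lookups.
NOW = datetime(2020, 3, 10, tzinfo=timezone.utc)
ENROLLED_AT = NOW - timedelta(days=400)
SAMPLES = [
    NumberLookup("+15550100001", "mobile", "BigCarrier", None),
    NumberLookup("+15550100002", "voip", "ExampleVoIP", NOW - timedelta(days=900)),
    NumberLookup("+15550100003", "mobile", "BigCarrier", NOW - timedelta(days=2)),
]

def demo():
    """Return the action taken for each constructed sample, in order."""
    return [evaluate_sms_factor(s, ENROLLED_AT, NOW).action for s in SAMPLES]
```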
How can an arbitrary number be used to abuse your service? At least for SMS "2FA" you only need to be able to send a message to a number associated with an existing account.
As long as you aren't using SMS as your rate limiting step to acquire an account then it doesn't matter if someone has 1 phone number or 1000 numbers. In the case that SMS verification is the rate limiting step, why not switch to an open captcha or similar system?
They're also mistaken in their filtering oftentimes.
I have a smaller, lesser known telephone operator friendly to more advanced users, and my SIM-bound mobile phone number is rejected by big services like Google.
Not that I care anymore, I'll certainly not go to great lengths to use services which start their onboarding by blocking my number and forcing me to use big telcos' services or some shady website.
They also don't mention that Venmo (and presumably PayPal also) won't actually let you sign up with a Google Voice number. They check to make sure it's an actual cell phone.
You can (or at least used to be able to) sign up for PayPal with an email address. Or at least I'm fairly sure, since PayPal keeps prompting me to put in a mobile phone number, and so far I've always been able to exit out of that dialogue without entering anything.
Venmo, on the other hand, I will never use because of this "feature".
I created a Venmo account this week because it was the easiest way to get out two payments to friends who I can't see face to face at the moment. The next day Paypal added my new Venmo phone number to my Paypal account that previously didn't have a phone associated. Good times.
Yep, we had a PIN in place before and it did no good, because the transfer is initiated from outside of Verizon - and for some reason Verizon just allows it (without the enhanced security). We were told that Verizon's enhanced security requires actually having to provide photo ID in person at a corporate Verizon store to allow a number to be transferred out.
PIN does not block customer service's ability to do something that affects the account. It prevents an automated system from being able to affect a customer's account without the PIN.
A CS agent can continue without a customer providing a PIN. It is the case for AT&T, T-Mobile and Sprint. I do not have a personal experience with Verizon but someone I know who works selling phones at a major retailer says that all PINs are just flags that pop up a message on screen.
At the native company stores for AT&T a customer must authorize everything with a PIN in addition to the ID.
I tried using a Twilio number with my bank. I found out that any service that uses SMS shortcodes for their SMS '2FA' won't work as this kind of service. SMS shortcodes are a value add-on that carriers provide that is only supposed to work with real numbers.
It's possible that services more centered around VOIP vs an automation platform might work. It's also possible that using a foreign VOIP number might work, but that might also cause issues if you try using it with a US bank.
And I'd rather not have some half baked solution using Google Voice.
If anyone knows how to get a shortcode-enabled number (not a short code number but rather a number that can receive SMS from shortcodes) on Twilio or a similar platform, it would be very easy to set up an SMS 2 EMAIL gateway. Perhaps if a number is ported to Twilio it will retain shortcode capabilities?
Besides finding a solution to the above problem, I suppose I could just get a GSM usb modem & SIM card for this purpose.
> If anyone knows how to get a shortcode-enabled number (not a short code number but rather a number that can receive SMS from shortcodes) on Twilio or a similar platform
you can use jmp.chat, which is an SMS-to-XMPP service.
What's "half baked" about Google Voice for this purpose? Verification code shows up in email and Hangouts client, select and paste into snake oil annoyance. This has worked everywhere I have tried it (number originally ported from Sprint).
Plus the more people that give out Google numbers, the harder it will be for banks to push back on this.
I tried Burner, Twilio, Textra and voip.ms. None of them played well with SMS 2FA services. Voip.ms was the best for reachability but its time to deliver for SMS messages was pretty bad.
OK but I'm very suspicious about their ability to do that properly. I want a solution that cannot be socially engineered around, which I fear is the case here.