Google Voice Now Receiving Bank of America SMS (Text) Verification Codes


Gentleman.Jack.Darby

In a rather lengthy old post about receiving bank SMS (text) verification codes, I commented that I'd never been able to receive Bank of America SMS verification codes using my Google Voice number with forwarding to my e-mail account.

I've never given up on trying to figure out WHY as well as trying to find alternatives; as of now, I haven't yet found a solid alternative other than having a SafePass card but, due to frustration, I decided to try once again to receive an SMS verification on my GV number with forwarding to my e-mail and today, for whatever reason, it worked.

I have no explanation as to WHY, but something changed somewhere and it's working.

I know BofA is not particularly loved or popular with folks, but now there is one less obstacle to folks that need SMS verification while outside the U.S. or without a U.S. mobile number.

 

 


intrepid

Thanks Jack.D  this is great news.  Later today with a little more time I will give it a try with my account.:tiphat:


Gentleman.Jack.Darby
12 hours ago, intrepid said:

Thanks Jack.D  this is great news.  Later today with a little more time I will give it a try with my account.:tiphat:

As I said in my OP, I don't know why it's working now but after thinking about it, it may well be that the change came on Google's side in their handling of SMS 'shortcodes' which would be great news for folks that rely on SMS verifications from senders other than BofA.

From all that I've researched, all of the 'virtual' phone line providers, which is how Google implements GV, have varying degrees of compliance with shortcodes from 'absolutely not at all' to 'best effort and you take your chances', but none I've found seem to be 'as good as a U.S. cell number'.

I was also able to verify my suspicion that some SMS verification senders, especially financial institutions, somehow 'knew' that GV was a 'virtual' number - there are providers out there selling programming libraries or modules that allow senders to determine the type of number someone is using, e.g., cellular, conventional landline, 'virtual', etc.

As of now, I tend to think that the change was on Google's end since I can also receive SMS verifications from Paypal which seems to be a big problem for many folks, U.S. Social Security, text banking from Citi, Chase, and BofA and quite a few random others that I chose from the U.S. Shortcode Directory to test.

 

 


earthdome

FYI, using a cell phone for two factor authentication (2FA) is not as secure as some may think. If you and your cell phone number become known to criminals and you have fame or wealth you can become a target of criminals who break into your online accounts by using the second factor (your cell phone number) to steal your account. They do this by calling your cell phone provider, say AT&T, and using social engineering to make the AT&T customer rep switch the phone number to a SIM that the criminal controls. Then they can use the forgot password links and 2FA to break into your online accounts. I recently saw AT&T named in a multi-million dollar lawsuit where they did this twice to someone. The second time was after the account was flagged as requiring additional verification.

So for your online accounts I recommend using Authy or Google Authenticator as your second authentication method if the online service integrates with those rather than your cell phone number.

https://www.forbes.com/sites/laurashin/2016/12/21/hackers-are-hijacking-phone-numbers-and-breaking-into-email-and-bank-accounts-how-to-protect-yourself/#1485fb98360f


JJReyes

One of my accounts requires voice verification before money transfers above a certain amount. I was asked to say a phrase several times when the account was first opened. The prompt requires me to say the same phrase for authentication. This is a separate step from login and password.

Another security precaution is the need to use the same laptop. If I switched to another one, I need to answer five questions such as, "What is the name of your best friend in high school?" The problem is, with age, my memory is no longer sharp. I made a mistake once and had to visit a bank branch to get things straightened.

On a related subject, my bank informed me that, for our forthcoming trip to Portugal, the withdrawal limit in Portugal is Euro 200.  Are Philippine banks starting to limit the withdrawal amounts? The FBI recently warned banks about a new scam targeting ATMs.


Gentleman.Jack.Darby
31 minutes ago, JJReyes said:

Another security precaution is the need to use the same laptop. If I switched to another one, I need to answer five questions such as, "What is the name of your best friend in high school?" The problem is, with age, my memory is no longer sharp. I made a mistake once and had to visit a bank branch to get things straightened.

I know what you mean about remembering the answers to some of the random questions some businesses are using because they think that it enhances security.

I recently updated my United Airlines frequent flier account and their security questions were of the kind to which my answers were likely to change - for example, one of the questions was 'What is your favorite ice cream flavor?'

My real answer to that is 'Whatever flavor is being served right now' but, of course, that answer wasn't an option.

Seriously, with the number of userIDs one is now required to have, the best practice that each password be unique and complex, and the additional requirement that some websites use of answering security questions, the only way to keep track of it all is to use a good password manager.

A few years ago I started using LastPass, which is incredibly secure, will generate random userIDs in addition to complex random passwords, and will allow one to store information, such as security questions and their answers and any other pertinent information about a website or account as a 'random note' in the program. Now I no longer need to rely on my memory, which isn't as good as it once was.

 


Gentleman.Jack.Darby
2 hours ago, earthdome said:

FYI, using a cell phone for two factor authentication (2FA) is not as secure as some may think. If you and your cell phone number become known to criminals and you have fame or wealth you can become a target of criminals who break into your online accounts by using the second factor (your cell phone number) to steal your account. They do this by calling your cell phone provider, say AT&T, and using social engineering to make the AT&T customer rep switch the phone number to a SIM that the criminal controls. Then they can use the forgot password links and 2FA to break into your online accounts. I recently saw AT&T named in a multi-million dollar lawsuit where they did this twice to someone. The second time was after the account was flagged as requiring additional verification.

So for your online accounts I recommend using Authy or Google Authenticator as your second authentication method if the online service integrates with those rather than your cell phone number.

https://www.forbes.com/sites/laurashin/2016/12/21/hackers-are-hijacking-phone-numbers-and-breaking-into-email-and-bank-accounts-how-to-protect-yourself/#1485fb98360f

The editor responsible for that article must have been sleeping the day he allowed that reporter to write that article and, worse yet, publish it - it's a confusing mess clearly written by someone that doesn't understand the first thing about the subject of which she writes.

Simply having the second factor (something one has - a numeric code) in a well designed two-factor authentication scheme is absolutely worthless (no matter where it comes from) without having the first factor (something one knows - userID and password).

For example, even if the bad guy knew my e-mail address (gentlemanjackdarby@someemail.com) AND had the second factor (numeric code) that he got from wherever (SMS verification, Google Authenticator, etc.) and used the 'forgot password' link on the e-mail website login page, most major e-mail sites require that someone wishing to reset a password enter more information that they know, usually the recovery e-mail address associated with the first e-mail account.

And assuming the bad guy knew THAT, he would still have to know the credentials for that account and probably have the second factor (numeric code) for THAT account  in order to log in and use the reset password link for the first account. Not at all likely!

As well, most websites for things really worth protecting, such as banks, brokerages, credit card companies, etc. don't allow the use of an e-mail address as a userID anyway in an attempt to eliminate one avenue for bad guys to get a 'first factor' - something one knows.

And to illustrate further, most of my banks have instituted TFA without calling it that for telephone calls - usually when I call them, in addition to asking me the usual many 'things that I know', they have also started asking me for 'something I have' - information from my bank debit card.

At the end of the day, the reason that we read about celebrities (and a whole lot of folks we DON'T read about) whose e-mail, Fakebook, Instagram, etc. accounts are 'hacked' is because most folks use easily guessed weak passwords with no TFA whatsoever AND they reuse credentials (userID and passwords) at other websites.

Although referencing the poor, it would have been helpful if it had also been recorded in the Bible, as a reminder to those of us who forget:

For ye have the stupid and the lazy with ye always, and whensoever ye will, ye may educate them; however, ye cannot fix the stupid and likely not the lazy!

While I agree that SMS two-factor authentication isn't the most secure form of TFA and has other limitations that make it onerous for folks to use, thereby increasing the likelihood that folks WON'T use it unless forced, SMS TFA is a hell of a lot better than NOT using TFA.

 

 

 


OnMyWay

OK, I need some advice!

I read the original post and immediately decided to try it on my Capital One CC account.  However, by coincidence, I could not even get into my account!

CapOne offered 3 choices for the TFA:  E-mail code or text code or call by phone code.  I have been using the e-mail option since they introduced TFA a year or two ago.

Today I tried to sign in, and the e-mail option was gone!  The text and call options don't work for me because I don't have a current phone in their system.

You might recall I went through a long process to install a mobile phone at my sister's house, with an app on it to forward text to me.  That was the phone # that CapOne has.  However, the app was cancelled and then I didn't use the phone and the SIM expired.

I will call CapOne tomorrow but I'm not sure what angle to take with them.  If they canceled the e-mail option for TFA that is a problem for me.

Can someone try to login to their Cap One account and see if they get the e-mail option?

Back to the Google Voice, I never got that to work before so I wanted to try it.  That article seems to indicate that GV should be fine for the TFA.


earthdome
20 minutes ago, Gentleman.Jack.Darby said:

The editor responsible for that article must have been sleeping the day he allowed that reporter to write that article and, worse yet, publish it - it's a confusing mess clearly written by someone that doesn't understand the first thing about the subject of which she writes.

Simply having the second factor (something one has - a numeric code) in a well designed two-factor authentication scheme is absolutely worthless (no matter where it comes from) without having the first factor (something one knows - userID and password).

For example, even if the bad guy knew my e-mail address (gentlemanjackdarby@someemail.com) AND had the second factor (numeric code) that he got from wherever (SMS verification, Google Authenticator, etc.) and used the 'forgot password' link on the e-mail website login page, most major e-mail sites require that someone wishing to reset a password enter more information that they know, usually the recovery e-mail address associated with the first e-mail account.

And assuming the bad guy knew THAT, he would still have to know the credentials for that account and probably have the second factor (numeric code) for THAT account  in order to log in and use the reset password link for the first account. Not at all likely!

As well, most websites for things really worth protecting, such as banks, brokerages, credit card companies, etc. don't allow the use of an e-mail address as a userID anyway in an attempt to eliminate one avenue for bad guys to get a 'first factor' - something one knows.

And to illustrate further, most of my banks have instituted TFA without calling it that for telephone calls - usually when I call them, in addition to asking me the usual many 'things that I know', they have also started asking me for 'something I have' - information from my bank debit card.

At the end of the day, the reason that we read about celebrities (and a whole lot of folks we DON'T read about) whose e-mail, Fakebook, Instagram, etc. accounts are 'hacked' is because most folks use easily guessed weak passwords with no TFA whatsoever AND they reuse credentials (userID and passwords) at other websites.

Although referencing the poor, it would have been helpful if it had also been recorded in the Bible, as a reminder to those of us who forget:

For ye have the stupid and the lazy with ye always, and whensoever ye will, ye may educate them; however, ye cannot fix the stupid and likely not the lazy!

While I agree that SMS two-factor authentication isn't the most secure form of TFA and has other limitations that make it onerous for folks to use, thereby increasing the likelihood that folks WON'T use it unless forced, SMS TFA is a hell of a lot better than NOT using TFA.


With all the data being collected about people online and all the financial and account data being stolen from hacking servers it is very likely that criminals can find out a great deal more about you than you think they might know. For example all the data stolen from Equifax. Twice and perhaps three times now with Equifax I have had major personal data stolen. One was data stolen from the VA the other was from my employer.

Unfortunately most websites and institutions lag way behind the criminals when upgrading their security procedures and individuals can be lazy when managing their own security measures. Taking over someone's cell phone number is a real security issue that does occur often enough to have become a known security problem. Therefore if you have the choice, use another option like Authy or Google Authenticator to improve the security of your online accounts.

 


OnMyWay
On 8/17/2018 at 11:47 PM, OnMyWay said:

OK, I need some advice!

I read the original post and immediately decided to try it on my Capital One CC account.  However, by coincidence, I could not even get into my account!

CapOne offered 3 choices for the TFA:  E-mail code or text code or call by phone code.  I have been using the e-mail option since they introduced TFA a year or two ago.

Today I tried to sign in, and the e-mail option was gone!  The text and call options don't work for me because I don't have a current phone in their system.

You might recall I went through a long process to install a mobile phone at my sister's house, with an app on it to forward text to me.  That was the phone # that CapOne has.  However, the app was cancelled and then I didn't use the phone and the SIM expired.

I will call CapOne tomorrow but I'm not sure what angle to take with them.  If they canceled the e-mail option for TFA that is a problem for me.

Can someone try to login to their Cap One account and see if they get the e-mail option?

Back to the Google Voice, I never got that to work before so I wanted to try it.  That article seems to indicate that GV should be fine for the TFA.

Ok, I think I have some more good news about Google Voice numbers.

As described above I could not get into my Cap One account due to the e-mail option being gone. I called them today and that is gone forever. She said I would have to use a phone number and not an international number, then she helped me get into my account. I changed the number to Google Voice, and it works! Google Voice sends the text on to my G-mail, and I get it there.
