My wife and I had an appointment last week to apply for a line of credit. We talked it all through with the clerk and decided to go for it, so he started the whole process on his computer.
His jaw dropped half-way through when he asked for my wife's and my phone number, and I had to tell him that I don't own a smart phone.
Turns out you must have a smart phone because the system sends you some kind of code to verify your identity. Let that sink in: I am sitting in front of the clerk, but in order to identify me, he needs me to give him some phone number.
The only way we could finalize the application is by me asking my mother whether I could use her phone number briefly to get this over with. She forwared the code to my wife's phone. That worked in the end -- but so much for "identifying me".
> in order to identify me
We should stop accepting this ridiculous excuse. Our phone numbers are not identifiers. How does me telling a bank "My phone number is 123-456-7890" give them any assurance whatsoever that I am the person whose name will be printed on a loan document?
Well, my case is the best proof of that: the phone number I ended up using was my mom's.
It's most definitely baloney because I also had to provide ID. So, certainly there is no way I could identify myself "even more" by giving them a phone number than by giving them a government issued ID.
> Our phone numbers are not identifiers.
I think you missed the point. The process creates an identifier, by strongly associating you with the phone number.
This association allows the bank to quickly establish your identity later when you call up or use online services.
As the sibling commenter pointed out, in their case, it totally failed to create a meaningful identifier, because he used some other person's phone to get past the ridiculous gate.
It’s not ridiculous. It’s for you to verify. It’s setting up 2FA. How can you not understand that?
2FA presumes user-ownership of the second factor, and that possession of the second factor authenticates that the possessor is the account owner. It's ridiculous because in the OP's case, he literally had someone else temporarily hand him the second factor in front of the clerk: the 2FA didn't really authenticate anything, and the clerk could even see that.
Even if it was useful in OPs case -- which it wasn't -- SMS 2FA is frowned upon by all modern security standards because it has several severe security issues.
It's not necessarily just for the 2FA snakeoil. The worst places snap on a glove and proctologize your network identity metadata (spilled by all the underlying carriers, IIUC), and sometimes even billing records with your name and address (more vulnerable if you're still on a postpaid). The US desperately needs a port of the EU's GDPR, for starters.
>Turns out you must have a smart phone
Any phone that can receive SMS, not a smartphone. You could purchase a burner flip phone for this purpose.
I don't think the assumption that SMS is enough is valid anymore.
My wife's elderly aunt has a flip phone that can receive SMS but not MMS. We just went thru an "identity verification" procedure with a major bank last week that sends MMS, not SMS, and could not reach her flip phone.
The whole ordeal was a huge pain in the ass and if my wife and I weren't there to help her it would have been completely impenetrable to her.
MMS is ancient. Ancient enough that my carrier disabled it entirely. Maybe the flip phone UI is shitty, or the carrier hasn't supplied the necessary APN info to the phone, or the phone hasn't been set up to use that APN because of a bug, or they're using some kind of modernized, non-standard MMS media type or something, but there's no way that phone can't receive MMS at all.
Like I said in my other comment - She can't receive a message with a photo from me. Just text, she can. It's an old phone, I think a Kyocera, and I believe her carrier is Cricket Wireless.
>My wife's elderly aunt has a flip phone that can receive SMS but not MMS.
Doubt it, model number?
>We just went thru an "identity verification" procedure with a major bank last week that sends MMS, not SMS, and could not reach her flip phone.
Double doubt it, verification services do not use MMS. It would be against NIST standards and not a single verification software sends MMSs. I work in this space. MMS is being deprecated across the globe, multiple telcos have already entirely disabled MMS at the network level.
You're likely confusing getting a verification number in the banking app, not SMS/MMS.
I don't have the make / model of her phone. I suppose it could be an issue with her phone plan, or settings on her phone. I don't have tons of experience in the wireless telco space and I'm sure I'm abusing terminology.
My Android phone says "SMS" under the "bubble", next to the time, when I send my wife's aunt a message. If I attempt to attach a photo to a message to her (which I've always thought was "MMS") she never receives the photo or any text I send with the photo. Nothing.
re: the identify verification
We had the bank send the message to my wife's phone. She received a message with a link to a website in the native text messaging app on her iPhone. My wife absolutely doesn't have the bank's "app" installed. The website linked in the message used her camera to photograph her aunt's ID and face. I don't know what color the "bubble" was on my wife's iPhone, which I know has some ability to differentiate SMS vs iMessage.
My aunt can receive text messages. She couldn't receive this message. That's what I know.
> multiple telcos have already entirely disabled MMS at the network level.
Really? Are they just presuming all of their customer can use RCS now? Or am I missing something?
I could also buy a smartphone. The point is that I shouldn't have to.
Sometimes the code must be received through the bank’s app. I went though this process recently to open a new account (at a bank where I already had other accounts). I didn’t think much of it at the time, but if you didn’t have or want a smartphone, this could be a major problem.
The uncomfortable truth is that they most probably need your phone to check the online accounts you have. I believe most bank applications do it automatically as part of fraud prevention. May I ask, what is the country?
2-factor authentication codes via SMS are pretty common and don't require a smart phone. You haven't run into this before?
No, I don't really use a lot of service that require 2FA and for the ones I have to (e.g. work), there's always been a workaround.
But this might not really have been a 2FA case - I mean, I was physically sitting in the bank.
It’s setting up 2FA.
If the dystopia did not exist man would create it.
Had a similar process when helping my parents settle in after relocating to Spain recently. I ended up having to ask an acquaintance to put down their phone so I could get some verification codes or information about an appointment in order to sign them up for... a Home internet + mobile phone lines bundle.
Cherry on top of this dystopian situation was that the number needed to be a Spanish phone number. Couldn't be from a different country code.
I understand what you mean, however it's still quite hilarious that there is an user on checks notes hacker news, who does not have a phone.
This reminds me of the Japanese cybersecurity minister who did not use a computer.
Bonus points if you work at Apple, or Google and work on iOS or Android. Would explain a lot why they are the way they are.
It's not so hilarious, really; there's nothing like a stint in the sausage factory to put one off one's taste for sausage.
I know I'm in the minority but I value privacy higher than convenience. I'm aware that not having a smart phone does not automatically equal total privacy, but I just cannot get myself to have a personal tracking device on me 24/7.
Many security/privacy nerds don't own end consumer gadgets etc...
Some folks go vegan after seeing how the sausage gets made.
I know Chrome / Chrome-adjacent googlers who swear by Firefox.
What are their reasons? I can imagine a few and I use Firefox myself, but I'd be interested in anything non-obvious.
There's no extension support for Chrome on Android. There's no way to stop Chrome on Android from hiding the address bar when scrolling. Those were mine, not sure if they still apply.
Ahem, more than one ...
Imagine being on hacker news and having an iPhone instead of a Pinephone /jk.
I'm always annoyed when some real-world good or service is only available to people with a smartphone, especially when it wasn't always so. Blue Bikes (rentable bicycles) were in the past usable with a membership card, but it got phased out in favour of an app.