It was reported in the news that an obscure background-check company, National Public Data, was hacked. Hackers published on the dark web millions of stolen names, dates of birth, Social Security Numbers, current and previous addresses, phone numbers, and email addresses.
This hack follows many other hacks. You should assume by now that your name, date of birth, Social Security Number, address, phone number, and email address are all out in the open. So freeze your credit and protect your tax return (see How To Freeze and Unfreeze Your Credit With Experian, Equifax, and TransUnion and Stop Tax Return Fraud: Sign Up for the IRS IP PIN Program).
Password Reset Attack
We should also realize that many financial institutions use this same set of personal information to handle password resets. Thieves don’t need to crack your complicated long password when they can easily reset the password by giving your name, date of birth, Social Security Number, and zip code.
The best practice to secure your financial accounts is to use security hardware for 2-factor authentication. I wrote about this in Security Hardware for Vanguard, Fidelity, and Schwab Accounts. However, most banks and credit unions don’t support security hardware, which is another reason to ditch banks and use a broker.
Many financial institutions send a one-time code to the phone number on file. In that case, as someone said on the Bogleheads forum, the security of your account rests in the hands of the customer service rep of your cell phone provider.
If someone has access to my phone number plus easy-to-discover tidbits of information about me (name, date of birth, Social Security Number, and home zip code), they can get my username, reset my password, log in to the account, and conduct business as normal. Is that true? Yes, I have tried it myself (and maybe you should give it a try too).
If someone convinces your cell phone provider that you lost your phone — by giving your name, date of birth, Social Security Number, and address — or they trick you into reading them the one-time code from the cell phone provider, they can transfer your number to a phone that they control. Now the security codes from your financial accounts will go to their phone. They reset your password and gain access to your accounts.
Use Google Voice
One way to prevent your phone number from being transferred away is to use a Google Voice number for your financial accounts. Google Voice gives you a number that can receive text messages. The messages appear in the Google Voice app or on Google Voice’s website. The only way to transfer a Google Voice number to another provider is to log into your Google account. Your Google Voice number is secure after you secure your Google account with a hardware security key and remove SMS as 2FA for your Google account.
Be sure not to forward text messages to your Google Voice number outside Google. Doing so defeats the purpose of keeping the messages secure. Only read the messages in the Google Voice app or on Google Voice’s website.
Google requires some outbound activities on the Google Voice number once in a while to keep the number active. Google will revoke the number if they don’t see such activities. The required activities include:
- Making a call or answering a call
- Sending a text message
- Listening to the voicemail
Only receiving text messages doesn’t count. Google sends a warning email if they don’t see any of the required activities periodically. They give you 30 days to generate some activities to keep your Google Voice number.
Make Google Voice Number Permanent
Generating the required outbound activities after receiving a warning email works fine. Still, it would be a bummer to lose the Google Voice number that you use for important financial accounts if you miss the deadline. There’s a way to make your Google Voice number permanent and not risk having it revoked by Google. It takes a one-time effort and costs a little money but it’s worth it.
Here’s what you need:
- A spare old unlocked phone (or an available eSIM slot on your current phone, see comment #8)
- A month of minimal cell phone service on a new line
- A $20 payment to Google
The idea is that you activate a new line for minimal service from a cell phone provider and you transfer (“port”) that new phone number to Google Voice. Google Voice treats a ported-in number as yours to keep. They won’t take it away even if you don’t have any outbound activities on that number.
A Google Voice account can have more than one number. As a bonus, after you port in a new number to Google Voice, you can keep your original Google Voice number as a secondary number in your account, which is also not subject to the outbound activity requirements. This gives you two permanent Google Voice numbers. You can use one number and have your spouse use the other number, or you can use one number for financial accounts and the other number for non-financial accounts.
You can add a new line for a month to the family plan with your current cell phone provider. If that costs too much, several low-cost cell phone providers offer talk-and-text plans for $10/month or less. They’ll send you a SIM card if your spare old phone needs a SIM card. Or they can work with eSIM if your old phone supports eSIM. You only need to activate the new line and confirm it’s working before you ask Google to port that number to Google Voice.
You’ll need the account number and the port-out PIN from the cell phone provider. Search for the name of your provider and “port-out PIN” to find out how to obtain that information. Google charges $20 for porting the number. It takes 1-2 days to complete. Google will send an email when it’s done. That email also tells you how to keep your original Google Voice number as a permanent secondary number. You can test your new Google Voice number by texting to it and seeing the text in the Google Voice app or website.
I did this last month. Getting a new phone number with minimal service on a spare old phone and porting the number to Google Voice took some legwork. It cost less than $30 and now I have two permanent Google Voice numbers. Knowing those numbers won’t be taken away makes it worth the effort.
***
I use a Google Voice number as the phone number on file in all my financial accounts. Even if an account supports security hardware or an authenticator app, it often still sends security codes and alerts to the phone number on file. I want that phone number securely under my control.
I turn on 2-factor authentication in all accounts:
1. If the account supports security hardware (Yubikey or Symantec VIP token), I use security hardware.
2. If the account supports authenticator apps (Google Authenticator, Microsoft Authenticator, Authy, …), I use an authenticator app.
3. If an account only supports sending security codes by text message, I give my Google Voice number and receive the code in the Google Voice app.
4. If an account doesn’t accept a Google Voice number, I close my account.
Robert Jones says
Using text messages for 2FA is never secure, even if Google controls the number, because SMS can be hijacked directly, without touching your phone number. See this article for more details:
https://lucky225.medium.com/its-time-to-stop-using-sms-for-anything-203c41361c80
Harry Sit says
If a financial institution only uses text messages for 2FA, we don’t have a choice unless we refuse to do business with that institution. Even if an institution supports hardware or authenticator apps for 2FA and we enable it, they still send text messages in many scenarios and we have no way to stop them. The best we can do is to make the number as secure as possible.
Marty says
I have a Google Voice number I got from Google. I like the number and would like to keep the number, so I think I need to accept the risk that I could potentially lose it if I don’t use it. Having said that, if I decide to use the Google number for one-time verification codes, based on the advice in this article I should secure it with a security key. What are the pros and cons of getting a USB-C key versus the USB-A? I suppose if my phone is stolen the USB-C key would not be helpful; on the other hand, with the USB-A key I need to be near a computer?
Harry Sit says
USB-C and USB-A are both for the computer. Phones use NFC to read the key. Whether to get USB-C or USB-A depends on what port you have on your computer(s). Macs and newer computers tend to have USB-C. Older computers have USB-A.
Harry Sit says
A Google Voice account can have more than one number. After you port in a new number, you have the option to keep the number you got from Google and remove the risk of losing it. You don’t have to use the newly ported-in number if you like your original number.
James Poon says
What brokerages have you found that work with Google Voice text verification?
I use an Ooma VoIP line, and Schwab and ScholarShare cannot even call me by voice.
Harry Sit says
Both Fidelity and Vanguard work. I don’t have a Schwab account but this list says it works:
https://www.reddit.com/r/Googlevoice/comments/1c571kw/crowdsourced_list_of_google_voices_2fa/
sally says
GV works with Schwab, and I can’t recall any accounts that won’t allow VoIP; maybe it’s gotten more liberal overall.
A bigger issue is that things like the IRS’s id.me and such will fail silently if you are on a VPN, which many who are overseas are, even when using a US endpoint.
Of course, the 2FA recovery process is the one folks can’t get their head around. Hardware tokens without a backup of “SMS” are accidents waiting to happen. I also don’t really like authenticator apps on the phone, though I use one; it’s a trade-off, and too secure can end in a time-consuming recovery disaster. More “secure” isn’t always necessary or of value, IMHO.
I guess if you get a hardware token, get it with FIDO2, which may someday be “passwordless”, like Google’s new thing.
Anyway, which provider might I use for doing this for <$30? Please save me even more time, should I decide to do it. I appreciate all your ideas; working on the id.me now, and CMA I guess.
Harry Sit says
The easiest is to use your current provider. Just add a new line with the lowest month-to-month plan. It isn’t worth opening a whole new account for only one month. I used US Mobile because I already use them for existing lines.
Fuseboy says
Google Voice works for about half of my accounts. The other half say something like virtual numbers can’t be used.
Jim says
You can look up the data that was leaked in the NPD breach here: https://npd.pentester.com/. I was stunned to find that old addresses from decades ago were on the list.
KD says
What happens if the Google account is compromised?
The IRS didn’t accept a Google Voice number for authentication. But, yes, financial institutions did accept it.
Harry Sit says
They read your email and find where you have accounts. They reset your password and wire your money out. That’s why you need to secure your Google account with hardware security keys. See PSA: Secure Your Email Account to Prevent Wire Fraud.
The IRS uses ID.me. ID.me supports hardware security keys.
Ouzel says
I’ve used Google Voice since 2010, so I thought I knew all the tricks, but I did not know that if you port in a number and already have a GV number, you can keep them both. Thank you, Harry! I wish I had known this last month, Grrrrr! 😄
By the way, I haven’t tried it recently, but a few years ago Wells Fargo would not use my GV number for 2FA texts.
James says
I didn’t have a spare unused cellphone, but I did have my iPhone SE (3rd generation) as my main phone. It has a slot for a physical SIM card that I don’t use anymore; I use the internally wired eSIM. On this edition I can have at least two cell service providers’ services installed. I went into Settings and chose to add a new eSIM cell provider to my existing eSIM (along with the first provider). It worked. I then went to my Google Voice account and chose a local number. Then I requested a port-out number from that new cell service provider and used it in the Google account settings to port the new number to Google as a new number with them. That porting is now pending for the usual 1-2 days, and maybe 3 days to have texting port through too. I’ll also try to remember to follow the email from Google when that porting is finalized, to choose to have that first Google Voice number also be made permanent. Then, lastly, I’ll use the new, secure Google Voice number on all of my important financial companies that use text as the 2nd authentication method.
Harry Sit says
Nice, and you’re lightning fast!
wj says
Some companies and government agencies refuse to acknowledge the validity of internet-based (sic) Google Voice numbers. Otherwise, works well on my computer as messages are forwarded to e-mail, so I do not have to depend on cellphones.
Jim says
Contrary to an earlier comment, I have no problem logging into id.me when using the Proton VPN with a US server.
Jason says
I work in IT security, and the topic of MFA is one I wish more people were connected to the value and purpose of. Its primary intent is to validate that you are who you say you are, and the best way to do that is by validating proof of possession – something you have, like a hardware key (Yubikey, etc). Unfortunately Google Voice and anything SMS is highly insecure, and many financial institutions know this and prevent utilizing them to reduce fraud. I personally use Schwab & Fidelity. Schwab currently does a better job of security, being able to push MFA to your Schwab app (something you have). Great topic for awareness.
Harry Sit says
Fidelity also has the app push option for MFA, in addition to Symantec VIP token and authenticator apps.
https://www.fidelity.com/security/extra-security-login
Both Fidelity and Schwab still send SMS text messages when you use Symantec VIP or app push for MFA. Google Voice is for those messages.
sally says
I did not need to unfreeze my credit reports; however, there were multiple steps, the last ending up being a video call with an id.me agent. They wanted the DL, both sides (also a 2nd form of ID), and a selfie with it. On the video call the agent then records it, and one holds up the DL in front of one’s face and moves it towards the camera. Ironically, at one point one also enters their SS #.
id.me is probably worth doing anyhow as a backup to login.gov; either of which is now required to log in to Social Security.
I do have a 2nd GV # that I never use. Google lately emails to inform you of an expiring GV number; lately this seems to be about every 60-90 days if it is not used, so they seem to be ramping up recovering numbers.
id.me also has an authenticator app for one’s mobile phone, as an alternative to Authy, for app-based 2FA. id.me allows one to choose 3-4 types of 2FA as backups.
GV may reduce the risk of ‘man in the middle’ type SMS attacks? Or so I’ve heard.
sal says
[Summary by the editor: Vanguard allows using two Yubikeys on the website but it still uses text messages in its mobile app. Give Vanguard a Google Voice number for those text messages.]
https://www.bogleheads.org/forum/viewtopic.php?t=349826&start=650
John says
So then for Vanguard, is it better to disable SMS codes completely or is it better to enable SMS codes directed to a Google Voice phone number? There’s a comment on the Bogleheads thread that if you disable SMS codes, the Vanguard app cannot function (which is okay with me because I don’t use the app). But someone else said that if you disable SMS codes, Vanguard will let a malicious actor into your account with just your username, password, and the answer to one of your security questions.
Harry Sit says
It’s better to enable SMS codes but send them to your Google Voice number on top of using two Yubikeys for the website. Vanguard uses the phone number on file in password reset.
https://www.bogleheads.org/forum/viewtopic.php?t=385253
Kevin says
Great post, thank you! Another benefit of using Google Voice is that you can receive codes without having cell coverage, as long as you have internet access.
You mentioned using two Yubikeys for the Vanguard website. Is that in case you lose one?
For Google, what is the best way to protect against losing access to the account if you lose all of your Yubikeys?
It looks like there are two main lines of Yubikey, the 5 Series and the Security Key Series. Is there a reason to get the more expensive 5 Series?
Harry Sit says
Yubikeys are addressed in Security Hardware for Vanguard, Fidelity, and Schwab Accounts. Register backup keys and store the backup keys separately.
Christopher Green says
YubiKeys are not secure. https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel/
Harry Sit says
“when an attacker gains temporary physical access to it.” So keep it at home and don’t let an attacker touch it?
Christopher Green says
I would never carry it on a keychain. Keep it stored in a safe place.
Peter says
You can also buy a cheap number on numberbarn and port that in instead of buying a cellphone service.
joe anon says
I would advise against this path, but YMMV; I’m trying to get a refund atm.
https://help.numberbarn.com/hc/en-us/articles/360022319274-How-to-port-a-number-to-Google-Voice