Transcript
2FA, two-factor authentication. That’s when some platform decides that they’re going to ask for another way to verify your login credentials. So they ask you for your mobile phone number and then they text you a code. You feel really secure. Now actually, you’ve just been scammed, seriously scammed. Because many platforms do not do this 2FA procedure to increase your security. They have other methods available if the real purpose is security. But once they start requiring 2FA via mobile phone number, beware. The purpose of this move is KYC. Know your customer. Ever heard that term before? It means it is a way to ID you.
There are legitimate security requests for 2FA via phone texting, and there are clues to discover whose requests are valid. But some are intent on trying to ID you. Is it okay to be ID'd by an Internet platform or not? Some Internet platforms will not give you a choice, but it is up to you to decide if you are going to stay with that platform or if you can use some other workaround that cancels out the need for a phone number. Some 2FA requests for KYC doesn’t mean this is for an evil purpose, so we need to discuss that.
However, we cannot accept abuse. 2FA using phone numbers is an area I push back on in a very big way. This is because it is one of the most invasive attacks on privacy I can imagine. You need to know how to manage 2FA properly. How do you respond to platforms asking for a phone number? Do you give in or do you fight back? Lots to learn here. So if you want to know the answer, stay right there. The truth about 2FA is that some companies do 2FA for actual Internet security, but many use 2FA as an ID card.
In other words, it is for the purpose of KYC or know your customer. How can you tell which is which? Well, the ones that require you to have a mobile phone are definitely doing it for KYC. Those that don’t have that strict requirement usually have a more traditional Internet security purpose in mind. But regardless of the purpose of the 2FA phone number, giving out phone numbers can be risky. And before I give you a strategy, I need to lay out the landscape of phone number tracking, phone number leaks, phone number hacks, and generally why Internet platforms love mobile phones as a tracking device.
The first thing I’m going to do is give you a little background of why giving your actual phone number to any entity for 2FA could even be a concern. None of this is obvious to the average person, but without the background, the solutions needed will not make any sense. So let me try to discuss this in an organized way. The reason you should be careful with phone numbers is that it affects our ability to maintain privacy via something called pseudo anonymity. This is when we go to an Internet platform and give a username that is not our real name.
We want to build a separation between what the platform is publicly showing or internally retaining versus your real information. This is an obvious safety measure, since being publicly and openly identifiable can result in more dangerous real life dangers like doxing, stalking, and someone actually being at your doorstep because of what you posted in social media. The problem is that some platforms prevent us from having pseudo anonymity. I recall a publicized case where a woman was alone at a bar and some guy was hitting on her. The woman was disinterested and thought the guy was creepy. Then she went home, pulled up Facebook, and there was that guy being recommended as a friend.
Now both parties know each other’s real name. This is the kind of danger I’m trying to prevent here, where social media interactions can translate to real life encounters because of abusive actions by the platform. Also, the Internet platform itself can be a danger. When you have a known identity, they can then target you via profiling. This is when manipulative messaging is sent to you, or what you see in the platform is modified for some external purpose. Google has been famous for doing this both for targeted messaging as well as identifying people as belonging to political subgroups that could be dangerous profiling for those people.
For example, Google was marking certain people as violent extremists, though no actual violence has ever occurred. And these individuals were identified and shown on actual maps pointing to where they live. So Google and Meta platforms are specific users of this technique of always trying to get an accurate identity. But of course it’s worse because it ties this information to your real name, which they already have. The other aspect of pseudo anonymity is tied to my personal revulsion to mass surveillance by government. By generally being on the down low with identities, less of my data shows up in these surveillance databases.
So the reason we don’t want a platform to identify us is because we lose our ability to keep ourselves pseudo anonymous and separate our lives from external data collection and data classification. In short, it is a guaranteed loss of privacy. Now that I’ve given you a precise purpose for protecting ourselves from 2FA abuse, there are other issues to be aware of. Some sites are themselves not directly important for pseudo anonymity because (a) they already have your personal information, and (b) they’re not in the business of social media, where your data is publicized. Here’s the list of entities that I want you to think about.
Do you want to hide your phone numbers from them? Banks, credit card companies, healthcare, Social Security Administration, IRS, studentaid.gov, investment companies, Coinbase, ID.me. Well, this is an interesting question because these entities already know who you are. Why would you hide your identity from the bank that has your money? Would you want someone else with a fake identity to take your money? How could you possibly hide your KYC from the government that gave you a Social Security number at birth? Are you really going to hide from the IRS? Sites like Coinbase already ask for copies of your driver’s license, passport and so on.
Your identity is very clear because the government requires that they have those records. By the way, this is why I avoid Coinbase. Then there’s this interesting site called ID.me, which mostly is used by sites that require full identification, like government sites. That’s what they’re for. Now, there’s a twist to what I will say here. Though these entities already know who you are, the problem is that some of them may leak your identity with your phone number through third parties. And from the above list, the problematic companies will be banks and credit card companies. I will add other sources of real data: mobile carriers, utilities and cable companies, to name a few examples.
They leak your phone number by supplying the data to public databases, the most obvious ones being credit reporting agencies like Equifax and TransUnion. The result of this is that this data may be accessible by the platforms you’re trying to protect yourself from. Many organizations report your phone numbers to credit reporting agencies like Equifax and TransUnion. And in case you forgot, Equifax was already hacked. So without any special effort, any Internet platform can just acquire the hacked database, which I’m sure is quite available. And on this database there will be complete KYC with names, addresses, Social Security numbers and of course phone numbers.
In addition to this, hackers can of course use this information to attack you. All they have to do is find indications of your real identity in social media. Then they can look you up in a hack database to find your complete information, like emails and phone numbers and addresses. It’s also been reported in the media before that certain platforms like Facebook have some relationship with Equifax, where they get supplied credit data, which of course is another backdoor to verifying a phone number. Additionally, platforms like Google, Apple and others have now required links to credit data for participation in developer programs and other paid services on their platforms.
Including buying phones on credit. And of course access to credit data is available too since many people use their phones to pay using features like Apple Pay. So for any interested party it wouldn’t be too much of an effort to verify your actual identity to see if it matches the phone number from these public sources. When dealing with platforms that are intent on tracking you on the Internet, like Google and Meta specifically, I want to describe another tracking mechanism that many of you are not even aware of. This is how your phone numbers are harvested by big tech via contact lists.
Many platforms use this method to create a database of connections between people. For example, another original heavy user of this was LinkedIn and then lately TikTok. What happens, for example on a platform like Facebook, is that all your friends upload their contact list to Facebook, which if you read the terms of service, is a one time granted permission but is actually executed daily. If you have a Facebook app, the app will upload your contact list to Facebook daily. This is true of all Meta properties including WhatsApp and Instagram. This means that any of your friends and family that know your number will automatically pass that to Facebook.
Facebook will know not only who you are based on your name on the contact list, but will have a crowd verified identity since multiple people will be able to confirm your phone number. This data may also include your birth date, your address and your email if this is known to your contacts. So immediately this information becomes part of off Meta. Google uploads contacts too, but also has the ability to automatically build email contacts based on your interactions with Gmail. Now the problem here is that you have no control over your friends’ contact list. Even if you think you give friends explicit instructions to exclude you from contact lists, they will make mistakes, especially with platforms like TikTok that are extremely pushy with getting your contact list info.
Again, the average person is not aware of the danger of the public switched telephone network, or PSTN, as I explained in the past video. So just a quick rehash: if you are using a phone number, then you must assume that every activity on that phone number is recorded by the carrier and sent to the government. There are several surveillance programs in place, like the PRISM program revealed by Snowden, the CALEA law which is now integrated into the telecommunications infrastructure, and the FBI DCIS database, to name a few. All traffic, all metadata, including every single text message, is stored and is available in carrier and government databases.
This data can leak out as well, as many companies that have government contracts could have access to this data, and many of the big tech platforms have government contracts, for example, companies like Palantir. Now, so far, all I’ve given you is a big picture of all the threats related to phone numbers being tied to identity. But you should also be aware that there are phone numbers that have no identity. There are a few cases of this, and often this will come with some limitations. The first source of non-KYC phone numbers is a service I provide, which is Brax virtual phone.
This is a voice over IP service which allows you to get a phone line at an inexpensive price. But no information about your identity is ever passed to the PSTN, so the owner of the phone number is always unknown. This service allows for phone calls and texting, but you will need to use some new apps or hardware called SIP to do the phone calls. Or you can receive the calls via voicemail, which can also be forwarded to emails. Another potential source of no-KYC phone numbers are prepaid SIM cards. Now, these are not necessarily no-KYC. It depends on each carrier, and mostly these are short term.
So you have to either top them up with a KYC-based credit card or you physically get them at the carrier store where you are recorded by camera. But I’m sure there will be sources of these with minimal information, especially if you can pay in cash. Now that you have the complete background to the tracking environment with phone numbers, let’s now judge how we will act when giving out our phone numbers for 2FA. The general strategy I will describe is phone number isolation. You will need several phone numbers and your use of each will be decided by its purpose.
Where you cannot do phone number isolation, you may have to decide that that platform is too dangerous and leave it. For those entities that need KYC and that need is valid, then be prepared to give those platforms a 2FA phone number. These are entities that already know you like banks, governments, mobile carriers, utilities, and so on. I can tell you right now that most of these sites, being that they use the number for KYC, will not accept a voice over IP number. They will want a real mobile number. Unfortunately, this is your proof today that you are a real law-abiding citizen.
The only way to protect your identity from leaking to unauthorized third parties is by having a different phone number used only for these entities. I can tell you now that this particular number will have to be from a SIM card. And yes, you will be asked by the mobile carrier to show ID and all that. And don’t worry about it. Again, these sites choose this method because it is a way to guarantee that they know who you are or have a way of tracing who you are later on. These sites understand the KYC attached to a mobile number. But you might ask: can this be your current number or do you have to change the number? Considering the data leaks that I’ve already described earlier, I think it is important to plan on a brand new number.
Understand that your friends and family know this number. Later on it will be important that people who know you don’t call this number and I don’t know how you can stop them from calling you. If this number is known, it is also known to hackers. So the correct plan is to slowly make the old number fade away and this becomes your hardly used but valid number used for your ID. As I explained earlier, your friends and family will leak your phone number to the various Internet platforms through contact lists. So the best way to stop that is by giving them a completely different phone number.
And here I propose a completely different solution. I highly recommend that for this use you switch to a no-KYC phone number. You can use Brax virtual phone for this and since it is for heavy use, I would recommend doing an unlimited calls and text plan for this. I’m going to make another video that really explains the use of voice over IP for general use since you can have landlines at home and use apps when not at home. These apps and landlines are called SIP apps and SIP phones. There is a huge benefit in privacy when doing this switch, but there is a learning curve once you do this switch.
Let me explain the effects. Of course your friends and family will update their contact list and then those contact lists will appear on Meta, Google, TikTok, LinkedIn and so on. But now that that number is new, it will not appear on credit reports and will not appear as 2FA on any platform. This then breaks the identity connection between whatever Internet account you create and your real public identity. Because this is a line that is not part of the PSTN, then this phone number cannot leak from the usual sources like government and carriers as well. Again, I caution you against using a second SIM card for this since the number could be shared to the credit reporting agencies.
Use a non-KYC line like I say here. Now we’re left with the final group of entities where it is your choice to give them access to your 2FA phone number. What number should you give this group? I recommend having another no-KYC phone number like Brax virtual phone for this kind of use, but this would be very low volume and mostly for texting only. Important point: you can also use this line for people you don’t know, not just Internet sites. Fortunately, many sites do accept voice over IP phone numbers such as Amazon, eBay, PayPal, Signal, Telegram, TikTok, to name a few.
Now you will discover that some Internet sites will not accept a no-KYC number and this is where you need to draw a line in the sand. There are frankly sites that I would never give a phone number to and these are Meta platforms. You know, Facebook, WhatsApp and Instagram and Google. I don’t have a solution for Meta. This is an absolute spy machine so I don’t recommend any alternative to it other than not being on these platforms. Maybe have a shared SIM card between several people on some extra phone? That’s the best I can do. There are other platforms that will not take a voice over IP number for 2FA like Twitch, Discord, Craigslist, Uber, Lyft for example.
Understand that they’re using these for KYC, so be distrustful. I don’t know why these sites deserve to know your identity, so my vote will be to dump them. If you’re an Uber driver then they would be an employer, so you would give them phone number one. Be careful who you give your SIM card line to. Definitely never Google. But you do not have to give a phone number to Google. Instead of giving them a phone number, the options include passkeys, which are available on Windows and macOS. Then the next option as a 2FA replacement is to use a hardware security key like YubiKey, which is useful when you’re using Linux.
This is also accepted by Google, Amazon and eBay. Finally, Google accepts using the Google app notifications as 2FA. To use this you have an old phone that’s set for Wi-Fi only, no SIM card, and you log into the Google app on that phone. It will then act as 2FA when needed by responding to the notification. If a site requires 2FA with a mobile phone, you have the choice of using your SIM card phone number one for that site. Just measure the risk of them knowing your identity if that matters. Again, it doesn’t matter so much
for sites that already know you, though I make an exception for Meta, which will always find a way to zuck you. But the number you should protect at all times is the number you give to your friends and family. It is important that this be a completely different number and KYC free. What about info known from the past? This is a very good question. If you already gave a tainted phone number to a platform in the past, does it require you to set up a new account? This is a case by case issue. It depends on how much the platform already knows about you.
If it’s an account you have used with little or no historical information to profile, then it is probably low risk to just change the number. If you have extensive history with the site and it is tainted with an identity via the phone number, I would really just start fresh with a new account. If the site has nothing to do with social media, then there’s likely little risk to just changing the phone number without further action. I understand that it is an arduous task to change numbers. You have to tell everyone you know. You have to update your phone numbers on multiple Internet platforms and it can take a while.
But if you do nothing, you just put yourself at risk every day because it translates to someone, some third party knowing everything you do on the Internet and some knowing where you live and could be watching you outside your window. Scary stuff to imagine, folks. As I mentioned in this video, I created some products to support our need for privacy and these products are available on our platform on Brax.me. There are several products there that were created to support our privacy battle. I’ve already talked about the Brax virtual phone which is a no-KYC phone number.
We also have Brax Mail so you can give each platform a different email address. One account can handle that. We have the Google phone so that the link to the Google ID is eliminated. We also have a VPN service bytes VPN to protect your IP address. Join the over 100,000 people who are on our app, all of whom are interested in privacy and talk about these issues daily. Thank you very much for watching and see you next time.