Over the past few years I've seen corporate America, especially banks and now even Amazon, begin to use SMS as a mode of verification that you are you. Unfortunately, the current approach, using mobile numbers tied to a mobile operator, is both antiquated and very faulty.
For many years VoIP companies have had access to text messaging capabilities. Dialpad, whom I use for most of my calling, recently expanded SMS to be global, and those of us who use Google Voice have also had that capability for years. Unfortunately, the companies providing verification to the banks and others are stereotyping people with Google Voice and SkypeIn numbers, treating everyone with one of those numbers as belonging to a higher risk stratum, despite some having tied their accounts and numbers to paid accounts with either Google or Microsoft. While SkypeIn numbers are likely to be used for call forwarding, a Google Voice number tied to a paid G Suite account is far different, as Google has the business history of the account, payment information, etc. In many ways their verification is no less rigid, and likely more rigid, than that of some telcos.
The second issue revolves around migrating a landline number to a mobile phone. If the number started out as a landline, there's a good chance it won't be verified, even if you can send and receive text messages. So despite number portability, the suppliers, usually companies like Experian, will reject the verification. Much like address verification, the Phone Validator relies on information from hundreds of phone companies. Usually they are the mobile operators or the legacy local telcos. Chances are your VoIP provider, or Google or Skype, isn't contributing to the data pool.
The bigger issue, though, is the lack of an alternative method of verification to prove you are using an SMS-capable phone, regardless of it being a mobile phone or a softphone. This lack of an alternative method to prove you are you, such as a utility bill or lease, often gets in the way of account establishment or updates.
Why this Matters
If you've heard about SIM swap theft, you know that using a mobile device as your verification tool carries too much theft risk. Using a non-SIM based number, where you get notified instantly if there are any changes to your account, is a far better way to be verified. Without any alternative means of verifying who you are, we all now run the risk of getting locked out of our own accounts, or losing valuable time when we are at risk.
What's more, if you travel internationally, why pay roaming just so the bank or Amazon can verify you, when the app-based softphone or texting app works anywhere in the world? In essence, for those who need to be verified, carrying RSA keys or using authenticators (like Microsoft, Facebook and Google all do now) is a much stronger way to be verified than the SIM card.
Banks have apps, and Visa now owns Mobile Location Confirmation technology, which banks can use to verify where a person is with their mobile phone when a transaction takes place. Unfortunately, not enough of the banks are using it, and Visa has yet to make the service available to others who could use it, like Amazon.
While it's great that banks and Amazon want to verify you're you, they need to get up to date with methods that recognize that our own security and privacy are paramount to their risk management approaches, and they need to change with the times.