
Ask HN: Is there a security-centric US Mobile Carrier you'd recommend? - mdu
Mobile Carrier is one of the biggest weak points for many 2FA.

Unfortunately, most of the sites I use do not leverage U2F or TOTP, and I'm forced to use SMS for 2FA.

Is there any mobile carrier that is more security and privacy centric? Such that someone can’t just impersonate me and gain access to my SMS through the phone carriers?
======
bronco21016
I believe the insecurity of SMS comes from the design of mobile network
protocols, not from an individual carrier’s implementation.

Can you change online services if you’re that paranoid? Can you
compartmentalize in a fashion that if one site is compromised the rest will
remain intact? The main services I would be concerned about are financial
institutions and the e-mail accounts tied to them. Switching banks in the US
is relatively easy. Also, good password practices would limit exposure to
risk.

------
Eridrus
As others have said, the protocols are kind of crap, but it sounds like your
concern is more about account takeover through customer service.

Maybe Project Fi? I don't know that they're better, but Google takes security
pretty seriously, and you can probably lock down your Google account.

There's still a risk with phone number portability where someone tricks
another carrier into porting your number somewhere else, and I kind of doubt
that even Fi does anything here.

~~~
mdu
I was looking into Fi. It's true the number portability can be exploited as
well. It's too bad many of these financial institutions that I'm required to
use only do their 2FA via SMS.

Someone should try and create a secured layer on top of SS7.

------
cremp
None.

SS7 itself is bad, and it has been proven time and time again that it can be
used maliciously.

