
2 Factor Auth Bypass: Protect yourself with $$ - DanBlake
http://harknesslabs.com/post/142709023779/2-factor-auth-bypass-put-your-money-to-work
======
extrapickles
The problem with you calling them is that it is possible to social engineer some
phone companies to put a forward on the phone line (as a bonus it doesn't
prevent outbound calls). USPS mail forwarding is easy to set up online if the
attacker has their credit card number. Calls should be made regardless so if
the attacker couldn't do this, they can be alerted to the fact that someone is
trying to spoof them.

If the fee that you charged was a random amount under $100, then you can use
that as part of the auth key process. In addition, one should also overnight
the rest of the password via UPS or other method where forwarding is forbidden
so an attacker cannot have the token sent to them. You can recover the costs
of mailing via the random fee.

It all boils down to the fact that there are very few methods right now for securely getting
a hold of someone when they have forgotten passwords or have a broken/lost
2-factor device.
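The recovery flow the comment sketches (a random fee under $100 that the customer reads off their card statement, plus the rest of the secret delivered by courier) can be implemented as a single two-part challenge. The code below is an added worked example written for this page; it is not from the comment or the linked post. It assumes a server-side HMAC key (`SERVER_KEY`, a constructed placeholder), a 72-hour validity window matching a courier delivery, three attempts before lockout, and a simple in-memory store; the function names `issue_challenge`, `verify` and `parse_amount` are hypothetical. Only the HMAC of the two parts is kept server-side, so a leaked database does not reveal either the fee or the mailed token, and the challenge is bound to the user id so a token issued for one account cannot be replayed against another.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from typing import Dict, Tuple

# Constructed placeholder; in a real deployment load this from a secret store.
SERVER_KEY = b"constructed-example-key-do-not-use"

CHALLENGE_TTL_SECONDS = 72 * 3600   # assumed courier delivery window
MAX_ATTEMPTS = 3                    # assumed lockout threshold


@dataclass
class StoredChallenge:
    user_id: str
    digest: bytes        # HMAC over (user, fee, mailed token); the parts themselves are not stored
    expires_at: float    # Unix timestamp
    attempts_left: int = MAX_ATTEMPTS
    used: bool = False


_store: Dict[str, StoredChallenge] = {}


def _digest(user_id: str, fee_cents: int, mail_token: str) -> bytes:
    """Bind both out-of-band parts and the account into one keyed hash."""
    msg = f"{user_id}|{fee_cents:05d}|{mail_token}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def issue_challenge(user_id: str, now: float = None) -> Tuple[str, int, str]:
    """Create a recovery challenge.

    Returns (challenge_id, fee_cents, mail_token). fee_cents is what the card
    processor charges (the customer reads it from their statement); mail_token
    goes into the courier envelope. Only the HMAC is retained server-side.
    """
    now = time.time() if now is None else now
    fee_cents = 100 + secrets.randbelow(9900)      # $1.00 .. $99.99, random
    mail_token = secrets.token_hex(8)              # second half of the secret
    challenge_id = secrets.token_urlsafe(16)
    _store[challenge_id] = StoredChallenge(
        user_id=user_id,
        digest=_digest(user_id, fee_cents, mail_token),
        expires_at=now + CHALLENGE_TTL_SECONDS,
    )
    return challenge_id, fee_cents, mail_token


def parse_amount(text: str) -> int:
    """Turn a statement amount such as '$37.42' or '5' into whole cents.

    Decimal avoids float rounding; raises ValueError on garbage input.
    """
    cleaned = text.strip().lstrip("$").replace(",", "")
    try:
        cents = (Decimal(cleaned) * 100).to_integral_value()
    except InvalidOperation:
        raise ValueError(f"not an amount: {text!r}")
    if cents < 0:
        raise ValueError("amount must be non-negative")
    return int(cents)


def verify(challenge_id: str, user_id: str, claimed_fee_cents: int,
           claimed_token: str, now: float = None) -> str:
    """Check both parts. Returns one of: ok, unknown, used, expired, locked, mismatch."""
    now = time.time() if now is None else now
    ch = _store.get(challenge_id)
    if ch is None or ch.user_id != user_id:
        return "unknown"
    if ch.used:
        return "used"
    if now > ch.expires_at:
        return "expired"
    if ch.attempts_left <= 0:
        return "locked"
    ch.attempts_left -= 1                       # count the attempt before comparing
    expected = ch.digest
    actual = _digest(user_id, claimed_fee_cents, claimed_token)
    if hmac.compare_digest(expected, actual):   # constant-time comparison
        ch.used = True                          # single use
        return "ok"
    return "locked" if ch.attempts_left == 0 else "mismatch"


if __name__ == "__main__":
    cid, fee, token = issue_challenge("alice")
    print("fee on statement:", f"${fee / 100:.2f}", "mailed token:", token)
    print(verify(cid, "alice", parse_amount(f"${fee / 100:.2f}"), token))
```

Because the attempt counter is decremented before the comparison and the challenge is marked used on success, an attacker who has redirected the phone line or the USPS mail still needs the courier envelope and the exact charge, and gets at most three guesses at the pair before the challenge locks.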

