1. I believe it began with the hacker getting DOB/SSN.
2. Called wireless provider, and the hacker forwarded all calls and texts to a burn phone. Eventually, the hacker ported my wireless phone to another provider/number (not sure which), and the phone registered to my provider did not work anymore. The landline phone was also forwarding calls to another number.*
3. Hacker gained access to email (as that email was also within the telco's site). At the beginning, the hacker did not reset the password. After I changed the email's password, the hacker was still gaining access to our emails and he/she eventually reset the email, blocking my access. (The reason was that all the texts and calls were being forwarded to his/her burn phone, so he/she could reset the password at any time.)
5. Requested 2FA from bank.
6. Gained access to bank account.
This was over the course of 3 months. It was a nightmare to resolve and the paranoia still remains. The hacker later went on to open several bank accounts. Fortunately, this was discovered early. The entire situation was communicated to the FBI, local police, and bank institutions, but I do not think anyone cared.
*I saw two numbers that were being used within my wireless account site to forward the calls.
Why would they care? It happens dozens of times a day, and the criminals are out of their jurisdiction.
If only the police, FBI, politicians, etc. could go after the banks and telcos to improve their security. But no... they see it as their job to destroy security, in order to make you "safe".
Liability for data breaches limited to companies over X size would be a good idea though.
Also, only investigating fraud when there's lots of money involved means we're only helping rich people, who need the least help. Losing less money doesn't mean less impact on someone's life if that's all they have.
If your whole account is $2k it might be a different world for you and you might be relying on it to pay rent or medical expenses, which is more serious than an investor not having access to his $250k.
I'm not saying it is fine to steal $250k from wealthy people, but poor people being affected (at $2k) is more urgent from a humanitarian perspective.
Or it might be your entire life's savings and if you can't get it back you kill yourself from the stress of losing 40+ years of work. It's very dangerous to make assumptions about other people's money.
I'm not saying that investigating the $250k is not important; but just not more urgent than the $2k theft.
>>I'm not saying that investigating the $250k is not important; but just not more urgent than the $2k theft.
Absolutely not. Ignore the case when this 250k was your entire life savings (30-40 years of saving remainder of your salary every month and slowly building savings for retirement).
It could be mortgage money which you are about to buy a house with or it could be company money for payroll. Suddenly employees of a small business don't get paid. Those employees of course have to pay mortgage/rent/medical bills and suddenly paycheck they counted on doesn't come. This could affect many people in very negative ways.
I think $250k stolen should definitely get priority to be investigated by agents over $2k stolen, as it is more likely to mess up the lives of many people in a bad way.
I am moving away from SMS-based 2FA where I can. For services where it is used, does anyone have opinions on using 2FA via SMS to a VoIP number with a provider who has better account security/authentication tools than most telcos (e.g. Google, etc.)?
Why not? Higher net worth equates to higher taxes paid - the 250k victim has been paying the investigators a more substantial sum, and should receive a more substantial response from them. "Size matters" sums it up to me.
Are you sure? Maybe you believe they shouldn't work that way, but do you believe they truly are blind to the net worth of the offended party?
This is all guessing though, I'd love to see more data on it.
I'd argue that it's a lot more urgent. What if you were paying for a house tomorrow, and the money is gone, so you lose the house? Or you are a small company that has to pay its tax bill for the year, but the money is gone? Or you have to pay for an expensive operation that won't go forward otherwise?
2k is not as important in the sense that if you are really short of 2k, there is a plethora of options to come up with 2k on short notice (some astonishingly bad, like payday loans, but there are options), while if you are out of 250k and need 250k then most likely you are absolutely screwed.
Again, to repeat my final point - don't make assumptions about people's money.
Because it is their job.
We are in dire need of specific public cyber security divisions that people can go to. The FBI, I believe, will have many problems to deal with, and as far as I know, there isn't any capable cyber-police division at the city/state level.
At least nothing capable of handling incidents like the one mentioned above. The debate over whose job it is can get hairy. Especially in a future where the internet is becoming more pervasive, there can be more damage.
They aren't out to "destroy" your security, it's a liability threshold calculation. At the end of the day, secure yourself in life; this includes choosing banks that are more stringent based on your needs and what you want to pay.
adb backup com.google.android.apps.authenticator2
there are also more user friendly backup apps such as helium, but adb works quite nicely.
If you're into cryptocurrency, the Trezor will also act as a U2F device.
Mobile signature (SIM-based)(0) is the most secure method as far as I've seen in banks. Citing wiki: "supporting the authentication on the Internet with a parallel closed network like mobile/GSM and a digital signature enabled SIM card is the most secure method today against the man in the middle attack."
You can manage your risk somewhat by:
1) Using credit and not debit cards for day to day spending.
2) Maintaining your long term wealth in separate accounts at separate institutions and not linking them directly to anything except your checking account. This minimizes what can be stolen if your checking account is compromised, and makes it less likely that your savings can be stolen directly (the account number is used in fewer places).
3) Turning on all the alerting and notification settings you can find, so that you'll hear about unauthorized activity immediately.
In US it seems #freemarket is putting externalities (security) on the customer.
It also provides wire transfers, which are a little more secure because they're push only, but also less secure because they're instantaneous and irreversible. All banks charge at least ~$15 per transaction and they're really only used for high value, time sensitive deals.
Many companies (and individuals) in Europe publish their account numbers on their letter head and website, it really isn't a big deal.
Anything else seems security by obscurity.
And even if you enable it someone needs to forge your signature under direct debit order to allow someone to charge you.
So still no.
I had somebody buying products on Amazon using my company's IBAN numbers. Amazon were super frustrating to deal with. They kept asking for my Amazon account details and I kept explaining that the company doesn't have an Amazon account. They didn't know how to proceed! But in the end they did reverse the charge.
My girlfriend had somebody buying groceries using her numbers. They just wrote the numbers in and signed the sheet of paper at the store. The store refused to take responsibility for doing this without ID-ing the person. The police were more understanding.
More like corporatist government regulations are putting the burden on the customer.
I don't deny that there are _corporatist government regulations_ (which largely prevent the best qualified engineers/entrepreneurs from wanting to tackle the consumer fintech problems), but banks are dragging their feet and the #freemarket hasn't developed a viable alternative yet.
A requirement "out-of-band communication [..] before any outbound wire transaction can be attempted" easily turns the processing cost (not price) from $0.02 to $20+ per transaction, a thousandfold increase, and that's assuming that this'd be offered as standard product and not a special case for a single customer.
If it's not made as a standard product, then it's really painful: it would mean that either the whole staff & systems would have to be trained for that customer's needs (not likely unless you're bringing 10+% of the whole bank's revenue) or the customer wouldn't be able to use any standard banking channels ever, not the normal branches, not the normal online services, not the normal call centres, only directly through your private bankers.
If you keep your PIN secret it's a very secure system (unless the attacker is very lucky).
If you have enough dollars, a private bank type thing works too.
We [the US] dramatically over-rely on SSN. At least one upside to ubiquitous biometrics will be that we can start layering more authentication measures in an effective and consumer friendly way.
I honestly don't see how you didn't just restate what I said with different language, while simultaneously saying you disagree with me.
Either way, I agree, and don't really think this is worth a cyber-argument so not sure if I should even be responding. Oh well.
The police are so overwhelmed and typically it is out of jurisdiction so their options are 0 to none to prosecute.
The only way to guard against it is to keep your footprint small and give as little info as required.
There is no such thing as "identity theft". You can't steal who someone is, that's bullshit. It's rather some party not making sure it's actually you they are talking to, and then claiming that you are responsible for it anyway because they fell for someone else's scam.
When the name sticks, there's usually nothing we can do. Sad but true.
We should call it what it is: fraud. Whether that's bank fraud, computer fraud or wire fraud, banks should be responsible for compensating individuals for the losses incurred. One way to encourage this change is a change in the language we use surrounding these crimes.
And it's really even worse than that, as you are assigned blame for something that the party blaming you is itself forcing you to do. Like, they won't open an account for you unless you tell them your SSN, but then they blame you if you don't keep your SSN secret.
It's reasonable to some degree to expect that you keep your password secret. It's a different thing altogether to take information that is unavoidably known to lots of parties, or in many cases even outright essentially public info (like, stuff you can just buy as a database) as proof of identity, and then insist that you are legally responsible for a contract or whatever they made with someone who knew your DOB or something.
It's really not much different than just throwing darts at a phone book, and then pretending that the fact they hit your name proves that you now have a contract with them ... no, it doesn't, and it's your fucking problem if you think it does.
After leaving the party with my youngest, I went to the grocery store, and then on home. When I got home my wife was gone, which I expected since she was picking up the older kids from the party.
Throughout this afternoon I had not been checking my phone in an attempt to be a bit less connected on the weekends.
About half an hour later my wife comes home totally freaked out and frazzled.
Apparently after I had left, someone went into a T-Mobile store and somehow convinced the associate that my number was theirs. I had received a couple of texts from T-Mobile with a pin number where the store associate had attempted to do something, but I was not aware of them until later.
Once this person had my number, they called my bank, reset my online password, and transferred all of our money from various accounts into one of my checking accounts. The bank then put a hold on everything (thank god).
My wife happened to have been paying bills online while this was happening, and saw it all go down. Her first thought was to call me, then when I didn't answer to call the mom throwing the birthday party.
Birthday party mom told my wife I had left, so my wife assumed that myself and our 3 year old were being mugged or something. The police were involved and she spent a good amount of time freaking out trying to find me.
All in all I had a pretty good afternoon :P
For real tho, it was a freaking mess. Took weeks to get our accounts safe, and we try to avoid using phone numbers for 2fa now.
I had to regain access to an employee's phone a few months ago. T-mobile gave me account control after providing them a phone number that phone had dialed "recently". I am disappointed, but not shocked.
I recall a case where an important customer was stuck abroad with everything stolen; they were sent replacement tokens and cards to be received at the embassy, which could properly ID them.
I mean, any bank with proper procedures doesn't really have the concept of "online password" that's sufficient to do anything and makes 2FA mandatory; I believe in EU now it would be forbidden for a bank to have simply a username-password authentication.
I think it's a fine approach balancing security and convenience.
How can that happen? When I visit my cell provider's store, nobody is going to talk about any account details until you have provided a government-issued ID to prove that you are the account holder. Sure, it's not a 100% bulletproof method, but if somebody went to great lengths to counterfeit my ID, my phone number is the least of my worries. I assume this happened in the USA, so is an ID check so unpopular there, or is it easily circumvented somehow?
The point is that by using SMS as 2FA, you are placing much of your security in underpaid cell phone store workers.
Neither are they here (in the EU), but nobody is going to talk to you unless you provide an ID anyway. Asking for ID doesn't seem too hard, even for non-trained personnel. You don't have to be a detective to match the name/code on the ID with the name/code on the account.
It may happen with certain large scale scams involving organized crime, but not for small amounts; it simply doesn't show up in practice. What does happen is use of real IDs that are stolen (or bought from homeless people), but most places that have some risks have access to registries where they can verify if the ID has been reported as stolen.
I mean, as soon word would get out that some company allows that, they'd be exploited for free stuff in large amounts; all of the obvious loopholes have been tried and plugged in the last couple decades. USA has the problems only because they treat it as "stolen identity" instead of "someone defrauded a company with fake ID", and don't have proper universal IDs and try to make do with a mishmash of driver licences, names, addresses, SSNs, etc.
The fact that the T-Mobile employees can get hold of your mobile phone number is disturbing and a red flag for using your phone number for sensitive stuff (such as money). You should always assume malice from unknown actors.
I am generally of the philosophy that you should trust no one to do the right thing, but these cases seem to be overlooking the obvious that the phone companies are fucking up on security.
I'm starting to worry about similar weak process security on the part of the IRS and Social Security. You can theoretically opt out of using a cell phone, but it's far harder to opt out of government programs that are forced on you with the threat of state force.
1. Do NOT secure your sensitive accounts (Facebook, primary email, bank accounts, Twitter, etc.) with your telco phone #. A telco phone number is NOT secure!
"Create a brand new Gmail email account. Do not connect it to any of your existing email accounts. (When signing up for a new Gmail, you don’t need to enter a phone number or current email, although there are fields for you to do so. Leave them blank.) Once you’ve created the new island-unto-itself email address, create a new Google Voice number." Use this Google Voice # to secure your primary accounts, and don't have your telco # listed in any of those accounts.
But, make sure your New Gmail account is super secure, with a security key, as mentioned in the article.
2. Check the password recovery methods for all your sensitive accounts and make sure the answers aren't duplicated from any other site. Actually, it's best to remove them, if you can.
If any security experts want to chime in, please do.
The problem with this otherwise good idea is that google will not allow you to keep this account as an island.
Eventually you will get the "we've noticed something suspicious about your account" dialog which requires entering some other, unrelated phone number. You're locked out until you do so.
The suspicious behavior is, of course, signing up without a live phone number.
Ironically, they will accept any number you input with no verification that it is related to the account in any way. They just want to see a live, carrier number input.
(This has been my experience from within the US)
This is not true in general. It probably depends at least on the country you try to sign up from, and probably on other factors.
I think you can use Google Voice number on everything other than your main Gmail account.
So, to be extra safe, after you've set up your 2FA for gmail, make sure to change your recovery phone # to something other than your main telco or google voice number.
This is how 2FA was meant to work. It should always require a physical device only you have access to. Otherwise it's just using 1FA two times.
Too bad they really dumbed down the interface - it's not possible to delete messages from the new site.
As I was required to upgrade my Micro SIM to a Nano SIM, I went to one of my provider's shops and asked for a Nano SIM for phone number X. I was then asked to verbally confirm my name and address, and that's it. No ID card confirmation, no nothing. "Here you go sir, your new SIM card will be active within a few minutes. Can I help you with anything else?". What. the.
Great customer service experience, but horrible security.
When it's online, there's almost no risk because they're probably in Russia and leave no physical evidence.
And there is absolute gold in those datarooms if you know where to look.
"iDeals proposes to protect your account with 2 factor authentication. It means that each time when you will be accessing the project/ changing your password/ accessing the protected versions of documents in the data room - an sms code will be sent to your cell phone. "
This after me pointing out that SMS for 2fa is not a good idea.
PayPal only supports SMS based 2FA, or, if you dig through their old website with archive.org, you can find a way to use one of their proprietary 2FA devices.
Support for TOTP? HOTP? Nope.
You can use a tool such as https://github.com/dlenski/python-vipaccess to use google authenticator/freeotp etc. to access paypal.
That said... I believe you still need a mobile number enrolled to enable a token.
You can still use Symantec’s VIP (Validation & ID Protection) authenticator app instead of SMS. I just set it up a few moments ago following these instructions:
then deactivated the former SMS-based Security Key.
In my case, PayPal could take every cent from my account before I’d even get a message. And that’s why 2FA is so important.
Not sure a lot of the companies providing these services actually do that though. And all-in-all, non-SMS based MFA is going to be better anyway.
Tbf, I've had a handful of accounts in a few different countries. I've had proper 2FA in most of them (the one I started with around 2005 uses printed one-use codes), SMS codes in one and no 2FA in one.
The problem is that nearly every single 2fa setup out there does something radically stupid such as use your 2fa method for password reset, or a combination of 2fa + email. This is horribly, horribly broken and worse than "no 2fa at all." All it takes is a SIM clone to steal your phone #, which you use to reset the email, and then email + phone/SMS can be used to reset nearly every single credential under the sun. The only exceptions are those that use proper 2FA such as one-time password apps -- but not Authy which just syncs your OTP/2fa credentials to the cloud and happily transfers to the cloned device :(
1) after adding the devices I wanted to add, I've disabled multi-device (which keeps the existing devices, but prohibits adding new devices),
2) for new devices, it requires a backup password (once) to decrypt the credentials retrieved from the cloud, and
3) IIRC, it requires authorisation from one of the trusted devices to add a further device.
All in all, it seems much better (in terms of the security/availability trade-off) than Google Authenticator. But I've read opinions similar to yours a few times, and I wonder where they come from, whether they've been reasonable in the past, and whether they still are.
1) I trust them ever so slightly more than your average off-shored telco rep.
2) AFAIK, they do not hold the credentials in unencrypted form, they're only decrypted on the device with the backup password.
My current two banks don't have direct 2FA enabled. As far as I remember, the questions available to one of my banks (credit union) are simple enough that you could probably find out by doing a public info search somewhere, and the other bank (Chase) has SMS 2fa, but outside of that it's just public database questions (I know this because I had my card number stolen recently, I currently don't have access to my phone as I'm out of the country, and they asked me a few different questions from a public database, like if I had ever lived at ABC Dr., do you know this person, and what is the full name, etc.). I'd much rather be able to give the banks some kind of information that they are required to verify before they can access my account, like a verbal passphrase, but I don't think that's possible (as in, I wouldn't be able to access my account over the phone without the passphrase).
And most Sparkasse branches will use actual hardware tokens. So the reality is not as bad as the list suggests.
But listing "Sparkasse" as one German bank is misleading as there are 400 independent banks sharing that brand with different policies. They use at least a few different backends for their online system although there seemed to have been some consolidation in recent years.
They've grandfathered in existing members who wouldn't qualify today.
I also find it odd Facebook, and other sites will let you signup solely with a phone number. There's prepaid cell phone providers that recycle phone numbers, etc. Just seems so stupid to rely on a phone number for authentication alone, but two factor I'm okay with since you still need to know the password. Twitter has a developer product where you can be texted a code to login using only a phone number, which to me just seems wrong to do.
It'd be nice if trying to port a number, change important info, etc if they had to actually call you or text you first to confirm. But one of the problems is people will lose their phones, and need a new sim or phone... That I think I'd have a requirement to actually visit the store - but that doesn't work to well with prepaid phone providers without physical stores selling via other stores like Walmart, Target, etc. Maybe in that case without nearby stores, partner with your retailers to verify ID or fax a ID in.
This isn't limited to prepaid phone companies or even cell phones. This practice has gone on for years. (I worked at GTE/Verizon around the time of the merger.) My understanding is that the bigger issue is that it is fairly easy to run out of phone numbers if we never repeat. If I remember correctly, most hold the number unused for 3-6 months, and fewer folks change now since they can port numbers to a new company at times, if the company that owns the number allows for it. (Yes, the phone company at least used to own the number.)
Conversation with one of my banks the other day:
Them: Can we please verify a code sent to your phone number?
Me: Umm, sure, although that won't verify anything. Use something else to verify that it's me.
Them: Can you please verify your phone number?
Me: Umm, I don't know what phone number I used with you? Try XXX-XXX-XXXX, XXX-XXX-XXXX, XXX-XXX-XXXX, XXX-XXX-XXXX, XXX-XXX-XXXX, XXX-XXX-XXXX, and XXX-XXX-XXXX? They all belong to me depending on where I am.
Them: Can we use XXX-XXX-XXXX? Do you have this phone with you right now so we can we send a text message with a verification code?
Me: Send your insecure SMS to any of my numbers. They all go to my e-mail inbox. [I don't need to have my "phone" with me -- my "phones" are virtual.]
They didn't make this policy, and I'm sure they think it's just as stupid as you do.
The problem is that the phone company owns your phone number and you just get access as part of a service. Unlike a domain name where you own it.
If we change the law we'd bring more accountability.
Note - Don't use Dotster (specifically) for your domains. If you're using them now, switch away. Saying that because if you experience any trouble with your domains, you'll be wanting to contact competent staff who can fix problems. Dotster's can't. :(
Not exactly an easy thing to do with a phone number.
Absolutely. In the UK, I could easily port someone's, or many someones', landline number and slap a trunk on it. Sadly though I would also end up paying the bill for it. However, it's much easier to simply fake your outbound CLID to show the call centre you are the mark.
I have no numbers for this but I'll bet that CLID is used by banks etc as part of the security checks for your identity.
There are many, better and more secure options for communicating these days.
I have had two phones die on me that was my 2FA device, plus OS upgrades, so I have gone through resetting 10-20 2FA accounts a few times. Though with upgrades usually I foresaw that and downgraded my 2FA before hand.
All I wish for is that resetting 2FA would be a very, very slow step-by-step process, spammingly broadcast to all emails, SMS, postal addresses etc. associated with the account. But I know that for cost-cutting customer service departments that won't happen.
I've started getting a recovery code for each of my major accounts, printing it out, then literally putting it in a safe.
Yes, it's a problem that security questions turn hacking into a simple public records search.
BUT most terms of service have a line like 'you warrant that you've been entirely truthful with us' or something. If you give the wrong security question to your bank, they potentially have grounds to freeze your money or screw you later.
Why isn't the answer 'consumers have the power -- punish services that don't support FIDO by not using them'.
At best this article is saying 'don't connect anything to anything'.
After they asked the question I said "oh it's a giant random string of crap, hold on..." The person replied "yeah that's good enough" and started the next step before I even had a chance to find the actual string!
“This account must never be unlocked over phone, chat, or email.”
“Never reveal any information about this account (such as address or CC numbers) via support channels”
“The person you are discussing with is a hacker trying to illegally access this account”
Sometimes, I enter random phrases.
Never anything that would actually be true.
I was almost there once. The authenticator device had died, and to my horror the primary backup was corrupt as well. I had a secondary backup (and even an off-site tertiary one, although it's somewhat dated), so I was able to recover... But I also had the idea that I would never have to use recovery processes, and even though I didn't, after the incident my certainty about that is not so iron-clad.
My recovery scenario is either to socially engineer the support channel myself, or start over with a fresh account.
Yeah, I just use a passphrase generator in keepass.
"Wait, you actually use real answers instead of passwords for security questions?"
- I lost my health insurance for 6 months because I couldn't dig up my 'secret answer' in time to activate COBRA.
- My credit card expired while I was traveling and I couldn't reactivate it because I didn't know what answer I had given to 'mother's maiden name'. (In the end I convinced them I didn't need a secret answer to verify my identity, which in its own way is even worse).
- Some company had a form that stripped numbers from the secret answer and mine had numbers in it (hilarity ensues).
Instead of working around institutional nonsense, we should fire bad companies and hire / start good ones.
Most security questions are either trivial for someone else to figure out with a little research or I don't know what my real answer would be. Name of my first pet? Well, I had several that could meet that definition, and I definitely don't remember the name of the first one.
Consider what would happen if you're accidentally exposed to malware that steals data from password managers (by introspecting process memory after the data has already been decrypted).
Better keep those eggs in the different baskets (Update: Point was, I think 1Password doesn't have multiple databases, does it?)
My idea is to have two password databases. One is the usual, for the passwords. Another is infrequently opened and is used for the recovery codes and insecurity questions.
I don't see how a secondary normally-closed password vault would degrade security. It's still encrypted, and safe. On the contrary, it should increase security a little, for the above-mentioned local malware scenario. The price paid is that because the database is rarely used, it could get corrupted without the user noticing, or the access details could be forgotten.
Or I'm missing something important? Why the 3x risk?
1/3rd / 3x was based on the idea of splitting my passwords across 3 databases. Let's take your idea instead.
My concern was that if there is a risk of compromise, by using two different software solutions you've doubled the odds that a vulnerability will expose your data. (I once consulted for a company that had two data centers for high availability, but they had split their production services across the data centers, effectively doubling the odds of an outage instead of reducing their exposure.)
If instead you use the same software and two different data stores, I can see a benefit in having a store that you rarely open, but I'm not sure it outweighs the extra work, at least for me. If someone grabs my password store, having the security questions and answers protected would only help for a few accounts (admittedly, my bank being an important one) and the protection would only last as long as it took an attacker to social engineer their way past it.
I admit, now that you've raised the issue I'm going to at least think about moving my bank q&a info, but I doubt I'll go to the trouble; I suspect I'd either end up forgetting how to get to the credentials or leaving them somewhere someone could get at them.
This will bite me when I lose a password, and also when the web site uses security questions for anything else than password recovery. The latter almost bit me once on Adobe's forum website, when right after creating an account I wanted to change my initial password to something more secure. Luckily, I hadn't closed the window with the data yet, so I could still recover, and saved the random strings in the notes field of my password manager.
The best way he came up with to secure services that insist on using SMS for 2FA (or credential reset) was to register the number of a pre-paid phone for those services.
Inconvenient? YES. But a pre-paid phone number can not be ported by a negligent (or willfully criminal!) operator.
I have enabled proper 2FA on my Google account with U2F, but I haven't disabled everything else yet because I only have one token, and I still need something like TOTP for stuff that uses Google accounts, but doesn't support U2F.
As a closely related remark, I wish U2F would just get popular enough, it's pretty convenient, isn't vulnerable against the kind of attack SMS-based 2FA is, and protects against phishing. But almost nobody outside Google supports it, and OS/Application support is rather incomplete or requires additional setup.
Basically, the safest is, add Google Auth via App to your account, then remove all the phone numbers from Google. If any phone number is linked to your account, no matter what your account recovery options are, Google will always give you option to "recover" it by SMS.
And remove SMS from the listing. I currently have 3 2FA mechanisms listed: Security-Key/Yubikey (default), Authenticator App (set on two devices), and Backup codes which I downloaded (and at some point will print and place in a safe deposit box).
Losing access to my two gmail accounts would be a complete nightmare---more so than my bank/brokerage accounts. Some brokerages like TD Ameritrade do not even offer 2FA. In my case, paranoia mode for email accounts is completely warranted.
I really wish U2F becomes the standard across all web services. It seems insane that, in some scenarios, the only barrier against financial ruin is the gullibility of your cell-phone provider's customer service rep.
I don't recall ever having a problem with this setup. Are there services that require a Google account to sign in, but don't work if you don't have a phone number?