It’s not only Bitcoins that we want to protect. It could be any and all accounts that are associated with that phone number of yours. Things like bank accounts, finance, health and other sensitive information are always at risk in a digital world. Your cell phone company should take your security seriously for many reasons, and to be fair they do for the most part, but most of them are falling behind in a few departments.
This includes all the major companies: Verizon, AT&T, Sprint, and T-Mobile. The problem with each of these companies and some other ones like them is that people are getting their phone numbers hijacked and stolen so that the hackers can gain access to other accounts and wreak havoc. That’s not to say that you can’t fortify your account with these carriers, but if you’re paranoid about your cell phone security then you might want to find a more secure option.
A lot of this hijacking has been spurred by the fact that many companies have added two-factor authentication using SMS or a phone call when logging into your accounts. This has made your phone a target for social engineering so that the hackers can get access to your phone number and then use it to gain access to your other accounts. The popularity of Bitcoins and other cryptocurrencies now makes it even more enticing for hackers to get into your accounts. They can actually steal real value with cryptos.
What are the best options for the best security?
After doing some searching around I’ve found a couple options that you can try out for a good cell service with acceptable security. Both seem to be decent options, but I do think one is a little better than the other at this point in time. You also have a third option in Google Voice.
Your options? They’re Google Fi and Republic Wireless.
I think Google Fi is your best option, while Republic Wireless is a good option but lagging behind because of a few things I’m going to talk about. If you want to be extra careful (or paranoid) then you should get a new and separate phone account with one of these companies and never use your phone number for anything other than your high risk accounts. This might be overkill, but for about $20 a month you can do just that.
When I was doing my research I contacted Google Fi and Republic Wireless to investigate their security options. This is what I found out.
Google Fi (The Winner)
Google would be the clear winner for 1 simple reason, and that’s because they have the option for you to use 2 factor authentication (with a U2F key or an authenticator app) while Republic Wireless does not currently have that option. This alone would push me towards getting Google Fi over Republic Wireless. There really isn’t any other comparable cell phone service to Google Fi that also allows you to use 2FA.
It’s too bad because Republic Wireless seemed to be pretty good with everything else, including their price. Google Fi was the clear choice when it comes to better security though.
Chat session with Google Fi rep
Let’s look over some of the info I got out of a chat session with Google’s chat rep. I tried to ask both Google Fi and Republic Wireless the same questions so I could evaluate who had the better answers in regards to security.
So I asked, “What happens if I forget my password to my account? How am I able to get it? Can I use chat? Phone support? Email support? Is it all connected to my Google account? What type of account changes can I do through this chat channel, if any at all, and others like email, and phone channels that I could have picked instead of this chat?”
The chat got pretty interesting and I learned a few things. Here’s my chat session with some of the sensitive info redacted.
Fi Rep:
Ah, I definitely understand the concerns. Your Project Fi account is connected to your Google Account. So, if you forget your Google Account password, then you would go through the usual Account Recovery process to retrieve it. The account changes you can make depends on the specific issue.
Some things we cannot do for you such as changing payment information but we can still assist you with finding out how to do so. There is no difference in support, but there are some instances where it is better to call in.
Stock:
I have been doing some research on how I can better secure my telco account after learning about others who have had their phone numbers hijacked.
I am at a higher risk of being hacked because I deal with cryptocurrencies. Can you please help me figure out what I can do to protect my number from being hacked?
I’m very security conscious. I use long string passwords with numbers, upper and lowercase letters and special characters. I have a PIN set up too. I wonder what else can I do?
I use 2 factor authentication wherever I can. I guess I can use a U2F key (like YubiKey) or an authenticator app (like Authy) with Google Fi?
I did set up a PIN at my other provider, but can you tell me about Google Fi? Do they have a PIN needed for account changes? Does it apply to ALL account changes? What happens if I forget my PIN? Have you had any people that had their accounts hijacked by social engineering? How can I make account changes, are they all online or can I do some over the phone?
Can I put a port freeze on my account? Can I put a SIM lock on my account? Can I add a high-risk flag to my account to help thwart hackers trying to socially engineer their way in?
What is the process to port a number to a different phone? I want to understand the process so I can understand how I can better protect myself.
Thank you so much for your help,
At this point I was copy/pasting something I had written in an email to Republic Wireless word for word so that I could get answers from both sides. I was posing as a possible new customer to Google Fi.
Fi Rep:
As I stated, your Project Fi account is linked to your Google Account. So, you would follow the same security measures suggested here: https://support.google.com/accounts/answer/46526?hl=en . You don’t need a PIN for Project Fi account changes, but account changes cannot be completed without access to the Google Account. You will need a PIN however for things like Voicemail access and porting your number to a different carrier.
Stock:
1- Have you had any people at Google Fi that had their accounts hijacked by social engineering?
2- Can I do any account changes over the phone?
3- Can I put a port freeze on my account?
4- Can I put a SIM lock on my account?
5- Can I add a high-risk flag to my account to go in my account notes so that customer service reps can see the note when dealing with me or anything to do with my account?
Fi Rep:
No, I have not heard of any user having any issues with someone getting into their Project Fi account. You can request assistance with account changes over the phone but your account will need to be authenticated first. A port cannot be initiated without you requesting it. In order to complete a port out request, you will need the account number and PIN generated during the time of the request. There isn’t a way to “flag” your Project Fi account. We use authentication methods before accessing your account to assist you.
Stock:
Can you tell me about the authentication methods used that you are talking about? How would my account be authenticated over chat, phone, or email for example (I assume I could use any method I choose to make changes?)
Fi Rep:
When chatting in, your account is typically authenticated via your Gmail address. So, if you are signed into your Google Account already, and initiate a help request through your account, then no additional authentication is needed. This is typically the same for email assistance. Phone calls are different.
Stock:
That makes sense, but what about if I was not using the same Google account but a different one? And phone calls, yes please do tell.
Fi Rep:
I am not a phone agent, so I can’t speak in detail, but there are additional methods Project Fi would use to authenticate your account. This typically involves a security code you would find on your account or a registered device on your Google account. So, the only way to authenticate the account access is via the Google account itself. If you were not contacting us with the account in question, then you would need to sign into that account.
Stock:
So the only way to get into an account that isn’t mine without signing in would be by using the phone method. Can you tell me about this security code you speak of? What exactly is that? And what would be an example of a registered device on my Google account?
Fi Rep:
You will have access to this security code once you get signed up to Project Fi. It will be viewable on your Project Fi account page. As for devices, here is a reference from the Google Account help center on how you would add and remove devices: https://support.google.com/accounts/answer/6264236?hl=en
Stock:
Perfect, that makes sense! Thanks.
You implied I could use a registered device instead of the security code when you said “or” so how would I use a registered device to authenticate exactly?
Fi Rep:
Right, we would send a prompt to your device to confirm that we are speaking to you as the account owner.
Stock:
What if I removed all my “Account recovery options” and I didn’t have access to my previous devices and I forgot my security code for Fi?
Fi Rep:
As a Project Fi agent, I wouldn’t be an expert with your Account Recovery options, but I am certain that there is a way to request assistance with getting into your account by reaching out to the Account Recovery team.
Here is that link: https://support.google.com/accounts/answer/6236295?hl=en . No worries, you don’t need to worry about remembering the security code. A new one is generated each time and can be retrieved by logging into your Project Fi account.
If you no longer have access to your Project Fi account, then you will want to proceed via the Account Recovery process to get back into your Google Account.
As a Project Fi agent, I cannot confirm the exact process, but I do know that they would be completing an investigation and then following up with you via a secondary email. You would be unable to reach them via chat or phone.
For more Google Account related questions, check out the following Help Center: https://support.google.com/accounts#topic=3382296 .
What do you learn from this?
Yes, yes, yes, Google will “complete an investigation” before giving you access to your account. This might seem harsh if you’re just trying to get back into your account, but if you’re a hacker this makes it that much harder to get in.
Unfortunately when it’s easier for us to recover an account that we can’t get into then it’s also easier for hackers to get into our accounts with a little social engineering. I was very happy to hear about an “investigation” that would take place. Another thing I liked about it is that they would only do it through email. No chat or phone. This gives Google time to run a real investigation into the account. It makes me wonder how often hackers try to get in this way.
Republic Wireless responds with their own answers
I had mostly similar answers at Republic Wireless. Everything seemed mostly locked down except for the lack of 2FA at login.
I was told by a Republic Wireless Rep, “The PIN you set up keeps anyone who does not have your PIN from being able to access your account. No one can port your number out without knowing the PIN. If you happen to forget your PIN, you can have an e-mail sent to you and reset the PIN. If you forget your Republic Wireless account password, an e-mail can be sent to you as well allowing you to reset that.”
I then proceeded to ask a few more questions.
1- I use 2 factor authentication wherever I can. Is there a way I can do that with my Republic Wireless account access to online? I would prefer to be able to use a U2F key (like YubiKey) or an authenticator app (like Authy). Is that an option for me? Will it be an option in the future if it isn’t already?
2- Have you had any people at Republic Wireless that had their accounts hijacked by social engineering?
3- How can I make account changes, are they all online or can I do some over the phone? Does Republic Wireless do phone support or is it all online?
4- Can I put a port freeze on my account?
5- Can I put a SIM lock on my account?
6- Can I add a high-risk flag to my account to go in my account notes so that customer service reps can see the note when dealing with me or anything to do with my account?
The RW Rep answered:
1- 2-factor authentication. No, we do not currently have any such service available.
2- hijacked accounts. No. To my knowledge, this has never happened with our service, but I imagine that may be due to our relatively small customer base.
3- support options and account changes. Changing your plan and updating your payment info are the only two changes that can be made from the phone. If you need instructions, they can be found pretty easily in our community. And currently, we offer email and chat support for our members.
4- freezing an account. No, we do not currently have any such service available.
5- SIM lock. While this isn’t something we can do for newer phones, the older 1.0 and 2.0 compatible phones that were programmed with our software from the ground up are locked.
6- High-risk flag. This isn’t something we do regarding the status of our members. We try to treat all our members fairly and equally.
I liked all of these answers except that they didn’t have 2FA. With no phone support it makes it harder for hackers to get into my account. They’ll have to deal with email or chat.
While Republic Wireless gave me no information about account recovery and how I would go about getting back into my account if I didn’t have access to my phone (it was lost) and I couldn’t get into my account online (forgot password), I’m still probing them for answers and should have things figured out soon.
In any case, not having 2FA for a phone account that has to be accessed from the internet seems like a misstep in my opinion. I wish they would fix this problem, but other than that they seem to be more secure than any of the other big names in phone service.