Google ordered to identify who watched certain YouTube videos
1. tamimi+ya 2024-03-23 03:38:53
>>wut42+(OP)
> The court orders show the government telling Google to provide the names, addresses, telephone numbers and user activity for all Google account users who accessed the YouTube videos..

Hopefully that clarifies for some folks why these big tech/social media companies insist on having your phone number as a “2FA for security” despite all the SIM-swap attacks.. simply for this moment, because you might be using a VPN, and address/name aren’t in your Google account, but definitely your phone number is there, it’s even worse if you’re using an Android too, as they probably will pull out all your app/browsing history..

2. kevinc+fG 2024-03-23 11:38:44
>>tamimi+ya
I'm not saying that there aren't other motives, but there are legitimate security concerns.

Credential stuffing is a huge issue for large providers and requiring 2FA is a huge mitigation. Sure, a targeted attack will make the SIM swap, but that is a huge difficulty upgrade from generic credential stuffing.

3. dogman+f61 2024-03-23 15:52:36
>>kevinc+fG
Source - am a fairly experienced security engineer.

It’s a nonsense argument to say Google can’t handle credential stuffing without SMS 2FA in place, as in not pushing all 2FA via Google Authenticator and using the very wide reach and talented security team for baseline cred stuffing. Sec tools for this, even without being Google and their very talented sec team, are pretty good.

Wanting a hard phone number is a pure identification play and also about the more likely pragmatic concern (than cred stuffing) of using Google for burner accounts.

4. kevinc+H61 2024-03-23 15:56:20
>>dogman+f61
How do you handle credential stuffing? Attackers will use a huge number of regular residential IPs or VPNs that you would expect to see logins from. How do you tell a credential stuff from a regular login? They are both coming from unknown IPs with normal login rates and they have valid credentials.

5. dogman+CL6 2024-03-25 23:43:20
>>kevinc+H61
Because there’s a bit more to it than just tracking IPs and rates.