We don't require any identifying information for signup (not even an email address). We take payment in Bitcoin.
We have cheap virtual numbers available where our upstream provider blocks signup verification codes, and more expensive "physical numbers" available to receive verification codes.
How are physical numbers different from virtual numbers? What would be the advantage of using a physical number? Why do they cost 120 times as much as a virtual number? How is this better than using Twilio?
(Virtual number is $5 a month and physical number is $20 a day)
Good questions. Ideally the website would make this clearer upfront.
Our upstream provider of virtual numbers filters out verification codes from services like Google, Facebook, and Twitter.
The advantage of using a physical number is that no messages are filtered out.
They are more expensive because they are more expensive to me. And the typical customer only uses a physical number for one day, where the minimum purchase time for a virtual number is one month, so the effective price to the customer is "only" 4 times as much.
It's better than Twilio because Twilio filter out verification code messages, and because Twilio don't allow anonymous signup or Bitcoin payment.
I've never used this type of service, but I have a question. How do you forbid me from sending an SMS to a high toll number, i.e. the ones from where you would buy your bus ticket?
I have no plans to accept payment in anything other than Bitcoin, but can you please explain the advantage of paying for services with other companies' gift cards?
And how would it even work? Would you post the gift cards to the company, and then they'd add to your balance when they receive them?
How is it better for either the customer or the business, compared to Bitcoin?
Plus I hardly spend any money in either Starbucks or Subway, so I'd then presumably need to find someone to sell them on to.
Surely it would be easier for both parties if you posted physical cash than physical gift cards (customer doesn't need to buy the gift cards, and business doesn't need to sell them).
Btw if you have a Thinkpad X250 or other laptop based on a Sierra em73xx modem, I wrote a Python library to send/receive SMS using that: https://github.com/smcl/py-em73xx
Oops maybe I should remember to check before sharing things like this - I forgot that I have "(TODO, haha!)" in the "Documentation" section of the README. Check the Examples section for how this should work. It's very simple, but admittedly my docs should be better.
> Ironically, Twilio gives you a private phone number for free in the trial account if you provide them with your phone number to receive a verification code. Fortunately you can use any of the temporary phone numbers from the sites above to receive the verification code to activate Twilio trial account.
While we're on the topic, could someone explain the following?
1. Is there any free way to send an SMS "from" a different phone number that you verifiably own, without actually sending it from that number? (e.g. if your service provider charges you for messages sent through them, but the phone number is yours)
2. Beyond that... how do VoIP services go about sending & receiving SMSs themselves? Why can't I do the same thing and bypass them?
Do traditional lines work the same way basically too, in this respect? Or is there a fundamental difference between traditional lines and VoIP lines in this aspect?
I would assume so, although traditional lines were a lot more nationalised. So it would be the same thing, but (international) agreements between national carriers rather than private companies.
It's an honour based system. There are companies that'll activate SMS on any number. They verify your access to a number, then they have a contract that lets them assert they are allowed to do SMS for you. The owner of the number (the carrier) has to agree to this system so it's not available for every possible number.
Despite the article's headline, I believe their use-case is for people who have a phone, but don't wish to give their real phone number to any arbitrary website, hence the comparison in the intro with temporary email addresses, and the line "If for some reason you need to receive text messages online from your computer rather than your phone".
<evil hat>What an awesome way to collect SMS 2FA tokens. Plug this into a database of password breaches (an evil version of Have I Been Pwned that stores hashes and passwords, for example) and as soon as you see token-looking-things, hit Paypal/banksites/Amazon with any reversed passwords you have and try the token...
A lot of these services won't be able to receive a lot of those 2FA text messages. Short code SMS isn't universally able to reach all SMS capable services/providers. I found this out the hard way when I ported my number to Twilio and stopped getting commercial SMS messages. I've since ported to Google Fi and many of those SMS messages still don't work.
Do not underestimate the capabilities of a non-technical user wanting to be helpful giving another non-technical user seemingly authoritative advice on an Internet message board. (If it is not obvious, I am not speaking hypothetically here; I have watched this happen.)
And if you think "Gah, only an idiot would...", read HN threads about law sometime.
It really depends. Not so long ago Humble Bundle forced 2FA on me and I had the choice of forfeiting my 100-game library or setting 2FA. I don't care at all that Steam gives them heat about how some Steam keys are used, and I care enough about my phone number not to give it away.
Then there was the time when I was traveling and verification SMS would not reach me because my carrier plan does not include receiving SMS internationally.
Then there were a few other times and cases where not using your phone (provided you have one and carrier plan) but a public text service instead.
To me phone based 2FA is mostly a scheme to collect users' phone numbers as there were in the past to collect email addresses. It introduces a pretty serious point of failure by relying on mobile number (no battery, no signal, no phone, changed number, prepaid card, etc.) while only being helpful in fringe cases such as when my password has been stolen.
Moreover it promotes bad security practices instead of fixing security issues, just slap some 2FA on top of whatever exists and now it is secure.
Then there is the question of how do I change my associated number when I change phone number, then what prevents a social engineering pro from changing the number too?
I'm not sure using a publicly readable text service is so wrong, it mitigates the relying on phone point of failure, protects your privacy better, someone else reading the code may not be a problem as the code alone is useless.
As usual this really depends on what threat model you are trying to protect from. Neither option will be able to protect you from a nation state targeted attack.
Which means it will happen most likely. Even techies make stupid mistakes, such as me not changing my Skype password the other day, and had the account breached. Sigh
I checked the article to see if I could do exactly that. Why couldn't the second factor be another web service? Password resets shouldn't be possible with the second factor alone anyway. What's the use-case for a publicly readable text service? I'm not familiar with any such services.
The use case is anything that requires you to provide a number to receive a confirmation text. From registration to a personal data hungry website (Facebook, Google, etc.) to two factor authentication.
At some point in the past collecting user email addresses became the standard and using disposable email addresses was the answer. More recently the trend seems to have upped to collecting phone numbers to which the answer is those public text services.
> What's the use-case for a publicly readable text service?
Abuse, for one -- many services use "prove you control a phone number" as a first-pass filter for "An action which is easy to do once but hard to do 100,000 times" to authorize people to do a wide variety of things.
Apologies. I'm not a native English speaker. Still having a problem imagining in what sense an SMS service might be "publicly available", and how public availability helps in proving control of a phone number :-$
Have you visited one? https://smsreceivefree.com/ for example. You will understand what publicly available means: they provide a phone number, you use it for whatever and check the site page where all texts sent to this number are displayed.
Ohhh, this is wonderful. I'm eternally grateful for whoever runs yopmail.com; I didn't know that something similar exists for text messages as well!
It sounds like something that should be an open source crowd-sourced service!
I imagine it could work like this:
1) Generous people donate a phone number by putting a cheap prepaid SIM into an old smartphone with a special app on it.
2) Everyone else can now use this number to receive messages!
3) The service could end up having hundreds of phone numbers available, with stats (eg. last message received, number of messages received, downtime, etc.)
Just like generous people today run TOR exit nodes, generous people could run an "SMS entry node". (not sure if that term makes sense)
Disadvantage: like TOR, it can and will be abused by spammers.
Advantage: Companies need to come up with better anti-spam measures instead of "give us all your personal data".
As someone who's sick of giving out my mobile number to sites and services, does anyone happen to know which of these might work with Skype, if they've curiously decided to lock you out of your account since they don't have a mobile number for you?
Not listed in the article: I run https://smsprivacy.org/
We don't require any identifying information for signup (not even an email address). We take payment in Bitcoin.
We have cheap virtual numbers available where our upstream provider blocks signup verification codes, and more expensive "physical numbers" available to receive verification codes.
Featured on Indie Hackers here: https://www.indiehackers.com/businesses/sms-privacy
Revenue has now grown to nearly $1200/mo.
Ask me Anything!