this post was submitted on 06 Sep 2023
375 points (79.4% liked)

Privacy

31609 readers
76 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

Gmail prompt to provide phone number sounds like a threat

you are viewing a single comment's thread
view the rest of the comments
[–] DoomBot5 223 points 1 year ago (7 children)

Dumb take. All it's warning you is that without those, you won't have a way to recover your account it you lose your password or if it's hacked and someone changes it.

[–] [email protected] 71 points 1 year ago (1 children)

Yeah, I'm all for bashing companies regarding privacy and whatnot, but this is just informing/warning you about account security.

[–] [email protected] 29 points 1 year ago

People here don't realize how dumb the average user can be. I've helped countless people attempt to recover their accounts to which they forgot the password to because they were logged in on their computer and just went to it, and were shocked once they let the cookie expire.

Backup security questions? "Oh, I put random garbage there, there's no way I remember".

I've known people that end up with a new email more often than they end up with a new phone number for that exact reason. Or worse, they also got a new phone number without thinking about their 2FA SMS and lose a whole bunch of accounts.

With social engineering attacks all over the place, more and more companies just won't help you in the name of security.

Those users absolutely need to be nudged towards adding backup account recovery info.

[–] janonymous 16 points 1 year ago (1 children)

Yeah, probably, but I've noticed lots of sites use security as an excuse to get your phone number. For my work account Google forced me to enable 2FA for security reasons, but wouldn't allow the authenticator, only my phone number, until they had it. Then I was allowed to switch to the authenticator. That was not a setting my employer could change, either, they tried for half an hour.

Phone numbers are used to congregate the your data that's collected on different sites to one profile. I'm pretty sure that is the main reason Google and others are pushing you so hard to give it up.

[–] [email protected] -4 points 1 year ago (1 children)

Nonsense. You don't even have to use Google's authenticator when setting up MFA. You can just scan the QR it gives you using any authenticator app. You can use Microsoft Authenticator, Duo Mobile, Lastpass, WatchGaurd, etc, etc

[–] [email protected] 1 points 1 year ago

I don't think you understand. They don't force you to use Google Authenticator. They don't let you use any authenticator app until you give them your phone number.

This tactic was used in the past by many other sites, off the top of my head LinkedIn, Facebook, Amazon. It's a scheme to get your number because then it can be used to cross-identify you everywhere.

Example: if I were to verify my phone number with Twitch, which is an Amazon company, they would be able to correlate everything I ever bought on Amazon with my gaming habits.

[–] [email protected] 12 points 1 year ago

Phone numbers are an attack vector. Especially for 2FA.

[–] [email protected] 7 points 1 year ago (1 children)

There are other ways to recover an account. Google just wants to have your phone number, security is an excuse and use of fear mongering to get is pathetic and shameless.

[–] Jilanico 13 points 1 year ago (3 children)

Can you describe some alternatives to a recovery phone or email? Honest question.

[–] [email protected] 4 points 1 year ago (1 children)

Secondary e-mail address, security questions, recovery key, physical key fob - from the top of my head. Better or worse, the point is - it doesn't have to be a phone number.

[–] [email protected] 7 points 1 year ago* (last edited 1 year ago)

It's asking for a secondary email address or phone number. Security questions are insecure and probably the worst reset methode there is. Most users don't even know what a security key is so it's pretty pointless to mention it if only like 1% are actually using it and it could cause more confusion than it helps.

Edit: apparently it actually does ask for both. But it's not even mandatory. Its just a warning

[–] [email protected] 3 points 1 year ago (2 children)

I'm curious about their perspectives too.

The only other options I can consider are government-issued ID verification, a bank validation process (a fast transfer to confirm identity), or the use of a debit/credit card.

All of the above alternatives involve significantly more intrusion than requesting a phone number.

[–] Jilanico 3 points 1 year ago

Agreed, or a burner alternate email. If Google didn't give any option other than phone number maybe we could make a case of ill intent.

I think the main driver here isn't that they want your phone (although they're happy to have it, I'm sure), but they don't want the tech support headache of manually verifying and unlocking accounts for tons of people.

[–] [email protected] 2 points 1 year ago (1 children)

Especially when they already have access to your entire email history. If they wanted your phone number for nefarious means it will probably be somewhere in that history already. Your email already requires complete trust in the email provider service, there's so much more sensitive stuff they already have access to.

[–] [email protected] -1 points 1 year ago (1 children)

Having your phone number means that whenever you get a new Android phone they will instantly know who you are even if you don't use the same Google account on that phone, or even if you never use any Google account. How does that sound?

[–] [email protected] 2 points 1 year ago (1 children)

There's also this thing called a phone book which has almost everyone and their number in it. Phone numbers are not sensitive information, period.

[–] [email protected] 1 points 1 year ago

Phone books don't show mobile numbers. In Europe at least mobile registries are private and subject to restrictions. Phone numbers are considered personal identification information under privacy laws, because portability regulations have made it possible for people to carry the same number for most of their lives.

Heck, I'm not sure phone books are still a thing over here, but if they still exist they're not allowed to show numbers for private individuals.

A few years ago there were websites that maintained phone number databases and would let you search who owns a number but GDPR stopped them cold.

[–] [email protected] 0 points 1 year ago (1 children)

Well the alternative to having to recover your account is to prevent you losing access to it which usually comes in the form of 2FA or MFA.

If you're so protective of your personal information that you don't want to hand over your phone number then you should be taking steps to secure your account.

Or don't use Gmail.

[–] [email protected] 1 points 1 year ago

But most users don't have OTP or FIDO.

[–] [email protected] 0 points 1 year ago (1 children)

Wait until they hear about this thing called a phone book.

[–] [email protected] 3 points 1 year ago* (last edited 11 months ago)

[This comment has been deleted by an automated system]

[–] [email protected] 0 points 1 year ago

Actually I had to let go of an email because Google wouldn’t let me login without giving my number or alternative email