It was reported in the news that an obscure background-check company National Public Data was hacked. Hackers published on the dark web millions of stolen names, dates of birth, Social Security Numbers, current and previous addresses, phone numbers, and email addresses.

This hack follows many other hacks. You should assume by now that your name, date of birth, Social Security Number, address, phone number, and email address are all out in the open. So freeze your credit and protect your tax return (see How To Freeze and Unfreeze Your Credit With Experian, Equifax, and TransUnion and Stop Tax Return Fraud: Sign Up for the IRS IP PIN Program).

Password Reset Attack

We should also realize that many financial institutions use this same set of personal information to handle password resets. Thieves don’t need to crack your complicated long password when they can easily reset the password by giving your name, date of birth, Social Security Number, and zip code.

The best practice to secure your financial accounts is to use security hardware for 2-factor authentication (see Security Hardware for Vanguard, Fidelity, and Schwab Accounts). However, most banks and credit unions don’t support security hardware, which is another reason to ditch banks and use a broker.

Many financial institutions will send a one-time code to the phone number on file. In that case, as someone said on the Bogleheads forum, the security of your account rests in the hands of the customer service rep of your cell phone provider.

If someone has access to my phone number + easy to discover tidbits of information about me (name, date of birth, social security number, and home zip code). They can get my username, reset password, log in to the account, and conduct business as normal. Is that true? Yes, I have tried it myself (and maybe you should give it a try too).

If someone convinces your cell phone provider that you lost your phone, or they trick you into reading them the one-time code from the cell phone provider, they can transfer your phone number to a phone that they control. Now the security codes from your financial accounts will go to their phone. They reset your password and gain access to your accounts.

Use Google Voice

One way to prevent your phone number from being transferred away is to use a Google Voice number for your financial accounts. Google Voice gives you a number that can receive text messages. The messages appear in the Google Voice app or on Google Voice’s website. A Google Voice number can be transferred to another provider only by logging into your Google account. Your Google Voice number is secure after you secure your Google account with a hardware security key.

Google requires some outbound activities on the Google Voice number once in a while to keep the number active. Google will revoke the number if they don’t see such activities. The required activities include:

Making a call or answering a callSending a text messageListening to the voicemail

Only receiving text messages doesn’t count. Google sends a warning email if they don’t see any of these activities periodically. They give you 30 days to generate the required activities to keep your Google Voice number.

Make Google Voice Number Permanent

Generating the required outbound activities after receiving a warning email works fine. Still, it would be a bummer to lose the Google Voice number that you use for important financial accounts if you miss the deadline. There’s a way to make your Google Voice number permanent and not risk having it revoked by Google. It takes a one-time effort and costs a little money but it’s worth it.

Here’s what you need:

A spare old unlocked phoneA month of minimal cell phone service on a new lineA $20 payment to Google

The idea is that you activate a new line for minimal service from a cell phone provider and you transfer (“port”) that new phone number to Google Voice. Google Voice treats a ported-in number as yours to keep. They won’t take it away even if you don’t have any outbound activities on that number.

As a bonus, after you port in a new number to Google Voice, you can keep your original Google Voice number as a secondary number in your account, which is also not subject to the outbound activity requirements. This gives you two permanent Google Voice numbers. You can use one number and have your spouse use the other number, or you can use one number for financial accounts and the other number for non-financial accounts.

You can add a new line for a month to the family plan with your current cell phone provider. If that costs too much, several low-cost cell phone providers offer talk-and-text plans for $10/month or less. They’ll send you a SIM card if your spare old phone needs a SIM card. Or they can work with eSIM if your old phone supports eSIM. You only need to activate the new line and confirm it’s working before you ask Google to port that number to Google Voice.

You’ll need the account number and the port-out PIN from the cell phone provider. Search for the name of your provider and “port-out PIN” to find out how to obtain that information. Google charges $20 for porting the number. It takes 1-2 days to complete. Google will send an email when it’s done. That email also tells you how to keep your original Google Voice number as a permanent secondary number. You can test your new Google Voice number by texting to it and seeing the text in the Google Voice app or website.

I did this last month. Getting a new phone number with minimal service on a spare old phone and porting the number to Google Voice took some legwork. It cost less than $30 and now I have two permanent Google Voice numbers. Knowing those numbers won’t be taken away makes it worth the effort.

***

I use a Google Voice number as the phone number on file in all my financial accounts. Even if an account supports security hardware or an authenticator app, it often still sends security codes and alerts to the phone number on file. I want that phone number securely under my control.

I turn on 2-factor authentication in all accounts:

1. If the account supports security hardware (Yubikey or Symantec VIP token), I use security hardware.

2. If the account supports authenticator apps (Google Authenticator, Microsoft Authenticator, Authy, …), I use an authenticator app.

3. If an account only supports sending security codes by text message, I give my Google Voice number and receive the code in the Google Voice app.

4. If an account doesn’t accept a Google Voice number, I close my account.

Learn the Nuts and Bolts I put everything I use to manage my money in a book. My Financial Toolbox guides you to a clear course of action.Read Reviews

The post How to Keep a Google Voice Number Permanent for 2FA appeared first on The Finance Buff.