Republic Wireless number not accepted for security verification codes on banking sites and by other services


#1

I tried logging into my retirement account at my.vanguardplan.com, and as part of a security refresh they are requiring a phone number to send verification texts or calls to. I entered my number several times, and it was rejected each time. I called their help line, and the rep asked, “Do you happen to have Republic Wireless?”, and said that is the only carrier they won’t support, due to security concerns over their use of VOIP. Has anyone experienced anything similar? Back when RW used sprint, I think there used to be a “hidden” sprint number that would sometimes work, is there something similar now? Vanguard has told me that I just won’t be able to access my account online, and has switched me to paper statements. I’d love to be able to get access to their site again, and I’m a bit concerned that RW is somehow less secure than all other carriers.


Republic number rejected for online SMS security verification
RW failing to properly communicate text capacity of our phones causing core functionality problems
Republic number not accepted by twitter
What app works like WeChat on Republic?
Twitter won't send a text message to my phone to verify account
#2

Call him back and tell him they should block T-Mobile too since 80% of their calls are VoLTE and, like VOIP, all LTE traffic is in the form of IP packets.


#3

This is quite intellectually dishonest. Bill summarizes it quite well, but I guess they also won’t allow Google Voice Numbers, Viber Numbers, FreedomPop Numbers, Vonage Numbers, Xfinity Home numbers, Verizon FiOS numbers, Every single cable providers home numbers, etc.


#4

I don’t actually have their full reasoning. The rep didn’t really understand it, she just said that RW numbers weren’t accepted “due to their use of V…O…I…P…” (obviously uncertain what that was). I agree that it seems like a pretty silly restriction. That said, sending security codes over SMS has been shown to be insecure, so if they were really concerned they should force the use of a 2FA app like Google Authenticator.

I guess I was just wondering if anyone had ideas of how to deal with this without having to pick a fight with whoever is in charge of this decision at Vanguard.


#5

I think the only things you can do are work up the ladder in their support group until you get to someone you can reason with or switch banks. If you choose to switch banks please tell them why you are switching.


#6

Does RW use encryption? I don’t believe they used to and if not then that could be the issue. If you are using your phone over public WiFi, there is no security and anybody on that network can get listen in. Then again, there are fake cell towers that can do pretty much the same things.

https://www.tomsguide.com/us/imsi-catcher-catcher,news-19438.html


#7

I wonder if anyone as tried to use a Republic Wireless phone number to set up the ‘My Social Security’ with the Social Security Admin?

Unfortunately, I can’t use my RW number to test, as my Wife signed me up and used her iPhone as the 2 factor number, and it requires a web+snail mail time delay for changing


#8

Yes. It continues to work quite well.

Even with your qualifier, I’m old.


#9

It has absolutely nothing to do with this. Republic text messages are delivered to the phone over an SSL secured connection, so whether on wifi or cellular, encrypted.

Generally, Republic numbers aren’t accepted for one of a few reasons:

  1. The provider simply doesn’t understand that many VoIP numbers are text enabled and treats them like any “wireline” number, considering them incapable of receiving texts.

  2. In many cases, it has nothing to do with it being a VoIP number (such as the IRS). In this case they don’t accept any pre-paid numbers (Republic, Cricket, MetroPCS, etc) no matter the technology they use. This is because they are trying to use the number as a means of identity verification. Since pre-paid carriers don’t verify identity, their numbers can’t be used for this purpose.

  3. Finally, some providers are worried about “throw-away” VoIP numbers. There are plenty of places online you can get 1 or 100 numbers cheaply. You can then use a US number from Iran or Florida. They lump all VoIP numbers into the same category, failing to differentiate between a cell phone provider like Republic and an online or app only provider.


3rd party payment app needs to verify my Republic cell number
#10

I’ll throw in SMS is inherently insecure on any platform VoIP or cellular as is the PSTN itself: https://www.theverge.com/2017/7/10/15946642/two-factor-authentication-online-security-mess


#11

Now that we have provided evidence that the SSA (Social Security Administration) accepts Republic Wireless VoIP numbers for their 2 Factor Authentication we should start referring users to tell their banks etc that?
See update above from @olyolson


#12

Speaking as a former banker, I don’t think it’s the security of the transmission that’s in question. As I and others have said SMS is inherently insecure (the SSA’s opinion notwithstanding). The security issue with VoIP numbers is usually a variation of bullet point 3 in @louisdi’s post here. It’s largely an overrated concern in my opinion but it exists.


#13

@jben, I would like to clarify my previous response. When one looks up a Republic number in commercially avaialble databases to determine if it might be VoIP, wireline, wireless, etc. typically one doesn’t see that it’s a Republic number. One sees the carrier, Bandwidth.com. Based on that, the conclusion is correctly VoIP. Generally, the concern with VoIP numbers from a security standpoint is they’re too easy to get.

Advising banks and others (Viber is another example) that profess to have concerns about VoIP numbers being too easy to get that the SSA accepts VoIP (I’ll presume it isn’t limited to Republic) numbers probably won’t (in and of itself) impress them. Again, from my point of view, these concerns are overblown but it is what it is.

I also agree with others here that if one is serious about 2FA, SMS being one of the factors is inherently insecure. And, government, doesn’t exactly have the best reputation when it comes to information security. Someone actually attempted to highjack my Mom’s Social Security benefits using (in part) SSA’s telephone verification. Hopefully, overall security processes there have improved since.


#14

Thanks for the additional stuff … it all helps
It looks like 2FA is on its way out according to this article: 2FactorAuthentication and one of the references in that article point to NIST Digital Identity Guidelines that provides more info and in Out-of-Band Devices (Section 5.1.3) specifically addresses VoIP exclusion.
Web Authentication Working Group provides info on the soon to be released W3C standard (including how to enable in FF & Chrome)


#15

Well, this is very interesting to me, since I have my retirement account at vanguard, and have a republic phone that is used as the security code texting destination. Of course, my phone NUMBER is an old number that I transferred over, not a “republic wireless” number.

Whoever created that security policy is ignorant of phone number portability, as well as current phone technology.


#16

Chances are if you gave Vanguard the number before porting to Republic, it will continue to work.

Agreed!


#17

I am unable to use online services (like the IRS) which perform security verification via text message. These services claim my Republic number does not exist or cannot receive SMS. I have had this problem with the IRS and with a local government emergency service alert system.

I send and receive SMS and MMS with no problem all day long from anyone who I want to communicate with, but again some entities outright reject the Republic number.

My phone is a Nexus 6P running Android 8.1.0. My Republic plan is ‘My Choice + 1 GB’.


#18

Hi @dalem.rwuq0f,

I moved your post into this topic so we can focus the conversation in one place.


#19

I’m not certain if this would work in these cases, but how about creating a Google Voice number and pointing it at your RW phone? I only give out my GV number, and have never had an issue with authentications.


#20

I have had the same problem with Zelle money transfers through Capital One. I tried to escalate the issue, but tech support responded back the system was working as intended. I had to switch to Paypal. Paypal had no problem sending me an auth code via txt.