U.S. Bank requires Registered Cellular Device (RCD) phone number for authentication

My bank does not like VOIP phone numbers for authentication text messages. Apparently there is a security issue with VOIP phone numbers. I found a thread "Anyone having issues with trying to use your phone number, for services requiring SMS validation?" that describes RW’s phone numbers as a subset of Bandwidth’s phone numbers. Bandwidth is a VOIP provider. From the thread, I gather the VOIP tag is FCC mandated and U.S. Bank will not accept that. The bank wants an RCD (Registered Cellular Device) phone number. Now that I see I am not likely to get RW to change the VOIP label, I have taken a second tack.

I have asked U.S. Bank to develop an app that will run on RW and similar VOIP cell phones that will retrieve and display the one-time codes for authentication independent of the SMS system. If U.S. Bank controls the app and its distribution, a hijacked phone number should not allow a hijacker to get the one-time code, which would be a problem with SMS one-time codes. I am waiting to see what the bank does.

I hate to beat this topic to death, but this issue with 2FA SMS texts not being sent to RW is an annoyance on an otherwise excellent phone service. Any thoughts?

My mother complained to me a few months ago that she could no longer log into the US Bank app on her phone to deposit checks. It has been working fine the last couple years.
She now has to take a bus, or get a ride to a bank.

Yes, US Bank updated things and they do not accept VOIP numbers.
The app requires a “real mobile number” as it gives an error when she tries to log in.
There is no workaround.
This policy is set by US Bank, and many others.
There is nothing RW can do.

Myself, I started having issues with my bank, Wells Fargo, aside from the VOIP thing, and changed banks.
I bank with Discover, which is an online-only bank account; I do not need a physical bank location.
Discover, as of now, the app uses my fingerprint to log in and I have not had any issues getting texts for 2FA or their verifications.

For my mother, and for many in this situation no doubt, changing banks is not a possibility for them, which only leaves the option of changing to a non-VOIP-based cell service provider.

I found this thread that also mentions U.S. Bank on this subject. Thank you for your contribution to this topic. A cell phone app that retrieves an encrypted one-time code using your cell data from a U.S. Bank server should not be that hard to do, especially if the customer calls up the app to get the code in the same five-minute period the bank’s server would be expecting to deliver one. Being a bank, they could even add all the privacy-invading bells and whistles, such as a GPS stamp from the phone to the one-time code server.

sigh Now I am content. RW and US Bank are working together on this problem :relaxed:

I hope Alex L. from RW help does not mind me quoting the RW help ticket:

"Hi David,

I hope you’re having a good evening so far - I’m sorry to hear you’re affected by this issue with US Bank and text delivery and I’m happy to assist.

To answer the first question you raise, please know that it isn’t simply a matter of swapping to RCD vs. a VoIP service but rather that US Bank has changed the way they deliver these verification texts and we are working with them to develop a secure process where our members can get verification texts from US Bank. We have a similar issue with Wells Fargo and are also working with them regarding this matter. As security methods change we are working to ensure that our members can still use their phone for verification and other services as we do know our members rely on them.

Eventually, long term, SMS verification will go the way of the dinosaur and so it won’t be an issue at that point, since there are some vulnerabilities and security issues with SMS delivery and other methods will likely be developed that are more secure. However, for the short term we are working with US Bank on this issue and we’ve attached you to that master ticket to receive updates as they become available.

Regards,
Alex"

I should not need to add to this thread. I only need to wait now.

I have to think though, that the SMS text code verification system, and the mobile app login to verify your mobile number, are 2 separate things.

US Bank told my mother over the phone that they do not allow VOIP numbers on accounts anymore. To use the mobile app, you must have a valid “real” mobile number.

She was also told by the rep that you cannot open a new account using a VOIP number either. As it stands, for all new and existing accounts, you are required to have a “real” mobile number in order to use the Mobile Banking app/service. Online banking will also require this sometime in the future; however, the rep could not give a date.

Her number has been on her account for several years; it was even added to the account and set as primary contact when I got her her first smartphone from RW. The secondary or “Home” number she changed 5 years ago, when she dropped the local landline and I set up one of those Obi adapters tied into Google Voice, which is 100% free phone service.

My mother does not use 2FA (there isn’t even an option to turn that on in her account, I looked). But when she called in to the US Bank line, the person first tried to send a text code to her phone to verify her; she never got it. So they confirmed her or whatever by asking an account security question.

Just passing on what her experience was.

Sigh… this may be the issue that pushes me away from RW towards a more traditional carrier, or at least one that doesn’t use VOIP. While some say 2FA by SMS may be going away, I don’t see it happening soon and I’m finding more and more instances where it is being instituted. Oddly enough, it doesn’t always fail for me, although most recently it did when I tried to set up a Twitter account. Oh well, no great loss there. But when I can’t get my money, I’m afraid I’m going to have to switch.

With my rather limited experience in these matters, I imagine that one of the problems with the app is a “stolen” app on a rogue smartphone because someone found out the password for the account. I am less than certain how a “real” cell phone would prevent that situation. There is a simple, but not free for the bank, solution. My doctor’s office contracted with a provider to give me access to my medical records. Part of the setup procedure is that I had to visit the doctor’s office and get a printed verification code for the new account from the secretary before they would create the account. The bank could do the same thing for new app installs by having the tellers print an authorization code for the app that one would need to get in person (or perhaps through postal mail). Here again, it costs the bank teller time and customer irritation each time the app is installed, but it would be more secure. I suspect that some of this has to do with the “Know your Customer” rules that banks now abide by and they somehow imagine a “real” cellphone helps them verify the identity of their customers.

jbenAmbassador makes the good point that VoIP is not going away and I am encouraged that at least US Bank and RW are making efforts towards resolving the 2FA problem together instead of just pointing fingers at each other and doing nothing.
