thank you for retweeting :)
-
Maybe I am naïve, but it might just be the case that the verification message noted what account/email address it is for. At which point he can decide rationally.
-
I tested that after the fact, but it was just a generic message: "This is your verification code: XXXXXX"
-
Plus, I think there's a policy/law/something that prohibits companies from texting personally identifiable information like e-mails, etc... I might be mistaken on that one
-
Aha, a lesson for policy makers as well! It is an interesting clash between security and privacy. Also reissuing the same number/ID to a different person is a bad idea in the age of 2-factor auth.
-
It is indeed. In my head, it all circles back to "there's no airtight system": someone at some point needs to trust something, so an attacker will always try to exploit the trust either socially or technically to gain unauthorized access.
-
I don't get why the person believed your story, it feels weak to me. At most I would have asked about the account and for your email to be able to redirect it to you

-
Maybe it feels weak because you have context but if you were to receive a message like this at 8 PM while your guard is down, maybe, you could have said “yeah I’ll do something nice for someone” — or maybe you’re very well trained and you wouldn’t fall for it :)
-
Yes, you are right, I work in eCommerce. We are "breathing" security thanks to
@wneessen
-
So what happened after? Sounds like there's a good story in there.
-
I logged in to the account and updated my old number =) The interesting thing is that, realistically, that person had no way to verify that I was who I was claiming to be. I could have hacked his/her account and he/she would have been none the wiser.
-
Oh I thought there would be some cool story after.
pic.twitter.com/A6MIFQFnpd
-
Even if there was I wouldn't admit it publicly

-
Curious to know what happened next

-
I logged in and updated my number, haha the story is actually true, I used to have that number ~8 years ago.
-
Aaaaah! I thought this screenshot was from someone else, hopefully none of your data was compromised

-
haha no, I did send the text asking for the 2FA authentication code. Technically, I'm the one accessing my own data, it just so happens that my account was tied to an old number and customer service was already closed.
-
But don't most 2FA SMS messages contain account information like email addresses/usernames?
-
Hmm, not sure about email addresses or usernames. I once worked with SMS and if I recall correctly there were policies against transmitting PII in business communications. I might be mistaken
-
On the other hand, most services I’ve seen that offer 2FA only send a generic “this is your code: xxxx”
-
No personally identifiable information in the SMS - but you have the phone number and that's enough to look up users on most services and request a password reset or whatever code.
-
In other words, the other person could have sent out the key to their own account unknowingly. SMS 2FA is not ideal. I wonder when Facebook will drop it and replace it with U2F,
@hillbrad?
-
U2F is supported. SMS is still better than just a password for most people and it will likely be some time before it makes sense to drop it.
