
Does anyone know anything about the security of using other providers (e.g. Twilio or Google Voice) as a recovery number?

Let's say my recovery number is actually a Google Voice number that's connected to a separate Google account, but not forwarded to my actual cellphone (i.e., I'd have to log in to my other Google account to view the recovery code). Thoughts?



The specific flaw exposed in this story is not exploitable with providers like Twilio and Google Voice, because they don't assign phone numbers to devices with SIM cards.

Verizon is the bad guy here, since they agreed to re-route SMS traffic from the account holder's device to a new device without properly confirming that the request was coming from the account holder.

Technically there's nothing stopping a motivated attacker from attempting the same social engineering attack against a Twilio or Google Voice number, but getting those providers to re-route SMS isn't as simple as just calling and saying "my iPhone broke, I need you to assign my number to my new phone" like you can with Verizon.

The attacker would need to know some particulars of the SMS routing protocols of Twilio and Google Voice to achieve a similar result.
