Extremely luckily, they did not lock me out of my Yahoo e-mail, because if they had, I am not sure I would have had any way of retrieving it. I was able to remove my phone as an authentication mechanism for this account.
Now after reporting the incident to the carrier, I am in the process of trying to remove this phone number from other financial accounts and have been met with the following scenarios:
- Easily switched to a different phone number verified only with the last 4 digits of my SSN. (Which feels way TOO easy, IMO.)
- Website allows doing it, but fails with an error when attempting it. Customer service lines are closed.
- Website does not allow removing it without a verification via SMS to the stolen phone number. Customer service lines are closed.
- Website login does not have a 2-factor workaround that will prevent me from alerting people who have stolen my phone number that I am trying to access an account that they might not be aware of.
None of my investment accounts seem to allow third-party 2FA.
I am left awestruck with how poor industry best practices are and also how vulnerable we can quickly be made with a loss of access to a phone number and email address.
Is anyone aware of financial providers (specifically banks and investment brokerages) out there that have sensible security measures and incident response?