alt Hacker NewsUnfortunately there are many companies that actually rely on SMS confirmation codes in real-time, which include reading it back to them.
A legitimate and generally well liked company, and its real helpful service representative used this method to verify my identify before they could finish their support effort.
Replies
yeah someone that gets paid a lot needs to talk to someone whos pay depends on implementing that IT consultants directives.
relaying security codes by voice is how the bad guys do it, dont train your users to think its normal.
its probably not a bright idea to have your phones camera pointed at your screen while 2FA-ing or password resetting, or else someone will watch you login, and will see your codes, and use automation to authenticate with your digits faster than you can move a cursor and click.
Probably safe if you call them at a well-published number. If they call you, absolutely not.
I got this interesting pair of messages from Schwab recently - not sure if any other companies do this
On login:
Schwab Watch out for scams. DON'T share this security code with anyone, EVEN IF THEY CLAIM to be from Schwab. Your code for online login is XXXXXX
And then on a later phone call with an agent:
Schwab: XXXXXX is your Schwab security code to confirm your identity with the agent.
This is a nice touch, though I'm not sure how much it would help in a real scam situation for say, my grandma.