I think only good alternative to mobile numbers is email

Your banks won’t use signal, but they will use email.

And that’s why I think strengthing the mail protocol is the way to go. Pgp >>>>

I have researched mobile numbers here and recent techlore video about cape is wrong, new carrier won’t fix anything, but jmp.chat might. There is a community wiki here as well.

I am actively researching the mail protocol and might release an email client of my own.

But I need some discussion here about emails in general, what do you think?

Many still want to and prefer using numbers.

There already is some discussion on this if you research.

1 Like

I think the only good alternative to either is simply an old fashioned user name. Select any name and that’s your username. Why must it be for the other two for authentication?

But for communication, the banks will argue that because real phone numbers require KYC and PII, they are better to use to authenticate and prevent fraud.

1 Like

Agreed, but they already have KYC & PII through gov docs.

Ok so these are stuff I found that seems relevant

2 Likes

Are jmp.chat #’s and proton email aliases (proton pass, simple login) not good enough? With legacy institutions some compromise is the norm.

Here’s the thing. You need a normie persona. Its who you are with the legacy institutions and the gov, its your national identity. There is nothing wrong with that. Keeping it minimal is ideal; you can compartmentalize your life., if you care to do so. Have your national/normie persona. Have your social persona. Have your online persona. Not that hard and there are some good tools to make it easy. What you (no offense, its a shift we are ALL working through as privacy-conscious people in an ever-invasive-digital-world) are trying to do is combine them all into You. We’re past that point my friend. We need to fight of course, but the new focus shall be on personas; and in all reality i think it’s better that way. They forced us into it, little did they know it’s better for us.

1 Like

The issue people are running into is how to compartmentalize. That’s where some research and tools come in, but while doing so don’t get sucked back into the idea that you are trying to privatize all of you…. you’re not, you shouldn’t be….just isolate and privatize as needed, and you as you can flow between them.

1 Like

An adversary can still attack via ss7 and fetch SMS and voice calls if number is known

Compartmentalization is nice to have but all of us don’t have multiple personality disorder (just a pun, sorry mods)

Leaks are easy

Forward email though seems interesting because they have encrypted sqlite files for each mailbox but have to look if the password encrupts the mail settings and subsequent aliases and passwords.

Password as key

I don’t think VOIP numbers are vulnerable to SS7, IIRC ss7’s entry is MNO’s 2/3G infra, and VOIP services are not running on cell network Infra. Same for triangulation. It doesn’t run on a SIM, so it does not has a IMSI for IMSI catcher to snatch.

However, you cannot connect to the internet with a VOIP service, so you still need a cell service/ wifi service to connect. Therefore IMO a good balance would be VOIP + Data only eSIM (with no phone number, only IMSI)

1 Like

I think even silent.link has e.164 identifier.

If the esim does not come with a phone number, I wonder how it has a identifier that follows a [+][country code][area code][subscriber number] structure?

I just confirmed with silent.link support that their IMSI do indeed have e.164

Nick emailed me this:

Thank you for reaching out and for your interest in helping! Great questions — here is exactly how it works in our 100% open-source codebase:

Yes, your emails are encrypted with your SMTP password (the alias password you generate). The SQLite database file is encrypted at rest using ChaCha20-Poly1305, and the encryption key is your password. Our staff cannot access your mailbox contents.

Here’s the code that enforces this:

  1. SQLite Encryption (PRAGMA cipher + key):
    forwardemail.net/helpers/setup-pragma.js at d087cd6816be680d38f74c63fe1f5630a8c4741b · forwardemail/forwardemail.net · GitHub

    • Line 36 sets the cipher to ChaCha20-Poly1305
    • Lines 37-41 set the PRAGMA key using your decrypted password
    • Line 74 enables secure_delete=ON (overwrites deleted data with zeros)
  2. The encrypted SQLite driver (better-sqlite3-multiple-ciphers):
    forwardemail.net/helpers/get-database.js at d087cd6816be680d38f74c63fe1f5630a8c4741b · forwardemail/forwardemail.net · GitHub

  3. Password is encrypted in-memory during auth (never stored in plaintext in Redis or on disk):
    forwardemail.net/helpers/on-auth.js at d087cd6816be680d38f74c63fe1f5630a8c4741b · forwardemail/forwardemail.net · GitHub

  4. The AES-256-GCM encryption used to wrap the password in the session:
    forwardemail.net/helpers/encrypt-decrypt.js at d087cd6816be680d38f74c63fe1f5630a8c4741b · forwardemail/forwardemail.net · GitHub

  5. Password hashed with Argon2 before storage (only hash + salt stored, never plaintext):
    forwardemail.net/helpers/create-password.js at d087cd6816be680d38f74c63fe1f5630a8c4741b · forwardemail/forwardemail.net · GitHub

Regarding your account settings (domains, aliases, routing rules): these are stored in our MongoDB database and are accessible to us through the dashboard at Log In to Forward Email - Access Your Account so we can help troubleshoot delivery issues. However, the actual mailbox contents (your emails, contacts, calendars) live exclusively in the encrypted SQLite databases — we cannot access them without your password.

For server-level hardening, we use Ansible to provision all infrastructure:

1 Like

Corporations don’t use phone numbers because of their communication aspects, they use them because they are KYC-Lite™ and are real, although bypassable KYC in most countries. Also they cost money, therefore it is like a micro-transactions increasing cost of fraud on signup. And finally, because of these aspects they are gold for data brokers who make a lot of their money from KYC and marketing.

Government/banks may use them because they are non-technical, unsecured sloths, and they wan’t control over the population by eliminating anonymity.

You might say that banks shouldn’t need phone numbers because they get your ID anyway, but they gobble them up to prop up the aforementioned industries and processes. Additionally, they are not only focused on the edge cases of people trying to be private, like how the people on this forum might use a bank, but if people use sms for regular communications, government can easily see all their messages and real time location.

IIRC if your phone number is in enough government and private databases, you don’t need an additional KYC when signing up for certain financial services.

Phone numbers have no physical presence, as in they are just database entries in carrier servers so not so real.

This seems like a moot point. Your bank is not going to use PGP to send you OTP codes.

I got lucky and was able to force my bank into sending me a hardware token but, typically I have only been able to get banks to do that when acting as a business not as an individual.

1 Like