
matrixgard | 22 hours ago

The "transitioning to a new system" explanation from support is worth pressing on, because what you're describing sounds less like a migration hiccup and more like a phone number intelligence service that's pulling from a data aggregator rather than just your profile. Number recycling from carriers takes as little as 90 days, and if Discover is using a third-party database to "enrich" or pre-populate auth options, that database can absolutely contain stale numbers that went back into the pool years ago.

SMS 2FA was deprecated by NIST (SP 800-63B) precisely because of this class of risk. SIM swap attacks get the press, but quiet number recycling is arguably worse because neither the bank nor the customer detects it until someone accidentally stumbles across it the way you did. Most people never check. They just assume whatever numbers show up are theirs.

The part that concerns me most: the rep confirmed the number isn't in their profile system, but it's still surfacing in the auth flow. That means there's a layer between their CRM and their auth service that nobody is reconciling. Have you gotten any written acknowledgment from them that this was a real finding, or are they just treating it as a support ticket to close?
