Finally got back my T-mobile account (yes, it was a sim swap, meaning that someone socially-engineered T-mobile itself to take over my phone number).

Main learning re twitter was:

> A phone number is sufficient to password reset a Twitter account even if not used as 2FA. Can completely remove phone from Twitter.

I had seen the "phone numbers are insecure, don't authenticate with them" advice before, but did not realize this

Using a phone number with 2FA is so bad, I send an email to USAA every year telling them to remove phone number 2FA on their site.

TOTP, FIDO, or Yubikey... anything but phone number.

🖖| via sequence. pimlico. poap. polygon. consensys. paxful. flipside crypto. dash. bridgewater associates. darpa. secdef. navy. dia | linktr.ee/alexanderchopan

capital one also has a tap card to phone as a 2fa. 

cool. except:
- never works
- i don’t want to carry debit card just to manage my account in the app

I’m just waiting for them to get hacked. I should send another email to security@usaa.com again 😂