Back in January, when signing into discover.com, I was prompted for a 2FA SMS security code. But this time I was given two phone numbers to choose from. The first number was my actual phone number which matches my Discover profile. The second number was an old phone number from years ago that is no longer mine and I don’t have access to anymore.
I called Discover and the rep confirmed that this phantom number isn’t anywhere in my Discover profile or in their “system.” I was assured this is a common issue due to them transitioning to a “new system.” They put in a request to their “backend team” and told me the second number should drop off within 72 hours. I was told to try signing in again in 3 days to confirm the phantom number is gone.
Well, I forgot. But I remembered today when signing in and realizing that second number - which I don’t have access to and isn’t on my Discover profile - is still showing up as a 2FA option.
I called Discover again. Like last time, they confirmed this is a known issue and again checked my account to confirm this phantom number isn’t present on my profile. Next, they recommended I speak with “web support” and this is where things took a crazy turn. I learned:
1. Discover HQ is aware and this is still a “known issue.”
2. Discover doesn’t know where this additional number is coming from because they transitioned to getting phone numbers from a third-party data broker and apparently decided to use those numbers for 2FA.
3. Discover can’t tell me which specific data broker they’re using.
4. Discover doesn’t know when this will be fixed or when customers will be able to remove invalid 2FA phone numbers from their accounts.
5. There will be no communication given to customers if and when this is fixed. You'll have to call back on your own at some point in the future.
This seems absolutely insane. How is this huge security risk ongoing for over a month? Does anyone on HN use Discover? Can you confirm if you’re also seeing random/old/unrecognized phone numbers presented as options for SMS 2FA?
Related Reddit thread: https://www.reddit.com/r/discover/comments/1r41m95/no_way_to_remove_old_numbers_for_2fa/