Let me explain both my threat model and my use-case.
My threat model is not state-level actors or law enforcement. My threat model is simply individuals working at providers I use that get curious and go hunting for my traffic. So, for instance, someone that works at my ISP or for my cellular provider or (github/twilio/twitter).
I don't want these private actors to see my name or my phone number. However, VOIP numbers are typically blocked by providers for purposes of authentication and security because they need you to "burn" an actual SIM card number just to incur costs on you. This is their blunt response to a rather difficult spam/scam problem that would just explode if no costs were involved.
...
My use-case is that I don't want to carry around three phones everywhere I go and eSIMs don't work for these functions (again, their numbers are often discriminated against). I also don't want a single SIM card to correlate across multiple providers - that is why I have three (one personal SIM (not in my name) and two "mule" SIMs).
...
"It's still in your proximity even if it's not in your name so anyone able to obtain your IPs from the services you use would also be able to get the location of your mule."
No, they are rarely in my proximity. In fact, at this moment they are 12000 miles away from me. I keep them at my office and might move them to a datacenter ... but only if I can convert them from a phone form factor to a rpi-with-cellular-hat form factor ... or maybe ssh into the phone?
Well, remember - their interactions with these 2FA Mules are SMS only - there is no IP/network connection made here. So the providers, at least, don't have an IP address to look up. Also, in case it is not obvious, I fully control my entire mail and DNS infrastructure - as in, I own the machines and rent the racks.