Phone Numbers Were Never Meant as ID. Now We're All At Risk

One key lesson from the recent T-Mobile and several other breaches: our phone numbers, that serve as a means to identity and verify ourselves, are increasingly getting targeted, and the companies are neither showing an appetite to work on an alternative identity management system, nor are they introducing more safeguards to how phone numbers are handled and exchanged. From a report: Identity management experts have warned for years about over-reliance on phone numbers. But the United States doesn't offer any type of universal ID, which means private institutions and even the federal government itself have had to improvise. As cell phones proliferated, and phone numbers became more reliably attached to individuals long term, it was an obvious choice to start collecting those numbers even more consistently as a type of ID. But over time, SMS messages, biometric scanners, encrypted apps, and other special functions of smartphones have evolved into forms of authentication as well.

"The bottom line is society needs identifiers," says Jeremy Grant, coordinator of the Better Identity Coalition, an industry collaboration that includes Visa, Bank of America, Aetna, and Symantec. "We just have to make sure that knowledge of an identifier can't be used to somehow take over the authenticator. And a phone number is only an identifier; in most cases, it's public." Think of your usernames and passwords. The former are generally public knowledge; it's how people know who you are. But you keep the latter guarded, because it's how you prove who you are.

The use of phone numbers as both lock and key has led to the rise, in recent years, of so-called SIM swapping attacks, in which an attacker steals your phone number. When you add two-factor authentication to an account and receive your codes through SMS texts, they go to the attacker instead, along with any calls and texts intended for the victim. Sometimes attackers even use inside sources at carriers who will transfer numbers for them.

Mobile phone numbers are craved

[QuietLagoon]

For some reason, many of the vendors all but insist I provide them my mobile phone number. I always refuse because I know that once I give out the phone number, my phone will start ringing with telemarketing calls. They vendors say they want the mobile phone number for back-up identification purposes, but I just do not believe them.

Re:Mobile phone numbers are craved

It's even more difficult when you don't have a phone. I typically avoid services that require a phone number, but some sites get 555-5555.

Re:Mobile phone numbers are craved

I refuse to use my phone as an ID for the same reason. If you give any web site your phone number, chances are that it will be sold to telemarketers. They can say that by giving them your number (and because you have a business relationship with them) that its ok for them to give or sell your number to their business partners. We really need telemarketing to be outlawed. This should include political calls and calls from organizations or individuals asking for money. I also feel that the only way for someone to get my cell phone number should be for me to give it to them. I feel that the collection and selling of people's data needs to be stopped!!

Re:Mobile phone numbers are craved

[thegarbz]

I always refuse because I know that once I give out the phone number, my phone will start ringing with telemarketing calls.

Localised problem? I for one never give a second thought about handing out or typing my phone number in anywhere. Yet I have yet to receive a single telemarketing call that I didn't explicitly solicity ("enter your number and we will call you" from)

Is this uniquely American? I know probably not unique, in Australia I got the occasional telemarketing call but they were mostly from the telecom company, and it's not like I can hide my number from them.

Re:Mobile phone numbers are craved

I gave had the same phone number for over a decade. I’m not picky about giving it out during ecommerce transactions, for 2fa, etc.

I would say that I receive fewer than 5 unsolicited calls per year on average. If those, I suspect that a few are just scams dialing numbers in sequence. The others are nags from vendors that have to have my contact info.

I think it is illegal to telemarket people on their mobile number, because of the days when the recipient of the call could have been paying a significant amount for minutes. This is why, e.g. polling took a hit because pollsters could no longer contact a significant portion of the populace.

But you wrote “ringing” which probably means that US laws are irrelevant to your situation.

Re: Mobile phone numbers are craved

[nnull]

I don't even care anymore. I never did contracts on my phones and always did prepaid. If I have a problem, I stop paying and get a new SIM card the next day with a new phone number.

If marketers want to rely on phone numbers as accurate information, they're in for a shock.

Thanks to phone companies making callerid completely useless and something we had/have to pay for (are we still being charged for this crap service????), who cares?

Re:Mobile phone numbers are craved

[l0n3s0m3phr34k]

It probably is uniquely American. In the past few months, everyone on my team at work has seen a MASSIVE uptick in fake calls, with faked Caller ID numbers. We are getting at least, between us, 2-3 a day. My assumption is that due to the roll-back of Net Neutrality, many of the scammers now realize there is very little the FCC will do about all of this, so have opened the floodgates.
Most disturbing is that many of these calls are coming from areas in / near Washington DC, West Virginia, etc. We do have a decent-sized government contract, so it would seem whomever is selling this info KNOWS this and is trying to use these prefixes to get us to answer.

Re:Mobile phone numbers are craved

[ShanghaiBill]

I receive telemarketing and scam calls almost everyday. None of them seem to be related to anything I have ever bought or any company that I do business with. They appear to be untargeted and random.

Re:Mobile phone numbers are craved

[Carewolf]

For some reason, many of the vendors all but insist I provide them my mobile phone number. I always refuse because I know that once I give out the phone number, my phone will start ringing with telemarketing calls. They vendors say they want the mobile phone number for back-up identification purposes, but I just do not believe them.

They also ask for them places where telemarketing is not a thing. I suspect it is to better corrolate your date so they sell it for more money. Just give them a fake number or a temporary one.

Re: Mobile phone numbers are craved

Net neutrality.

What can't we blame on it?

Re: Mobile phone numbers are craved

Between NN and Trump (so, really, just Trump) we have successfully assigned blame for all the world's problems!

Re: Mobile phone numbers are craved

Agreed. You need my phone/mobile to process this form? Okay. 555-555-1212. So far so good. I haven't received a spam call yet!

Re: Mobile phone numbers are craved

They're not in for a shock. You're butt hurt to the point of inconveniencing yourself. As for them? You don't even register. People who mistype their phone numbers are legion compared to you.

So Luddite on. Just be sure of one thing: you aren't sticking it to anyone.

Re:Mobile phone numbers are craved

[Zontar_Thing_From_Ve]

For some reason, many of the vendors all but insist I provide them my mobile phone number. I always refuse because I know that once I give out the phone number, my phone will start ringing with telemarketing calls. They vendors say they want the mobile phone number for back-up identification purposes, but I just do not believe them.

I agree with you and this is exactly why I still have a land line. It seems to really be VOIP from my cable TV provider, but it works exactly as a true land line. Still rings phones plugged into a wall phone jack. I've got Nomorobo (https://www.nomorobo.com/ ) on it, which does an excellent job for free of stopping telemarketers. So now if anybody demands a phone number for any reason, they get the land line. They can send SMS ("texts" to USA people) all day to it and it will do nothing. They can call it and the odds are pretty good that they either won't get through or I won't answer (I have caller ID so I can refuse to answer if I don't know the caller). I decided that the $25 or so that I pay each month for the land line was worth it just to keep my mobile phone number private.

Re:Mobile phone numbers are craved

[unixisc]

I have a land line and a cellphone number. I provide the landline to anyone who asks, but leave the cellphone to myself. I have set up the landline to forward calls to the cellphone

Re: Mobile phone numbers are craved

[unixisc]

Quite a number of sites would reject any 555- number. And a number of service forms are designed to not proceed unless and until the phone number box is filled

Re:Mobile phone numbers are craved

[TheRaven64]

I'm in the UK and get a fair number of scam calls. I've had the same telephone number for 20 years. Not sure about Australia, but in the UK, mobile numbers are allocated with a small number of non-geographical area codes, so if you guess a random number in those area codes there's a very high probability that you'll get a real number. You can also easily find out the blocks allocated to different carriers, so I get a lot of scammers claiming to be from the company that I used when I first had the number (I've since ported it to three other mobile operators, and each time the people phoning up claiming to be from the first ones are more and more ludicrous). I get a lot of scammers telling me I was miss-sold PPI (ironic, because I wasn't eligible for PPI as a result of being self employed during that scandal).

Re:Mobile phone numbers are craved

[pnutjam]

I do this with a voip number because landlines suck.

Re:Mobile phone numbers are craved

Just get a free google phone # and use that.

Re:Mobile phone numbers are craved

[mr_mischief]

They are likely faking the area code and exchange. I live in Texas with a central Illinois phone number. I get calls all the time from people who admit they're in Florida or overseas, but from exchanges in central Illinois. VOIP services make this relatively simple to do. Heck, I have a VOIP number I could call from in Missouri, but I'm not in Missouri and have no physical phone there.

Re:Mobile phone numbers are craved

[Headw1nd]

Pretty sure they are just spoofing random cell numbers. I have called some of these numbers back and they go to ordinary people, and I suspect I had one call where my number was being spoofed as a person called me asking who I was and why I called them.

Re:Mobile phone numbers are craved

[Shirley+Marquez]

Unfortunately, we would need a change to the Constitution to ban the political calls. That legal precedent is already established, and it's why political campaigns are allowed to call even if your number is in the Do Not Call registry.

Re: Mobile phone numbers are craved

[desdinova+216]

I wonder how many would take (real area code) 867-5309

Re:Mobile phone numbers are craved

[l0n3s0m3phr34k]

Not at all. On my personal cell, the spam calls come from the same area code AND prefix. Sometimes they are only a few of the last four off from my phone number. When three people in the same department are getting spoofed calls from the same area code, statistically that is not random. I could do the same thing with freePBX if I wanted to, especially when placing calls to cell phones. It's trivial to make the outgoing number very similar to the number your calling, or having a correlation script match up specific companies to specific outgoing numbers. I even made my freePBX show "000-000-0000"

Re:Mobile phone numbers are craved

[Headw1nd]

That is interesting. I assume the idea is that people will more likely pick up for a number that is from their area.

Re: Mobile phone numbers are craved

This number works (with a lot of area codes) at many stores to get the discount without participating in infernal loyalty card programs

Re: Mobile phone numbers are craved

[desdinova+216]

that's why I suggested it as a fake phone number

Elon will invent something

Right after he takes us to mars in his electric auto pilot flying cars launched from his boring machine tunnels and armed with portable flame throwers to fend off the martians.

All that will happen right after he secures funding and builds the $35k car he promised.

SSN was never meant to be used as ID either

[Vermonter]

And that's caused all kinds of problems with identity theft in recent years. I'm not surprised we are making the same stupid mistake with phone numbers.

Re:SSN was never meant to be used as ID either

And that's caused all kinds of problems with identity theft in recent years. I'm not surprised we are making the same stupid mistake with phone numbers.

You're absolutely right. Phone numbers and Social Security numbers were never intended to be used as identification.

And there's a simple, common sense solution to the problem. A national I.D. system. But every time someone proposes it, all of the tinfoil hat luddites immediately start screeching that it will inevitably lead to 1984-style Big Brother. (see the comment just below as an example)

Re:SSN was never meant to be used as ID either

[b0s0z0ku]

Solution -- minimize the requirement for identification. Allow anonymity in as many situations as possible. Free services like GMail do not need to know our identities, though it should be optional for things like password recovery.

Re:SSN was never meant to be used as ID either

[MrL0G1C]

That's as good as a bar code on your wrist. And how would it be any different from SSN? What are you going to do, plug your ID card into a USB slot? The downsides look bigger than the upsides to me.

I sign in to my bank without an national ID no problem (not just user+pw), the biggest ID problem has been over-reliance on drivers license and passport for people who don't have those. My bank threatened to close my account because I hadn't shown ID AGAIN for the umpteenth fucking time, like I suddenly because someone else or my passport suddenly became fake, fucking idiots. Security theatre if full of fucking morons doing stupid things. I get security checked buying a 50p bottle of water from the supermarket but they didn't security check > £1000 worth of spending spree and all the fraudster has to do was verbally say my card number FUCK MY LIFE / forehead slap.

Re:SSN was never meant to be used as ID either

[Anne+Thwacks]

Maybe it should be optional to give your phone number, but there should be no expectation that it would work for long. I live in the UK, and, like many others have a work phone, a private phone, and a pay-as-you-go SIM to call overseas - 3p a minute instead of 130p a minute that the large carriers charge. But pay-as-you-go SIMS for international calls operate a deal where it is cheaper to get a new SIM than to top up "sure we make a loss, but we will make it up with volume" (Their CFOs are probably leprechauns).

Meanwhile, like many others, I don't want to give out my home number or my personal number on the internet, because it would appear that a lot of people have yet to realise that security is something to be taken seriously.

When I forget the moderately secure passwords I use for the likes of Google and Yahoo, I have often lost the post-it note that used to be on my desk too, and have to ask to reset it. They insist I take a text on a number that I had for three months, over two years a go, and failing that, tell them what the number was: but I only ever used it for outgoing calls, so I probably have no way to check.

Mother's maiden name? Would I really use the real one that anyone with Facepalm can find in seconds? My first school? Facepalm risk too. Naturally I think of clever answers, but they are too clever, and I forget them.

We do need a good answer to "prove you are you" - but it needs to be a one-time method that will work without revealing who you are and without being tied to a phone number. And in inventing one, please remember that is worth Billions of dollars to the likes of Google and Yahoo (and quite a lot of hackers) to be able to prove you are exactly who you are, and link the information with your bank account and the person you would quite like to have had a secret affair with, your political opponents and the person whose road rage you have on video.

In short, if someone on the internet wants your ID, it is probably a dangerous threat - and possibly ought to be in the same category as threats of GBH. I am sure your political representatives will feel the same once they realise their own dirty little secrets could get out, but unfortunately, most of them are not too quick on the uptake.

Re: SSN was never meant to be used as ID either

[nnull]

National ID wouldn't solve this problem, it would make things worse. Letting government handle ID has always been a disaster the perpetrates identity theft to a whole new level.

Meanwhile, I have no problem generating my own keys and handing them out to my employees to identify me and vice versa. If I have a problem like feeling compromised, I simply change my key. Letting government handle that portion would result in massive red tape and difficulties in changing your ID when compromised.

Re: SSN was never meant to be used as ID either

[ShanghaiBill]

National ID wouldn't solve this problem

This is not supported by evidence. Plenty of countries have a national ID with a unique public identifier, and it works fine. Meanwhile "identity theft" is almost entirely an American problem.

Only America uses the same number for both identification and authentication, thus requiring it to be both widely known and secret ... and only Americans are oblivious enough to believe this is "normal".

Re:SSN was never meant to be used as ID either

screeching it will lead to mass surveillance
Is that you John Titor? Keep going, it's 2018, you're a decade late.

Re:SSN was never meant to be used as ID either

£

Well there's your problem.

1984 was set in London for a reason.

Re: SSN was never meant to be used as ID either

Heck, the USA already has a de facto ID system through state driver licenses and ID cards. It is also 99% of the way there with the REAL ID law as a second de jure system, next to the optional U.S. Passport system.

Re:SSN was never meant to be used as ID either

[unixisc]

You're absolutely right. Phone numbers and Social Security numbers were never intended to be used as identification.

And there's a simple, common sense solution to the problem. A national I.D. system. But every time someone proposes it, all of the tinfoil hat luddites immediately start screeching that it will inevitably lead to 1984-style Big Brother. (see the comment just below as an example)

Phone numbers and social security numbers ain't exactly similar. One has to apply for an SSN from the government. Phone numbers - one can change one's numbers anytime one feels like, for something like $15. As a previous poster said, he can change it at will making it completely worthless for ID

But since SSNs are already required for identification, here is an idea that would work. Modify the SSN card to become a biometric card w/ photos, SSN and any biometric information that's needed, as well as one's legal status (citizen, legal alien or foreign national). Make this the only official ID card, and stop using Driver Licenses and other things for that. (That way too, states that decide that it's safer to issue DLs to illegal aliens don't have to worry about them getting illegal benefits via that, since they'll need an SSN card to be IDed at all!)

Re: SSN was never meant to be used as ID either

[SpammersAreScum]

No, because that is not a permanent ID. Every time you move to a new state, you get a new driver's license with a new number.

Plant that idea!

Planted no-event, non story designed to push for national ID.

Enemy spotted and destroyed.

the george orwell coalition

hey, anything symantec is pushing makes me want to take my chances with my phone number! any coalition with visa, boa, and symantec scares me

Re:the george orwell coalition

That's the problem. On one hand they are right:

"The bottom line is society needs identifiers," says Jeremy Grant, coordinator of the Better Identity Coalition

But their "solution" involves:

. . . an industry collaboration that includes Visa, Bank of America, Aetna, and Symantec.

A bunch of companies that are either evil scumbags, completely corrupt and incompetent, or both.

Wait, what?

[drinkypoo]

But the United States doesn't offer any type of universal ID,

Yes, it does, and it's called a passport. Each passport has a unique "book number". The US also issues "passport cards" to passport holders. This is a federally-issued, unique identification card which is considered valid ID.

We also now have Real ID, which is a federal standard for acceptable identification. Real ID-qualified identification cards by definition involve linked databases.

Arguably, however, what is needed online is a uniquely-issued cryptographic signature, which is passphrase-protected. This could actually be used to secure online communications. It could be given out by post offices, which seems logical since they are the place where most people go to process their passport application and because the post office is about communication.

Re:Wait, what?

[rudy_wayne]

But the United States doesn't offer any type of universal ID,

Yes, it does, and it's called a passport. Each passport has a unique "book number". The US also issues "passport cards" to passport holders. This is a federally-issued, unique identification card which is considered valid ID.

How is this any different from a Social Security card, which is also a federally-issued, unique identification card? How does issuing everyone a passport solve any problem?

Re:Wait, what?

[b0s0z0ku]

Exactly: you'll just be trading the current problems of a social security number for the same problems in a passport book number.

Re:Wait, what?

[drinkypoo]

Each passport has a unique "book number". The US also issues "passport cards" to passport holders. This is a federally-issued, unique identification card which is considered valid ID.

How is this any different from a Social Security card, which is also a federally-issued, unique identification card? How does issuing everyone a passport solve any problem?

I don't now that it fully solves any problem, but I took exception to the false claim that there is not a federal ID besides the social security card. It's harder to falsely get your hands on a passport than a social security card, though neither are impossible since there's always good old theft. However, social security cards don't have a photograph on them.

Re:Wait, what?

The fundamental problem is people misinterpreting any of these ID numbers as bearer tokens which prove identity. They are not meant to be secrets and not meant to prove identity just because you happen to know them. The phone number, passport book number, SSN, and even TLS certificate serial number and public key are all meant to be identifiers like a name. You can write them on forms just like you can write your name, but that act has done nothing to authenticate you.

Your identity is not supposed to be assumed simply because you know a passport book number. The passport is a certificate, and there is supposed to be a way to infer authenticity (that it is not a forged passport) when you inspect it in person. But whether the one presenting it is the right person is a separate question, meant to be answered by looking at the photograph and other basic biometric details like height, weight, and eye/hair color printed on the passport. Without this in-person authentication where the holder and the authentic passport are both inspected and compared, there can be no authentication of the person's identity.

As I understand it, the electronic part of a modern passport is just a tamper-resistant representation of its content. It does not include any secret key nor other authenticator for the owner. It is just a way for immigration officials to read and verify the same content they can read with their eyes, to speed immigration desks and stop some forgeries such as alterations to the photo or other printed information.

Re:Wait, what?

[cellocgw]

How is this any different from a Social Security card, which is also a federally-issued, unique identification card? How does issuing everyone a passport solve any problem?

Dunno how to break it to you youngsters, but my SSN is being **used** as a unique ID, but in fact it is not a traceable identification number. Like everyone born in the antediluvian epoch (more or less pre-Reagan), I walked into a federal office one day and asked for a SSN. They asked my name, typed up a card, and there I was. Basically same procedure as happens now if you want to pull an EIN for a trust.
Just like phone numbers, SSNs are being misused for something they were not intended.

Re:Wait, what?

That would be counterproductive to completely dissolving the USPS. It's an expensive non-self-sustaining arm of the government that relies on selling our addresses in bulk to anyone interested in contacting citizens due to their legalized "right" to deliver to our residence.

Re:Wait, what?

[thegarbz]

Why not adopt a points based system like in other countries? Bring enough uniquely identifiable information to a table to qualify for whatever important thing you are doing. Passport, drivers license or other government issued photo ID = 50 points, birth certificate or other government official issued document without photo ID, 40 points, credit card or financial documents 20 points, addressed letter from a recognised institution = 10 points.

Need to open a bank account, take out a home loan, or apply for a visa, pony up 100 points, Need to buy a phone, pony up 40, etc.

That solves the whole problem of having to force people to obtain a specific form of ID, it also solves the problem of a single unique document covering everything.

Re:Wait, what?

One feature you could bake into it:
      Make the "federal id number" something only you and the feds get.
      Everything else is a new number.
            Citizen 123, applying for job ABC.
                ABC doesn't get the 123 number.
                It gets a number you generate from the federal site
                It still ties back to you, but it's unique, and tied to a particular entity that looked the number up in the first place. If it gets compromised, no big deal, just generate another one. The original number doesn't get given out to anybody.
              Take it one further. The feds have a number even you don't know. If your number, that you use to identify yourself somehow gets compromised, you can get another number too.

Re:Wait, what?

[reboot246]

My Social Security card is old enough that it has printed on it, "Not to be used for identification". They were never intended to be used as such, but somehow it got into everybody's mind that they were. Everybody from the doctor's office to the pizza guy thinks they're entitled to ask for it. Tell them, "NO".

Re:Wait, what?

[houghi]

In Belgium we have something that we can use to identify ourselves online. https://eid.belgium.be/en

First: In Belgium everybody older than 12 has to have an ID. If this is a good idea or not is not part of this discussion.

On each card there is a chip that can be read by a cheap reader, if you want and with Open Source Software. This can then be used to easily identify yourself both online and in e.g. a store, a hospital, or any other moment you need to.

A cheap cardreader of 10 EUR is enough. Most people will have one at home to fill out their taxes. Filling out my taxes that way takes about 2 minutes, as I have nothing to declare and everything is already filled out.

If your card is lost, you phone a numberan the card will be invalid.

e.g. If you rent out an appartment, you will probably not have the ability to do all this automatically.
So you read the details with a 10 EUR cardreader that you will already own for your taxes and go to https://www.checkdoc.be/CheckD... to verify if the ID is valid.

Yes, there are downsides to this system. One of them is that if you use them for e.g. age verification to buy cigarettes, they can potentially read the adress and start spamming as there is no restriction on what they can read. However we do have GDPR.

However I must say that it is not used enough. Not even as an option. I would LOVE if e.g. my provider would have it as an option to verify if it is me or (espeically) my telecom operator.

OTOH if I need to change anything with my Telco, I just go to the store, they read the card and I am identified.

Yes, fraud is always possible.Perhaps people do not trust the code. Well, it IS OSS, so please, I beg you, find issues with it and tell the people who maintain the code. The more issues are found, the safer it will get, as they then can be resolved.

Re:Wait, what?

And still I cannot buy a ticket online from Brussels Airlines (or any other operator) without filling in a phone number.

Re:Wait, what?

I'm not disputing your main point, but SS numbers are particularly terrible due to the fact that it is relatively easy to guess them. The details are explained here. A method that makes it harder to guess your id number would be at least less bad.

Re:Wait, what?

[apoc.famine]

But jesus man, it involves fucking MATH! How do you expect to explain to people that they don't have enough IDs? How do you expect the poor employees in charge of figuring out if they have enough to determine if they do or not? Fucking lookup tables, a calculator, slide rule, couple of Tarot cards.....might as well have a giant hunk of graph paper where you put all the IDs on it and ask the employees to integrate the area.

I'm just advocating that everyone get a QR code tattooed on them at birth. Then you just scan and you're done. Far easier than your convoluted solution. Math. Ha.

Re:Wait, what?

[thegarbz]

How do you expect to explain to people that they don't have enough IDs?

Jokes aside, no it doesn't it's actually quite easy.

Fucking lookup tables

Yep that's the easiest way. Normally you just tell people the ID rules: I need one of any of these, and two of any of these. Or none of these, and 3 of these. It's really very very simple.

You were quipping with lookup tables, but often that's precisely what you get given :-)

Ahoy-hoy

What? No, this is 1, you must want 2. 2 I say.

Phone number is better than SS number

Phone number is annoying as hell, but at least you can't open a credit card or rent an apartment in my name with my phone number. I think it's just investors want to know your new users are real unique people, so they make you verify with SMS. Also, the cops like it so when you make a politically incorrect tweet they can kick your door down and haul you into the court of shame.

phone numbers are like passwords

get a new one ever so often. I do that with my cell phone number.

Also, it keeps debt collectors at bay.

Re:phone numbers are like passwords

Until you start getting someone else's debt collectors.

Drawing in people with free services

[Okian+Warrior]

A personal anecdote: I have a GMail account I use at home, everything works well enough (despite the awful interface).

I sometimes want to use it at the local hackerspace, I try to log in, and after I enter my password it tells me "we don't recognize this computer, give us your phone number and we'll send you an SMS message to continue"(*).

I absolutely do not want to give Google my phone number, but there's no way around this.

My account is not compromised, I've got a respectable password, and this didn't used to be a requirement.

Basically, they've lured everyone in with a free service, and now they're drawing in other personal information in order to continue to use it. I fear that one day they will simply decide to require a phone number from my home computer, and then I'll be fucked because I will have to give it to them or else lose all functionality of GMail.

It sucks. They don't tell you how to get around it, they only give explanations of "this is for *your* security!".

Giving google my phone number doesn't increase security, but they've drawn everyone in with the free service.

(*) Also, I have no idea how they "recognize" my home computer, since I regularly delete cookies from my system and re-login. Perhaps the "delete cookies" feature doesn't do what they say it does.

Re:Drawing in people with free services

>(*) Also, I have no idea how they "recognize" my home computer, since I regularly delete cookies from my system and re-login. Perhaps the "delete cookies" feature doesn't do what they say it does.

If you use Chrome to login, then I'm sure there's all kinds of machine identifiers the browser passes on to Google. You probably need to use a third party program to delete caches and cookies and other tracking bits. Also get new IP either by issuing a dhcp release command or use a proxy or vpn.

Re:Drawing in people with free services

[fph+il+quozientatore]

They recognize it from the IP (geolocation).

Re:Drawing in people with free services

Use POP/IMAP instead when out and about.

You're hopefully not accessing gmail from a strange machine in the hackspace, so presumably you have a computer (laptop, phone, VAX/VMS because IDK what people drag to your hackspace...) with you, on which you can install a client.

The "need a phone number" bit is, indeed, disgusting.

IIRC you can also get around it by entering username/pwd credentials, then once they've POSTed but before the return page load, hit esc, and go straight to inbox page.

Finally, you could set up a VPN/ssh tunnel/whatever you wanna call it at your home, so you could bounce to that and from there not have g**gle wondering why you like the hackspace.

You're welcome.

Re:Drawing in people with free services

[93+Escort+Wagon]

I sometimes want to use it at the local hackerspace, I try to log in, and after I enter my password it tells me "we don't recognize this computer, give us your phone number and we'll send you an SMS message to continue"(*).

I absolutely do not want to give Google my phone number, but there's no way around this.

You can protect a Google account with two-factor auth, using an authentication app like OTP Auth - does this “give us your phone number” query still occur if you have that enabled?

It wouldn’t make any security sense, but I wouldn’t be surprised if it does. Google does seem to be getting more in-your-face with regard to its information grabbing and sharing.

Re:Drawing in people with free services

[LynnwoodRooster]

A personal anecdote: I have a GMail account I use at home, everything works well enough (despite the awful interface).

I sometimes want to use it at the local hackerspace, I try to log in, and after I enter my password it tells me "we don't recognize this computer, give us your phone number and we'll send you an SMS message to continue"(*).

I absolutely do not want to give Google my phone number, but there's no way around this.

Get a free Google Voice number - then use that. It works great. It will receive the SMS no problem.

Re:Drawing in people with free services

[rudy_wayne]

Use POP/IMAP instead when out and about.

I've had a GMail account since the old days when you had to have an "invitation" to get one.

Whether I'm at home or away, I *ALWAYS* use POP/IMAP and a real e-mail client.

There simply is no reason to use Google's retarded, constantly subject-to-change-on-a-whim, web interface.

Re:Drawing in people with free services

I absolutely do not want to give Google my phone number, but there's no way around this.

I can think of half a dozen.

My account is not compromised, I've got a respectable password, and this didn't used to be a requirement.

Enough people started to complain about it that they actually changed their security protocols. Who knew!

Giving google my phone number doesn't increase security, but they've drawn everyone in with the free service.

Then stop using Google, there's two or three dozen other e-mail providers.

(*) Also, I have no idea how they "recognize" my home computer, since I regularly delete cookies from my system and re-login. Perhaps the "delete cookies" feature doesn't do what they say it does.

It actually does. These "Cookies" are stored on your local computer, but they don't stop other computers from retaining information about your computer, all of which you are gladly sharing.

Re: Drawing in people with free services

Google Voice is not available outside of the US.

Try again.

Re:Drawing in people with free services

I lost my Yahoo email after the Oauth acquisition, because I had given them an entirely nonsensical "backup email address" years ago after too many nagging messages.
It's in the form "a@a.a" which obviously leads nowhere.
So, be careful as you can lose access to an account entirely if you were to enter a bogus phone number or backup email "for your security and convenience".

Back up the data you may have under your email account, because you may be a computer failure away from losing your access with no phone number.
I always thought they use browser fingerprinting, although it may just be the IP address. So you might be at danger from an external IP change (depending on ISP your external ISP might last for years) although perhaps they let it "slip" if it's same ISP and same geolocation. (then maybe they use in this case fingerprinting. You're the only one around using Firefox on 64bit linux on 1920x1200 monitor with this set of fonts, etc.)

Re:Drawing in people with free services

[Narcocide]

Until this hit the front page, I believed it was for our security, too: https://yro.slashdot.org/story...

Re: Drawing in people with free services

[LynnwoodRooster]

Huh. Seems to work for me other than China - but then, I use a VPN for China and can get whatever I need. Canada, the EU, Mexico, Central America - all have my Google Voice work fine as long as I have some sort of Internet connectivity (either WIFI or 3G or better).

Re:Drawing in people with free services

[geggam]

Should give you an idea of how they fingerprint you. There are several other metrics especially with javascript

$ echo ' 192.168.1.245 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36' | md5
ff218f1f924e6eb7d71cf3cdfe8ddb29

Re:Drawing in people with free services

[Anne+Thwacks]

And your MAC address, and your router's MAC address, and quite probably hashes of your directories, and any other conceivable invasion of privacy they have not yet been caught doing.

Google's entire turnover depends on invading your privacy. You bet they are good at it.

Re:Drawing in people with free services

Get a free Google Voice number - then use that. It works great.

Last I heard, they Google Voice is only offered to USians. There's a lot of the planet that's not the US, so that's not a useful answer for most people.

Re:Drawing in people with free services

[Scarletdown]

Thunderbird is one viable solution to GMail's annoying interface.

Re:Drawing in people with free services

[fph+il+quozientatore]

I don't think they can get your MAC address from outside your network...

Re: Drawing in people with free services

Either you misunderstood what was said, or you're being arrogant.

Non-americans can not sign up for Google Voice. While the service may _work_ for you (an American) outside of your place of residence, it DOES NOT mean people from those places can register and utilize it.

Re: Drawing in people with free services

[LynnwoodRooster]

Okian Warrior - the original person I responded to - is in the US. So... your point?

Re:Drawing in people with free services

Not just google - they all do their best to get your cell phone number. I have had multiple instances of Microsoft claiming "suspicious" activity and demanding a cell phone number to send an authentication code to in order to continue using a product or service. When I log in to my account, there is no suspicious activity in the history, nor is there any explanation as to how asking me to enter a number and then sending an activation code to that same number is adding any level of security whatsoever.

A cell phone number is being used as a unique identifier to track you across different services and link you across accounts that you might use a different usernames for. It allows facebook to link you to your whatsapp profile even if you try to keep them separate.

Re:Drawing in people with free services

[jcam2]

Unfortunately account hijacking due to password re-use is so common that Google has to detect what look like suspicious logins (ie. from a different device, or in a different country, or at an unusual time) and ask additional challenge questions. However, in this case you can enter ANY phone number - it doesn't have to be your own.

Re:Drawing in people with free services

[thegarbz]

I absolutely do not want to give Google my phone number, but there's no way around this.

a) Google have your phone number even if you think they don't.
b) Use the Google Authenticator app instead, it's a fuckton better than SMS anyway.

Re: Drawing in people with free services

Where in their post does it state the are from the US?

Re: Drawing in people with free services

[LynnwoodRooster]

Previous exchanges... And where doesn't it state he's not? Additionally, if you have a VPN - you're in the US and you can get a Google Voice number. Unless that is too difficult for you to do?

Re:Drawing in people with free services

[ahodgson]

I've had Google refuse to allow POP or IMAP connections from a new IP unless I logged into webmail first. And provided the phone number to do so. Gmail's totally useless, don't know why anyone puts up with it. At least when my own server has problems I can just fix it.

Re:Drawing in people with free services

[LynnwoodRooster]

I guess folks at Slashdot have never heard of this new invention called a VPN? With it, you can actually appear to be in another country! Amazing, I know - but true!

Re: Drawing in people with free services

Wait until they force 2FA onto you. The following scenario is real, happens to me regularly, and is a total pain the arse to deal with:

1) Travel to new remote location for work.
2) Login using known correct password.
3) Trigger mandatory 2FA over SMS.
4) Unable to receive SMS due to remote location, account gets locked down, unable to do anything until I return to civilisation.

This happens with Google (their rescue codes help a lot) as well as my online banking, and, the "Verified by Visa" bullshit. Oh, now I can't use my CC to book a flight home from this remote shit hole because I can't receive an SMS while out here. Give me a break!

It's utterly preposterous.

Re:Drawing in people with free services

[GumphMaster]

b) Use the Google Authenticator app instead, it's a fuckton better than SMS anyway.

So I avoid providing a phone number to Google service X by using a Google app on a device almost certainly tied explicitly to my phone number.

Re:Drawing in people with free services

I feel your pain. My employer switched to gmail although it appears to be email@bigcorp.com to outside email senders.

I used to check my work email through Tor (because I did not want Google/Alphabet to record my ISP, MAC address, etc in their databases) but the HR manager got upset because G would call her and ask if Joe was in France or Germany or ..

She told me to stop using Tor. Instead, I told her that if G couldn't accept my logging in with my secure user name and password that I would never check email from home again. She decided to stop complaining and ignore any complaints from G. It seems they like us working from home on our own time.

Re:Drawing in people with free services

>I don't think they can get your MAC address from outside your network...

That all depends on what applications you install, especially "anti-cheat" programs for big games like.....

Run a black box Operating System? Good luck with that.

Re:Drawing in people with free services

There's an authenticator app that runs on most things.
There are also "recovery codes".

*YOU* May practice good password hygiene and not reuse passwords, but most people don't, and a *large* number of password databases out there expose many people's legitimate passwords to their accounts. Google and any person or company who manages logins for a large group of people run into the same issue. There's also a Yubi USB key or equivalent.

Most people have a phone with SMS, so this is the "easiest" thing for Google to send to, but it doesn't mean you can't choose the app or key. Ironically, Google and Blizzard typically have better sign in security than most banking sites. (Long passwords with just about any character accepted, reasonable 2nd factor options, more paranoid about logins from unusual locations.)

Recognizing a computer: there are probably any number of things one could do. IP address, cookies which you'd cleared, number baked into a browser, a "signature" for the computer based on the things exposed to the browser, or some combination of all of the above. (Also, most the time if I clear out everything from the browser I get prompted again for the 2nd factor of identification.) Some are relatively reasonable, some feel a bit Orwellian.

Based on the number of friends I know who've had their "accounts hacked", Google's precautions are probably well warranted, even if they're inconvenient if you're previously unaware of them and don't have a preferred "verify who you are" method setup in advance.

Google's mail has a lot to recommend it from a usability standpoint, actual interface and changes to it not withstanding. Probably the best is the excellent search.

For anybody who's really concerned about privacy though, Google, and to a lesser extent Apple and Microsoft, are not the guys to turn to. *SO* much is collected, and at least in Google's case, sifted through.

One's almost forced to go back to the bad old days of dumb phones with removable batteries and banishing one's self from the internet to stop various large companies tracking you.

Re:Drawing in people with free services

... I have a GMail account I use at home ...

That's why I have an e-mail client (eg. Incredi-mail or Thunderbird portable) on a USB drive: The SMTP protocol doesn't provide a hardware Id. like a browser does. Google and Hotmail don't know I'm using a different computer to check my email. Bonus, I can use the offline mode to view my Inbox anytime.

Re:Drawing in people with free services

[thegarbz]

So I avoid providing a phone number to Google service X by using a Google app on a device almost certainly tied explicitly to my phone number.

So you almost certainly don't have a clue about how the app works. It's not tied to your phone number any more than Google Maps is.

Re:Drawing in people with free services

[houghi]

Not only the IP. It is Browser Fingerprinting. https://en.wikipedia.org/wiki/...

That will tell them who you are. GDPR related to Brwoser Fingerprinting

Re:Drawing in people with free services

If you have an Android phone (with Google Play services) then they already have your phone number.

Re:Drawing in people with free services

[tepples]

VPN doesn't give you a street address or bank account in the appropriate country.

Re:Drawing in people with free services

[times05]

You don't want to give your phone number to Google?

Heh, would you phone happen to be an Android? Like more than 80% of the world.... Because Google wrote android... so you can bet not only do they know your phone number, but every key you ever pressed on that phone.

Re:Drawing in people with free services

Ahhh....that is why I'm now getting tons of SPAM text messages and calls on my cell phone that was never associated with my name, address, or anything. I stupidly fell for the SMS verification code scam. Shame on me. Shame on them!

Re:Drawing in people with free services

It sucks. They don't tell you how to get around it, they only give explanations of "this is for *your* security!".

If you work in a skyscraper, or other huge business it's pretty easy to find a phone at an unoccupied desk. Use that number.

Re:Drawing in people with free services

How about this, stop using Google products? Pay for an email account somewhere that doesn't jerk you around like this.

Re:Drawing in people with free services

[apoc.famine]

And I don't know why anyone would put up with running their own server and be forced to play IT when off the clock and on personal time.

I don't have an issue with Gmail. For the price (tracking me and needing my phone number) it's worth it to me. I don't want to dick around with a server at home and making sure that it's up-to-date and secure, that my firewall is playing nice with my server, etc. I want the most minimal home IT setup I can get away with, because I have better shit to do than play IT on nights and weekends.

Gmail on my phone mostly just works. Their client was worse than outlook, which is really saying something, but it's functional now that I switched.

I get all of the downsides, all of the trade-offs, and all of the shittiness of Gmail. But to me, that's less painful than having to run my own server infrastructure in my free time. There was a time when I loved that shit, but as I've gotten older, my priorities have shifted. Life is way too short for me to have to rebuild a raid array on a sunny Saturday afternoon. There are far more interesting things for me to do on a Wednesday evening than figure out why a spam filter suddenly stopped working.

If this is your cup of tea, great. But you need to understand that it's not everyone's, and for a lot of us, using Gmail is the less painful and irritating of the two options.

At least you can change it

[spyfrog]

Well, at least you easily can change your phone number if you need to - like an identity theft. Good luck with that if you happen to live where I live where the most common used identification number is our equalient of the American social security number. A number that is more or less impossible to change and that is considered public information by the government.

Define const Jenny == 8675309

Jenny, Jenny, who can I turn to?
You give me something I can hold on to
I know you'll think I'm like the others before
Who saw your name and number on the wall?

Jenny, I've got your number
I need to make you mine
Jenny, don't change your number

Jenny, Jenny, you're the girl for me
You don't know me but you make me so happy
I tried to call you before but I lost my nerve
I tried my imagination but I was disturbed

I thought most US citizens had no passport

[tepples]

Each passport has a unique "book number". The US also issues "passport cards" to passport holders.

I was under the impression that most U.S. citizens who do not travel internationally do not carry a U.S. passport. The United States has a lot more area in which one can legally travel on ground without a passport than somewhere like Europe, whose countries are closer in size to the several states of the U.S. So what should a service that requires a passport "book number" do for U.S. subscribers who do not carry a passport? Require them to obtain one? I was under the further impression that the cost in time and money of getting a passport just to use one private-sector service was beyond "impulse buy."

what is needed online is a uniquely-issued cryptographic signature, which is passphrase-protected. This could actually be used to secure online communications. It could be given out by post offices

But is US Postal Service enough of a private-sector company that the small-public-sector wing of the majority party currently in office would allow it to issue client certificates for citizens?

Re:I thought most US citizens had no passport

[CrimsonAvenger]

I was under the impression that most U.S. citizens who do not travel internationally do not carry a U.S. passport.

Quite so.

Nonetheless, it is AVAILABLE to any US Citizen, even if you have no intention of ever leaving your hometown, much less that USA....

Re:I thought most US citizens had no passport

Not true. In the United States, people who owe debts like unpaid child support, or fines from court cannot get passports. And now that college debt is spiraling and people with humanities try to duck them by "teaching English in Asia", how long until college debt blocks you from getting a passport too.

Re:I thought most US citizens had no passport

Nonetheless, it is AVAILABLE to any US Citizen, even if you have no intention of ever leaving your hometown, much less that USA....

Passports are an expense that most Americans avoid. It's $145 for a new passport, and $110 to renew. Plus $15 to have a passport photo taken.

State IDs prices vary but $30 is typical, and they are often free to senior citizens. (state ID physically like a driver's license, but without the authorization to drive)

Re:I thought most US citizens had no passport

[tepples]

Nonetheless, [a U.S. passport] is AVAILABLE to any US Citizen, even if you have no intention of ever leaving your hometown

And a burner phone and pay-as-you-go plan are available to every US resident. It's just a cost in time and money to obtain either a burner phone or a passport, especially if your vital records are hundreds of miles away in another state.

Re: I thought most US citizens had no passport

State IDs are $15 where I'm at. US east coast state.

Re: I thought most US citizens had no passport

Yup, prices vary. And vary wildly even between "US east coast states".

$54 in Washington, $32-$40 in Hawaii, $30.50 in Pennsylvania, $30 in California, $28 in Wisconsin, $24 in New Jersey, $20 in Illinois and Delaware, $18 in New Mexico, $15 in Alaska, $13 in North Carolina, $10 in New Hampshire and Michigan, $9 in Indiana and New York, $8.50 in Ohio, $8 in Iowa and Virginia, $5 in Tennessee and Arkansas, free in South Carolina, ...

NOTE: Many listed are of different durations, but 4 year expiration is the most common. And some states have a discounted 8 year price, but in those cases I listed the 4 year price only.

Re: I thought most US citizens had no passport

Fucking right wing states overcharging for an ID to keep blacks or off the polls. Whoops, i guess the data doesn't fit the narrative.

Re:I thought most US citizens had no passport

Each passport has a unique "book number". The US also issues "passport cards" to passport holders.

That number will change when you renew your passport, and if you get a second or third passport (which may be necessary if you travel to countries that refuse entry if you have been to certain other countries, especially in the Middle East), this passport will also have a different number.

Thanks China

Because of the Chinese character set, most websites in China use phone numbers and SMS for logging in. This has the added bonus of tieing the account to a government tracked user as you need ID to get a phone number to begin with.

Due to my lifestyle I change phone number every 2 months so always get burned by companies requiring SMS for 2FA. If itâ(TM)s genuinely for security websites would use Google Authenticator, Authy or an RSA dongle etc.

The use of mobile is purely for marketing and tracking.

Re:Thanks China

I'm in Western Europe but needing an ID to get phone is common as well.
And this year I got the pleasure of buying a phone on the Internet, paid with debit card but it wanted to send me a SMS, on the phone I don't have.
I had a friend pay, instead. I chose the phone to get delivered to some local warehouse/outlet/whatever so I don't pay for shipping (the phone is extremely cheap, I had a former version of the same, dumb with FM radio and good call quality). Got an email telling me I have to show up with ID and the debit card used for paying (mandatory). ... What the hell???

I thought I was buying something on the Internet (I've tended not to lately, because I had no need for new electronics or computer parts). Instead I think I'm playing an adventure game from the 1990s.

Re:Thanks China

On a ./. article about dual SIM, a Chinese told us dual SIM is needed in China because your use the second number to sign up to random shit (let's say gym membership, online accounts, etc.)
This as a magnet for all the spam garbage but it might be useful against tracking thus! Unless it's against the law to turn off your second SIM or second phone...

universal ID

"the United States doesn't offer any type of universal ID"

Well, they do ( SSN ) but technically its unconstitutional. So would be any 'secure extension' of that.

Problem isn't phone numbers or SSNs

[Solandri]

The problem is trying to use a plain string of numbers and/or characters as an ID. That basically forces you to transmit the ID in cleartext any time you use it, so anyone can pretend to be you by copying it (SSN) or requesting the number be transferred to a new device (phone number). What's needed is some type of encrypted challenge-response as a form of ID. With two-factor encryption, this would be

• A challenge sent to you encrypted with the challenger's private key and your advertised public key.
• You look up the public key of who the challenger claims they are, and use that and your private key to decrypt the challenge. This guarantees the challenge was really sent by the challenger (since only someone with the challenger's private key could make it decryptable with their public key), and is intended for you (since anything encrypted with your public key is only decryptable by you).
• You answer the challenge, encrypt your answer with the challenger's public key and your private key, then send your response back.
• That response can then only be decrypted by the person or company who holds the challenger's private key.

Anyone intercepting the messages in-transit cannot learn the contents of these messages. Your public key (or rather, your ability to decrypt messages encrypted with your public key, since only you hold the corresponding private key) serves as your ID.

Unfortunately, the entire process is rather unwieldy, and you can't memorize your private key. You have to keep it written or stored somewhere, making it vulnerable to theft. (The public key can be indexed in a public database, so you can give it via an index number.) The easiest-to-use solution I've seen to the problem is Chip & PIN used on newer credit cards. The Chip stores your private key and handles the encryption and decryption. Your PIN helps to prevent the Chip from being used without your knowledge, but isn't foolproof. It hopefully works long enough for you to get a new Chip in the event you discover it's lost or stolen. In this case, the Chip would serve as your ID, and the PIN your private passcode to access the ID. Using the ID requires both the physical Chip and your memorized PIN. (The process is still vulnerable at the "replace a lost/stolen Chip card" stage - the longer it takes to confirm your ID and issue you a new Chip, the more time a thief has to figure out your PIN.)

Re:Problem isn't phone numbers or SSNs

The problem is trying to use a plain string of numbers and/or characters as an ID.

That's not the problem.

You just forget that the human being is limited in terms of capacity.

Ah, a "solution" worse than the problem.

"But the United States doesn't offer any type of universal ID"

That's intentional and even desirable. Creating a centralized and authoritative database of citizens identities is a surefire way of accelerating the surveillance state even faster than it is currently going. It also sets up a controlling authority that most likely can't be escaped and WILL be abused, for example if you become an "undesirable" all the government has to do to vastly curtail your freedoms (apartment, driving, flying, etc) is deny you an ID or invalidate your current one.

Re:Ah, a "solution" worse than the problem.

[WorBlux]

State's already routinely pull Driver's Licenses for non-driving offense. Having something that is just for ID and can't be revoked except for fraud is better than a patchwork of documents that can be pulled for various excuses. And you can't have an authoritative name/identity system without an authority, and you can't be certain who you are dealing with without an authoritative system.

Re:Ah, a "solution" worse than the problem.

If I show my ID to a human this doesn't automatically create a paper trail, so I think I will rather keep the ID. This is a bit like cash in this aspect. Note to self : maybe the robot cashier scans the numbers on paper money. Probably not but very possible.

Taking ID away is the last thing a gov might want to do and in my country taking away your nationality is unconstitutional as well (if you don't have another)
They'll need to introduce a citizen score and then set it to zero if they don't like you. Even then they might eventually need to set up military check points on roads if they want to fuck us up this bad. That's what the DPRK does.

Re:Ah, a "solution" worse than the problem.

"State's already routinely pull Driver's Licenses for non-driving offense"

The key word there is "states", drivers licenses (if they can really be called that anymore) are an inherently decentralized system at the moment which makes widespread abuse far more difficult. If one state decides to start screwing with you a person can usually move a state over and chances are you'll escape the harassment, even if you don't there are 48 other chances for a unencumbered life. It has its issues to be sure, but given the choices (low level fraud vs police state) its preferable.

Re:QuietLagoon = fake name massive human fail

Says the anonymous coward.

Why not use tattoos?

[Cornwallis]

It worked for Hitler.

Re: Why not use tattoos?

Meh, those can be copied, altered or cut out. Now, a chip embedded in your spinal column that explodes if attempted to be removed is a much more likely option

Re: Why not use tattoos?

Get frozen, decapitated, re-stitched and heated back (microwave, lowest setting).

TOTP needs SMS, U2F, or Android/iPhone/iPad first

[tepples]

Setting up Google Authenticator or another TOTP app requires first setting up either SMS, U2F, or Google Search prompts, and printing backup codes. From "Install Google Authenticator":

To use Google Authenticator on your Android device, you'll need:
[...]
2-Step Verification turned on

The phrase "2-Step Verification turned on" links to "Turn on 2-Step Verification", which implies that you'll need to have one of these:

A. A mobile phone to receive SMS.
B. A USB security key implementing FIDO U2F and a desktop or laptop computer running a compatible version of the Google Chrome browser. I haven't tested whether Chromium from a GNU/Linux distribution works as well or whether U2F is one of the proprietary extras included only in Google Chrome. In addition, the U2F key has to have been manufactured in batches of at least 100,000.
C. A phone or tablet with the Gmail or Google Search app installed (which works only on iOS or Android with Google Play, not AOSP alone or Windows Phone). This was introduced fairly recently, and I began using 2FA on Google once it was introduced.

You'll also need to own a second phone as a backup or a printer to receive backup codes.

Get your own email, dummy

You could just spend $2 a month on your own fucking email account.

Not really

[markdavis]

>"But the United States doesn't offer any type of universal ID, which means private institutions and even the federal government itself have had to improvise."

Well, they do, it is the SSN (Social Security Number)... which was never supposed to be or meant to be some type of general-purpose, national ID number. In any case, it is not desirable to have a national ID number, anyway. Why? Because it destroys freedom and privacy by making being anonymous difficult and encourages tracking and cross-referencing.

Biggest problem ever was when "credit scores" got linked to SSN and now businesses use that as an excuse to REQUIRE SSN for many transactions, even getting a phone, gas, electricity, mortgage. And the IRS uses for taxes, another huge mistake- so now every employer and bank and lender "must" have it. And your employer shares it with numerous insurance companies and other "partners" without your permission nor knowledge (been there, done that).

Re:Not really

>"But the United States doesn't offer any type of universal ID, which means private institutions and even the federal government itself have had to improvise."

Well, they do, it is the SSN (Social Security Number)... which was never supposed to be or meant to be some type of general-purpose, national ID number.

In order words, the original statement was correct.

And the IRS uses for taxes, another huge mistake- so now every employer and bank and lender "must" have it.

Considering that they need to track your SS taxes so that the SS bureau can calculate your benefit and ensure that you are paying the correct amount of taxes, I'd say the IRS has a legitimate claim to your SSN. (Your dependent's SSN is another story.)

Impersonating me? Get a life already, freak! apk

Impersonating me? Get a life already, freak!

APK

P.S.=> Unbelievable anyone wastes their life + time the way you do impersonating me & for what - Does it STOP me from posting?? No... apk

Steve Gibson's SQRL is the answer

New upcoming technology is going to solve that pretty soon.

Search for "Steve Gibson SQRL" and see for yourself. I also recommend you listen to Steve on the SecurityNow podcast where he explains it.

Rejoice!!!

Re:Steve Gibson's SQRL is the answer

Steve Gibson is a fucking nutjob.

false correlation

[lkcl]

" But you keep the latter guarded, because it's how you prove who you are. "

nooOoo: when you type in a password, it authenticates the *username*. it does *not* authenticate the *user*.

The article misses the solution (typical of Wired)

Their main complaint that "phone number were not meant to be used as IDs" is that they are not secure and someone could hijack your number using a hacked SIM or whatever. So, instead of making the federal government blow billions of dollars creating a new ID numbers when we already have SS, not just force companies to make the SIMs more secure? This is probably Oracle backed FUD, since any massive new government database means more money for them, although IBM got the original SS contract along with other big government tracking projects like the ones they did for Hitler around the same time.

Name, Phone, Email or fingerprints are all equal

Name or Phone or Email or face or finger prints are all equal.
None are private and none should be used for any account access without at least 2 other non-public validation questions.

How does that work?

As someone who hasn't had a phone number for the last 15 years, I don't understand. Please explain how a phone number is a form of ID.

Re:Impersonating me? Get a life already, freak! ap

Impersonating APK is almost as big of waste of time as being APK. He's complete garbage and he shills harmful software in an off-topic way.

If /. admins weren't feckless losers they would have permanently banned that spammer-troll degenerate.

ZIP

P.S. => APK is the original ne'er-do-well. He serves no purpose other than to harass and annoy good people with his incessant ramblings.

Identification vs. Authorization

[Macdude]

It's a simple matter of Identification vs. Authorization, phone numbers (like fingerprints) are great for identification but horrible for authorization because of the ease they can be used fraudulently, i.e. generate false positives. I'm always amazed at how so many security "professionals" can't seem to grasp this simple concept.

Re:Identification vs. Authorization

[stoatwblr]

"phone numbers (like fingerprints) are great for identification but horrible for authorization"

Most of the 50 or so phone numbers I've had in various locations around the world (prepay mobile sims) have been reassigned to someone else within 12 months of going idle.

Tell me, how is that good for identification?

telemarketing is not the issue

All those stores with "rewards" programs, tiny discounts on their inflated prices...

They sell your purchase data to marketers... Easy enough to connect ALL your "rewards" purchases, and everything else you do...

Just by the phone number

I use a separate mobile number for such purposes.

[devslash0]

I have a mobile plan with two numbers. One is my day-to-day number, the other one - used only for authentication / 2FA / recovery purposes and only turned on when required.

super-fail

this is, of course, a super-fail, as I only log in to other devices when I don't have a logged in device available. Fuck google.

Re:super-fail

[tepples]

If you can have only one computer running at once, use the U2F key + printed backup codes method. Then plug the key into the USB port of whatever PC you use with your Google Account.

Re:super-fail

Yeah, it sucks the first time you run into a new security feature that you may not have known about and hadn't setup ahead of time.
      (Using something other than your phone.)
I'm sure Google's crying that you went out and paid for the privilege of a traditional pop/smtp mail provider.
      Oh, wait, you didn't?

I am certain Google regrets the need to put these measures in place and would have liked to avoid them. . . but the thousands or millions of compromised passwords put them in an unenviable position of needing to verify who's trying to access that nearly anonymous account.

Completely Not Needed

User name and password are good enough. The only need for a universal id is to data mine data about you across companies. Basically so companies can sell each other data about you for money, advertising, profiling, and blacklists.

Re:They were EXACTLY meant as ID!

You must be a millenial, phone numbers were never uniquely tied to individual people. Early on, phone numbers weren't necessarily even tied to a single residence, or have you never heard of a party line?

A phone number is just like a snail mail or email address, it doesn't guarantee that there's only one person attached to that number and it doesn't guarantee that one person doesn't have multiple numbers. Which is terrible as a means of identification. And that's before you even start to think about spoofing and unauthorized access to the number.

When you place a call, send a letter or email, you're just directing the message to a particular place, there may be one person there or you may have to have that person direct you to the intended recipient.

Re:The article misses the solution (typical of Wir

SIMs are very secure. The problem is people calling up your phone company or walking into a store and saying "Hi, I'm X and I lost my phone/SIM card/etc. Could you please issue me a new one?" or the equivalent of "Hi, I'm your customer X and previously was at carrier Y and would like to port my number over." In other words, a social problem.

Hold the telcos responsible

[Chewbacon]

I get a rush of phone calls sometimes from people saying "Hey, you called me, who is this? Why do you KEEP calling me?" My response is usually dumbfounded and the conversation ends with the caller just as confused, but sometimes they get angry and say "put me on your DO NOT CALL LIST!" So my number is spoofed. Verizon tells me there's not a damn thing they can do about it. Sucks since it is a business line and I take calls from clients every day, but Verizon has their money from me (well, probably millions from my company, as we are pretty damn big) and doesn't give a flying fuck.

Re:Hold the telcos responsible

[Todd+Knarr]

The problem is that the spoofing happens at the spoofer's end, and they aren't using Verizon so Verizon can't do a thing about it. You'd have to talk to the telco the spoofer uses for their line, and they have no incentive to do anything because the person complaining isn't a paying customer and the spoofer is. The only real solution is what we did with email spam with blacklists of entire providers. (NB: no it didn't eliminate email spam, but it cut it down significantly and made it a whole lot easier to filter out before the mail server had to receive it.)

Re:Hold the telcos responsible

[stoatwblr]

"The problem is that the spoofing happens at the spoofer's end"

Correct

"and they aren't using Verizon so Verizon can't do a thing about it"

Wildly incorrect.

Verizon has routing information about the call provided at a much deeper layer than the presentation layer, but as they (and other telcos) are paid to terminate those spoofed calls, they choose to look the other way until compelled(*) to do something about it.

(*) Either by government edict (happening in some countries and meeting strong resistance from the telcos), or because billing fraud means they don't get paid to a level where accountants start paying attention (which results in rapid implementation and those filters being sold to customers as "for your protection")

Re:Hold the telcos responsible

[Todd+Knarr]

Verizon isn't in a position to figure out whether the info is being maliciously spoofed or not. There's lots of legitimate reasons to spoof the CID data so it differs from the ANI or billing data. Calls from a large business, for instance, where the outgoing lines are distinct from the incoming lines and you want the CID to refer to the number the receiver can call to reach the business. Calls from a call center serving multiple clients, too, where it's better to have the CID reflect the number assigned to that client for customer-service calls rather than the call center's outgoing-line bank. There's no way for Verizon to distinguish those cases from someone spoofing a number for malicious purposes, unless Verizon is actually the company the spoofer is using and they know who the spoofer is and what their business is.

This wasn't a problem back in the day when you needed a T1 or larger connection to be able to set CID data on outgoing calls, but nowadays anybody using SIP effectively has a direct T1 connection and can run their own PBX with all the capabilities of a commercial setup.

phone number got hijacked

[bigtreeman]

My wife's phone number got hijacked and ported to another provider.
This was used to attack the bank account and open new credit accounts.
We responded quickly and luckily our bank had very safe procedures.
But a lot of banks aren't as good. The police weren't very useful.
We now have extra protections in place.

Use your ringtones, Luke.

[fyngyrz]

I happily give them my phone number. I just don't answer my phone except for whitelisted numbers that have a non-mute ringtone. Solves all manner of problems. A mute ringtone is one that makes zero noise, and that's the default on my phone.

The day of unplanned voice telephone comms from random callers is past for me. You want me, then email me, or text me. We can arrange a phone call if need be; but cold calls? No. Not happening. Telemarketers and various other forms of similar lowlife have shit that bed beyond all recovery.

I don't pay any attention to voice messaging, either. The idea of someone trying leave me a voice message fills me with glee... they just spent some fraction of their life for nothing.

They may wreck texting eventually as well. But perhaps not. The same filtering that works (and very well, too) with email could work with texting. Whitelists, smart filtering... bring it on, I say.

Re:Use your ringtones, Luke.

Texting has a long way to go to get to the level of usability of email with respect to spam. Doctor appointment? Here's a text reminding you that they called you to remind you that your calendar alert will remind you of your appointment! Vet visit for your pet? Here's a text telling you that you just had an appointment! Car in for an oil change? Here's a text asking for a good review on the customer survey! A family member sends a group text about something? Here's a flood of 20 texts from an assortment of people!

There's no way to unsubscribe, there's no way to prevent the deluge, and the only blocking feature available on my carrier is limited to 15 addresses. It's to the point where I'm starting to wish I could turn off texting entirely.

Texting is already wrecked.

Re:Use your ringtones, Luke.

[Agripa]

I happily give them my phone number. I just don't answer my phone except for whitelisted numbers that have a non-mute ringtone. Solves all manner of problems. A mute ringtone is one that makes zero noise, and that's the default on my phone.

The day of unplanned voice telephone comms from random callers is past for me. You want me, then email me, or text me. We can arrange a phone call if need be; but cold calls? No. Not happening. Telemarketers and various other forms of similar lowlife have shit that bed beyond all recovery.

I don't pay any attention to voice messaging, either. The idea of someone trying leave me a voice message fills me with glee... they just spent some fraction of their life for nothing.

They may wreck texting eventually as well. But perhaps not. The same filtering that works (and very well, too) with email could work with texting. Whitelists, smart filtering... bring it on, I say.

I used to have a busy signal for my answering machine message. I wonder if any phones allow a different answer message for white listed and black listed numbers.

Re:The article misses the solution (typical of Wir

If you're an American adult with any kind of credit at all, thanks to the breach with Equifax, you're pretty much boned. Your SSN is out there, probably along with a depressing amount of other identifying information.

Don't have a phone?

I really don't have a mobile phone.
What I have discovered is massive amounts of social and economic discrimination because I do not have one.
Just because I do not own a device many "free" services become unavailable to me.

Do I care, not really, because I have always seen the wolf in sheep's clothing that is the technology industry.
However I feel that many people are not aware of the problem.

Ditch your phone/s for a year and take a look.
Don't worry you will not die because you do not carry a corporate tracking beacon.
In fact you will be more free. Freedom is important to you isn't it?

my 2c

Society needs identifiers my ass

"Society needs identifiers" is double talk for "my lobby organization's [Better Identity Coalition] customers [Visa, Bank of America etc.] want the state to pick up the cost of doing our jobs.

And then later:

Taxes? NOOOOO! LEAN STATE!

Know what? Assholes. Were it to me, I'd know what to do with y'all. Expropriation.

Americans don't WANT any kind of "Universal ID"

[Jane+Q.+Public]

Man, young people these days are so ignorant of history. It's really pretty concerning to those who aren't.

There is a REASON people don't want a "universal ID". And it has to do with something called "1984"

But it's not limited to 1984. Our parents (if you're older) and grandparents, and great-grandparents fought tooth and nail against any kind of Federal ID.

It's actually kind of common to think that people in the past were less sophisticated than you are, and therefore not quite as bright. In simpler terms, many people seem to fall into the trap of thinking people generations ago as not ignorant (compared to today's knowledge), but actually stupid.

That's a mistaken viewpoint.

There is a reason Social Security was never allowed to pass, unless it was promised that the Social Security number would NEVER be a "federal ID".

And the promise was made, and Social Security passed.

And years later, the government made SSN a valid ID for national credit companies. In other words: betrayal of their promise.

Better wake up, people. I984 is looking you in the face. Right now. If you don't see those encroachments coming down on you, in the name of "convenience", you're just naive.

Re:Americans don't WANT any kind of "Universal ID"

A hundred governments have turned into tyrannies in the time between 1900 and 2000 alone. On the example of Central Europe or Africa, the risk of any one government turning into a tyranny rises about 1% per year. So far, Switzerland and the US are the only countries old enough to really stand the test of time that resisted turning into tyrannies, with Canada and Australia coming in third and fourth place. All these countries has or had civilian gun ownership. Switzerland still has it fully, the US restricted, Canada and Australia abolished it, as have all other Western countries.

And as you can view in Europe, all Western European countries have over the last three decades steadily turned towards totalitarianism, with the UK at the forefront. The UK has now the most stringent gun and knife laws of the entire first world, and perhaps not so much coincidentally also the worst restrictions of free speech, the most insane definition of "hate crimes" and the least individual freedom of all of Western Europe.

A single identifier per person is all but standard in all these countries and all it does is make the government more efficient in tracking and regulating people, that is, unarmed and defenseless civilians. Unfortunately, effectively tracking and regulating people that can mount no reasonable defense against an overbearing state makes the defenseless people even less capable of equaling state power. And power differences always turn out worse for the weaker part.

Re:Americans don't WANT any kind of "Universal ID"

young people these days are so ignorant of history.

Ironically, you just demonstrated your ignorance a few days ago.

Re:TOTP needs SMS, U2F, or Android/iPhone/iPad fir

[houghi]

I have the Google Autenticator for my SSH logins.
This is what I did:
1) Down load the app.I use the one from LastPass, not the one from Google
2) Follow e.g. These instructions. It basicaslly means you install libpam-google-authenticator, configure 2 files and run google-authenticator
3) ssh and it will ask me for the autenticator. No network needed.

I use the same app for Amazon.

Since there is no need for tracking a person

[jd]

Why should anyone care?

You need to track connections, accounts, logical device interfaces and logical user instances, but not physical people or physical things. Even a license plate just correlates a registration of a logical notion of a car with a registration of a logical notion of the owner. Not a physical thing.

The physical world is not related to the logical world. You don't need to track physical people and there need not be a 1:1 relationship to logical data. So a logical person entity can be multiple physical people, and a physical person can have multiple logical person entities.

As long as what is needed is present, that's fine. It's also more secure.

We can dispense with the idea of individuals, at the data level, eliminating the need for IDs that correspond to specific things in meatspace.

Google Maps requests your phone number

[tepples]

[A TOTP app is] not tied to your phone number any more than Google Maps is.

First, Google Maps is in fact tied to your phone number. The Google Maps app requests permission to "send SMS messages", "directly call phone numbers", and "read phone status and identity".

Second, as I wrote in another comment, Google considers TOTP secondary. A Google Account holder must first set up 2sv through SMS, U2F, or Google Search prompts before setting up TOTP, and two of these three options are tied to either a cellular plan or a mobile device running iOS or Android with Google Play.

Re:Google Maps requests your phone number

[thegarbz]

First, Google Maps is in fact tied to your phone number.

Congratulations. You just reiterated point 1 in my original post.

and two of these three options are tied to either a cellular plan

Your second point is missing a point. Or rather I'll make the point for you: One of these is not tied to your cellular plan. Which all brings me back to my original post which I will re-quote here for properity:
" a) Google have your phone number even if you think they don't.
b) Use the Google Authenticator app instead, it's a fuckton better than SMS anyway."

Re:Google Maps requests your phone number

[tepples]

If you use a U2F key as your primary, Google wants a backup phone but will accept printing backup codes with a printer. Do most households with a computer even own a printer anymore?

Re:Google Maps requests your phone number

You don't have to print out the codes, you know? When I requested them, I just wrote them down with good old fashioned pen and paper. Your edge-case arguments seem to be getting weaker by the day.

Why on earth?

[fish_in_the_c]

"But the United States doesn't offer any type of universal ID"
Why on earth would I WANT a universal ID system. Who does that benefit? NOT the consumer, NOT the average person in society. While the lack of one might be some inconvenience, and it certainly increases the chance of crime. The social and political cost of making it easy for any political group who takes power to track everyone and anyone they 'don't like' and to IDENTIFY them easily is not worth the convince. The reality is that sometimes in order for society to progress there needs to be political and sometimes even physical upheaval, but creating a system where each person can be uniquely identified at any given point is 90% of the way to solving the problem of complete and absolute control of actions ( if not thoughts) of an entire society. It is the antithesis of freedom.
Who does it benefit? Not small business who actually meet and know their customers, NOT people working and relating to other people, it befits primarily LARGE and or remote corporations who have no other way of establish trust.

Re: Impersonating me? Get a life already, freak! a

I am stupid and I smell my own farts and eat my own poop...apk

"long term?"

[stoatwblr]

"As cell phones proliferated, and phone numbers became more reliably attached to individuals long term"

In the USA maybe.
In other parts of the world people have multiple mobile numbers or dump them every year or so with a change in contract.

As a reliable identification method they were always questionable and showed a marked US-centricism in software that was clearly broken from the outset.

Need anonymoty, not a "universal ID"

[InPursuitOfTruth]

The article seems to be more about pushing a solution of a central ID system as a presumed solution to the identity theft problem, even though it was the requirement that SSN's be associated with financial accounts that began the whole problem. Specifically:

"But the United States doesn't offer any type of universal ID, which means private institutions and even the federal government itself have had to improvise."

What's needed is better anonymity not increased centralized identity. On top of that, to the extent identity is needed, it should be more complex and IDs should be unique from one entity (e.g., bank) to another. If there is any centralized requirement, it should be identity policy and protocols, not the identity!

While it is true that authentication becomes an issue you can avoid despite an identity being public, the proliferating of common identities such as SSNs seems to be a catalyst for identity theft. The last thing I want is another government issued identity I cannot change or revoke that all my valuable assets become tied to.

Did anyone else catch this bias?

The best way to protect our assets is through anonymity. No one who steals identifying information such as SSNs, birthdates and phone numbers should be able to locate and steal the assets belonging to that person. A Universal ID helps thieves, not us.