Slashdot Mirror
Phone Numbers Were Never Meant as ID. Now We're All At Risk (wired.com)
One key lesson from the recent T-Mobile and several other breaches: our phone numbers, that serve as a means to identity and verify ourselves, are increasingly getting targeted, and the companies are neither showing an appetite to work on an alternative identity management system, nor are they introducing more safeguards to how phone numbers are handled and exchanged. From a report: Identity management experts have warned for years about over-reliance on phone numbers. But the United States doesn't offer any type of universal ID, which means private institutions and even the federal government itself have had to improvise. As cell phones proliferated, and phone numbers became more reliably attached to individuals long term, it was an obvious choice to start collecting those numbers even more consistently as a type of ID. But over time, SMS messages, biometric scanners, encrypted apps, and other special functions of smartphones have evolved into forms of authentication as well.
"The bottom line is society needs identifiers," says Jeremy Grant, coordinator of the Better Identity Coalition, an industry collaboration that includes Visa, Bank of America, Aetna, and Symantec. "We just have to make sure that knowledge of an identifier can't be used to somehow take over the authenticator. And a phone number is only an identifier; in most cases, it's public." Think of your usernames and passwords. The former are generally public knowledge; it's how people know who you are. But you keep the latter guarded, because it's how you prove who you are.
The use of phone numbers as both lock and key has led to the rise, in recent years, of so-called SIM swapping attacks, in which an attacker steals your phone number. When you add two-factor authentication to an account and receive your codes through SMS texts, they go to the attacker instead, along with any calls and texts intended for the victim. Sometimes attackers even use inside sources at carriers who will transfer numbers for them.
"The bottom line is society needs identifiers," says Jeremy Grant, coordinator of the Better Identity Coalition, an industry collaboration that includes Visa, Bank of America, Aetna, and Symantec. "We just have to make sure that knowledge of an identifier can't be used to somehow take over the authenticator. And a phone number is only an identifier; in most cases, it's public." Think of your usernames and passwords. The former are generally public knowledge; it's how people know who you are. But you keep the latter guarded, because it's how you prove who you are.
The use of phone numbers as both lock and key has led to the rise, in recent years, of so-called SIM swapping attacks, in which an attacker steals your phone number. When you add two-factor authentication to an account and receive your codes through SMS texts, they go to the attacker instead, along with any calls and texts intended for the victim. Sometimes attackers even use inside sources at carriers who will transfer numbers for them.
Setting up Google Authenticator or another TOTP app requires first setting up either SMS, U2F, or Google Search prompts, and printing backup codes. From "Install Google Authenticator":
The phrase "2-Step Verification turned on" links to "Turn on 2-Step Verification", which implies that you'll need to have one of these:
A. A mobile phone to receive SMS.
B. A USB security key implementing FIDO U2F and a desktop or laptop computer running a compatible version of the Google Chrome browser. I haven't tested whether Chromium from a GNU/Linux distribution works as well or whether U2F is one of the proprietary extras included only in Google Chrome. In addition, the U2F key has to have been manufactured in batches of at least 100,000.
C. A phone or tablet with the Gmail or Google Search app installed (which works only on iOS or Android with Google Play, not AOSP alone or Windows Phone). This was introduced fairly recently, and I began using 2FA on Google once it was introduced.
You'll also need to own a second phone as a backup or a printer to receive backup codes.
It probably is uniquely American. In the past few months, everyone on my team at work has seen a MASSIVE uptick in fake calls, with faked Caller ID numbers. We are getting at least, between us, 2-3 a day. My assumption is that due to the roll-back of Net Neutrality, many of the scammers now realize there is very little the FCC will do about all of this, so have opened the floodgates.
Most disturbing is that many of these calls are coming from areas in / near Washington DC, West Virginia, etc. We do have a decent-sized government contract, so it would seem whomever is selling this info KNOWS this and is trying to use these prefixes to get us to answer.
I receive telemarketing and scam calls almost everyday. None of them seem to be related to anything I have ever bought or any company that I do business with. They appear to be untargeted and random.