Slashdot Mirror


Phone Numbers Were Never Meant as ID. Now We're All At Risk (wired.com)

One key lesson from the recent T-Mobile and several other breaches: our phone numbers, that serve as a means to identify and verify ourselves, are increasingly getting targeted, and the companies are neither showing an appetite to work on an alternative identity management system, nor are they introducing more safeguards to how phone numbers are handled and exchanged. From a report: Identity management experts have warned for years about over-reliance on phone numbers. But the United States doesn't offer any type of universal ID, which means private institutions and even the federal government itself have had to improvise. As cell phones proliferated, and phone numbers became more reliably attached to individuals long term, it was an obvious choice to start collecting those numbers even more consistently as a type of ID. But over time, SMS messages, biometric scanners, encrypted apps, and other special functions of smartphones have evolved into forms of authentication as well.

"The bottom line is society needs identifiers," says Jeremy Grant, coordinator of the Better Identity Coalition, an industry collaboration that includes Visa, Bank of America, Aetna, and Symantec. "We just have to make sure that knowledge of an identifier can't be used to somehow take over the authenticator. And a phone number is only an identifier; in most cases, it's public." Think of your usernames and passwords. The former are generally public knowledge; it's how people know who you are. But you keep the latter guarded, because it's how you prove who you are.

The use of phone numbers as both lock and key has led to the rise, in recent years, of so-called SIM swapping attacks, in which an attacker steals your phone number. When you add two-factor authentication to an account and receive your codes through SMS texts, they go to the attacker instead, along with any calls and texts intended for the victim. Sometimes attackers even use inside sources at carriers who will transfer numbers for them.

6 of 185 comments

  1. Mobile phone numbers are craved by QuietLagoon · Score: 5, Insightful

    For some reason, many of the vendors all but insist I provide them my mobile phone number. I always refuse because I know that once I give out the phone number, my phone will start ringing with telemarketing calls. The vendors say they want the mobile phone number for back-up identification purposes, but I just do not believe them.

    1. Re:Mobile phone numbers are craved by Anonymous Coward · Score: 1, Insightful

      I refuse to use my phone as an ID for the same reason. If you give any web site your phone number, chances are that it will be sold to telemarketers. They can say that by giving them your number (and because you have a business relationship with them) that it's OK for them to give or sell your number to their business partners. We really need telemarketing to be outlawed. This should include political calls and calls from organizations or individuals asking for money. I also feel that the only way for someone to get my cell phone number should be for me to give it to them. I feel that the collection and selling of people's data needs to be stopped!!

    2. Re: Mobile phone numbers are craved by Anonymous Coward · Score: 2, Insightful

      Net neutrality.

      What can't we blame on it?

  2. SSN was never meant to be used as ID either by Vermonter · Score: 5, Insightful

    And that's caused all kinds of problems with identity theft in recent years. I'm not surprised we are making the same stupid mistake with phone numbers.

  3. Wait, what? by drinkypoo · Score: 3, Insightful

    But the United States doesn't offer any type of universal ID,

    Yes, it does, and it's called a passport. Each passport has a unique "book number". The US also issues "passport cards" to passport holders. This is a federally-issued, unique identification card which is considered valid ID.

    We also now have Real ID, which is a federal standard for acceptable identification. Real ID-qualified identification cards by definition involve linked databases.

    Arguably, however, what is needed online is a uniquely-issued cryptographic signature, which is passphrase-protected. This could actually be used to secure online communications. It could be given out by post offices, which seems logical since they are the place where most people go to process their passport application and because the post office is about communication.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

  4. At least you can change it by spyfrog · Score: 3, Insightful

    Well, at least you easily can change your phone number if you need to - like an identity theft. Good luck with that if you happen to live where I live where the most commonly used identification number is our equivalent of the American social security number. A number that is more or less impossible to change and that is considered public information by the government.