Slashdot Mirror


Phone Numbers Were Never Meant as ID. Now We're All At Risk (wired.com)

One key lesson from the recent T-Mobile and several other breaches: our phone numbers, which serve as a means to identify and verify ourselves, are increasingly being targeted, and the companies involved are neither showing an appetite to work on an alternative identity management system, nor introducing more safeguards around how phone numbers are handled and exchanged. From a report: Identity management experts have warned for years about over-reliance on phone numbers. But the United States doesn't offer any type of universal ID, which means private institutions and even the federal government itself have had to improvise. As cell phones proliferated, and phone numbers became more reliably attached to individuals long term, it was an obvious choice to start collecting those numbers even more consistently as a type of ID. But over time, SMS messages, biometric scanners, encrypted apps, and other special functions of smartphones have evolved into forms of authentication as well.

"The bottom line is society needs identifiers," says Jeremy Grant, coordinator of the Better Identity Coalition, an industry collaboration that includes Visa, Bank of America, Aetna, and Symantec. "We just have to make sure that knowledge of an identifier can't be used to somehow take over the authenticator. And a phone number is only an identifier; in most cases, it's public." Think of your usernames and passwords. The former are generally public knowledge; it's how people know who you are. But you keep the latter guarded, because it's how you prove who you are.

The use of phone numbers as both lock and key has led to the rise, in recent years, of so-called SIM swapping attacks, in which an attacker steals your phone number. When you add two-factor authentication to an account and receive your codes through SMS texts, they go to the attacker instead, along with any calls and texts intended for the victim. Sometimes attackers even use inside sources at carriers who will transfer numbers for them.

5 of 185 comments

  1. Drawing in people with free services by Okian Warrior · · Score: 3, Interesting

    A personal anecdote: I have a GMail account I use at home, everything works well enough (despite the awful interface).

    I sometimes want to use it at the local hackerspace, I try to log in, and after I enter my password it tells me "we don't recognize this computer, give us your phone number and we'll send you an SMS message to continue"(*).

    I absolutely do not want to give Google my phone number, but there's no way around this.

    My account is not compromised, I've got a respectable password, and this didn't used to be a requirement.

    Basically, they've lured everyone in with a free service, and now they're drawing in other personal information in order to continue to use it. I fear that one day they will simply decide to require a phone number from my home computer, and then I'll be fucked because I will have to give it to them or else lose all functionality of GMail.

    It sucks. They don't tell you how to get around it, they only give explanations of "this is for *your* security!".

    Giving google my phone number doesn't increase security, but they've drawn everyone in with the free service.

    (*) Also, I have no idea how they "recognize" my home computer, since I regularly delete cookies from my system and re-login. Perhaps the "delete cookies" feature doesn't do what they say it does.

  2. Re:Wait, what? by drinkypoo · · Score: 3, Interesting

    Each passport has a unique "book number". The US also issues "passport cards" to passport holders. This is a federally-issued, unique identification card which is considered valid ID.

    How is this any different from a Social Security card, which is also a federally-issued, unique identification card? How does issuing everyone a passport solve any problem?

    I don't know that it fully solves any problem, but I took exception to the false claim that there is not a federal ID besides the social security card. It's harder to falsely get your hands on a passport than a social security card, though neither is impossible since there's always good old theft. However, social security cards don't have a photograph on them.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

  3. Re:Wait, what? by cellocgw · · Score: 4, Interesting

    How is this any different from a Social Security card, which is also a federally-issued, unique identification card? How does issuing everyone a passport solve any problem?

    Dunno how to break it to you youngsters, but my SSN is being **used** as a unique ID, but in fact it is not a traceable identification number. Like everyone born in the antediluvian epoch (more or less pre-Reagan), I walked into a federal office one day and asked for a SSN. They asked my name, typed up a card, and there I was. Basically same procedure as happens now if you want to pull an EIN for a trust.
    Just like phone numbers, SSNs are being misused for something they were not intended.

    --
    https://app.box.com/WitthoftResume Code: https://github.com/cellocgw

  4. Re:They were EXACTLY meant as ID! by Anonymous Coward · · Score: 2, Interesting

    You must be a millennial; phone numbers were never uniquely tied to individual people. Early on, phone numbers weren't necessarily even tied to a single residence, or have you never heard of a party line?

    A phone number is just like a snail mail or email address, it doesn't guarantee that there's only one person attached to that number and it doesn't guarantee that one person doesn't have multiple numbers. Which is terrible as a means of identification. And that's before you even start to think about spoofing and unauthorized access to the number.

    When you place a call, send a letter or email, you're just directing the message to a particular place, there may be one person there or you may have to have that person direct you to the intended recipient.

  5. Re:Wait, what? by thegarbz · · Score: 4, Interesting

    Why not adopt a points-based system like in other countries? Bring enough uniquely identifiable information to the table to qualify for whatever important thing you are doing. Passport, driver's license or other government-issued photo ID = 50 points; birth certificate or other official government-issued document without photo ID = 40 points; credit card or financial documents = 20 points; addressed letter from a recognised institution = 10 points.

    Need to open a bank account, take out a home loan, or apply for a visa? Pony up 100 points. Need to buy a phone? Pony up 40, etc.

    That solves the whole problem of having to force people to obtain a specific form of ID, and it also avoids the problem of a single unique document covering everything.