Slashdot Mirror


Phone Numbers Were Never Meant as ID. Now We're All At Risk (wired.com)

One key lesson from the recent T-Mobile breach and several others: our phone numbers, which serve as a means to identify and verify ourselves, are increasingly being targeted, and the companies are neither showing an appetite to work on an alternative identity management system nor introducing more safeguards for how phone numbers are handled and exchanged. From a report: Identity management experts have warned for years about over-reliance on phone numbers. But the United States doesn't offer any type of universal ID, which means private institutions and even the federal government itself have had to improvise. As cell phones proliferated, and phone numbers became more reliably attached to individuals long term, it was an obvious choice to start collecting those numbers even more consistently as a type of ID. But over time, SMS messages, biometric scanners, encrypted apps, and other special functions of smartphones have evolved into forms of authentication as well.

"The bottom line is society needs identifiers," says Jeremy Grant, coordinator of the Better Identity Coalition, an industry collaboration that includes Visa, Bank of America, Aetna, and Symantec. "We just have to make sure that knowledge of an identifier can't be used to somehow take over the authenticator. And a phone number is only an identifier; in most cases, it's public." Think of your usernames and passwords. The former are generally public knowledge; it's how people know who you are. But you keep the latter guarded, because it's how you prove who you are.

The use of phone numbers as both lock and key has led to the rise, in recent years, of so-called SIM swapping attacks, in which an attacker steals your phone number. When you add two-factor authentication to an account and receive your codes through SMS texts, they go to the attacker instead, along with any calls and texts intended for the victim. Sometimes attackers even use inside sources at carriers who will transfer numbers for them.
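As an added example (not from the Wired piece or from Slashdot), a small Python model of the distinction the summary draws: the phone number is only a lookup key, and the authenticator is either an SMS code (delivered to whichever handset the carrier currently maps the number to) or a TOTP secret (RFC 6238, computed locally and never sent over the phone network). The account directory, the carrier routing table and the phone number are constructed sample values.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time step containing Unix time `at`."""
    return hotp(secret, at // step, digits)


# Constructed account directory. The phone number is only the identifier (lookup key);
# the TOTP secret is the authenticator, shared only with the user's authenticator app.
ACCOUNTS = {"+15555550100": {"totp_secret": b"12345678901234567890"}}

# Constructed carrier model: a number delivers to whichever handset the carrier currently
# maps it to. A number transfer (what a SIM swap is) changes this mapping, and nothing on
# the account side can tell.
CARRIER_ROUTING = {"+15555550100": "victim-handset"}
INBOX: dict = {}        # handset -> delivered SMS codes
PENDING_SMS: dict = {}  # phone -> outstanding one-time code


def issue_sms_code(phone: str) -> str:
    """SMS factor: generate a code and deliver it to the handset holding the number."""
    code = "{:06d}".format(secrets.randbelow(10 ** 6))
    PENDING_SMS[phone] = code
    handset = CARRIER_ROUTING[phone]
    INBOX.setdefault(handset, []).append(code)
    return handset  # where the code actually went


def verify_sms(phone: str, code: str) -> bool:
    """Accepts whoever received the SMS: possession of the number is the whole proof."""
    expected = PENDING_SMS.pop(phone, None)  # one-time use
    return expected is not None and hmac.compare_digest(expected, code)


def verify_totp(phone: str, code: str, at: int, window: int = 1) -> bool:
    """Accepts only a code derived from the secret; knowing the number alone gives nothing.

    `window` tolerates +/- one 30-second step of clock drift between server and app."""
    acct = ACCOUNTS.get(phone)
    if acct is None:
        return False
    return any(hmac.compare_digest(totp(acct["totp_secret"], at + drift * 30), code)
               for drift in range(-window, window + 1))
```

The HOTP/TOTP functions reproduce the RFC 4226 and RFC 6238 test vectors for the secret `12345678901234567890`, so the model can be checked against published values.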


  1. Mobile phone numbers are craved by QuietLagoon · · Score: 5, Insightful

    For some reason, many of the vendors all but insist I provide them my mobile phone number. I always refuse because I know that once I give out the phone number, my phone will start ringing with telemarketing calls. The vendors say they want the mobile phone number for back-up identification purposes, but I just do not believe them.

    1. Re:Mobile phone numbers are craved by l0n3s0m3phr34k · · Score: 4, Informative

      It probably is uniquely American. In the past few months, everyone on my team at work has seen a MASSIVE uptick in fake calls, with faked Caller ID numbers. We are getting at least, between us, 2-3 a day. My assumption is that due to the roll-back of Net Neutrality, many of the scammers now realize there is very little the FCC will do about all of this, so have opened the floodgates.
      Most disturbing is that many of these calls are coming from areas in / near Washington DC, West Virginia, etc. We do have a decent-sized government contract, so it would seem whoever is selling this info KNOWS this and is trying to use these prefixes to get us to answer.

    2. Re:Mobile phone numbers are craved by ShanghaiBill · · Score: 4, Informative

      I receive telemarketing and scam calls almost every day. None of them seem to be related to anything I have ever bought or any company that I do business with. They appear to be untargeted and random.

    3. Re: Mobile phone numbers are craved by Anonymous Coward · · Score: 2, Insightful

      Net neutrality.

      What can't we blame on it?

  2. SSN was never meant to be used as ID either by Vermonter · · Score: 5, Insightful

    And that's caused all kinds of problems with identity theft in recent years. I'm not surprised we are making the same stupid mistake with phone numbers.

    1. Re:SSN was never meant to be used as ID either by b0s0z0ku · · Score: 2

      Solution -- minimize the requirement for identification. Allow anonymity in as many situations as possible. Free services like GMail do not need to know our identities, though it should be optional for things like password recovery.

  3. Wait, what? by drinkypoo · · Score: 3, Insightful

    But the United States doesn't offer any type of universal ID,

    Yes, it does, and it's called a passport. Each passport has a unique "book number". The US also issues "passport cards" to passport holders. This is a federally-issued, unique identification card which is considered valid ID.

    We also now have Real ID, which is a federal standard for acceptable identification. Real ID-qualified identification cards by definition involve linked databases.

    Arguably, however, what is needed online is a uniquely-issued cryptographic signature, which is passphrase-protected. This could actually be used to secure online communications. It could be given out by post offices, which seems logical since they are the place where most people go to process their passport application and because the post office is about communication.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:Wait, what? by drinkypoo · · Score: 3, Interesting

      Each passport has a unique "book number". The US also issues "passport cards" to passport holders. This is a federally-issued, unique identification card which is considered valid ID.

      How is this any different from a Social Security card, which is also a federally-issued, unique identification card? How does issuing everyone a passport solve any problem?

      I don't know that it fully solves any problem, but I took exception to the false claim that there is not a federal ID besides the social security card. It's harder to falsely get your hands on a passport than a social security card, though neither is impossible since there's always good old theft. However, social security cards don't have a photograph on them.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Wait, what? by cellocgw · · Score: 4, Interesting

      How is this any different from a Social Security card, which is also a federally-issued, unique identification card? How does issuing everyone a passport solve any problem?

      Dunno how to break it to you youngsters, but my SSN is being **used** as a unique ID, but in fact it is not a traceable identification number. Like everyone born in the antediluvian epoch (more or less pre-Reagan), I walked into a federal office one day and asked for a SSN. They asked my name, typed up a card, and there I was. Basically same procedure as happens now if you want to pull an EIN for a trust.
      Just like phone numbers, SSNs are being misused for something they were not intended.

      --
      https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
    3. Re:Wait, what? by thegarbz · · Score: 4, Interesting

      Why not adopt a points based system like in other countries? Bring enough uniquely identifiable information to the table to qualify for whatever important thing you are doing. Passport, driver's license or other government issued photo ID = 50 points; birth certificate or other government official issued document without photo ID = 40 points; credit card or financial documents = 20 points; addressed letter from a recognised institution = 10 points.

      Need to open a bank account, take out a home loan, or apply for a visa? Pony up 100 points. Need to buy a phone? Pony up 40, etc.

      That solves the whole problem of having to force people to obtain a specific form of ID, it also solves the problem of a single unique document covering everything.

    4. Re:Wait, what? by houghi · · Score: 2

      In Belgium we have something that we can use to identify ourselves online. https://eid.belgium.be/en

      First: In Belgium everybody older than 12 has to have an ID. If this is a good idea or not is not part of this discussion.

      On each card there is a chip that can be read by a cheap reader, if you want and with Open Source Software. This can then be used to easily identify yourself both online and in e.g. a store, a hospital, or any other moment you need to.

      A cheap cardreader of 10 EUR is enough. Most people will have one at home to fill out their taxes. Filling out my taxes that way takes about 2 minutes, as I have nothing to declare and everything is already filled out.

      If your card is lost, you phone a number and the card will be invalidated.

      e.g. If you rent out an apartment, you will probably not have the ability to do all this automatically.
      So you read the details with a 10 EUR cardreader that you will already own for your taxes and go to https://www.checkdoc.be/CheckD... to verify if the ID is valid.

      Yes, there are downsides to this system. One of them is that if you use them for e.g. age verification to buy cigarettes, they can potentially read the address and start spamming, as there is no restriction on what they can read. However, we do have GDPR.

      However, I must say that it is not used enough. Not even as an option. I would LOVE it if e.g. my provider would have it as an option to verify that it is me, or (especially) my telecom operator.

      OTOH if I need to change anything with my Telco, I just go to the store, they read the card and I am identified.

      Yes, fraud is always possible. Perhaps people do not trust the code. Well, it IS OSS, so please, I beg you, find issues with it and tell the people who maintain the code. The more issues are found, the safer it will get, as they can then be resolved.

      --
      Don't fight for your country, if your country does not fight for you.
  4. Drawing in people with free services by Okian+Warrior · · Score: 3, Interesting

    A personal anecdote: I have a GMail account I use at home, everything works well enough (despite the awful interface).

    I sometimes want to use it at the local hackerspace, I try to log in, and after I enter my password it tells me "we don't recognize this computer, give us your phone number and we'll send you an SMS message to continue"(*).

    I absolutely do not want to give Google my phone number, but there's no way around this.

    My account is not compromised, I've got a respectable password, and this didn't used to be a requirement.

    Basically, they've lured everyone in with a free service, and now they're drawing in other personal information in order to continue to use it. I fear that one day they will simply decide to require a phone number from my home computer, and then I'll be fucked because I will have to give it to them or else lose all functionality of GMail.

    It sucks. They don't tell you how to get around it, they only give explanations of "this is for *your* security!".

    Giving google my phone number doesn't increase security, but they've drawn everyone in with the free service.

    (*) Also, I have no idea how they "recognize" my home computer, since I regularly delete cookies from my system and re-login. Perhaps the "delete cookies" feature doesn't do what they say it does.

    1. Re:Drawing in people with free services by rudy_wayne · · Score: 2

      Use POP/IMAP instead when out and about.

      I've had a GMail account since the old days when you had to have an "invitation" to get one.

      Whether I'm at home or away, I *ALWAYS* use POP/IMAP and a real e-mail client.

      There simply is no reason to use Google's retarded, constantly subject-to-change-on-a-whim, web interface.

    2. Re:Drawing in people with free services by Scarletdown · · Score: 2

      Thunderbird is one viable solution to GMail's annoying interface.

      --
      This space unintentionally left blank.
    3. Re:Drawing in people with free services by tepples · · Score: 2

      VPN doesn't give you a street address or bank account in the appropriate country.

  5. At least you can change it by spyfrog · · Score: 3, Insightful

    Well, at least you can easily change your phone number if you need to - like after an identity theft. Good luck with that if you happen to live where I live, where the most commonly used identification number is our equivalent of the American social security number. A number that is more or less impossible to change and that is considered public information by the government.

  6. TOTP needs SMS, U2F, or Android/iPhone/iPad first by tepples · · Score: 4, Informative

    Setting up Google Authenticator or another TOTP app requires first setting up either SMS, U2F, or Google Search prompts, and printing backup codes. From "Install Google Authenticator":

    To use Google Authenticator on your Android device, you'll need:
    [...]
    2-Step Verification turned on

    The phrase "2-Step Verification turned on" links to "Turn on 2-Step Verification", which implies that you'll need to have one of these:

    A. A mobile phone to receive SMS.
    B. A USB security key implementing FIDO U2F and a desktop or laptop computer running a compatible version of the Google Chrome browser. I haven't tested whether Chromium from a GNU/Linux distribution works as well or whether U2F is one of the proprietary extras included only in Google Chrome. In addition, the U2F key has to have been manufactured in batches of at least 100,000.
    C. A phone or tablet with the Gmail or Google Search app installed (which works only on iOS or Android with Google Play, not AOSP alone or Windows Phone). This was introduced fairly recently, and I began using 2FA on Google once it was introduced.

    You'll also need to own a second phone as a backup or a printer to receive backup codes.

  7. false correlation by lkcl · · Score: 3

    "But you keep the latter guarded, because it's how you prove who you are."

    nooOoo: when you type in a password, it authenticates the *username*. it does *not* authenticate the *user*.

  8. Re:super-fail by tepples · · Score: 2

    If you can have only one computer running at once, use the U2F key + printed backup codes method. Then plug the key into the USB port of whatever PC you use with your Google Account.

  9. Re:They were EXACTLY meant as ID! by Anonymous Coward · · Score: 2, Interesting

    You must be a millennial; phone numbers were never uniquely tied to individual people. Early on, phone numbers weren't necessarily even tied to a single residence, or have you never heard of a party line?

    A phone number is just like a snail mail or email address, it doesn't guarantee that there's only one person attached to that number and it doesn't guarantee that one person doesn't have multiple numbers. Which is terrible as a means of identification. And that's before you even start to think about spoofing and unauthorized access to the number.

    When you place a call, send a letter or email, you're just directing the message to a particular place, there may be one person there or you may have to have that person direct you to the intended recipient.

  10. Use your ringtones, Luke. by fyngyrz · · Score: 2

    I happily give them my phone number. I just don't answer my phone except for whitelisted numbers that have a non-mute ringtone. Solves all manner of problems. A mute ringtone is one that makes zero noise, and that's the default on my phone.

    The day of unplanned voice telephone comms from random callers is past for me. You want me, then email me, or text me. We can arrange a phone call if need be; but cold calls? No. Not happening. Telemarketers and various other forms of similar lowlife have shit that bed beyond all recovery.

    I don't pay any attention to voice messaging, either. The idea of someone trying to leave me a voice message fills me with glee... they just spent some fraction of their life for nothing.

    They may wreck texting eventually as well. But perhaps not. The same filtering that works (and very well, too) with email could work with texting. Whitelists, smart filtering... bring it on, I say.

    --
    I've fallen off your lawn, and I can't get up.
  11. Americans don't WANT any kind of "Universal ID" by Jane+Q.+Public · · Score: 2

    Man, young people these days are so ignorant of history. It's really pretty concerning to those who aren't.

    There is a REASON people don't want a "universal ID". And it has to do with something called "1984".

    But it's not limited to 1984. Our parents (if you're older) and grandparents, and great-grandparents fought tooth and nail against any kind of Federal ID.

    It's actually kind of common to think that people in the past were less sophisticated than you are, and therefore not quite as bright. In simpler terms, many people seem to fall into the trap of thinking of people generations ago as not merely ignorant (compared to today's knowledge), but actually stupid.

    That's a mistaken viewpoint.

    There is a reason Social Security was never allowed to pass, unless it was promised that the Social Security number would NEVER be a "federal ID".

    And the promise was made, and Social Security passed.

    And years later, the government made SSN a valid ID for national credit companies. In other words: betrayal of their promise.

    Better wake up, people. 1984 is looking you in the face. Right now. If you don't see those encroachments coming down on you, in the name of "convenience", you're just naive.