29 Mar 2019, 12:59 PM   #1
Why Phone Numbers Stink As Identity Proof

Krebs's site is one of the best on security. This article explains how hijacking your phone number lets hackers break into accounts. Billions are stolen with this, often cryptocurrency.

How exactly did we get to the point where a single, semi-public and occasionally transient data point like a phone number can unlock access to such a large part of our online experience? KrebsOnSecurity spoke about this at length with Allison Nixon, director of security research at New York City-based cyber intelligence firm Flashpoint.

Nixon said much of her perspective on mobile identity is colored by the lens of her work, which has her identifying some of the biggest criminals involved in hijacking phone numbers via SIM swapping attacks. Illegal SIM swaps allow fraudsters to hijack a target's phone's number and use it to steal financial data, passwords, cryptocurrencies and other items of value from victims.

Nixon said countless companies have essentially built their customer authentication around the phone number, and that a great many sites still let users reset their passwords with nothing more than a one-time code texted to a phone number on the account. In this attack, the fraudster doesn't need to know the victim's password to hijack the account: He just needs to have access to the target's mobile phone number.

"As a consumer, I'm forced to use my phone number as an identity document, because sometimes that's the only way to do business with a site online," Nixon said. "But from that site's side, when they see a password reset come in via that phone number, they have no way to know if that's me. And there's nothing anyone can do to stop it except to stop using phone numbers as identity documents."
EricG