Go Back > Discussions about Email Services > The Technical Zone...
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read
Stay in touch wirelessly

The Technical Zone... The Geeky forum... Use this forum to discuss technical aspects of email, from authentication protocols to encryption.

Thread Tools
Old 29 Mar 2019, 12:59 PM   #1
Essential Contributor
Join Date: Aug 2009
Location: Canada
Posts: 252
Why Phone Numbers Stink As Identity Proof

Kreb's site is one of the best on security. This article explains how hijacking your phone number lets hackers break into accounts. Billions is stolen with this, often cryptocurrency.

How exactly did we get to the point where a single, semi-public and occasionally transient data point like a phone number can unlock access to such a large part of our online experience? KrebsOnSecurity spoke about this at length with Allison Nixon, director of security research at New York City-based cyber intelligence firm Flashpoint.

Nixon said much of her perspective on mobile identity is colored by the lens of her work, which has her identifying some of the biggest criminals involved in hijacking phone numbers via SIM swapping attacks. Illegal SIM swaps allow fraudsters to hijack a targetís phoneís number and use it to steal financial data, passwords, cryptocurrencies and other items of value from victims.

Nixon said countless companies have essentially built their customer authentication around the phone number, and that a great many sites still let users reset their passwords with nothing more than a one-time code texted to a phone number on the account. In this attack, the fraudster doesnít need to know the victimís password to hijack the account: He just needs to have access to the targetís mobile phone number.

ďAs a consumer, Iím forced to use my phone number as an identity document, because sometimes thatís the only way to do business with a site online,Ē Nixon said. ďBut from that siteís side, when they see a password reset come in via that phone number, they have no way to know if thatís me. And thereís nothing anyone can do to stop it except to stop using phone numbers as identity documents.Ē
EricG is offline   Reply With Quote

Old 29 Mar 2019, 06:49 PM   #2
Cornerstone of the Community
Join Date: Feb 2017
Posts: 740
I've always thought this was true about phone numbers--commonsense. But, unfortunately many sites only let you use a phone number for 2FA or for recovery purposes. The good news is that unless you are specifically being targeted, your phone number is not likely to be randomly hacked at the same moment your online life is being hacked, unlike weak password-only protected sites. I've wondered if there could be some sort of service created that would provide you with a virtual phone number that could be used for authentication/recovery purposes only, but it was actually controlled by some super-secure company that then alerted you via a secure messaging app that such-and-such account sent such-and-such a code. This would also allow you to get codes if your personal phone number changed or was out of service for some reason. However, the longterm solution is to use some other means of authentication. Wherever possible I use an authenticator app and backup email addresses, and not a phone number.
TenFour is offline   Reply With Quote
Old 12 Apr 2019, 08:04 PM   #3
Cornerstone of the Community
Join Date: Feb 2017
Posts: 740
At least some service providers let you "lock" your SIM by setting a code or password that must be given in order to swap the SIM to another device. Here is what T Mobile says about it:

Another option is to use a virtual phone number from providers like Google Voice. Then never give out the real phone number. The virtual number doesn't utilize a SIM.
TenFour is offline   Reply With Quote
Old 15 Apr 2019, 10:33 AM   #4
Steven Avery
Join Date: Jul 2012
Posts: 46
I've tried using my Talkatone number. (Generally a good service.) About half the time the number is not accepted because it is sensed on the other end as a VOIP number, rather than a real cell. I doubt if Google Voice is any different.

Good information. Thanks.
Steven Avery is offline   Reply With Quote
Old 11 May 2019, 11:06 PM   #5
Cornerstone of the Community
Join Date: Jul 2009
Posts: 876
When I created a rediffmail address for a family member some years ago, I used a disposable as the alternate email address out of necessity. Now an intercept page pesters for an update and a mobile number, although one can still click "ignore and go to inbox." As the disposable of course is long-defunct and the family member now has a usable alternative address (which wasn't the case long ago), it seemed sensible to change the disposable to a functional address, but rediffmail will not permit this unless one also provides a mobile number. It's both or nothing. Why do some providers fixate on this? It has been pointed out in this forum that a number is essentially useless insofar as increasing email security is concerned.

In any case, some people prefer to keep their mobile numbers private. Some years ago, there was a thread here about providing a mobile number when creating an email account. As always, some posters thought that those who did not want to provide a number were unreasonable or illogical. One of them asked:
Do you value your cell number more than your e-mails?
If you don't trust them with your cell number, why trust them with your e-mails?

I searched for this old exchange in hopes of providing just a link to it here but could not find it, so I'll quote my reply, which I feel is still relevant, and which also applies to my family member's reluctance to provide a mobile number to rediffmail after all these years. It is much more complicated than a matter of "trust" regarding the mobile number.


In my view, it is not that simple at all, because there are many different levels of value and of (semi)-privacy that each individual tends to place on the use and contents of any given email account.

I grant in advance that nobody has real or absolute privacy on the Internet, especially against a determined hacker or an official agency, so that's not what I mean. I'm talking about generalized comfort levels. Just as one tends to adjust the level of specific or "real" information that one willingly reveals in different places on line, the same thing is true of different email accounts. The same thing can definitely *not* be said, however, about a mobile phone number, because the information it inherently reveals is greater by many orders of magnitude.

It seems to me that asking "Do you value your cell number more than your e-mails? If you don't trust them with your cell number, why trust them with your e-mails?" sets up an erroneous equivalence. Someone might "trust" Yahoo (or any other provider) with casual emails, but not necessarily with a full name, home address, work address, financial information, and so on. Giving a mobile number surrenders all of that information for most people, since we usually receive our mobile telephone bills at our homes or offices and pay them with credit cards or from bank accounts. In European countries, even people who use prepaid phones must provide real information that they wouldn't necessarily want Yahoo or any provider and all of its "partners" to have. Why should Yahoo et al. have all the demographic and personal information available from such a source, which nowadays also means buying habits, political affiliations, sexual interests, income level, type of neighborhood where one lives, the value of one's house and often even a picture of it, the names of one's neighbors, and a great deal more.

And please, I hope nobody replies by observing that we already have no privacy or anonymity anyway, or by citing the old canard to the effect that "Why would you care if you have nothing to hide?"

Everything is relative. It is true that we have already surrendered a frightening amount of privacy both online and elsewhere, and that very little about our lives can realistically be kept truly private these days, but that doesn't mean we should feel comfortable about it, or that we should willingly give away personal information just because somebody asks for it. If that were the case and doing so conferred any real benefit, then every member of EMD would use a real name and put a home address in the "location" field, but we don't do that, nor would we appreciate being told that providing it was conditional for joining the forum, even if the information were not publicly displayed. That doesn't mean we don't trust Edwin or that we have something to hide, only that we value a commonsensical degree of semi-privacy and would feel uncomfortable surrendering it.

Most of us use different email accounts for different purposes. We reserve one or more accounts for very personal communication and use others for more general and casual use, no matter how innocent that may be. The same thing applies to the amount of information we feel comfortable providing when we open and maintain those accounts.

Email accounts are simply not equivalent to mobile phone numbers in terms of privacy, not even close. Mobile phone numbers are much more closely tied to the most intimate details of someone's "real" life, and they provide an easy portal in that direction. That is why many users will never give out a mobile number to Google or Yahoo or any other provider, as a matter of principle. What might be gained in what is mostly an illusion of "security" is more than lost in a needless surrender of a sort of privacy that is still very real.

In my view, that is the appropriate equation in terms of calculating matters like "value" and "trust" in this particular context.

communicant is offline   Reply With Quote
Old 11 May 2019, 11:17 PM   #6
Cornerstone of the Community
Join Date: Feb 2017
Posts: 740
There are numerous ways to protect a phone number you wish to keep as private as possible. One easy one is to use Google Voice as your primary number that you give out to most people and businesses, keeping the actual phone number tied to your phone private. SMS security codes don't always work when sent to Google Voice so that won't work in every situation. Another option is to get a second line on an existing account. You can purchase another number on T Mobile for $10 extra a month, allowing you to keep one number private. You can also lock down your SIM with a special code that is required to do the SIM swap thing. Some people purchase a cheap prepaid phone with limited service that they mainly use as an emergency phone, and to receive security codes for those services that require them. Leave it in your car most of the time as an emergency phone, but use that number to give out to businesses. With cell phones it is easy to set them up to only ring for those you want to hear from and let every other call go to voicemail--the important ones will leave a message and the scammers will give up. Or, the simplest of all, use a different email service, or other service, that doesn't require a phone number to sign up.
TenFour is offline   Reply With Quote
Old 19 May 2019, 01:51 AM   #7
The "e" in e-mail
Join Date: Jan 2002
Location: San Francisco
Posts: 2,429
Apropos giving out Google voice numbers to companies to receive messages such as 2FA: I used to find that this was often not successful but for the last year or so Iíve been having no trouble- has worked every time.
elvey is offline   Reply With Quote

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Forum Jump

All times are GMT +9. The time now is 04:38 PM.


Copyright 1998-2013. All Rights Reserved. Privacy Policy