Why Phone Numbers Stink As Identity Proof

EricG · 29 Mar 2019, 12:59 PM

Kreb's site is one of the best on security. This article explains how hijacking your phone number lets hackers break into accounts. Billions is stolen with this, often cryptocurrency.

Quote:

How exactly did we get to the point where a single, semi-public and occasionally transient data point like a phone number can unlock access to such a large part of our online experience? KrebsOnSecurity spoke about this at length with Allison Nixon, director of security research at New York City-based cyber intelligence firm Flashpoint.

Nixon said much of her perspective on mobile identity is colored by the lens of her work, which has her identifying some of the biggest criminals involved in hijacking phone numbers via SIM swapping attacks. Illegal SIM swaps allow fraudsters to hijack a target’s phone’s number and use it to steal financial data, passwords, cryptocurrencies and other items of value from victims.

Nixon said countless companies have essentially built their customer authentication around the phone number, and that a great many sites still let users reset their passwords with nothing more than a one-time code texted to a phone number on the account. In this attack, the fraudster doesn’t need to know the victim’s password to hijack the account: He just needs to have access to the target’s mobile phone number.

“As a consumer, I’m forced to use my phone number as an identity document, because sometimes that’s the only way to do business with a site online,” Nixon said. “But from that site’s side, when they see a password reset come in via that phone number, they have no way to know if that’s me. And there’s nothing anyone can do to stop it except to stop using phone numbers as identity documents.”

TenFour · 29 Mar 2019, 06:49 PM

I've always thought this was true about phone numbers--commonsense. But, unfortunately many sites only let you use a phone number for 2FA or for recovery purposes. The good news is that unless you are specifically being targeted, your phone number is not likely to be randomly hacked at the same moment your online life is being hacked, unlike weak password-only protected sites. I've wondered if there could be some sort of service created that would provide you with a virtual phone number that could be used for authentication/recovery purposes only, but it was actually controlled by some super-secure company that then alerted you via a secure messaging app that such-and-such account sent such-and-such a code. This would also allow you to get codes if your personal phone number changed or was out of service for some reason. However, the longterm solution is to use some other means of authentication. Wherever possible I use an authenticator app and backup email addresses, and not a phone number.

TenFour · 12 Apr 2019, 08:04 PM

At least some service providers let you "lock" your SIM by setting a code or password that must be given in order to swap the SIM to another device. Here is what T Mobile says about it: https://www.t-mobile.com/responsibil...y/sim-security

Another option is to use a virtual phone number from providers like Google Voice. Then never give out the real phone number. The virtual number doesn't utilize a SIM.

Steven Avery · 15 Apr 2019, 10:33 AM

I've tried using my Talkatone number. (Generally a good service.) About half the time the number is not accepted because it is sensed on the other end as a VOIP number, rather than a real cell. I doubt if Google Voice is any different.

Good information. Thanks.

communicant · 11 May 2019, 11:06 PM

When I created a rediffmail address for a family member some years ago, I used a disposable as the alternate email address out of necessity. Now an intercept page pesters for an update and a mobile number, although one can still click "ignore and go to inbox." As the disposable of course is long-defunct and the family member now has a usable alternative address (which wasn't the case long ago), it seemed sensible to change the disposable to a functional address, but rediffmail will not permit this unless one also provides a mobile number. It's both or nothing. Why do some providers fixate on this? It has been pointed out in this forum that a number is essentially useless insofar as increasing email security is concerned.

In any case, some people prefer to keep their mobile numbers private. Some years ago, there was a thread here about providing a mobile number when creating an email account. As always, some posters thought that those who did not want to provide a number were unreasonable or illogical. One of them asked:
____________________
Do you value your cell number more than your e-mails?
If you don't trust them with your cell number, why trust them with your e-mails?
____________________

I searched for this old exchange in hopes of providing just a link to it here but could not find it, so I'll quote my reply, which I feel is still relevant, and which also applies to my family member's reluctance to provide a mobile number to rediffmail after all these years. It is much more complicated than a matter of "trust" regarding the mobile number.

________________________________________

In my view, it is not that simple at all, because there are many different levels of value and of (semi)-privacy that each individual tends to place on the use and contents of any given email account.

I grant in advance that nobody has real or absolute privacy on the Internet, especially against a determined hacker or an official agency, so that's not what I mean. I'm talking about generalized comfort levels. Just as one tends to adjust the level of specific or "real" information that one willingly reveals in different places on line, the same thing is true of different email accounts. The same thing can definitely *not* be said, however, about a mobile phone number, because the information it inherently reveals is greater by many orders of magnitude.

It seems to me that asking "Do you value your cell number more than your e-mails? If you don't trust them with your cell number, why trust them with your e-mails?" sets up an erroneous equivalence. Someone might "trust" Yahoo (or any other provider) with casual emails, but not necessarily with a full name, home address, work address, financial information, and so on. Giving a mobile number surrenders all of that information for most people, since we usually receive our mobile telephone bills at our homes or offices and pay them with credit cards or from bank accounts. In European countries, even people who use prepaid phones must provide real information that they wouldn't necessarily want Yahoo or any provider and all of its "partners" to have. Why should Yahoo et al. have all the demographic and personal information available from such a source, which nowadays also means buying habits, political affiliations, sexual interests, income level, type of neighborhood where one lives, the value of one's house and often even a picture of it, the names of one's neighbors, and a great deal more.

And please, I hope nobody replies by observing that we already have no privacy or anonymity anyway, or by citing the old canard to the effect that "Why would you care if you have nothing to hide?"

Everything is relative. It is true that we have already surrendered a frightening amount of privacy both online and elsewhere, and that very little about our lives can realistically be kept truly private these days, but that doesn't mean we should feel comfortable about it, or that we should willingly give away personal information just because somebody asks for it. If that were the case and doing so conferred any real benefit, then every member of EMD would use a real name and put a home address in the "location" field, but we don't do that, nor would we appreciate being told that providing it was conditional for joining the forum, even if the information were not publicly displayed. That doesn't mean we don't trust Edwin or that we have something to hide, only that we value a commonsensical degree of semi-privacy and would feel uncomfortable surrendering it.

Most of us use different email accounts for different purposes. We reserve one or more accounts for very personal communication and use others for more general and casual use, no matter how innocent that may be. The same thing applies to the amount of information we feel comfortable providing when we open and maintain those accounts.

Email accounts are simply not equivalent to mobile phone numbers in terms of privacy, not even close. Mobile phone numbers are much more closely tied to the most intimate details of someone's "real" life, and they provide an easy portal in that direction. That is why many users will never give out a mobile number to Google or Yahoo or any other provider, as a matter of principle. What might be gained in what is mostly an illusion of "security" is more than lost in a needless surrender of a sort of privacy that is still very real.

In my view, that is the appropriate equation in terms of calculating matters like "value" and "trust" in this particular context.

________________________________________

TenFour · 11 May 2019, 11:17 PM

There are numerous ways to protect a phone number you wish to keep as private as possible. One easy one is to use Google Voice as your primary number that you give out to most people and businesses, keeping the actual phone number tied to your phone private. SMS security codes don't always work when sent to Google Voice so that won't work in every situation. Another option is to get a second line on an existing account. You can purchase another number on T Mobile for $10 extra a month, allowing you to keep one number private. You can also lock down your SIM with a special code that is required to do the SIM swap thing. Some people purchase a cheap prepaid phone with limited service that they mainly use as an emergency phone, and to receive security codes for those services that require them. Leave it in your car most of the time as an emergency phone, but use that number to give out to businesses. With cell phones it is easy to set them up to only ring for those you want to hear from and let every other call go to voicemail--the important ones will leave a message and the scammers will give up. Or, the simplest of all, use a different email service, or other service, that doesn't require a phone number to sign up.

elvey · 19 May 2019, 01:51 AM

Apropos giving out Google voice numbers to companies to receive messages such as 2FA: I used to find that this was often not successful but for the last year or so I’ve been having no trouble- has worked every time.

29 Mar 2019, 06:49 PM	#2
TenFour Master of the @ Join Date: Feb 2017 Location: USA Posts: 1,722	I've always thought this was true about phone numbers--commonsense. But, unfortunately many sites only let you use a phone number for 2FA or for recovery purposes. The good news is that unless you are specifically being targeted, your phone number is not likely to be randomly hacked at the same moment your online life is being hacked, unlike weak password-only protected sites. I've wondered if there could be some sort of service created that would provide you with a virtual phone number that could be used for authentication/recovery purposes only, but it was actually controlled by some super-secure company that then alerted you via a secure messaging app that such-and-such account sent such-and-such a code. This would also allow you to get codes if your personal phone number changed or was out of service for some reason. However, the longterm solution is to use some other means of authentication. Wherever possible I use an authenticator app and backup email addresses, and not a phone number.

12 Apr 2019, 08:04 PM	#3
TenFour Master of the @ Join Date: Feb 2017 Location: USA Posts: 1,722	At least some service providers let you "lock" your SIM by setting a code or password that must be given in order to swap the SIM to another device. Here is what T Mobile says about it: https://www.t-mobile.com/responsibil...y/sim-security Another option is to use a virtual phone number from providers like Google Voice. Then never give out the real phone number. The virtual number doesn't utilize a SIM.

15 Apr 2019, 10:33 AM	#4
Steven Avery Member Join Date: Jul 2012 Posts: 48	I've tried using my Talkatone number. (Generally a good service.) About half the time the number is not accepted because it is sensed on the other end as a VOIP number, rather than a real cell. I doubt if Google Voice is any different. Good information. Thanks.

11 May 2019, 11:06 PM	#5
communicant Cornerstone of the Community Join Date: Jul 2009 Posts: 879	When I created a rediffmail address for a family member some years ago, I used a disposable as the alternate email address out of necessity. Now an intercept page pesters for an update and a mobile number, although one can still click "ignore and go to inbox." As the disposable of course is long-defunct and the family member now has a usable alternative address (which wasn't the case long ago), it seemed sensible to change the disposable to a functional address, but rediffmail will not permit this unless one also provides a mobile number. It's both or nothing. Why do some providers fixate on this? It has been pointed out in this forum that a number is essentially useless insofar as increasing email security is concerned. In any case, some people prefer to keep their mobile numbers private. Some years ago, there was a thread here about providing a mobile number when creating an email account. As always, some posters thought that those who did not want to provide a number were unreasonable or illogical. One of them asked: ____________________ Do you value your cell number more than your e-mails? If you don't trust them with your cell number, why trust them with your e-mails? ____________________ I searched for this old exchange in hopes of providing just a link to it here but could not find it, so I'll quote my reply, which I feel is still relevant, and which also applies to my family member's reluctance to provide a mobile number to rediffmail after all these years. It is much more complicated than a matter of "trust" regarding the mobile number. ________________________________________ In my view, it is not that simple at all, because there are many different levels of value and of (semi)-privacy that each individual tends to place on the use and contents of any given email account. I grant in advance that nobody has real or absolute privacy on the Internet, especially against a determined hacker or an official agency, so that's not what I mean. I'm talking about generalized comfort levels. Just as one tends to adjust the level of specific or "real" information that one willingly reveals in different places on line, the same thing is true of different email accounts. The same thing can definitely not be said, however, about a mobile phone number, because the information it inherently reveals is greater by many orders of magnitude. It seems to me that asking "Do you value your cell number more than your e-mails? If you don't trust them with your cell number, why trust them with your e-mails?" sets up an erroneous equivalence. Someone might "trust" Yahoo (or any other provider) with casual emails, but not necessarily with a full name, home address, work address, financial information, and so on. Giving a mobile number surrenders all of that information for most people, since we usually receive our mobile telephone bills at our homes or offices and pay them with credit cards or from bank accounts. In European countries, even people who use prepaid phones must provide real information that they wouldn't necessarily want Yahoo or any provider and all of its "partners" to have. Why should Yahoo et al. have all the demographic and personal information available from such a source, which nowadays also means buying habits, political affiliations, sexual interests, income level, type of neighborhood where one lives, the value of one's house and often even a picture of it, the names of one's neighbors, and a great deal more. And please, I hope nobody replies by observing that we already have no privacy or anonymity anyway, or by citing the old canard to the effect that "Why would you care if you have nothing to hide?" Everything is relative. It is true that we have already surrendered a frightening amount of privacy both online and elsewhere, and that very little about our lives can realistically be kept truly private these days, but that doesn't mean we should feel comfortable about it, or that we should willingly give away personal information just because somebody asks for it. If that were the case and doing so conferred any real benefit, then every member of EMD would use a real name and put a home address in the "location" field, but we don't do that, nor would we appreciate being told that providing it was conditional for joining the forum, even if the information were not publicly displayed. That doesn't mean we don't trust Edwin or that we have something to hide, only that we value a commonsensical degree of semi-privacy and would feel uncomfortable surrendering it. Most of us use different email accounts for different purposes. We reserve one or more accounts for very personal communication and use others for more general and casual use, no matter how innocent that may be. The same thing applies to the amount of information we feel comfortable providing when we open and maintain those accounts. Email accounts are simply not equivalent to mobile phone numbers in terms of privacy, not even close. Mobile phone numbers are much more closely tied to the most intimate details of someone's "real" life, and they provide an easy portal in that direction. That is why many users will never give out a mobile number to Google or Yahoo or any other provider, as a matter of principle. What might be gained in what is mostly an illusion of "security" is more than lost in a needless surrender of a sort of privacy that is still very real. In my view, that is the appropriate equation in terms of calculating matters like "value" and "trust" in this particular context. ________________________________________

11 May 2019, 11:17 PM	#6
TenFour Master of the @ Join Date: Feb 2017 Location: USA Posts: 1,722	There are numerous ways to protect a phone number you wish to keep as private as possible. One easy one is to use Google Voice as your primary number that you give out to most people and businesses, keeping the actual phone number tied to your phone private. SMS security codes don't always work when sent to Google Voice so that won't work in every situation. Another option is to get a second line on an existing account. You can purchase another number on T Mobile for $10 extra a month, allowing you to keep one number private. You can also lock down your SIM with a special code that is required to do the SIM swap thing. Some people purchase a cheap prepaid phone with limited service that they mainly use as an emergency phone, and to receive security codes for those services that require them. Leave it in your car most of the time as an emergency phone, but use that number to give out to businesses. With cell phones it is easy to set them up to only ring for those you want to hear from and let every other call go to voicemail--the important ones will leave a message and the scammers will give up. Or, the simplest of all, use a different email service, or other service, that doesn't require a phone number to sign up.

19 May 2019, 01:51 AM	#7
elvey The "e" in e-mail Join Date: Jan 2002 Location: San Francisco Posts: 2,458	Apropos giving out Google voice numbers to companies to receive messages such as 2FA: I used to find that this was often not successful but for the last year or so I’ve been having no trouble- has worked every time.