Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security

Phone Numbers Were Never Meant as ID. Now We're All At Risk (wired.com) 185

One key lesson from the recent T-Mobile and several other breaches: our phone numbers, that serve as a means to identity and verify ourselves, are increasingly getting targeted, and the companies are neither showing an appetite to work on an alternative identity management system, nor are they introducing more safeguards to how phone numbers are handled and exchanged. From a report: Identity management experts have warned for years about over-reliance on phone numbers. But the United States doesn't offer any type of universal ID, which means private institutions and even the federal government itself have had to improvise. As cell phones proliferated, and phone numbers became more reliably attached to individuals long term, it was an obvious choice to start collecting those numbers even more consistently as a type of ID. But over time, SMS messages, biometric scanners, encrypted apps, and other special functions of smartphones have evolved into forms of authentication as well.

"The bottom line is society needs identifiers," says Jeremy Grant, coordinator of the Better Identity Coalition, an industry collaboration that includes Visa, Bank of America, Aetna, and Symantec. "We just have to make sure that knowledge of an identifier can't be used to somehow take over the authenticator. And a phone number is only an identifier; in most cases, it's public." Think of your usernames and passwords. The former are generally public knowledge; it's how people know who you are. But you keep the latter guarded, because it's how you prove who you are.

The use of phone numbers as both lock and key has led to the rise, in recent years, of so-called SIM swapping attacks, in which an attacker steals your phone number. When you add two-factor authentication to an account and receive your codes through SMS texts, they go to the attacker instead, along with any calls and texts intended for the victim. Sometimes attackers even use inside sources at carriers who will transfer numbers for them.

This discussion has been archived. No new comments can be posted.

Phone Numbers Were Never Meant as ID. Now We're All At Risk

Comments Filter:
  • by QuietLagoon ( 813062 ) on Sunday August 26, 2018 @11:05AM (#57197430)
    For some reason, many of the vendors all but insist I provide them my mobile phone number. I always refuse because I know that once I give out the phone number, my phone will start ringing with telemarketing calls. They vendors say they want the mobile phone number for back-up identification purposes, but I just do not believe them.
    • by Anonymous Coward

      It's even more difficult when you don't have a phone. I typically avoid services that require a phone number, but some sites get 555-5555.

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      I refuse to use my phone as an ID for the same reason. If you give any web site your phone number, chances are that it will be sold to telemarketers. They can say that by giving them your number (and because you have a business relationship with them) that its ok for them to give or sell your number to their business partners. We really need telemarketing to be outlawed. This should include political calls and calls from organizations or individuals asking for money. I also feel that the only way for s

      • I don't even care anymore. I never did contracts on my phones and always did prepaid. If I have a problem, I stop paying and get a new SIM card the next day with a new phone number.

        If marketers want to rely on phone numbers as accurate information, they're in for a shock.

        Thanks to phone companies making callerid completely useless and something we had/have to pay for (are we still being charged for this crap service????), who cares?

      • I happily give them my phone number. I just don't answer my phone except for whitelisted numbers that have a non-mute ringtone. Solves all manner of problems. A mute ringtone is one that makes zero noise, and that's the default on my phone.

        The day of unplanned voice telephone comms from random callers is past for me. You want me, then email me, or text me. We can arrange a phone call if need be; but cold calls? No. Not happening. Telemarketers and various other forms of similar lowlife have shit that bed be

        • by Agripa ( 139780 )

          I happily give them my phone number. I just don't answer my phone except for whitelisted numbers that have a non-mute ringtone. Solves all manner of problems. A mute ringtone is one that makes zero noise, and that's the default on my phone.

          The day of unplanned voice telephone comms from random callers is past for me. You want me, then email me, or text me. We can arrange a phone call if need be; but cold calls? No. Not happening. Telemarketers and various other forms of similar lowlife have shit that bed beyond all recovery.

          I don't pay any attention to voice messaging, either. The idea of someone trying leave me a voice message fills me with glee... they just spent some fraction of their life for nothing.

          They may wreck texting eventually as well. But perhaps not. The same filtering that works (and very well, too) with email could work with texting. Whitelists, smart filtering... bring it on, I say.

          I used to have a busy signal for my answering machine message. I wonder if any phones allow a different answer message for white listed and black listed numbers.

      • Unfortunately, we would need a change to the Constitution to ban the political calls. That legal precedent is already established, and it's why political campaigns are allowed to call even if your number is in the Do Not Call registry.
    • I always refuse because I know that once I give out the phone number, my phone will start ringing with telemarketing calls.

      Localised problem? I for one never give a second thought about handing out or typing my phone number in anywhere. Yet I have yet to receive a single telemarketing call that I didn't explicitly solicity ("enter your number and we will call you" from)

      Is this uniquely American? I know probably not unique, in Australia I got the occasional telemarketing call but they were mostly from the telecom company, and it's not like I can hide my number from them.

      • by l0n3s0m3phr34k ( 2613107 ) on Sunday August 26, 2018 @02:36PM (#57198428)
        It probably is uniquely American. In the past few months, everyone on my team at work has seen a MASSIVE uptick in fake calls, with faked Caller ID numbers. We are getting at least, between us, 2-3 a day. My assumption is that due to the roll-back of Net Neutrality, many of the scammers now realize there is very little the FCC will do about all of this, so have opened the floodgates.
        Most disturbing is that many of these calls are coming from areas in / near Washington DC, West Virginia, etc. We do have a decent-sized government contract, so it would seem whomever is selling this info KNOWS this and is trying to use these prefixes to get us to answer.
        • by Anonymous Coward

          Net neutrality.

          What can't we blame on it?

        • They are likely faking the area code and exchange. I live in Texas with a central Illinois phone number. I get calls all the time from people who admit they're in Florida or overseas, but from exchanges in central Illinois. VOIP services make this relatively simple to do. Heck, I have a VOIP number I could call from in Missouri, but I'm not in Missouri and have no physical phone there.

        • Pretty sure they are just spoofing random cell numbers. I have called some of these numbers back and they go to ordinary people, and I suspect I had one call where my number was being spoofed as a person called me asking who I was and why I called them.
          • Not at all. On my personal cell, the spam calls come from the same area code AND prefix. Sometimes they are only a few of the last four off from my phone number. When three people in the same department are getting spoofed calls from the same area code, statistically that is not random. I could do the same thing with freePBX if I wanted to, especially when placing calls to cell phones. It's trivial to make the outgoing number very similar to the number your calling, or having a correlation script match u
            • That is interesting. I assume the idea is that people will more likely pick up for a number that is from their area.
      • I'm in the UK and get a fair number of scam calls. I've had the same telephone number for 20 years. Not sure about Australia, but in the UK, mobile numbers are allocated with a small number of non-geographical area codes, so if you guess a random number in those area codes there's a very high probability that you'll get a real number. You can also easily find out the blocks allocated to different carriers, so I get a lot of scammers claiming to be from the company that I used when I first had the number
    • by ShanghaiBill ( 739463 ) on Sunday August 26, 2018 @03:10PM (#57198708)

      I receive telemarketing and scam calls almost everyday. None of them seem to be related to anything I have ever bought or any company that I do business with. They appear to be untargeted and random.

    • For some reason, many of the vendors all but insist I provide them my mobile phone number. I always refuse because I know that once I give out the phone number, my phone will start ringing with telemarketing calls. They vendors say they want the mobile phone number for back-up identification purposes, but I just do not believe them.

      They also ask for them places where telemarketing is not a thing. I suspect it is to better corrolate your date so they sell it for more money. Just give them a fake number or a temporary one.

    • For some reason, many of the vendors all but insist I provide them my mobile phone number. I always refuse because I know that once I give out the phone number, my phone will start ringing with telemarketing calls. They vendors say they want the mobile phone number for back-up identification purposes, but I just do not believe them.

      I agree with you and this is exactly why I still have a land line. It seems to really be VOIP from my cable TV provider, but it works exactly as a true land line. Still rings phones plugged into a wall phone jack. I've got Nomorobo (https://www.nomorobo.com/ ) on it, which does an excellent job for free of stopping telemarketers. So now if anybody demands a phone number for any reason, they get the land line. They can send SMS ("texts" to USA people) all day to it and it will do nothing. They can cal

    • I have a land line and a cellphone number. I provide the landline to anyone who asks, but leave the cellphone to myself. I have set up the landline to forward calls to the cellphone

  • by Vermonter ( 2683811 ) on Sunday August 26, 2018 @11:09AM (#57197448)

    And that's caused all kinds of problems with identity theft in recent years. I'm not surprised we are making the same stupid mistake with phone numbers.

    • by Anonymous Coward

      And that's caused all kinds of problems with identity theft in recent years. I'm not surprised we are making the same stupid mistake with phone numbers.

      You're absolutely right. Phone numbers and Social Security numbers were never intended to be used as identification.

      And there's a simple, common sense solution to the problem. A national I.D. system. But every time someone proposes it, all of the tinfoil hat luddites immediately start screeching that it will inevitably lead to 1984-style Big Brother. (see the comment just below as an example)

      • Solution -- minimize the requirement for identification. Allow anonymity in as many situations as possible. Free services like GMail do not need to know our identities, though it should be optional for things like password recovery.
        • Maybe it should be optional to give your phone number, but there should be no expectation that it would work for long. I live in the UK, and, like many others have a work phone, a private phone, and a pay-as-you-go SIM to call overseas - 3p a minute instead of 130p a minute that the large carriers charge. But pay-as-you-go SIMS for international calls operate a deal where it is cheaper to get a new SIM than to top up "sure we make a loss, but we will make it up with volume" (Their CFOs are probably leprecha
      • by MrL0G1C ( 867445 )

        That's as good as a bar code on your wrist. And how would it be any different from SSN? What are you going to do, plug your ID card into a USB slot? The downsides look bigger than the upsides to me.

        I sign in to my bank without an national ID no problem (not just user+pw), the biggest ID problem has been over-reliance on drivers license and passport for people who don't have those. My bank threatened to close my account because I hadn't shown ID AGAIN for the umpteenth fucking time, like I suddenly because s

      • National ID wouldn't solve this problem, it would make things worse. Letting government handle ID has always been a disaster the perpetrates identity theft to a whole new level.

        Meanwhile, I have no problem generating my own keys and handing them out to my employees to identify me and vice versa. If I have a problem like feeling compromised, I simply change my key. Letting government handle that portion would result in massive red tape and difficulties in changing your ID when compromised.

        • National ID wouldn't solve this problem

          This is not supported by evidence. Plenty of countries have a national ID with a unique public identifier, and it works fine. Meanwhile "identity theft" is almost entirely an American problem.

          Only America uses the same number for both identification and authentication, thus requiring it to be both widely known and secret ... and only Americans are oblivious enough to believe this is "normal".

      • You're absolutely right. Phone numbers and Social Security numbers were never intended to be used as identification.

        And there's a simple, common sense solution to the problem. A national I.D. system. But every time someone proposes it, all of the tinfoil hat luddites immediately start screeching that it will inevitably lead to 1984-style Big Brother. (see the comment just below as an example)

        Phone numbers and social security numbers ain't exactly similar. One has to apply for an SSN from the government. Phone numbers - one can change one's numbers anytime one feels like, for something like $15. As a previous poster said, he can change it at will making it completely worthless for ID

        But since SSNs are already required for identification, here is an idea that would work. Modify the SSN card to become a biometric card w/ photos, SSN and any biometric information that's needed, as well as one

  • by Anonymous Coward

    hey, anything symantec is pushing makes me want to take my chances with my phone number! any coalition with visa, boa, and symantec scares me

  • Wait, what? (Score:4, Insightful)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Sunday August 26, 2018 @11:12AM (#57197466) Homepage Journal

    But the United States doesn't offer any type of universal ID,

    Yes, it does, and it's called a passport. Each passport has a unique "book number". The US also issues "passport cards" to passport holders. This is a federally-issued, unique identification card which is considered valid ID.

    We also now have Real ID [wikipedia.org], which is a federal standard for acceptable identification. Real ID-qualified identification cards by definition involve linked databases.

    Arguably, however, what is needed online is a uniquely-issued cryptographic signature, which is passphrase-protected. This could actually be used to secure online communications. It could be given out by post offices, which seems logical since they are the place where most people go to process their passport application and because the post office is about communication.

    • Each passport has a unique "book number". The US also issues "passport cards" to passport holders.

      I was under the impression that most U.S. citizens who do not travel internationally do not carry a U.S. passport. The United States has a lot more area in which one can legally travel on ground without a passport than somewhere like Europe, whose countries are closer in size to the several states of the U.S. So what should a service that requires a passport "book number" do for U.S. subscribers who do not carry a passport? Require them to obtain one? I was under the further impression that the cost in time

      • I was under the impression that most U.S. citizens who do not travel internationally do not carry a U.S. passport.

        Quite so.

        Nonetheless, it is AVAILABLE to any US Citizen, even if you have no intention of ever leaving your hometown, much less that USA....

        • by Anonymous Coward

          Not true. In the United States, people who owe debts like unpaid child support, or fines from court cannot get passports. And now that college debt is spiraling and people with humanities try to duck them by "teaching English in Asia", how long until college debt blocks you from getting a passport too.

        • by tepples ( 727027 )

          Nonetheless, [a U.S. passport] is AVAILABLE to any US Citizen, even if you have no intention of ever leaving your hometown

          And a burner phone and pay-as-you-go plan are available to every US resident. It's just a cost in time and money to obtain either a burner phone or a passport, especially if your vital records are hundreds of miles away in another state.

    • But the United States doesn't offer any type of universal ID,

      Yes, it does, and it's called a passport. Each passport has a unique "book number". The US also issues "passport cards" to passport holders. This is a federally-issued, unique identification card which is considered valid ID.

      How is this any different from a Social Security card, which is also a federally-issued, unique identification card? How does issuing everyone a passport solve any problem?

      • Exactly: you'll just be trading the current problems of a social security number for the same problems in a passport book number.
      • Re:Wait, what? (Score:4, Interesting)

        by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Sunday August 26, 2018 @12:55PM (#57197910) Homepage Journal

        Each passport has a unique "book number". The US also issues "passport cards" to passport holders. This is a federally-issued, unique identification card which is considered valid ID.

        How is this any different from a Social Security card, which is also a federally-issued, unique identification card? How does issuing everyone a passport solve any problem?

        I don't now that it fully solves any problem, but I took exception to the false claim that there is not a federal ID besides the social security card. It's harder to falsely get your hands on a passport than a social security card, though neither are impossible since there's always good old theft. However, social security cards don't have a photograph on them.

      • Re:Wait, what? (Score:5, Interesting)

        by cellocgw ( 617879 ) <cellocgw@gmaEINS ... minus physicist> on Sunday August 26, 2018 @01:26PM (#57198056) Journal

        How is this any different from a Social Security card, which is also a federally-issued, unique identification card? How does issuing everyone a passport solve any problem?

        Dunno how to break it to you youngsters, but my SSN is being **used** as a unique ID, but in fact it is not a traceable identification number. Like everyone born in the antediluvian epoch (more or less pre-Reagan), I walked into a federal office one day and asked for a SSN. They asked my name, typed up a card, and there I was. Basically same procedure as happens now if you want to pull an EIN for a trust.
        Just like phone numbers, SSNs are being misused for something they were not intended.

    • Re:Wait, what? (Score:5, Interesting)

      by thegarbz ( 1787294 ) on Sunday August 26, 2018 @04:38PM (#57199280)

      Why not adopt a points based system like in other countries? Bring enough uniquely identifiable information to a table to qualify for whatever important thing you are doing. Passport, drivers license or other government issued photo ID = 50 points, birth certificate or other government official issued document without photo ID, 40 points, credit card or financial documents 20 points, addressed letter from a recognised institution = 10 points.

      Need to open a bank account, take out a home loan, or apply for a visa, pony up 100 points, Need to buy a phone, pony up 40, etc.

      That solves the whole problem of having to force people to obtain a specific form of ID, it also solves the problem of a single unique document covering everything.

      • But jesus man, it involves fucking MATH! How do you expect to explain to people that they don't have enough IDs? How do you expect the poor employees in charge of figuring out if they have enough to determine if they do or not? Fucking lookup tables, a calculator, slide rule, couple of Tarot cards.....might as well have a giant hunk of graph paper where you put all the IDs on it and ask the employees to integrate the area.

        I'm just advocating that everyone get a QR code tattooed on them at birth. Then you ju

        • How do you expect to explain to people that they don't have enough IDs?

          Jokes aside, no it doesn't it's actually quite easy.

          Fucking lookup tables

          Yep that's the easiest way. Normally you just tell people the ID rules: I need one of any of these, and two of any of these. Or none of these, and 3 of these. It's really very very simple.

          You were quipping with lookup tables, but often that's precisely what you get given :-)

    • Comment removed based on user account deletion
  • by Okian Warrior ( 537106 ) on Sunday August 26, 2018 @11:20AM (#57197512) Homepage Journal

    A personal anecdote: I have a GMail account I use at home, everything works well enough (despite the awful interface).

    I sometimes want to use it at the local hackerspace, I try to log in, and after I enter my password it tells me "we don't recognize this computer, give us your phone number and we'll send you an SMS message to continue"(*).

    I absolutely do not want to give Google my phone number, but there's no way around this.

    My account is not compromised, I've got a respectable password, and this didn't used to be a requirement.

    Basically, they've lured everyone in with a free service, and now they're drawing in other personal information in order to continue to use it. I fear that one day they will simply decide to require a phone number from my home computer, and then I'll be fucked because I will have to give it to them or else lose all functionality of GMail.

    It sucks. They don't tell you how to get around it, they only give explanations of "this is for *your* security!".

    Giving google my phone number doesn't increase security, but they've drawn everyone in with the free service.

    (*) Also, I have no idea how they "recognize" my home computer, since I regularly delete cookies from my system and re-login. Perhaps the "delete cookies" feature doesn't do what they say it does.

    • by Anonymous Coward

      >(*) Also, I have no idea how they "recognize" my home computer, since I regularly delete cookies from my system and re-login. Perhaps the "delete cookies" feature doesn't do what they say it does.

      If you use Chrome to login, then I'm sure there's all kinds of machine identifiers the browser passes on to Google. You probably need to use a third party program to delete caches and cookies and other tracking bits. Also get new IP either by issuing a dhcp release command or use a proxy or vpn.

    • They recognize it from the IP (geolocation).
      • And your MAC address, and your router's MAC address, and quite probably hashes of your directories, and any other conceivable invasion of privacy they have not yet been caught doing.

        Google's entire turnover depends on invading your privacy. You bet they are good at it.

      • Comment removed based on user account deletion
    • by Anonymous Coward

      Use POP/IMAP instead when out and about.

      You're hopefully not accessing gmail from a strange machine in the hackspace, so presumably you have a computer (laptop, phone, VAX/VMS because IDK what people drag to your hackspace...) with you, on which you can install a client.

      The "need a phone number" bit is, indeed, disgusting.

      IIRC you can also get around it by entering username/pwd credentials, then once they've POSTed but before the return page load, hit esc, and go straight to inbox page.

      Finally, you could se

      • Use POP/IMAP instead when out and about.

        I've had a GMail account since the old days when you had to have an "invitation" to get one.

        Whether I'm at home or away, I *ALWAYS* use POP/IMAP and a real e-mail client.

        There simply is no reason to use Google's retarded, constantly subject-to-change-on-a-whim, web interface.

        • by ahodgson ( 74077 )

          I've had Google refuse to allow POP or IMAP connections from a new IP unless I logged into webmail first. And provided the phone number to do so. Gmail's totally useless, don't know why anyone puts up with it. At least when my own server has problems I can just fix it.

          • And I don't know why anyone would put up with running their own server and be forced to play IT when off the clock and on personal time.

            I don't have an issue with Gmail. For the price (tracking me and needing my phone number) it's worth it to me. I don't want to dick around with a server at home and making sure that it's up-to-date and secure, that my firewall is playing nice with my server, etc. I want the most minimal home IT setup I can get away with, because I have better shit to do than play IT on nigh

    • I sometimes want to use it at the local hackerspace, I try to log in, and after I enter my password it tells me "we don't recognize this computer, give us your phone number and we'll send you an SMS message to continue"(*).

      I absolutely do not want to give Google my phone number, but there's no way around this.

      You can protect a Google account with two-factor auth, using an authentication app like OTP Auth - does this “give us your phone number” query still occur if you have that enabled?

      It wouldn’t make any security sense, but I wouldn’t be surprised if it does. Google does seem to be getting more in-your-face with regard to its information grabbing and sharing.

    • A personal anecdote: I have a GMail account I use at home, everything works well enough (despite the awful interface).

      I sometimes want to use it at the local hackerspace, I try to log in, and after I enter my password it tells me "we don't recognize this computer, give us your phone number and we'll send you an SMS message to continue"(*).

      I absolutely do not want to give Google my phone number, but there's no way around this.

      Get a free Google Voice number - then use that. It works great. It will receive the SMS no problem.

    • by Anonymous Coward

      I lost my Yahoo email after the Oauth acquisition, because I had given them an entirely nonsensical "backup email address" years ago after too many nagging messages.
      It's in the form "a@a.a" which obviously leads nowhere.
      So, be careful as you can lose access to an account entirely if you were to enter a bogus phone number or backup email "for your security and convenience".

      Back up the data you may have under your email account, because you may be a computer failure away from losing your access with no phone

    • Until this hit the front page, I believed it was for our security, too: https://yro.slashdot.org/story... [slashdot.org]

    • by geggam ( 777689 )

      Should give you an idea of how they fingerprint you. There are several other metrics especially with javascript

      $ echo ' 192.168.1.245 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36' | md5
      ff218f1f924e6eb7d71cf3cdfe8ddb29

    • Thunderbird is one viable solution to GMail's annoying interface.

    • by jcam2 ( 248062 )

      Unfortunately account hijacking due to password re-use is so common that Google has to detect what look like suspicious logins (ie. from a different device, or in a different country, or at an unusual time) and ask additional challenge questions. However, in this case you can enter ANY phone number - it doesn't have to be your own.

    • I absolutely do not want to give Google my phone number, but there's no way around this.

      a) Google have your phone number even if you think they don't.
      b) Use the Google Authenticator app instead, it's a fuckton better than SMS anyway.

      • b) Use the Google Authenticator app instead, it's a fuckton better than SMS anyway.

        So I avoid providing a phone number to Google service X by using a Google app on a device almost certainly tied explicitly to my phone number.

        • So I avoid providing a phone number to Google service X by using a Google app on a device almost certainly tied explicitly to my phone number.

          So you almost certainly don't have a clue about how the app works. It's not tied to your phone number any more than Google Maps is.

          • [A TOTP app is] not tied to your phone number any more than Google Maps is.

            First, Google Maps is in fact tied to your phone number. The Google Maps app [google.com] requests permission to "send SMS messages", "directly call phone numbers", and "read phone status and identity".

            Second, as I wrote in another comment [slashdot.org], Google considers TOTP secondary. A Google Account holder must first set up 2sv through SMS, U2F, or Google Search prompts before setting up TOTP, and two of these three options are tied to either a cellular plan or a mobile device running iOS or Android with Google Play.

            • First, Google Maps is in fact tied to your phone number.

              Congratulations. You just reiterated point 1 in my original post.

              and two of these three options are tied to either a cellular plan

              Your second point is missing a point. Or rather I'll make the point for you: One of these is not tied to your cellular plan. Which all brings me back to my original post which I will re-quote here for properity:
              " a) Google have your phone number even if you think they don't.
              b) Use the Google Authenticator app instead, it's a fuckton better than SMS anyway."

              • by tepples ( 727027 )

                If you use a U2F key as your primary, Google wants a backup phone but will accept printing backup codes with a printer. Do most households with a computer even own a printer anymore?

  • by spyfrog ( 552673 ) on Sunday August 26, 2018 @11:21AM (#57197514) Homepage
    Well, at least you easily can change your phone number if you need to - like an identity theft. Good luck with that if you happen to live where I live where the most common used identification number is our equalient of the American social security number. A number that is more or less impossible to change and that is considered public information by the government.
  • by Anonymous Coward

    Jenny, Jenny, who can I turn to?
    You give me something I can hold on to
    I know you'll think I'm like the others before
    Who saw your name and number on the wall?

    Jenny, I've got your number
    I need to make you mine
    Jenny, don't change your number

    Jenny, Jenny, you're the girl for me
    You don't know me but you make me so happy
    I tried to call you before but I lost my nerve
    I tried my imagination but I was disturbed

  • The problem is trying to use a plain string of numbers and/or characters as an ID. That basically forces you to transmit the ID in cleartext any time you use it, so anyone can pretend to be you by copying it (SSN) or requesting the number be transferred to a new device (phone number). What's needed is some type of encrypted challenge-response as a form of ID. With two-factor encryption, this would be
    • A challenge sent to you encrypted with the challenger's private key and your advertised public key.
    • You
  • by Anonymous Coward

    "But the United States doesn't offer any type of universal ID"

    That's intentional and even desirable. Creating a centralized and authoritative database of citizens identities is a surefire way of accelerating the surveillance state even faster than it is currently going. It also sets up a controlling authority that most likely can't be escaped and WILL be abused, for example if you become an "undesirable" all the government has to do to vastly curtail your freedoms (apartment, driving, flying, etc) is deny

    • State's already routinely pull Driver's Licenses for non-driving offense. Having something that is just for ID and can't be revoked except for fraud is better than a patchwork of documents that can be pulled for various excuses. And you can't have an authoritative name/identity system without an authority, and you can't be certain who you are dealing with without an authoritative system.

  • Comment removed based on user account deletion
  • >"But the United States doesn't offer any type of universal ID, which means private institutions and even the federal government itself have had to improvise."

    Well, they do, it is the SSN (Social Security Number)... which was never supposed to be or meant to be some type of general-purpose, national ID number. In any case, it is not desirable to have a national ID number, anyway. Why? Because it destroys freedom and privacy by making being anonymous difficult and encourages tracking and cross-referenc

  • by lkcl ( 517947 ) <lkcl@lkcl.net> on Sunday August 26, 2018 @01:19PM (#57198006) Homepage

    " But you keep the latter guarded, because it's how you prove who you are. "

    nooOoo: when you type in a password, it authenticates the *username*. it does *not* authenticate the *user*.

  • Their main complaint that "phone number were not meant to be used as IDs" is that they are not secure and someone could hijack your number using a hacked SIM or whatever. So, instead of making the federal government blow billions of dollars creating a new ID numbers when we already have SS, not just force companies to make the SIMs more secure? This is probably Oracle backed FUD, since any massive new government database means more money for them, although IBM got the original SS contract along with other b

  • by Anonymous Coward

    As someone who hasn't had a phone number for the last 15 years, I don't understand. Please explain how a phone number is a form of ID.

  • It's a simple matter of Identification vs. Authorization, phone numbers (like fingerprints) are great for identification but horrible for authorization because of the ease they can be used fraudulently, i.e. generate false positives. I'm always amazed at how so many security "professionals" can't seem to grasp this simple concept.

    • "phone numbers (like fingerprints) are great for identification but horrible for authorization"

      Most of the 50 or so phone numbers I've had in various locations around the world (prepay mobile sims) have been reassigned to someone else within 12 months of going idle.

      Tell me, how is that good for identification?

  • I get a rush of phone calls sometimes from people saying "Hey, you called me, who is this? Why do you KEEP calling me?" My response is usually dumbfounded and the conversation ends with the caller just as confused, but sometimes they get angry and say "put me on your DO NOT CALL LIST!" So my number is spoofed. Verizon tells me there's not a damn thing they can do about it. Sucks since it is a business line and I take calls from clients every day, but Verizon has their money from me (well, probably mill

    • The problem is that the spoofing happens at the spoofer's end, and they aren't using Verizon so Verizon can't do a thing about it. You'd have to talk to the telco the spoofer uses for their line, and they have no incentive to do anything because the person complaining isn't a paying customer and the spoofer is. The only real solution is what we did with email spam with blacklists of entire providers. (NB: no it didn't eliminate email spam, but it cut it down significantly and made it a whole lot easier to f

      • "The problem is that the spoofing happens at the spoofer's end"

        Correct

        "and they aren't using Verizon so Verizon can't do a thing about it"

        Wildly incorrect.

        Verizon has routing information about the call provided at a much deeper layer than the presentation layer, but as they (and other telcos) are paid to terminate those spoofed calls, they choose to look the other way until compelled(*) to do something about it.

        (*) Either by government edict (happening in some countries and meeting strong resistance from t

        • Verizon isn't in a position to figure out whether the info is being maliciously spoofed or not. There's lots of legitimate reasons to spoof the CID data so it differs from the ANI or billing data. Calls from a large business, for instance, where the outgoing lines are distinct from the incoming lines and you want the CID to refer to the number the receiver can call to reach the business. Calls from a call center serving multiple clients, too, where it's better to have the CID reflect the number assigned to

  • My wife's phone number got hijacked and ported to another provider.
    This was used to attack the bank account and open new credit accounts.
    We responded quickly and luckily our bank had very safe procedures.
    But a lot of banks aren't as good. The police weren't very useful.
    We now have extra protections in place.

  • Man, young people these days are so ignorant of history. It's really pretty concerning to those who aren't.

    There is a REASON people don't want a "universal ID". And it has to do with something called "1984"

    But it's not limited to 1984. Our parents (if you're older) and grandparents, and great-grandparents fought tooth and nail against any kind of Federal ID.

    It's actually kind of common to think that people in the past were less sophisticated than you are, and therefore not quite as bright. In simpler terms, many people seem to fall into the trap of thinking people generations ago as not ignorant (compared to today's knowledge), but actually stupid.

    That's a mistaken viewpoint.

    There is a reason Social Security was never allowed to pass, unless it was promised that the Social Security number would NEVER be a "federal ID".

    And the promise was made, and Social Security passed.

    And years later, the government made SSN a valid ID for national credit companies. In other words: betrayal of their promise.

    Better wake up, people. I984 is looking you in the face. Right now. If you don't see those encroachments coming down on you, in the name of "convenience", you're just naive.
  • Why should anyone care?

    You need to track connections, accounts, logical device interfaces and logical user instances, but not physical people or physical things. Even a license plate just correlates a registration of a logical notion of a car with a registration of a logical notion of the owner. Not a physical thing.

    The physical world is not related to the logical world. You don't need to track physical people and there need not be a 1:1 relationship to logical data. So a logical person entity can be multip

  • "But the United States doesn't offer any type of universal ID"
    Why on earth would I WANT a universal ID system. Who does that benefit? NOT the consumer, NOT the average person in society. While the lack of one might be some inconvenience, and it certainly increases the chance of crime. The social and political cost of making it easy for any political group who takes power to track everyone and anyone they 'don't like' and to IDENTIFY them easily is not worth the convince. The reality is that sometimes in

  • "As cell phones proliferated, and phone numbers became more reliably attached to individuals long term"

    In the USA maybe.
    In other parts of the world people have multiple mobile numbers or dump them every year or so with a change in contract.

    As a reliable identification method they were always questionable and showed a marked US-centricism in software that was clearly broken from the outset.

  • The article seems to be more about pushing a solution of a central ID system as a presumed solution to the identity theft problem, even though it was the requirement that SSN's be associated with financial accounts that began the whole problem. Specifically:

    "But the United States doesn't offer any type of universal ID, which means private institutions and even the federal government itself have had to improvise."

    What's needed is better anonymity not increased centralized identity. On top of that, to

If you didn't have to work so hard, you'd have more time to be depressed.

Working...