Phone Numbers Were Never Meant as ID. Now We're All At Risk (wired.com) 185
One key lesson from the recent T-Mobile and several other breaches: our phone numbers, that serve as a means to identify and verify ourselves, are increasingly getting targeted, and the companies are neither showing an appetite to work on an alternative identity management system, nor are they introducing more safeguards to how phone numbers are handled and exchanged. From a report: Identity management experts have warned for years about over-reliance on phone numbers. But the United States doesn't offer any type of universal ID, which means private institutions and even the federal government itself have had to improvise. As cell phones proliferated, and phone numbers became more reliably attached to individuals long term, it was an obvious choice to start collecting those numbers even more consistently as a type of ID. But over time, SMS messages, biometric scanners, encrypted apps, and other special functions of smartphones have evolved into forms of authentication as well.
"The bottom line is society needs identifiers," says Jeremy Grant, coordinator of the Better Identity Coalition, an industry collaboration that includes Visa, Bank of America, Aetna, and Symantec. "We just have to make sure that knowledge of an identifier can't be used to somehow take over the authenticator. And a phone number is only an identifier; in most cases, it's public." Think of your usernames and passwords. The former are generally public knowledge; it's how people know who you are. But you keep the latter guarded, because it's how you prove who you are.
The use of phone numbers as both lock and key has led to the rise, in recent years, of so-called SIM swapping attacks, in which an attacker steals your phone number. When you add two-factor authentication to an account and receive your codes through SMS texts, they go to the attacker instead, along with any calls and texts intended for the victim. Sometimes attackers even use inside sources at carriers who will transfer numbers for them.
Mobile phone numbers are craved (Score:5, Insightful)
Re: (Score:1)
It's even more difficult when you don't have a phone. I typically avoid services that require a phone number, but some sites get 555-5555.
Re: (Score:1, Insightful)
I refuse to use my phone as an ID for the same reason. If you give any web site your phone number, chances are that it will be sold to telemarketers. They can say that by giving them your number (and because you have a business relationship with them) that it's ok for them to give or sell your number to their business partners. We really need telemarketing to be outlawed. This should include political calls and calls from organizations or individuals asking for money. I also feel that the only way for s
Re: Mobile phone numbers are craved (Score:2)
I don't even care anymore. I never did contracts on my phones and always did prepaid. If I have a problem, I stop paying and get a new SIM card the next day with a new phone number.
If marketers want to rely on phone numbers as accurate information, they're in for a shock.
Thanks to phone companies making callerid completely useless and something we had/have to pay for (are we still being charged for this crap service????), who cares?
Use your ringtones, Luke. (Score:3)
I happily give them my phone number. I just don't answer my phone except for whitelisted numbers that have a non-mute ringtone. Solves all manner of problems. A mute ringtone is one that makes zero noise, and that's the default on my phone.
The day of unplanned voice telephone comms from random callers is past for me. You want me, then email me, or text me. We can arrange a phone call if need be; but cold calls? No. Not happening. Telemarketers and various other forms of similar lowlife have shit that bed be
Re: (Score:2)
I happily give them my phone number. I just don't answer my phone except for whitelisted numbers that have a non-mute ringtone. Solves all manner of problems. A mute ringtone is one that makes zero noise, and that's the default on my phone.
The day of unplanned voice telephone comms from random callers is past for me. You want me, then email me, or text me. We can arrange a phone call if need be; but cold calls? No. Not happening. Telemarketers and various other forms of similar lowlife have shit that bed beyond all recovery.
I don't pay any attention to voice messaging, either. The idea of someone trying to leave me a voice message fills me with glee... they just spent some fraction of their life for nothing.
They may wreck texting eventually as well. But perhaps not. The same filtering that works (and very well, too) with email could work with texting. Whitelists, smart filtering... bring it on, I say.
I used to have a busy signal for my answering machine message. I wonder if any phones allow a different answer message for white listed and black listed numbers.
Re: (Score:2)
Re: (Score:2)
I always refuse because I know that once I give out the phone number, my phone will start ringing with telemarketing calls.
Localised problem? I for one never give a second thought about handing out or typing my phone number in anywhere. Yet I have yet to receive a single telemarketing call that I didn't explicitly solicit ("enter your number and we will call you" from)
Is this uniquely American? I know probably not unique, in Australia I got the occasional telemarketing call but they were mostly from the telecom company, and it's not like I can hide my number from them.
Re:Mobile phone numbers are craved (Score:5, Informative)
Most disturbing is that many of these calls are coming from areas in / near Washington DC, West Virginia, etc. We do have a decent-sized government contract, so it would seem whomever is selling this info KNOWS this and is trying to use these prefixes to get us to answer.
Re: Mobile phone numbers are craved (Score:2, Insightful)
Net neutrality.
What can't we blame on it?
Re: (Score:2)
They are likely faking the area code and exchange. I live in Texas with a central Illinois phone number. I get calls all the time from people who admit they're in Florida or overseas, but from exchanges in central Illinois. VOIP services make this relatively simple to do. Heck, I have a VOIP number I could call from in Missouri, but I'm not in Missouri and have no physical phone there.
Re:Mobile phone numbers are craved (Score:5, Informative)
I receive telemarketing and scam calls almost everyday. None of them seem to be related to anything I have ever bought or any company that I do business with. They appear to be untargeted and random.
Re: (Score:2)
For some reason, many of the vendors all but insist I provide them my mobile phone number. I always refuse because I know that once I give out the phone number, my phone will start ringing with telemarketing calls. The vendors say they want the mobile phone number for back-up identification purposes, but I just do not believe them.
They also ask for them in places where telemarketing is not a thing. I suspect it is to better correlate your data so they sell it for more money. Just give them a fake number or a temporary one.
Re: (Score:2)
For some reason, many of the vendors all but insist I provide them my mobile phone number. I always refuse because I know that once I give out the phone number, my phone will start ringing with telemarketing calls. The vendors say they want the mobile phone number for back-up identification purposes, but I just do not believe them.
I agree with you and this is exactly why I still have a land line. It seems to really be VOIP from my cable TV provider, but it works exactly as a true land line. Still rings phones plugged into a wall phone jack. I've got Nomorobo (https://www.nomorobo.com/ ) on it, which does an excellent job for free of stopping telemarketers. So now if anybody demands a phone number for any reason, they get the land line. They can send SMS ("texts" to USA people) all day to it and it will do nothing. They can cal
Re: (Score:2)
I have a land line and a cellphone number. I provide the landline to anyone who asks, but leave the cellphone to myself. I have set up the landline to forward calls to the cellphone
Re: (Score:2)
SSN was never meant to be used as ID either (Score:5, Insightful)
And that's caused all kinds of problems with identity theft in recent years. I'm not surprised we are making the same stupid mistake with phone numbers.
Re: (Score:1)
And that's caused all kinds of problems with identity theft in recent years. I'm not surprised we are making the same stupid mistake with phone numbers.
You're absolutely right. Phone numbers and Social Security numbers were never intended to be used as identification.
And there's a simple, common sense solution to the problem. A national I.D. system. But every time someone proposes it, all of the tinfoil hat luddites immediately start screeching that it will inevitably lead to 1984-style Big Brother. (see the comment just below as an example)
Re: (Score:2)
That's as good as a bar code on your wrist. And how would it be any different from SSN? What are you going to do, plug your ID card into a USB slot? The downsides look bigger than the upsides to me.
I sign in to my bank without a national ID no problem (not just user+pw), the biggest ID problem has been over-reliance on driver's license and passport for people who don't have those. My bank threatened to close my account because I hadn't shown ID AGAIN for the umpteenth fucking time, like I suddenly because s
Re: SSN was never meant to be used as ID either (Score:2)
National ID wouldn't solve this problem, it would make things worse. Letting government handle ID has always been a disaster that perpetrates identity theft to a whole new level.
Meanwhile, I have no problem generating my own keys and handing them out to my employees to identify me and vice versa. If I have a problem like feeling compromised, I simply change my key. Letting government handle that portion would result in massive red tape and difficulties in changing your ID when compromised.
Re: (Score:2)
National ID wouldn't solve this problem
This is not supported by evidence. Plenty of countries have a national ID with a unique public identifier, and it works fine. Meanwhile "identity theft" is almost entirely an American problem.
Only America uses the same number for both identification and authentication, thus requiring it to be both widely known and secret ... and only Americans are oblivious enough to believe this is "normal".
Re: (Score:2)
Re: (Score:2)
You're absolutely right. Phone numbers and Social Security numbers were never intended to be used as identification.
And there's a simple, common sense solution to the problem. A national I.D. system. But every time someone proposes it, all of the tinfoil hat luddites immediately start screeching that it will inevitably lead to 1984-style Big Brother. (see the comment just below as an example)
Phone numbers and social security numbers ain't exactly similar. One has to apply for an SSN from the government. Phone numbers - one can change one's numbers anytime one feels like, for something like $15. As a previous poster said, he can change it at will making it completely worthless for ID
But since SSNs are already required for identification, here is an idea that would work. Modify the SSN card to become a biometric card w/ photos, SSN and any biometric information that's needed, as well as one
the george orwell coalition (Score:1)
hey, anything symantec is pushing makes me want to take my chances with my phone number! any coalition with visa, boa, and symantec scares me
Wait, what? (Score:4, Insightful)
Yes, it does, and it's called a passport. Each passport has a unique "book number". The US also issues "passport cards" to passport holders. This is a federally-issued, unique identification card which is considered valid ID.
We also now have Real ID [wikipedia.org], which is a federal standard for acceptable identification. Real ID-qualified identification cards by definition involve linked databases.
Arguably, however, what is needed online is a uniquely-issued cryptographic signature, which is passphrase-protected. This could actually be used to secure online communications. It could be given out by post offices, which seems logical since they are the place where most people go to process their passport application and because the post office is about communication.
I thought most US citizens had no passport (Score:2)
Each passport has a unique "book number". The US also issues "passport cards" to passport holders.
I was under the impression that most U.S. citizens who do not travel internationally do not carry a U.S. passport. The United States has a lot more area in which one can legally travel on ground without a passport than somewhere like Europe, whose countries are closer in size to the several states of the U.S. So what should a service that requires a passport "book number" do for U.S. subscribers who do not carry a passport? Require them to obtain one? I was under the further impression that the cost in time
Re: (Score:2)
Quite so.
Nonetheless, it is AVAILABLE to any US Citizen, even if you have no intention of ever leaving your hometown, much less the USA....
Re: (Score:1)
Not true. In the United States, people who owe debts like unpaid child support, or fines from court cannot get passports. And now that college debt is spiraling and people with humanities try to duck them by "teaching English in Asia", how long until college debt blocks you from getting a passport too.
Re: (Score:2)
Nonetheless, [a U.S. passport] is AVAILABLE to any US Citizen, even if you have no intention of ever leaving your hometown
And a burner phone and pay-as-you-go plan are available to every US resident. It's just a cost in time and money to obtain either a burner phone or a passport, especially if your vital records are hundreds of miles away in another state.
Re: (Score:2)
Yes, it does, and it's called a passport. Each passport has a unique "book number". The US also issues "passport cards" to passport holders. This is a federally-issued, unique identification card which is considered valid ID.
How is this any different from a Social Security card, which is also a federally-issued, unique identification card? How does issuing everyone a passport solve any problem?
Re: (Score:2)
Re:Wait, what? (Score:4, Interesting)
Each passport has a unique "book number". The US also issues "passport cards" to passport holders. This is a federally-issued, unique identification card which is considered valid ID.
How is this any different from a Social Security card, which is also a federally-issued, unique identification card? How does issuing everyone a passport solve any problem?
I don't know that it fully solves any problem, but I took exception to the false claim that there is not a federal ID besides the social security card. It's harder to falsely get your hands on a passport than a social security card, though neither are impossible since there's always good old theft. However, social security cards don't have a photograph on them.
Re: (Score:2)
Re:Wait, what? (Score:5, Interesting)
How is this any different from a Social Security card, which is also a federally-issued, unique identification card? How does issuing everyone a passport solve any problem?
Dunno how to break it to you youngsters, but my SSN is being **used** as a unique ID, but in fact it is not a traceable identification number. Like everyone born in the antediluvian epoch (more or less pre-Reagan), I walked into a federal office one day and asked for a SSN. They asked my name, typed up a card, and there I was. Basically same procedure as happens now if you want to pull an EIN for a trust.
Just like phone numbers, SSNs are being misused for something they were not intended.
Re:Wait, what? (Score:5, Interesting)
Why not adopt a points based system like in other countries? Bring enough uniquely identifiable information to a table to qualify for whatever important thing you are doing. Passport, drivers license or other government issued photo ID = 50 points, birth certificate or other government official issued document without photo ID, 40 points, credit card or financial documents 20 points, addressed letter from a recognised institution = 10 points.
Need to open a bank account, take out a home loan, or apply for a visa, pony up 100 points, Need to buy a phone, pony up 40, etc.
That solves the whole problem of having to force people to obtain a specific form of ID, it also solves the problem of a single unique document covering everything.
Re: (Score:2)
But jesus man, it involves fucking MATH! How do you expect to explain to people that they don't have enough IDs? How do you expect the poor employees in charge of figuring out if they have enough to determine if they do or not? Fucking lookup tables, a calculator, slide rule, couple of Tarot cards.....might as well have a giant hunk of graph paper where you put all the IDs on it and ask the employees to integrate the area.
I'm just advocating that everyone get a QR code tattooed on them at birth. Then you ju
Re: (Score:2)
How do you expect to explain to people that they don't have enough IDs?
Jokes aside, no it doesn't it's actually quite easy.
Fucking lookup tables
Yep that's the easiest way. Normally you just tell people the ID rules: I need one of any of these, and two of any of these. Or none of these, and 3 of these. It's really very very simple.
You were quipping with lookup tables, but often that's precisely what you get given :-)
Re: (Score:3)
Drawing in people with free services (Score:4, Interesting)
A personal anecdote: I have a GMail account I use at home, everything works well enough (despite the awful interface).
I sometimes want to use it at the local hackerspace, I try to log in, and after I enter my password it tells me "we don't recognize this computer, give us your phone number and we'll send you an SMS message to continue"(*).
I absolutely do not want to give Google my phone number, but there's no way around this.
My account is not compromised, I've got a respectable password, and this didn't use to be a requirement.
Basically, they've lured everyone in with a free service, and now they're drawing in other personal information in order to continue to use it. I fear that one day they will simply decide to require a phone number from my home computer, and then I'll be fucked because I will have to give it to them or else lose all functionality of GMail.
It sucks. They don't tell you how to get around it, they only give explanations of "this is for *your* security!".
Giving google my phone number doesn't increase security, but they've drawn everyone in with the free service.
(*) Also, I have no idea how they "recognize" my home computer, since I regularly delete cookies from my system and re-login. Perhaps the "delete cookies" feature doesn't do what they say it does.
Re: (Score:1)
>(*) Also, I have no idea how they "recognize" my home computer, since I regularly delete cookies from my system and re-login. Perhaps the "delete cookies" feature doesn't do what they say it does.
If you use Chrome to login, then I'm sure there's all kinds of machine identifiers the browser passes on to Google. You probably need to use a third party program to delete caches and cookies and other tracking bits. Also get new IP either by issuing a dhcp release command or use a proxy or vpn.
Re: (Score:2)
Re: (Score:2)
Google's entire turnover depends on invading your privacy. You bet they are good at it.
Re: (Score:1)
Use POP/IMAP instead when out and about.
You're hopefully not accessing gmail from a strange machine in the hackspace, so presumably you have a computer (laptop, phone, VAX/VMS because IDK what people drag to your hackspace...) with you, on which you can install a client.
The "need a phone number" bit is, indeed, disgusting.
IIRC you can also get around it by entering username/pwd credentials, then once they've POSTed but before the return page load, hit esc, and go straight to inbox page.
Finally, you could se
Re: (Score:3)
Use POP/IMAP instead when out and about.
I've had a GMail account since the old days when you had to have an "invitation" to get one.
Whether I'm at home or away, I *ALWAYS* use POP/IMAP and a real e-mail client.
There simply is no reason to use Google's retarded, constantly subject-to-change-on-a-whim, web interface.
Re: (Score:2)
I've had Google refuse to allow POP or IMAP connections from a new IP unless I logged into webmail first. And provided the phone number to do so. Gmail's totally useless, don't know why anyone puts up with it. At least when my own server has problems I can just fix it.
Re: (Score:2)
And I don't know why anyone would put up with running their own server and be forced to play IT when off the clock and on personal time.
I don't have an issue with Gmail. For the price (tracking me and needing my phone number) it's worth it to me. I don't want to dick around with a server at home and making sure that it's up-to-date and secure, that my firewall is playing nice with my server, etc. I want the most minimal home IT setup I can get away with, because I have better shit to do than play IT on nigh
Re: (Score:2)
I sometimes want to use it at the local hackerspace, I try to log in, and after I enter my password it tells me "we don't recognize this computer, give us your phone number and we'll send you an SMS message to continue"(*).
I absolutely do not want to give Google my phone number, but there's no way around this.
You can protect a Google account with two-factor auth, using an authentication app like OTP Auth - does this “give us your phone number” query still occur if you have that enabled?
It wouldn’t make any security sense, but I wouldn’t be surprised if it does. Google does seem to be getting more in-your-face with regard to its information grabbing and sharing.
TOTP needs SMS, U2F, or Android/iPhone/iPad first (Score:5, Informative)
Setting up Google Authenticator or another TOTP app requires first setting up either SMS, U2F, or Google Search prompts, and printing backup codes. From "Install Google Authenticator" [google.com]:
The phrase "2-Step Verification turned on" links to "Turn on 2-Step Verification" [google.com], which implies that you'll need to have one of these:
A. A mobile phone to receive SMS.
B. A USB security key implementing FIDO U2F and a desktop or laptop computer running a compatible version of the Google Chrome browser. I haven't tested whether Chromium from a GNU/Linux distribution works as well or whether U2F is one of the proprietary extras included only in Google Chrome. In addition, the U2F key has to have been manufactured in batches of at least 100,000 [chromium.org].
C. A phone or tablet with the Gmail or Google Search app installed (which works only on iOS or Android with Google Play, not AOSP alone or Windows Phone). This was introduced fairly recently, and I began using 2FA on Google once it was introduced.
You'll also need to own a second phone as a backup [google.com] or a printer to receive backup codes [google.com].
Re: (Score:2)
Re: (Score:3)
If you can have only one computer running at once, use the U2F key + printed backup codes method. Then plug the key into the USB port of whatever PC you use with your Google Account.
Re: (Score:2)
A personal anecdote: I have a GMail account I use at home, everything works well enough (despite the awful interface).
I sometimes want to use it at the local hackerspace, I try to log in, and after I enter my password it tells me "we don't recognize this computer, give us your phone number and we'll send you an SMS message to continue"(*).
I absolutely do not want to give Google my phone number, but there's no way around this.
Get a free Google Voice number - then use that. It works great. It will receive the SMS no problem.
Re: (Score:3)
VPN doesn't give you a street address or bank account in the appropriate country.
Re: (Score:1)
I lost my Yahoo email after the Oauth acquisition, because I had given them an entirely nonsensical "backup email address" years ago after too many nagging messages.
It's in the form "a@a.a" which obviously leads nowhere.
So, be careful as you can lose access to an account entirely if you were to enter a bogus phone number or backup email "for your security and convenience".
Back up the data you may have under your email account, because you may be a computer failure away from losing your access with no phone
Re: (Score:1)
Until this hit the front page, I believed it was for our security, too: https://yro.slashdot.org/story... [slashdot.org]
Re: (Score:2)
Should give you an idea of how they fingerprint you. There are several other metrics especially with javascript
$ echo ' 192.168.1.245 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36' | md5
ff218f1f924e6eb7d71cf3cdfe8ddb29
Re: (Score:3)
Thunderbird is one viable solution to GMail's annoying interface.
Re: (Score:2)
Unfortunately account hijacking due to password re-use is so common that Google has to detect what look like suspicious logins (ie. from a different device, or in a different country, or at an unusual time) and ask additional challenge questions. However, in this case you can enter ANY phone number - it doesn't have to be your own.
Re: (Score:2)
I absolutely do not want to give Google my phone number, but there's no way around this.
a) Google have your phone number even if you think they don't.
b) Use the Google Authenticator app instead, it's a fuckton better than SMS anyway.
Re: (Score:2)
b) Use the Google Authenticator app instead, it's a fuckton better than SMS anyway.
So I avoid providing a phone number to Google service X by using a Google app on a device almost certainly tied explicitly to my phone number.
Re: (Score:2)
So I avoid providing a phone number to Google service X by using a Google app on a device almost certainly tied explicitly to my phone number.
So you almost certainly don't have a clue about how the app works. It's not tied to your phone number any more than Google Maps is.
Google Maps requests your phone number (Score:2)
[A TOTP app is] not tied to your phone number any more than Google Maps is.
First, Google Maps is in fact tied to your phone number. The Google Maps app [google.com] requests permission to "send SMS messages", "directly call phone numbers", and "read phone status and identity".
Second, as I wrote in another comment [slashdot.org], Google considers TOTP secondary. A Google Account holder must first set up 2sv through SMS, U2F, or Google Search prompts before setting up TOTP, and two of these three options are tied to either a cellular plan or a mobile device running iOS or Android with Google Play.
Re: (Score:2)
First, Google Maps is in fact tied to your phone number.
Congratulations. You just reiterated point 1 in my original post.
and two of these three options are tied to either a cellular plan
Your second point is missing a point. Or rather I'll make the point for you: One of these is not tied to your cellular plan. Which all brings me back to my original post which I will re-quote here for posterity:
" a) Google have your phone number even if you think they don't.
b) Use the Google Authenticator app instead, it's a fuckton better than SMS anyway."
Re: (Score:2)
If you use a U2F key as your primary, Google wants a backup phone but will accept printing backup codes with a printer. Do most households with a computer even own a printer anymore?
At least you can change it (Score:4, Insightful)
Define const Jenny == 8675309 (Score:1)
Jenny, Jenny, who can I turn to?
You give me something I can hold on to
I know you'll think I'm like the others before
Who saw your name and number on the wall?
Jenny, I've got your number
I need to make you mine
Jenny, don't change your number
Jenny, Jenny, you're the girl for me
You don't know me but you make me so happy
I tried to call you before but I lost my nerve
I tried my imagination but I was disturbed
Problem isn't phone numbers or SSNs (Score:2)
Ah, a "solution" worse than the problem. (Score:1)
"But the United States doesn't offer any type of universal ID"
That's intentional and even desirable. Creating a centralized and authoritative database of citizens identities is a surefire way of accelerating the surveillance state even faster than it is currently going. It also sets up a controlling authority that most likely can't be escaped and WILL be abused, for example if you become an "undesirable" all the government has to do to vastly curtail your freedoms (apartment, driving, flying, etc) is deny
Re: (Score:2)
States already routinely pull Driver's Licenses for non-driving offenses. Having something that is just for ID and can't be revoked except for fraud is better than a patchwork of documents that can be pulled for various excuses. And you can't have an authoritative name/identity system without an authority, and you can't be certain who you are dealing with without an authoritative system.
Re: (Score:2)
Not really (Score:2)
>"But the United States doesn't offer any type of universal ID, which means private institutions and even the federal government itself have had to improvise."
Well, they do, it is the SSN (Social Security Number)... which was never supposed to be or meant to be some type of general-purpose, national ID number. In any case, it is not desirable to have a national ID number, anyway. Why? Because it destroys freedom and privacy by making being anonymous difficult and encourages tracking and cross-referenc
false correlation (Score:4)
" But you keep the latter guarded, because it's how you prove who you are. "
nooOoo: when you type in a password, it authenticates the *username*. it does *not* authenticate the *user*.
The article misses the solution (typical of Wired) (Score:1)
Their main complaint that "phone numbers were not meant to be used as IDs" is that they are not secure and someone could hijack your number using a hacked SIM or whatever. So, instead of making the federal government blow billions of dollars creating new ID numbers when we already have SS, why not just force companies to make the SIMs more secure? This is probably Oracle backed FUD, since any massive new government database means more money for them, although IBM got the original SS contract along with other b
How does that work? (Score:1)
As someone who hasn't had a phone number for the last 15 years, I don't understand. Please explain how a phone number is a form of ID.
Identification vs. Authorization (Score:2)
It's a simple matter of Identification vs. Authorization, phone numbers (like fingerprints) are great for identification but horrible for authorization because of the ease they can be used fraudulently, i.e. generate false positives. I'm always amazed at how so many security "professionals" can't seem to grasp this simple concept.
Re: (Score:2)
"phone numbers (like fingerprints) are great for identification but horrible for authorization"
Most of the 50 or so phone numbers I've had in various locations around the world (prepay mobile sims) have been reassigned to someone else within 12 months of going idle.
Tell me, how is that good for identification?
Hold the telcos responsible (Score:2)
I get a rush of phone calls sometimes from people saying "Hey, you called me, who is this? Why do you KEEP calling me?" My response is usually dumbfounded and the conversation ends with the caller just as confused, but sometimes they get angry and say "put me on your DO NOT CALL LIST!" So my number is spoofed. Verizon tells me there's not a damn thing they can do about it. Sucks since it is a business line and I take calls from clients every day, but Verizon has their money from me (well, probably mill
Re: (Score:2)
The problem is that the spoofing happens at the spoofer's end, and they aren't using Verizon so Verizon can't do a thing about it. You'd have to talk to the telco the spoofer uses for their line, and they have no incentive to do anything because the person complaining isn't a paying customer and the spoofer is. The only real solution is what we did with email spam with blacklists of entire providers. (NB: no it didn't eliminate email spam, but it cut it down significantly and made it a whole lot easier to f
Re: (Score:2)
"The problem is that the spoofing happens at the spoofer's end"
Correct
"and they aren't using Verizon so Verizon can't do a thing about it"
Wildly incorrect.
Verizon has routing information about the call provided at a much deeper layer than the presentation layer, but as they (and other telcos) are paid to terminate those spoofed calls, they choose to look the other way until compelled(*) to do something about it.
(*) Either by government edict (happening in some countries and meeting strong resistance from t
Re: (Score:2)
Verizon isn't in a position to figure out whether the info is being maliciously spoofed or not. There's lots of legitimate reasons to spoof the CID data so it differs from the ANI or billing data. Calls from a large business, for instance, where the outgoing lines are distinct from the incoming lines and you want the CID to refer to the number the receiver can call to reach the business. Calls from a call center serving multiple clients, too, where it's better to have the CID reflect the number assigned to
phone number got hijacked (Score:2)
My wife's phone number got hijacked and ported to another provider.
This was used to attack the bank account and open new credit accounts.
We responded quickly and luckily our bank had very safe procedures.
But a lot of banks aren't as good. The police weren't very useful.
We now have extra protections in place.
Americans don't WANT any kind of "Universal ID" (Score:3)
There is a REASON people don't want a "universal ID". And it has to do with something called "1984"
But it's not limited to 1984. Our parents (if you're older) and grandparents, and great-grandparents fought tooth and nail against any kind of Federal ID.
It's actually kind of common to think that people in the past were less sophisticated than you are, and therefore not quite as bright. In simpler terms, many people seem to fall into the trap of thinking of people generations ago as not ignorant (compared to today's knowledge), but actually stupid.
That's a mistaken viewpoint.
There is a reason Social Security was never allowed to pass, unless it was promised that the Social Security number would NEVER be a "federal ID".
And the promise was made, and Social Security passed.
And years later, the government made SSN a valid ID for national credit companies. In other words: betrayal of their promise.
Better wake up, people. 1984 is looking you in the face. Right now. If you don't see those encroachments coming down on you, in the name of "convenience", you're just naive.
Since there is no need for tracking a person (Score:2)
Why should anyone care?
You need to track connections, accounts, logical device interfaces and logical user instances, but not physical people or physical things. Even a license plate just correlates a registration of a logical notion of a car with a registration of a logical notion of the owner. Not a physical thing.
The physical world is not related to the logical world. You don't need to track physical people and there need not be a 1:1 relationship to logical data. So a logical person entity can be multip
Why on earth? (Score:2)
"But the United States doesn't offer any type of universal ID"
Why on earth would I WANT a universal ID system? Who does that benefit? NOT the consumer, NOT the average person in society. While the lack of one might be some inconvenience, and it certainly increases the chance of crime, the social and political cost of making it easy for any political group who takes power to track everyone and anyone they 'don't like' and to IDENTIFY them easily is not worth the convenience. The reality is that sometimes in
"long term?" (Score:2)
"As cell phones proliferated, and phone numbers became more reliably attached to individuals long term"
In the USA maybe.
In other parts of the world people have multiple mobile numbers or dump them every year or so with a change in contract.
As a reliable identification method they were always questionable and showed a marked US-centricism in software that was clearly broken from the outset.
Need anonymity, not a "universal ID" (Score:2)
"But the United States doesn't offer any type of universal ID, which means private institutions and even the federal government itself have had to improvise."
What's needed is better anonymity not increased centralized identity. On top of that, to
Re: (Score:2, Interesting)
You must be a millennial; phone numbers were never uniquely tied to individual people. Early on, phone numbers weren't necessarily even tied to a single residence, or have you never heard of a party line?
A phone number is just like a snail mail or email address, it doesn't guarantee that there's only one person attached to that number and it doesn't guarantee that one person doesn't have multiple numbers. Which is terrible as a means of identification. And that's before you even start to think about spoofing