
Ask HN: Why are phone numbers considered a secure personal identifier? - diveanon
I travel quite a bit and change phone numbers often. Most of the time when I am traveling I am in locations that have poor or nonexistent cellular service.

This often causes problems with services (Paypal, banking apps, messengers, etc.) due to my inability to use two factor auth and text-message based confirmation messages.

It seems to me that phone numbers are a horrible identifier due to the way they can be transferred between users of a carrier. Services like Ting have made short term numbers easy to use, and I often get two-factor auth messages from previous users of a number.

Is this purely a business case for data mining, or is there a legitimate security reason for relying on something as ephemeral as a phone number for critical identification mechanisms?

I have debated using Twilio to create my own number pool of international numbers and a way to check my messages via a web portal instead of relying on messaging. Are there any current apps / services that already do this effectively?
======
michaelt
From companies' perspective, SMS has a critical property that U2F dongles and
TOTP authenticators lack: Restoring the user's access if they lose it is
someone else's problem.

With SMS login, if I lose my phone getting back into my account is an argument
between me and my phone provider. And blame for any mistakes in that process
lies squarely with my phone provider.

This avoids the "I lost the backup codes as it's 5 years since I printed them
out" problem.

Anyone involved in designing a 2FA system knows SMS isn't secure - companies
like Apple accept that insecurity, to avoid the support costs of the
lost-backup-codes problem.

~~~
kwhitefoot
Why does everyone assume that two factor authentication by mobile means SMS?
The SIM card (Subscriber Identity Module) has the features necessary to do it
and this is used in Norway to provide 2FA for logging in to banks and state
services like tax and health.

------
irjustin
You raise 2 points.

First is traveling quite a bit with poor cell signal. This one is unfortunate
especially with banks that have no alternative 2fa other than a phone based
OTP.

Why phone? I would believe it's the one thing that is nearly ubiquitous and has a
very low barrier to entry. I never had to train my mother how to use OTP when
it's an SMS. If she was required to use google authenticator, I'd probably get
a phone call every time she had to login.

As for "phone numbers are a horrible identifier" I would say it is "secure
enough" for many scenarios.

Typically 2fa systems require a bad actor to have both a password and a
physical device.

To be pedantic, the OTP is not considered an identifier, but a password that
requires a physical device.

The barrier of a bad actor having both my PW and my device (as a PW) is
supposed to raise it high enough that it's unrealistic. Obviously this doesn't
work 100% of the time, because of phishing and social engineering.

So, sure my device can change hands, but it is unlikely to have changed hands
AND that same person has my password AND they are a bad actor.

I live overseas (US expat). To get around many OTPs from US based services I
use: [https://anveo.com/](https://anveo.com/). Google Voice cannot do
shortcode SMS for places like Bank of America. The website looks like it was
built in 1995, but it's effective.

~~~
coyled
> Google Voice cannot do shortcode SMS for places like Bank of America.

This is an important point for OP to consider. Twilio definitely can't receive
SMS from US short codes[1]. When my number was at Google Voice I thought it
could receive messages from short codes, at least in the recent past, but I
ported it out so I can't test.

[1] -- [https://support.twilio.com/hc/en-us/articles/223181668-Can-T...](https://support.twilio.com/hc/en-us/articles/223181668-Can-Twilio-numbers-receive-SMS-from-a-short-code-)

~~~
slow_donkey
Don't know about BOA, but I've never had a problem receiving verification
codes on my voice number which is my daily driver.

------
swombat
Counterpoint: I’ve had the same number for 20 years. In all that time, I’ve
had maybe 5 instances where I needed to get a confirmation number and couldn’t
get enough reception.

It works well enough, the vast majority of the time, for the vast majority of
people. You’re an extreme edge case.

~~~
ricardobeat
Over 1.4 billion people travelled internationally in 2018. You’re making an
assumption based on a single data point, just as you imply the author to be.

Do you use PayPal? It’s impossible to even _login_ while you are abroad.

~~~
jedberg
> Do you use PayPal? It’s impossible to even login while you are abroad.

Are you sure? I'm in Eastern Europe right now and just logged in and sent
money.

~~~
jtfairbank
I was about to say, I've had no problems with PayPal after I moved to Serbia.
Venmo on the other hand...

------
dis-sys
No - it is not a secure personal identifier (in many countries).

According to Australian laws, someone can port your mobile number to his/her
sim card by filing an online form; as long as they know your date of birth and
account number, that person can take your phone number away in minutes.
Nothing needs to be done in person, no ID will be asked for. In fact, the laws are
made to explicitly forbid such checks in the name of giving consumers an easy
way to transfer to a different provider. You will get an SMS on your phone
notifying you that someone has ported your number away, and the next thing that
is going to happen is that the offender is going to recover your
paypal/gmail/online banking password using your phone number - time to say
goodbye to the money in your account.

The story here is simple - phone numbers are misused by many as some kind of
personal identifier; it is a feature with close to zero security protection in
many countries. Mobile providers don't have any motivation to further secure
it as they never claimed it to be secure and they didn't make $ out of it.

~~~
vntok
Is the port done immediately or do you have something like 24+h between
receiving the port notification and it becoming active to reverse the process
and/or login to your accounts and activate Google Auth?

~~~
dis-sys
It is done immediately.

------
zimbatm
> I have debated using Twilio to create my own number pool of international
> numbers and a way to check my messages via a web portal instead of relying
> on messaging. Are there any current apps / services that already do this
> effectively?

I had the same idea and have been using Twilio to forward SMS / Voice to my
phone. The idea being that a Twilio number should be harder for an attacker
to port.

There are a few issues with that approach:

* SMS are only received if they come from the same country as the phone number.

* SMS issued by my bank not arriving. Maybe related to the first issue.

* Voice calls take a few more rings before they are passed through, meaning that calls are more likely to get dropped by the caller.

Other than that it works beautifully.

------
pjc50
Well, what else are you going to use for a secure personal identifier? Email?
Credit card? Neither of those are especially more secure, and it's at least
slightly harder to get a new phone number (and much harder to get a _specific_
phone number) than an email address. This raises the cost of spam slightly.

Systems which actually need to secure a large amount of digital valuables or
face customer complaints (i.e. games) get their customers to use hardware
tokens or mobile-based 2FA.

~~~
alain_gilbert
Up until very recently, AT&T forced me to have a "four digits" password to
login on their website (prepaid phone).

That's how secure I see phones.

------
ypkuby
> I travel quite a bit and change phone numbers often. Most of the time when I
> am traveling I am in locations that have poor or nonexistent cellular
> service.

Use Twilio or VOIP.ms, very cheap. You can do 2fa easily, just top up $20. I
find that the biggest cost for me personally doing this is the $1/month phone
number rental fee. I use maybe ~50c every month on 2fa. It's an already solved
problem.

> I have debated using Twilio to create my own number pool of international
> numbers and a way to check my messages via a web portal instead of relying
> on messaging. Are there any current apps / services that already do this
> effectively?

VOIP.ms has a very nice SMS gateway, they will automatically relay SMS
messages to your email address. You pay a bit of a premium for it (e.g., if an SMS
costs 0.001c, you pay 0.0015c if I recall correctly) - but it's almost
immediately delivered without issue.

------
zxcvbn4038
Common fallacy is that phone numbers uniquely identify a person or a
geographic location. Neither has ever been true but that is the real reason
banks want your phone number so bad. It wasn't so long ago that you couldn't
even get a loan or credit card in the US without a phone in your name.

My phone number came from an old alt.phreaking post and has run busy
continuously since at least 1982. If banks try to SMS authenticate me then
instead of their app or web banking, I just link the account to another bank
that doesn't do SMS. These days I pay for everything with credit cards anyway
and the bank is just there to insure and hold my funds until I pay the cards,
so I don't need much from them besides an ATM card and the ACH numbers.

I've noticed that all of the synchrony branded credit card sites require SMS
only for password changes, and when prompting you they pull a list of every
phone you've ever owned from a Transunion skip-trace database. If they wanted
to authenticate me again before entering an area of elevated security they
could just ask for my password again - but they don't, and they don't ask for
any credentials when changing the phone number, so that suggests to me that
security isn't the reason they are prompting for SMS authentication.

SMS validation or not, don't try to access the web portal for a Synchrony
issued credit card from outside the US, they typically block the account with
SMS validation for 3-4 days. Several times I've forgotten to turn off my VPN
and ended up sending them paper checks in order to pay my bill on time.

Plus I think we've sufficiently proven that phone numbers are susceptible to
SS7 and social engineering attacks; anyone with my mother's maiden name, DOB,
and social security number can take over my phone, and all the information is
easily acquired from Transunion or Experian. The best thing NIST ever did was
deprecate SMS auth for all the reasons I just described. The worst thing NIST
ever did was backtrack on the first thing.

There are financial services companies out there that give a damn about
security. Shout out to Robinhood for enabling strong passwords (32
characters!) and standard TOTP. They are the only financial services company
I've found that offers TOTP. As soon as they have a cash management account I
think that is where I'm going to park my funds.

(E*Trade has 2FA also but you have to buy a hardware dongle from them. I
appreciate the effort but paging Captain Marvel just the same.)
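
The "standard TOTP" mentioned above is RFC 6238: the server and the authenticator app share a secret enrolled once (usually via an otpauth:// QR code), and both derive the six-digit code from that secret and the current 30-second time step, so no phone number, carrier or SMS delivery is involved. The following is an added example written for this thread, not code from any of the posters or the services named; it implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library only, and the verifier accepts a small clock-drift window and compares in constant time. The 20-byte ASCII secret used in the demo is the RFC 6238 test-vector secret, and the base32 decoder assumes the usual authenticator-app enrolment format.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a 31-bit integer, reduced to `digits` digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the Unix epoch.
    Both sides need only the shared secret and a roughly correct clock."""
    return hotp(secret, for_time // step, digits)


def verify_totp(secret: bytes, submitted: str, now: int,
                step: int = 30, window: int = 1, digits: int = 6) -> bool:
    """Server-side check. Accepts the code for the current step or up to `window`
    steps on either side (tolerates clock drift between phone and server).
    Uses a constant-time comparison so response timing leaks nothing about
    which digits matched. Rejects malformed input before doing any crypto."""
    if not (submitted.isdigit() and len(submitted) == digits):
        return False
    counter = now // step
    candidates = [hotp(secret, counter + d, digits) for d in range(-window, window + 1)]
    # Evaluate every candidate rather than short-circuiting on the first match.
    matched = False
    for candidate in candidates:
        if hmac.compare_digest(candidate, submitted):
            matched = True
    return matched


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps are enrolled with a base32 secret (the otpauth:// payload);
    this decodes it to the raw key bytes, tolerating missing '=' padding and spaces."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


# Constructed demo data: the RFC 6238 Appendix B test-vector secret (ASCII digits).
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print("current code:", code, "valid now:", verify_totp(DEMO_SECRET, code, now))
    # The same code is still accepted one step later (drift window), then rejected.
    print("valid next step:", verify_totp(DEMO_SECRET, code, now + 30))
    print("valid three steps later:", verify_totp(DEMO_SECRET, code, now + 90))
```

A real deployment would additionally store the last accepted counter per user and refuse to accept that counter (or an earlier one) again, so a code captured in transit cannot be replayed within the window; that bookkeeping is left out here to keep the core derivation visible.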

------
smilesnd
[https://krebsonsecurity.com/2019/03/why-phone-numbers-stink-...](https://krebsonsecurity.com/2019/03/why-phone-numbers-stink-as-identity-proof/)

They are a cheap way for companies and developers to add a second identity to
your account.

------
davewiner
They aren't secure.

I had a phone number hijacked a few years ago, and it took a lot of
perseverance to retake control of the number. The phone company (AT&T) didn't
know how to handle it. What they did understand is how to close an account. So
one of the times I regained control (only to be sure I'd lose it again, soon)
I quickly got them to delete the account. That did it.

Ever since that happened and I see a system for 2FA that is based on a phone
number, I think it's just security theater, they must know there's nothing
secure about it.

------
quexy
We need a DNS service for telephone numbers. This would remove the need for
number porting when you switch providers and would give you the ability to use
other phone numbers when abroad.

~~~
sfifs
Most countries already have number porting. International porting is probably
a 0.1% problem and there are solutions for that (eg. Skype number)

------
jedberg
Because most software engineers don't get proper security training, and make
mistakes like this all the time. And even when they have the proper training,
they often get outvoted by product managers who either don't have the training
or don't care.

It's insanely easy to "steal" a cell number for a few minutes by advertising
that number to a small carrier. Phone numbers are not at all secure.

But since most people aren't targeted and there is no easy replacement, phone
based 2fa lives on.

------
dyu
Also a nasty surprise when you travel to another country and realize your
mobile plan cannot have roaming, and you have no service at all.

------
barry0079
I'm reminded of the following which was posted to HN a while back.
[https://github.com/googlei18n/libphonenumber/blob/master/FAL...](https://github.com/googlei18n/libphonenumber/blob/master/FALSEHOODS.md)

------
ecesena
You can use google voice for free, and get text also via email. This way you
don't even have to worry about swapping the number.

Edit: as others mentioned this sort of defeats 2FA, but I read the OP message
as not trying to have a good 2FA solution, but being forced to use SMS by
banks & co.

------
Tistron
Related to this I wonder why we haven't got some TNS (like DNS) yet, that can
give us a persistent symbolic phone-address untethered to the details of your
current carrier or country? Has somebody tried it?

------
tjoff
I just assume it is for data mining and advertising reasons. No reason to give
in to that, I just blacklist any service that depends on it. Or use a burner
number if I really need it.

------
netsharc
Nowadays you need to register with photo ID to get a mobile number, it seems
like it's an anti-crime as well as anti- (let's say the magic T-word
together...) terrorism move to require a phone number. Because if something
goes wrong from the authorities' point of view, then they can always subpoena
the mobile carrier to get your identity.

AFAIK it's even "illegal" to give a SIM card to a 3rd person without updating
this information.

~~~
jedberg
> Nowadays you need to register with photo ID to get a mobile number

I just got a new number last week with cash. I bought a pre-paid SIM in
Amsterdam. They gave me bonus credit for giving my name and address, but if I
didn't want the credit, I wouldn't have had to give them any identifying info
at all.

------
Spooky23
You’re unusual, relatively speaking. Most people keep numbers for decades.

------
docker_up
Short answer: it's not. It's the lazy personal identifier.

------
flavor8
MFA: Something you know, something you are, something you have.

------
gregcohn
I wrote about this a while back. [https://medium.com/@gregcohn/burners-dont-hack-uber-people-d...](https://medium.com/@gregcohn/burners-dont-hack-uber-people-do-b747e48893ef)

TL;DR Phone numbers are not unique ID keys for people. But it seems like many
companies view it as an easy, cheap 2nd factor (generally, "something you
have"), to be combined with a strong password ("something you know").

The problem of course being that a SIM-bound number can be hacked or stolen, and
non-SIM-bound numbers are not actually "something you have". If a Google Voice
number is controlled by the same login as a gmail account, there goes your 2nd
factor.

A lot of people do use Burner for this per the link above. (I'm a founder).

