
Phone Numbers Were Never Meant as ID. Now We’re All at Risk - colinprince
https://www.wired.com/story/phone-numbers-indentification-authentication/
======
wtmt
> But the United States doesn't offer any type of universal ID, which means
> private institutions and even the federal government itself have had to
> improvise.

Oh, please! No! No! No! India bulldozed a national identification number
(called Aadhaar) on its residents and it has made more people vulnerable to
many kinds of attacks, including phone number hijacking, draining people’s
bank accounts, etc. To say that it’s been an unmitigated disaster would be an
understatement. As with things related to government, the governing
organization for Aadhaar, called UIDAI, always claims that it’s completely
secure, while ignoring the fact that linking one number to everything in one’s
life increases the attack surface and the severity of the threats.

So please research the number of ways Aadhaar has failed, and is making
some feeble attempts to recover, before getting into a “let’s create a new
static number to identify people with instead of a phone number or SSN”.
That’d just be changing the narrative without achieving anything.

Bottom line, it’s not the phone number that’s the problem, but having a unique
and non-changing number and linking it to everything else (including one’s
phone numbers).

~~~
Lazare
I disagree; I think the issue is people using a mechanism for _identification_
as a mechanism for _authentication_.

If all it takes to drain someone's bank accounts is to be able to uniquely
identify them, then there's an enormous issue with the banking system.

> Bottom line, it’s not the phone number that’s the problem, but having a
> unique and non-changing number and linking it to everything else (including
> one’s phone numbers).

Totally disagree. Linking it to a phone number is fine, but the _entire point_
of such a number is that you should be able to print it on your business cards
or wear it on your t-shirt. :) Knowing it should grant no privileges to
anyone.

Of course, I think your underlying point is that the real issue isn't that we
want a good way of identifying people, it's that we want a good way of
_authenticating_ them, and we're no closer to solving that. And people keep
misusing ways of identifying people as ways of authenticating them. But maybe
we should be focusing on that instead?

~~~
slededit
Estonia gives everyone a smart card they can use to digitally sign things.
Obviously someone can steal your card but it's pretty hard to forge otherwise.

It's a solved problem, just nobody wants to fix it.

~~~
tripzilch
How much trouble are you in if your card gets stolen?

Would you call a number to temporarily block it, and pay a fine to get a new
one? If so, how does the call authenticate you?

Second question, "pretty hard to forge otherwise", is about roughly how hard?
Has it been proven possible / proof of concept? Or did you mean to say you're
unaware of any successful forgeries but (naturally/obviously) can't honestly
claim it's totally impossible, because you never know.

I'm real curious about the Estonian smart card thing. Does it work well? Can
you only sign government things with it, or really just about anything that
needs your authentication? (say, commercial contracts) Does it have a
private/public key type of thing so that you could also encrypt something with
someone's public key so that only that one individual cardholder can ever
decrypt it?

~~~
theshrike79
Basically it's a physical device that stores your private key.

So if you can forge that, you can crack open the whole Internet :)

------
simmons
Bootstrapping identity is a very hard problem, and implementors can't resist
the easy path of piggy-backing on someone else's identity or authentication
system -- social security numbers, email addresses, telephone numbers, etc.

AT&T is being sued by someone who lost $24M in cryptocurrency because someone
decided to piggy-back authentication on AT&T. While AT&T should certainly be
called out for having sloppy security, I can't help but feel that they never
really signed up for the job of protecting such a valuable asset. It's like
trying to protect Fort Knox with a consumer-grade padlock, then going after
the padlock manufacturer when someone cuts it open.

~~~
supertrope
This is fundamentally a regulatory and economic problem. The exact challenge-
response flow and physical artifacts/electronic credentials we use to assert
identity and request access with change over time. Businesses are only
motivated to prevent fraud if they will be liable for losses. They have
managed to label it "identity theft," as if you forgot to lock up your
bicycle, and give ironic post-breach advice to their customers like installing
anti-virus software and not surrendering information to unsolicited callers.

Incentives need to be aligned. The Trump Administration cancelled the
investigation into Equifax. Target's stock price barely budged. Regulations
may not be a panacea as the OPM breach suggests. "Cyber insurance" is an
interesting market. Ideally insurers would require best practices to be
followed for policy issuance and claim payout. But that can lead to compliance
box checking, and litigation/coverage struggles instead of actual security.

~~~
samatman
What you say about Target's stock price is true, but markets exist to price
assets, not to punish malefactors. What this shows is that the market decided
losing a ton of data wouldn't affect Target's bottom line; this supports your
point about incentives but is itself not something in need of adjustment. The
market is literally signaling that losing customer data isn't going to cost a
company anything.

------
twblalock
Phone numbers are obviously flawed as identifiers, but so are social security
numbers, drivers license numbers, etc. If the United States introduced a
national ID, how would it avoid the same problems as the de-facto national
ID, the social security number?

Biometric data can be replicated, e.g. fake fingerprints and synthesized
voices. Good facial recognition is still a step ahead of scammers but they may
catch up at some point. And you can't easily change your biometric data if
someone manages to make a copy.

At this point everyone knows passwords by themselves are not good enough.

Physical tokens like Yubikeys can be stolen, although that's clearly more
difficult than stealing some of these other identifiers.

If everyone had a cryptographic private key, they would have to store it
somewhere -- how would they keep it secure without resorting to one of the
flawed systems I just mentioned?

So, I find it difficult to blame companies for using phone numbers as
identifiers -- it's easy, and all of the alternatives are also flawed. I
haven't seen any foolproof identifier, probably because it's not possible to
create one.

~~~
solatic
> If the United States introduced a national ID, how would it avoid the
> same problems as the de-facto national ID, the social security number

Everyone gets a national ID number. This number is considered public and is
used for signing up for public and private services.

Everyone gets an ID card, issued by the government. This ID card holds a
private key, used to enter legally-binding agreements, and the card is printed
with the photo of the holder. Attempts to use the card to authorize purchases
online redirect to a government-managed identity provider (think SAML 2.0),
where the user must provide either a password (preferable) or, if there is no
password, some other knowledge proof that is not discernible from the physical
ID card, either of which were set up when the card was issued. When people
become incapacitated for publicly-known reasons (incarceration,
hospitalization, etc.), their public certificates are temporarily added to a
revocation list. When issued, the card comes with three one-time-use secret
codes, each of which triggers a 24-hour temporary revocation, which must be
kept secret-enough to prevent abuse. Obtaining more temporary revocation
codes, or permanent revocation (in case of loss or theft), or
password/knowledge proof reset without the previous password/knowledge proof,
is handled in physically secure government facilities, by providing DNA and
other biometrics, that were registered when the card was issued and are not
used for any other purpose. Corruption is combated at the DNA-collection stage
by requiring the secure facilities to actually collect fresh physical samples
each time - this constitutes a biological sort of paper trail for auditing
revocation requests.

No, it's not impossible to game the system. People can be bribed to overlook
the photo; DNA can be stolen and used to continually permanently-revoke
victims. Paper trails are not magic cure-alls. There are serious ethical
concerns with entrusting the government with a populace's DNA (particularly,
the potential to re-index it for the purposes of ethnic cleansing). And yet,
when compared to modern-day systems, I'm hard-pressed to complain. If you ask,
quite simply, which is better, the system proposed above or the contemporary
system, one or the other, I have a hard time imagining people defending the
contemporary system.
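
Lazare's split between identification and authentication, and the card-plus-password flow with temporary and permanent revocation that solatic sketches, as an added Python illustration (my own, not code from either commenter): the ID number is public and proves nothing on its own; a login needs a card-held secret answering a fresh challenge plus the password; the three one-time revocation codes are stored only as hashes and each triggers a 24-hour block; permanent revocation is a separate, in-person step. The standard library has no asymmetric signature primitive, so the card's "signature" is an HMAC over the challenge, which is an assumption that differs from a real card (where the provider would hold only the public key). All names, numbers and codes are invented.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed example: public ID number, card-held secret, password, and a
# revocation list. HMAC stands in for the card's private-key signature (a
# simplification: a real IdP would verify against the card's public key).
TEMP_REVOCATION_SECONDS = 24 * 3600
PBKDF_ITERATIONS = 50_000  # kept low for the demo; production uses far more


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF_ITERATIONS)


class Card:
    """What the holder carries: a printable ID number and a secret that never leaves the card."""

    def __init__(self, id_number: str, card_secret: bytes):
        self.id_number = id_number
        self._card_secret = card_secret

    def sign_challenge(self, challenge: bytes) -> bytes:
        return hmac.new(self._card_secret, challenge, "sha256").digest()


class IdentityProvider:
    """Government-run IdP: issues cards, checks challenge responses, tracks revocation."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.records = {}

    def issue(self, id_number: str, password: str):
        card_secret = secrets.token_bytes(32)
        salt = os.urandom(16)
        codes = [secrets.token_hex(8) for _ in range(3)]  # three one-time revocation codes
        self.records[id_number] = {
            "card_secret": card_secret,
            "salt": salt,
            "pw_hash": hash_password(password, salt),
            "revocation_code_hashes": {hashlib.sha256(c.encode()).digest() for c in codes},
            "temp_revoked_until": 0.0,
            "permanently_revoked": False,
        }
        return Card(id_number, card_secret), codes

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def is_revoked(self, id_number: str) -> bool:
        rec = self.records[id_number]
        return rec["permanently_revoked"] or self.clock() < rec["temp_revoked_until"]

    def authenticate(self, id_number, challenge, response, password) -> bool:
        rec = self.records.get(id_number)
        if rec is None or self.is_revoked(id_number):
            return False
        expected = hmac.new(rec["card_secret"], challenge, "sha256").digest()
        card_ok = hmac.compare_digest(expected, response)
        pw_ok = hmac.compare_digest(rec["pw_hash"], hash_password(password, rec["salt"]))
        return card_ok and pw_ok  # knowing the ID number alone is never enough

    def use_temp_revocation_code(self, id_number, code) -> bool:
        rec = self.records[id_number]
        digest = hashlib.sha256(code.encode()).digest()
        if digest not in rec["revocation_code_hashes"]:
            return False
        rec["revocation_code_hashes"].remove(digest)  # single use
        rec["temp_revoked_until"] = self.clock() + TEMP_REVOCATION_SECONDS
        return True

    def permanently_revoke(self, id_number) -> None:
        # In the scheme above this is only reachable after in-person biometric checks.
        self.records[id_number]["permanently_revoked"] = True


def demo():
    now = [1_700_000_000.0]
    idp = IdentityProvider(clock=lambda: now[0])
    card, codes = idp.issue("ID-000123", "correct horse")  # invented values

    def attempt(password, with_card=True):
        chal = idp.new_challenge()  # fresh challenge per attempt
        resp = card.sign_challenge(chal) if with_card else b"\x00" * 32
        return idp.authenticate("ID-000123", chal, resp, password)

    results = {
        "id_number_and_password_only": attempt("correct horse", with_card=False),
        "card_and_password": attempt("correct horse"),
        "card_wrong_password": attempt("wrong"),
        "code_accepted": idp.use_temp_revocation_code("ID-000123", codes[0]),
        "code_reuse_rejected": idp.use_temp_revocation_code("ID-000123", codes[0]),
    }
    results["during_temp_revocation"] = attempt("correct horse")
    now[0] += TEMP_REVOCATION_SECONDS + 1
    results["after_24h"] = attempt("correct horse")
    idp.permanently_revoke("ID-000123")
    results["after_permanent_revocation"] = attempt("correct horse")
    return results
```

The point the demo makes is the one Lazare raises: the identifier can be public because every branch that grants access checks possession of the card secret, knowledge of the password, and the revocation state, never the number itself.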

~~~
TazeTSchnitzel
What you have described is (mostly) how Swedish society already works. Even
the SAML part — we'll be forced to support eIDAS as of next month!

Everyone resident in Sweden must be registered in the Swedish Population
Register, and receives a personal identity number. Due to the Swedish
constitution, information held by the government must be publicly available,
so people's names, dates of birth, addresses and indeed identity numbers are
not secret (though the last of these isn't on Google). This means that in
order to prove your identity, people use ID cards and corresponding digital ID
issued by the government and banks. Said digital ID is a passcode-protected
certificate, either on a phone, a computer, or a physical ID card.

The government doesn't have your DNA here though, although citizens' passports
and ID cards contain fingerprint data.

------
toast0
Tying 2fa directly to the phone is much better than tying it to a phone
number, until you don't control your phone. Then, how do you recover? You
can't go down to the local Google (or whoever) kiosk, prove your identity, and
get a new device added to 2fa, but you can get a new sim (downside, so can
pretty much any carrier kiosk employee, or social engineer).

Also, phone numbers are pretty useful for contacting people, and most people
have an address book with their friends and family and other important
contacts. There's tremendous social value for people in those numbers
continuing to work, to the extent possible. You're never going to be able to
tell everyone who might want to know when your number changes, especially if
you for a new number when yours was assigned to someone else.

~~~
Aaargh20318
> how do you recover?

* By using the TOTP recovery codes (you did write them down, right?)

* By using a TOTP client on another device (the client I use syncs its (encrypted) database with all my iDevices)

* By restoring from a backup of your phone (you do have a backup, right?)

~~~
brazzledazzle
The iCloud backup of my phone when restored to another phone didn’t bring over
any of my authenticators. I don’t know if a physical backup would or not but
it’s worth noting.

~~~
drb91
Well, if that were not the case, your apple id would be the second factor to
everything.

~~~
brazzledazzle
You're right. I'm not criticizing, just noting it for anyone that might think
the online backup would be sufficient after reading the comment I replied to.

------
jkingsbery
I implemented number porting for a startup I worked for. It's all pretty
scary: yes, it's easy to impersonate someone if you have some information
about them, but some carriers don't check any sort of porting pin at all. That
is, attackers sometimes do not need to impersonate you, they just have to ask
for your number.

It would be great if we all had something more secure, but in the meantime
understand your carrier's port-out process and make sure your number is
secured.

------
ggm
My UK NI number is burned into my brain. It might be because it was given to
me at a highly emotional time (transition from school to unemployment and
university) or because I had to know it to complete forms (UB-40 and P-45
employment status).

From thirty years distance, trying to re-connect to my UK pension rights, as a
non-resident migrant, it floated back up into my consciousness instantly. I
suspect even with dementia it's one of the digit strings I'll hang onto.

FWIW former forces probably have their serial number forwards and backwards
because of hazing. I only have my NI number because of money.

------
gonmf
We should more than ever be teaching everyone not to use their real name on
the internet, and not to give out their phone number or private email address
on the internet or to businesses for advertising or any other avoidable
purpose. This would eventually prevent the assumption that everybody has a
phone number that can be used as authentication, or even worse, a Facebook
account!

------
guru4consulting
Every factor is vulnerable: phones, phone provider, gmail accounts, YubiKeys
and even yourself. What if someone points a gun at you and asks you to
transfer all the bitcoins?

Why not distribute the authentication factors among multiple trusted parties
instead of a single person? This would not scale for normal use cases, but
could help for mission critical updates. For example, if I change my gmail
password or port my phone number or update my auth factors (which are all
considered major/mission critical changes), then the change has to be verified
by at least 51% of my trusted contacts. So, instead of verifying
authentication just with me, the provider has to send 2fa tokens to all my
trusted parties (my spouse/partner, close friends, family members, etc). If 3
(out of 5) have verified and approved the change, then the provider would
implement the change.
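
The "3 out of 5 trusted contacts" rule above, as an added Python sketch (my own, not the commenter's): the provider mints one unguessable token per contact, delivers each over that contact's enrolled channel (assumed; delivery is out of scope here), and only applies the change once a threshold of distinct contacts has returned a valid token before the tokens expire. Contact names, the threshold and the TTL are invented.

```python
import hmac
import secrets
import time

# Constructed example: k-of-n approval by trusted contacts before a sensitive change is applied.
TOKEN_TTL_SECONDS = 3600


class GuardedChange:
    def __init__(self, description, contacts, threshold, clock=time.time):
        if not 0 < threshold <= len(contacts):
            raise ValueError("threshold must be between 1 and the number of contacts")
        self.description = description
        self.threshold = threshold
        self.clock = clock
        self.created = clock()
        # One fresh token per contact; the provider keeps these and sends each to its contact.
        self._tokens = {name: secrets.token_urlsafe(16) for name in contacts}
        self._approved = set()
        self._rejected = set()

    def expired(self) -> bool:
        return self.clock() - self.created > TOKEN_TTL_SECONDS

    def submit(self, contact: str, token: str, approve: bool = True) -> bool:
        """Record one vote. Returns False for unknown contacts, wrong/expired tokens, or repeat votes."""
        if self.expired() or contact not in self._tokens:
            return False
        if contact in self._approved or contact in self._rejected:
            return False  # one vote per contact; replaying a token adds nothing
        if not hmac.compare_digest(self._tokens[contact], token):
            return False
        (self._approved if approve else self._rejected).add(contact)
        return True

    def status(self) -> str:
        if len(self._approved) >= self.threshold:
            return "approved"
        if self.expired():
            return "expired"
        if len(self._rejected) > len(self._tokens) - self.threshold:
            return "rejected"  # the threshold can no longer be reached
        return "pending"


def demo():
    now = [1_700_000_000.0]
    contacts = ["spouse", "sister", "friend_a", "friend_b", "brother"]  # invented
    change = GuardedChange("port phone number", contacts, 3, clock=lambda: now[0])
    tokens = change._tokens  # the demo peeks; in production each contact sees only their own
    out = []
    out.append(change.submit("spouse", tokens["spouse"]))                 # recorded
    out.append(change.submit("spouse", tokens["spouse"]))                 # duplicate vote
    out.append(change.submit("sister", tokens["spouse"]))                 # someone else's token
    out.append(change.submit("friend_a", tokens["friend_a"], approve=False))
    out.append(change.status())                                           # pending
    out.append(change.submit("sister", tokens["sister"]))
    out.append(change.submit("brother", tokens["brother"]))
    out.append(change.status())                                           # approved
    return out
```

The expiry and "can no longer reach the threshold" branches matter in practice: a pending change that can be approved weeks later by a single straggler is exactly the kind of stale authorisation that gets abused.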

------
heinrichf
Never meant for identification purposes, just like social security numbers:

[https://www.npr.org/templates/transcript/transcript.php?stor...](https://www.npr.org/templates/transcript/transcript.php?storyId=593603674)

(interesting Planet Money episode on the history of the SSN)

------
aviv
I repeat this on related threads: taking over _any_ US phone number's
inbound/outbound SMS traffic with the ability to intercept inbound SMS as well
as send SMS originating from a particular number is dangerously easy. It takes
one minute, and ALL numbers are vulnerable. Worse, there is no fix for this.
Never ever use SMS for authentication, or sensitive communication of any kind.

I believe this is being exploited on a regular basis and people just have no
clue. This is likely used for anything from gaining access to email accounts
to insider trading to political leverage to who the heck knows what else.

~~~
scient
There are a couple of vendors out there who at least try to detect SIM
swapping and traffic hijacking. It's better than nothing and eliminates the
simplest attacks, but still has its flaws, including happy path case support
(like only working on the network and needing a smart phone).

------
nkkollaw
So, do phone numbers get recycled?

For instance, if I change phone company and decide not to keep the number or
they're unable to transfer it, can it be assigned to someone else?

~~~
kickling
Happened to my number at least (I live in Sweden). A person sent me a text
message saying he had my previous number and that he got frequent calls from
my friends.

~~~
nkkollaw
Jesus... Yes, this is NOT good, considering the number of services that you
can log into with just an SMS confirmation (my bank, for instance).

------
jwr
I see no problem with phone numbers being used as an ID. They should
not be used for _authentication_ though.

For some reason it has become fashionable to force 2-factor authentication on
users using SMS as the 2nd factor. That is a terrible idea, and yet it
proliferates, especially at the most calcified institutions (banks, DMV,
Twitter). This has to end.

------
Spooky23
The US absolutely offers universal ID, it’s just federated. All states will
have common identity standards shortly (all but 2-3 do today).

There’s a parallel system through the various passport and trusted traveler
schemes that are controlled by the US government directly as well.

------
badrabbit
Neither were social security numbers. If the OPM and Equifax breaches weren't
enough, I don't know what is.

I think the west as a whole would change fast when this information is used
against them in war with a formidable adversary (Russia, China...)

------
cyphunk
Lebanon was fun. When I arrived and purchased a SIM card, after getting on the
different smartphone instamessage systems everyone that knew the previous
owner started contacting me.

------
mschuster91
Well, Germany could have provided a (relatively) easy solution with the new
(ah well, 10 years old by now) Personalausweis identity cards - they're RFID
capable and contain crypto functions.

Actually, there _is_ a solution for using them to sign stuff - but it's
proprietary in any case, and requires expensive certificates.

~~~
gsich
Not everyone has a Personalausweis.

~~~
mschuster91
Nearly all Germans do have one (yes, I know, having a passport is
sufficient... but, anecdata, never met anyone with only a passport), and iirc
the Elektronischer Aufenthaltstitel required for non-German residents of
Germany has the same functions.

It's a perfect model of "the tech would be there but government is
incompetent/corrupt and so it is not freely available for the benefit of
citizens".

------
jt2190
tl;dr

> The use of phone numbers as both lock and key has led to the rise, in recent
> years, of so-called SIM swapping attacks, in which an attacker steals your
> phone number. When you add two-factor authentication to an account and
> receive your codes through SMS texts, they go to the attacker instead, along
> with any calls and texts intended for the victim. Sometimes attackers even
> use inside sources at carriers who will transfer numbers for them.

------
11thEarlOfMar
We're seeing more biometric authentication with fingerprints, face
recognition, perhaps retina scan. How do these methods perform in practice,
considering both their contribution to security and their practical
application?

I currently authenticate on my iPhone with fingerprint. How hard is that to
crack? If you had the victim's fingerprint, it's apparently trivial [1]. But
accessing my fingerprint is not something that a random hacker/thief on the
Internet would reasonably be able to do.

Since our phones are becoming our life-key. Would a 3-factor authentication
sufficiently protect us?

Something you have: SmartPhone.

Something you know: Password.

Unique part of you: Fingerprint.

[1] [https://www.businessinsider.com/fingerprint-hacked-smartphon...](https://www.businessinsider.com/fingerprint-hacked-smartphones-2016-3)

~~~
3pt14159
Fingerprints are so fucking dumb.

You can't change them and you leave them everywhere!

They're good against stopping your nosy family members from seeing your
password, but what am I supposed to do when dining or paying someone? Wear
gloves?

If the cybersec game turns into "collect physical fingerprints" then the gangs
are going to collect physical fingerprints and then what?

What we need is something dynamic that's hard to fake, like a human voice or
face, tied to a government issued cryptographic device with no input ports /
volatile memory / inbound network adapter.

You say a challenge sentence out loud. The device validates. Then the device
signs or authenticates or whatever. For integrity it could optionally encrypt
and broadcast what happened.

You lose the device, you get a new one just like you get a passport. In person
with other documents, etc.

This really isn't that hard. We could have done it decades ago.

~~~
gregknicholson
> government issued cryptographic device

I don't trust my government to be competent at cryptography.

Some people don't trust their government to be non-malicious.

~~~
smnrchrds
> I don't trust my government to be competent at cryptography.

Which government is it? If it is the US, you might as well not trust any
cryptographic schemes, considering how many of them were developed by NSA.

~~~
gsich
Not the ones that "count" or should be used. Just look at the Dual_EC_DRBG
disaster.

