
Phone Numbers Stink as Identity Proof - PaulHoule
https://krebsonsecurity.com/2019/03/why-phone-numbers-stink-as-identity-proof/
======
SwiftyBug
I just logged in as someone else on Facebook using a phone number I
activated last week.

edit: there is another account linked to this phone number I activated last
week. I could log in as that user as well. When I chose to recover my account
and entered my phone number, Facebook listed all the accounts linked to this
phone number.

edit2: of course, I can also log in to these people's Instagram accounts

~~~
mirimir
Wow. But predictable, as dead numbers are recycled.

And it's totally a Catch 22 for the previous "owner" of the number. Once
they've lost the number, any glitch in status of linked accounts that requires
phone authentication will lock them out. So if they forget to update
authentication numbers promptly, they risk losing control.

What a mess.

~~~
8note
that happened to my PayPal account.

~~~
mirimir
Did you recover it? And if you did, how?

------
jbarberu
I think a part of the problem is that some companies aren't very transparent
with how they're using your phone number. In my case I do want my bank to have
my phone number, in case they need to contact me. I would rather they don't
use it as a second factor (which I never knowingly agreed to) and I absolutely
don't want to be able to reset my password over SMS.

The yahoo example is horrifying.

~~~
PunksATawnyFill
What about the idiotic policy of requiring you to use an E-mail address as
your user ID?

Apple is going BACKWARD on this amateur-hour practice, now requiring your
Apple ID not only to be an E-mail address... but a WORKING one.

Stupid: https://goldmanosi.blogspot.com/2012/06/forcing-people-to-use-e-mail-address-as.html

~~~
wool_gather
If you're going to be forced to use an email address as an ID, which I agree
is poor practice, you'd _definitely_ want it to be an operational one that is
under your control.

Otherwise you're leaving an opening for someone else to come along later, set
up that address, and take over your account.

------
4FNET7
This is why I have 1-time codes printed out on paper stashed away in a safe
place. If I ever lose my phone, I can get back into the account without access
to SMS or an authenticator app.

~~~
giobox
This doesn’t solve the original problem though; this is just a potential
mitigation strategy for when/if it goes bad (e.g. the cell number is
hijacked).

It’s personally annoying to me how many 2 factor equipped sites force the use
of SMS as the second factor. I imagine the conversation with the PO/PM for the
feature must frequently include discussion of fears that allowing customers to
opt out of SMS 2FA and use their own code generation tools is risky; you are
relying on the customer not screwing up to keep them as a paying customer.

If they lose their personal Authenticator and recovery keys, it can be really
awkward to fix. SMS could be argued to be superficially more attractive in
this regard, given a cell number can be reissued unlike the permanently lost
authenticator device/app. Of course the security of SMS 2FA is terrible etc,
but I can understand some of the fear of the alternatives if you need to keep
customers happy and able to actually use your service.

------
Daishiman
Given that I travel all the time with several different SIM cards, I live in
fear that I might lose a SIM (they're tremendously easy to drop, break or just
fall off from wherever you keep them) and have to wait for weeks before
getting back home to get one.

Or, you know, just travel to a jurisdiction where I can't get SMSs from my
home SIM.

By comparison one-time pads have been substantially easier to keep around and
protect.

~~~
hocuspocus
Services that assume phone numbers are some kind of stable ID are infuriating.

Recently I wanted to log in to AirBnB. I hadn't signed in in 3 years. I was
welcomed with a nice "We don't recognize this device. Get a code by text
message or phone call at <number at my previous country of residence>." The
thing is, I use social login on AirBnB! Specifically because I want to
delegate MFA to a service where I'll keep my profile and login information up
to date. I don't remember agreeing to my phone number being used as a second
factor or as a way to recover my account. So I contacted their customer
service and they unlocked my account within 2 days, without any further
verification.

~~~
gsich
Last time I used Airbnb they offered multiple verification options, including
mail.

~~~
kweks
The email option is displayed / hidden depending on specific factors,
specifically if your GeoIP is in your original / standard country.

Had to do this last week, VPN to my home country to enable code via email.

Sheer stupidity.

------
PaulHoule
I would add that cellular phone vendors do not cover all of the POPs that they
claim they do in the U.S.

No way am I going to spend big money for a cell phone plan when I also have to
pay top dollar for a substandard landline and DSL. Sure, I could just use it
when I am out and about and find some alternative way to get calls when I get
home, but why reward the phone companies for underinvesting.

It used to be I could get a prepaid phone that was pretty good but the last
few ones I have tried I had awful coverage, maybe they are only using Sprint
for their networks now.

~~~
nfriedly
I hear what you're saying and don't disagree with you at all.

But one thing that I've found beneficial is that a lot of modern smartphones
support wifi calling. I haven't had a single dropped call in my basement since
enabling it.

------
jimbokun
Of course phone numbers stink as identity proof. But I thought that was the
reasoning behind MULTI-factor authentication?

Yes, someone could get your phone number someday. And someone could get your
password someday. But it's much less likely anyone would get both at the same
time.

Stupid question, is it straightforward to change the phone number you are
using for a second factor for most web sites?

~~~
romwell
Once you add the "reset password using phone number" feature, as many sites
do, you go from multi-factor to SINGLE factor for MANY websites.

And that's a factor you don't have complete control over and once you lose,
you lose forever.

The best part? Right, you can lose your phone number if you lose your phone,
because T-Mobile allows one to reset their account via SMS.

You can lose your phone number if you misstep just once. My mom got one of
those scam calls from people pretending to be customer service. They asked her
to read off the numbers from an SMS to verify her identity, and she did.

She got lucky because the account is in my name. Otherwise, the scammers would
have had complete control over all lines. They'd have transferred it to
themselves, and used that to take over ALL other accounts.

And that has happened many thousands of times:

https://motherboard.vice.com/en_us/article/gy8bxy/t-mobile-text-warning-phone-hijacking-number-port-out-scam

------
jammygit
What do you use instead of phone numbers that average people would be able to
use? Is email with an MFA option the best bet right now? In that case, what do
email providers use - recovery email addresses?

Faxing in photos of ID is just asking for someone to forget to delete it too,
having it end up in some data dump one day

~~~
xfitm3
Recovery codes + virtual TOTP.
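
The combination xfitm3 recommends, shown as an added example that is not part
of the thread: an RFC 4226/6238 HOTP/TOTP verifier (standard library only) with
a drift window, a constant-time compare and a replay guard, next to single-use
recovery codes that are shown to the user once and stored only as hashes. The
seed `RFC_TEST_SEED` is the RFC 6238 test-vector key, not a production value;
the function and variable names are this example's own.

```python
# Added example (not from the thread): minimal HOTP/TOTP plus single-use
# recovery codes, using only the Python standard library.
import base64
import hashlib
import hmac
import secrets
import struct

# RFC 6238 test-vector seed (ASCII "12345678901234567890"). A real deployment
# generates a per-user seed with secrets.token_bytes(20) at enrolment.
RFC_TEST_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time, last_counter=-1, step=30, window=1):
    """Return the matching time-step counter, or None if the code is rejected.

    Accepts +/-window steps of clock drift, compares in constant time, and
    refuses any counter <= last_counter so a code observed once (e.g. over a
    shoulder) cannot be replayed; the caller persists the returned counter
    as the new last_counter for that user.
    """
    now = int(unix_time) // step
    for delta in range(-window, window + 1):
        candidate = now + delta
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate), code):
            return candidate
    return None


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the seed, the encoding authenticator apps import."""
    return base64.b32encode(secret).decode().rstrip("=")


def _hash_code(code: str) -> str:
    # Each code carries 40 bits of randomness, so an unsalted SHA-256 at rest
    # is enough to stop a leaked database from yielding usable codes.
    return hashlib.sha256(code.replace("-", "").lower().encode()).hexdigest()


def new_recovery_codes(count: int = 10):
    """Return (plaintext codes to show the user once, hashes to store)."""
    plain = []
    for _ in range(count):
        raw = secrets.token_hex(5)  # 10 hex chars = 40 bits of entropy
        plain.append(f"{raw[:5]}-{raw[5:]}")
    return plain, {_hash_code(c) for c in plain}


def consume_recovery_code(stored_hashes: set, code: str) -> bool:
    """Burn one code: it validates exactly once and is then removed."""
    h = _hash_code(code)
    if h in stored_hashes:
        stored_hashes.remove(h)
        return True
    return False


if __name__ == "__main__":
    print("TOTP at T=59 (RFC 6238 vector):", totp(RFC_TEST_SEED, 59))
    print("seed for the authenticator app:", provisioning_secret(RFC_TEST_SEED))
    codes, store = new_recovery_codes(3)
    print("recovery codes (show once):", codes)
    print("first use:", consume_recovery_code(store, codes[0]),
          "replay:", consume_recovery_code(store, codes[0]))
```

Neither path depends on a phone number, which is the point of the thread: the
TOTP seed lives on a device the user controls, and a printed recovery code
survives a lost or wiped phone but cannot be reused once spent. A password
reset flow that accepts only these factors keeps the account at two factors,
rather than collapsing to the single factor romwell describes when SMS reset
is allowed.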

------
mises
Let's be honest: a lot of companies use phone numbers to limit the number
of accounts one can create. Email accounts are a dime a dozen. This is not fun
for those of us who like to use many different accounts for different things.

------
3xblah
One website I know uses postal mail to send a confirmation code.

This seems much more trustworthy to me than mobile phone numbers.

However I am curious to hear counterarguments, if there are any.

~~~
xfitm3
Snail mail MFA only proves you have access to the mailbox. Phone numbers are
typically personal, not shared. Addresses are typically shared.

~~~
3xblah
That is a fair point. How would you counter the following?

When a call is made or a text is sent to a mobile number it is not addressed
to anyone in particular. It is addressed to the number only.

Mobile phone "MFA" only proves someone has access to the SIM card. It could be
anyone.

When a letter is sent to a mailing address, it can be addressed to a
particular person.

In many countries, there are laws that protect postal mail from tampering.

------
nukeop
That's why everyone sane avoids giving out their phone numbers to any company
except dire necessities, like maybe banks. Use U2F, don't use "google
authenticators" or any other pseudo-2FA. No website has any business knowing
your phone number.

Bonus: phone number databases are used in online tracking for connecting
accounts across many websites to datamine more accurate data and form better
profiles. Everyone privacy-minded should be aware of this.

~~~
Spivak
What do you have against TOTP? It doesn't require turning over your phone
number, just that you store the key somewhere secure-ish.

~~~
nukeop
Nothing against TOTP per se, but plenty enough against Google Authenticator
and its typical use cases. If you log into a website on your phone and use an
authenticator running on the same phone, it's not 2FA, it's just two
passwords.

~~~
vinay427
This depends on your threat model. Imagine someone looking over your shoulder
while you type in your password and TOTP token. Without TOTP, they would be
able to log into your account on a different device without having your
current device. With TOTP, they would need some way to get the correct token
when they login, which is much more difficult and more easily noticed by you.

------
RcouF1uZ4gsC
Phone numbers are pretty ok as a second factor. For a general purpose website
I doubt any more than 10% of people will ever get anything like a Yubikey. As
for using a TOTP app such as Google Authenticator, I myself have been
personally burned when I wiped my phone and forgot to backup the TOTP codes.

Phone numbers combined with SMS are not perfect, but they are something the
average user has, something that the average user can recover (if they lose a
phone, they can get a new one but still keep the same number). No, they are
not perfect, and if you are being targeted, they will not help you, but most
people are not targeted, but they do use bad passwords and using phone numbers
as the 2nd factor improves security.

~~~
guitarbill
> For a general purpose website I doubt any more than 10% of people will ever
> get anything like a Yubikey

I bought a bunch of Yubikeys and tried giving them away like candy to friends
and family. I couldn't even give them away; people still weren't interested,
including several developers (!).

We'll never be able to save everyone, so my only wish now is that for the
people who do care, everybody implements 2FA/WebAuthn properly and uniformly.
Even that we're so far away from. Maybe eventually we'll get to some level of
herd immunity, where >90% of accounts are 2FA protected, so trying to exploit
them is a massive waste of time, and can be detected early.

~~~
JohnFen
> I couldn't even give them away; people still weren't interested, including
> several developers (!).

I'm a developer and I own a couple of Yubikeys that I picked up to play with
the concept. I don't actually use them for real authentication, though.

Now, I know that I'm a weirdo, but the reason I don't use them for real is
because they're less convenient for me than just using unique, strong
passwords.

~~~
lisper
Also, you can lose a yubikey even more easily than you can lose a phone
(because yubikeys are smaller and you typically use them less often).

~~~
scottlocklin
Don't you people use keys? Stick them on your keychain!

~~~
hombre_fatal
You need multiple yubikeys. The problem is that they don't use some sort of
derived key concept to make syncing easy. You need them physically present to
add them to new accounts. You can't just lock one away in the safety deposit
box. So you'll probably just lose them both if you lose one.

I'm not surprised nobody uses them.

The only practical application I can think of is some sort of central
authority configuration like a corporation where yubikeys are given to
employees.

~~~
8note
I've got one on my keys, and one stuck in the back of my monitor.

sure, somebody could steal it, but I'm not going to lose it

------
hiei
My phone number is still all over the internet - thankfully from the previous
owner and their personal information. I have had this number for 12 years now.

------
dontbenebby
One thing I recently did was sign up for Google Voice, then move all the sites
that insist on SMS authentication over to that phone number.

In addition to (hopefully) cutting down on spam calls, it's much _much_ harder
to hijack my google account than a cell phone account

(Just be sure to turn call and text forwarding _off_ )

~~~
RcouF1uZ4gsC
Which is great until you post a video on YouTube with copyrighted music in the
background, and the algorithm decides to lock you out of all your Google
accounts.

~~~
lohszvu
Or you store legal files on your gdrive that Google thinks violates their
policies and bans your account.

