
posted by martyb on Monday March 18 2019, @04:23PM
from the your-call dept.

Security researcher Brian Krebs has posted an interview with Allison Nixon on why phone numbers are unsuitable for authentication and identification.

Phone numbers stink for security and authentication. They stink because most of us have so much invested in these digits that they’ve become de facto identities. At the same time, when you lose control over a phone number — maybe it’s hijacked by fraudsters, you got separated or divorced, or you were way late on your phone bill payments — whoever inherits that number can then be you in a lot of places online.

How exactly did we get to the point where a single, semi-public and occasionally transient data point like a phone number can unlock access to such a large part of our online experience? KrebsOnSecurity spoke about this at length with Allison Nixon, director of security research at New York City-based cyber intelligence firm Flashpoint.

  • (Score: 5, Insightful) by Anonymous Coward on Monday March 18 2019, @04:30PM (13 children)

    by Anonymous Coward on Monday March 18 2019, @04:30PM (#816481)

    The companies pushing phone numbers as auth are very interested in tying online accounts to real names because that's where the marketing $$$ is. This never had anything to do with security.

    • (Score: 1, Insightful) by Anonymous Coward on Monday March 18 2019, @04:56PM (5 children)

      by Anonymous Coward on Monday March 18 2019, @04:56PM (#816495)

      exactly. any/most apps should have no need to tie your app id to your meatspace id. any that require that should be treated like the enemies of freedom that they are. instead dumb slaves just keep funding their children's enemies every chance they get.

      • (Score: 3, Insightful) by Pino P on Monday March 18 2019, @05:20PM (4 children)

        by Pino P (4721) on Monday March 18 2019, @05:20PM (#816513) Journal

        any/most apps should have no need to tie your app id to your meatspace id. any that require that should be treated like the enemies of freedom that they are.

        Are banks "enemies of freedom" in complying with anti-money-laundering regulations? Are streaming video on demand providers "enemies of freedom" in not allowing sharing a subscription with the whole neighborhood?

        • (Score: 2, Touché) by Anonymous Coward on Monday March 18 2019, @05:47PM

          by Anonymous Coward on Monday March 18 2019, @05:47PM (#816537)

          Yes?

        • (Score: 3, Informative) by sjames on Monday March 18 2019, @09:56PM (1 child)

          by sjames (2882) on Monday March 18 2019, @09:56PM (#816662) Journal

          Funny thing there. Several banks that carefully follow those anti-money-laundering laws for their small customers just can't seem to catch the drug cartels laundering massive amounts of money through them...

          • (Score: 2) by canopic jug on Tuesday March 19 2019, @12:30PM

            by canopic jug (3949) Subscriber Badge on Tuesday March 19 2019, @12:30PM (#816924) Journal

            Funny thing there. Several banks that carefully follow those anti-money-laundering laws for their small customers just can't seem to catch the drug cartels laundering massive amounts of money through them...

            The smaller you are the harder time they give you. Some people towards the low end of the financial spectrum are barely allowed to have accounts at all. Those at the very bottom are just plain denied accounts, which makes for a fun time in today's virtually cashless society. While on the other end, the banks appear to actively participate in the laundering:

            And so on... [transparency.org] around 50 banks were involved in that one scandal.

            The population of Sweden is about 10.2 million citizens and legal residents, Denmark 5.8 million, and Latvia just under 2 million.

            --
            Money is not free speech. Elections should not be auctions.
        • (Score: 0) by Anonymous Coward on Wednesday March 20 2019, @06:35PM

          by Anonymous Coward on Wednesday March 20 2019, @06:35PM (#817446)

          Are banks "enemies of freedom" in complying with anti-money-laundering regulations?

          Of course! Money laundering laws are bullshit (especially having to ID just to do private business under the guise of stopping said bs money laundering) and the banksters are all guilty of sedition or complicit in it. Be ye glad that I don't control the military b/c there would be a great reckoning.

    • (Score: 2) by DannyB on Monday March 18 2019, @05:39PM (1 child)

      by DannyB (5839) Subscriber Badge on Monday March 18 2019, @05:39PM (#816529) Journal

      companies pushing phone numbers as auth are very interested in tying online accounts to real names because that's where the marketing $$$ is.

      Maybe in some cases.

      I suspect that the reason, years ago, that Yahoo started requiring a phone number for account creation was to eliminate the practice of creating hundreds of accounts. Not only are they disposable email spam traps, but they could be used to manipulate the comment moderation system.

      I had a friend, yeah, uh, it was a friend who did this. And that's the story I'm sticking to.

      --
      People today are educated enough to repeat what they are taught but not to question what they are taught.
      • (Score: 0) by Anonymous Coward on Monday March 18 2019, @06:34PM

        by Anonymous Coward on Monday March 18 2019, @06:34PM (#816559)

        You are on the right track but wrong decade. It gets back to, in my memory, how you could get your child into school. Number was tied to an address, period. Ma Bell kept the phone books, kept billing records, handled reverse lookups for the legal system. It was all inclusive. Since the bills were handled by the USPS, it proved where you lived for school, driver license, voting reg, and so on. It is universal. Why we pay on our phone bills for access for low income.

        But if you think phone# is bad... SS#. Credit card, driver licence, car tags. All fall into this same business - government hookups. For me it goes back to the 1960s. I still remember getting the party line in our home. We were the end of 7 homes on the same line.

        Never put your picture on a cr card. That makes it a legal ID. So if arrested, your cr card number is part of the public record.

    • (Score: 0) by Anonymous Coward on Monday March 18 2019, @06:39PM (3 children)

      by Anonymous Coward on Monday March 18 2019, @06:39PM (#816560)

      I've even had some web shites swear up and down that I must give them a MOBILE phone number. Probably so they can spam text messages or some other gay shit. Although, so far my normal POTS "landline" number has worked. They reeeally want you to buy a cell phone!

      • (Score: 1, Funny) by Anonymous Coward on Monday March 18 2019, @09:21PM (1 child)

        by Anonymous Coward on Monday March 18 2019, @09:21PM (#816630)
        You'd be amazed how many websites that demand a phone number will accept numbers of the form:

        123-555-xxxx

        or

        123-456-7890

        The first is the directory assistance number in the US (which is why almost every phone number in a TV show is "YYY-555-XXXX", with YYY being the proper area code for the setting of the show).

        If anyone were to dial it (and yes, there are fools who will) they simply get the directory assistance folks at the phone company.

        The second should be obvious (sequence of digits).

        Both work because most web systems' 'validation' of an entered phone number amounts to "does it contain digits? are the right number of digits present?".

        • (Score: 1, Interesting) by Anonymous Coward on Monday March 18 2019, @11:15PM

          by Anonymous Coward on Monday March 18 2019, @11:15PM (#816695)

          Actually now 555 is being used for phone#. TV and Movies are limited to 0100 to 0199 as suffix.

          Gone are the days of "Library 2-5000" or using a "bad number" like "Queenland 7-2345"

          Was a great MENSA gag:

          "Remember those SAT and ACT tests you took back in college? Well, you can find out what your IQ was when you took those tests. Just call 1-800-4-Your-IQ".

          Then watch the confusion when the "Q" was not found on the dial. To help, you ask "maybe you should try "1-800-NEW-QUIZ" instead." and walk away.

      • (Score: 2) by Pino P on Wednesday March 20 2019, @06:05AM

        by Pino P (4721) on Wednesday March 20 2019, @06:05AM (#817250) Journal

        Twitter and Steam require a number that can receive SMS. Some users have claimed that voice-only lines can do text-to-speech for SMS, but both a POTS landline from Frontier and "wireless home phone" service from AT&T have failed to do this.

    • (Score: 2) by RedIsNotGreen on Tuesday March 19 2019, @04:20AM

      by RedIsNotGreen (2191) on Tuesday March 19 2019, @04:20AM (#816796) Homepage Journal

      Don't forget surveillance.

  • (Score: 3, Funny) by Rosco P. Coltrane on Monday March 18 2019, @04:31PM

    by Rosco P. Coltrane (4757) on Monday March 18 2019, @04:31PM (#816482)

    Someone with that name must know a thing or two about abusing phones.

  • (Score: 4, Insightful) by bradley13 on Monday March 18 2019, @04:47PM (9 children)

    by bradley13 (3053) on Monday March 18 2019, @04:47PM (#816490) Homepage Journal

    Identification is a serious problem, for which there simply is no perfect solution. Biometrics can be faked or stolen - heck, you could demand DNA analysis, and I can steal some of your skin flakes. Passwords can be compromised, for example, by keyloggers. Phones can be stolen. Hence, the old saw: "something you have, something you know, something you are" - it's through the combination of different types of identification that we can reach some reasonable level of certainty.

    Now, the problem pointed out in TFA is one step more difficult: it's what to do when someone loses one of their factors of multi-factor authentication. Many sites may have 2FA, but allow a reset of one of the factors using the other. For example, a "lost password" reset using only a code sent to your phone (or your email). In fact, that pretty much eliminates any benefit of 2FA.

    The right way to handle that is to introduce an additional factor in that case. For example, financial institutions often ask for information from your last monthly statement. Almost any e-commerce site could do something similar, for example, asking you a question about the last order that you placed. Of course, some people really won't remember, and your agents cannot give in to sob stories, because that plays into the hands of fraudsters.

    tl;dr: The problem isn't phone numbers per se, it's too few factors. A service serious about security can never allow an action (like a password reset) based on a single identifying factor. Have/Know/Are - pick two, in order to reset the third.

    --
    Everyone is somebody else's weirdo.
    • (Score: 0) by Anonymous Coward on Monday March 18 2019, @05:20PM

      by Anonymous Coward on Monday March 18 2019, @05:20PM (#816515)

      Those crypto-dongle-thingies are far better than a phone number. Use one+a passphrase and a second one (not in the same place as the first) for recovery.

      Yes, you could be robbed or they could have some bug in their keygen, but that's far less likely than a helpful call center worker who knows first hand the pain of bureaucracy and just wants to help.

    • (Score: 0) by Anonymous Coward on Monday March 18 2019, @08:10PM (1 child)

      by Anonymous Coward on Monday March 18 2019, @08:10PM (#816601)

      You only need one factor - your government issued photo ID card, presented in person. Whatever else you try, such as a phone number, social security number, biometrics, dongles, passwords, etc., will all prove inadequate. All can be stolen or forged. A photo ID is much more difficult to forge and the photo prevents it from being used when stolen, so it should be required any time authentication is required, such as when applying for any kind of credit. Doing so will drastically reduce identity theft. It happened to me last year, when some jerk stole my identity to get three months of Comcast service. If he had had to present identification before getting credit, he would not have been able to do it. Learn from this and support photo ID requirement.

      • (Score: 0) by Anonymous Coward on Monday March 18 2019, @09:24PM

        by Anonymous Coward on Monday March 18 2019, @09:24PM (#816633)

        You only need one factor - your government issued photo ID card, presented in person.

        Spoken as if there are not folks out there who will, for a fee, create you a "government issued photo ID card", with your photo, and a name/identity of your choice.

        Yes, generally out of reach of the common person, but the common person is not who is being defended against here, it is the criminal who is already up to no good and is trying to impersonate you who is being defended against.

    • (Score: 1) by nitehawk214 on Monday March 18 2019, @08:13PM (4 children)

      by nitehawk214 (1304) on Monday March 18 2019, @08:13PM (#816603)

      Companies prefer fake 2-factor authentication [thedailywtf.com]. Which is something you know and... something else you know.

      Or they will pretend it is something you have by sending a code to your phone. Except it isn't making sure it's a phone you have, just a phone number, which is the same as something you know and something else you know.

      It's cheap and they get to look like they are doing 2fa which makes for good marketing.

      --
      "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
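The rule bradley13 states above (have/know/are, pick two to reset the third) and nitehawk214's point that a code sent to a phone number only proves knowledge of a number, not possession of a device, can be written down as an explicit reset policy. The following is an added example for this page, not code from either commenter or from any product; the proof-type names and their assignment to factor classes are assumptions of the example.

```python
from enum import Enum


class Factor(Enum):
    """The three classic factor classes: have / know / are."""
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


# Which class each kind of proof actually belongs to. The names and the
# classification are assumptions made for this example. An SMS or e-mail
# code is classed as KNOW: it proves control of an address the carrier or
# mail provider assigns, not possession of a specific device.
PROOF_CLASS = {
    "password": Factor.KNOW,
    "security_question": Factor.KNOW,
    "sms_code": Factor.KNOW,
    "email_code": Factor.KNOW,
    "last_statement_detail": Factor.KNOW,
    "hardware_key": Factor.HAVE,
    "fingerprint": Factor.ARE,
}


def factor_classes(proofs):
    """Return the distinct factor classes covered by a list of verified proofs.

    Unknown proof names are rejected rather than silently counted.
    """
    classes = set()
    for proof in proofs:
        if proof not in PROOF_CLASS:
            raise ValueError(f"unknown proof type: {proof}")
        classes.add(PROOF_CLASS[proof])
    return classes


def can_reset(target, verified_proofs):
    """Decide whether `target` may be reset given the proofs already verified.

    Rule: the verified proofs must cover two distinct factor classes, and
    neither may be the class of the factor being reset ("pick two to reset
    the third"). A stack of knowledge proofs (password + SMS code + security
    question) therefore never unlocks a reset on its own.
    """
    if target not in PROOF_CLASS:
        raise ValueError(f"unknown proof type: {target}")
    covered = factor_classes(verified_proofs) - {PROOF_CLASS[target]}
    return len(covered) >= 2


def explain(target, verified_proofs):
    """Human-readable verdict, handy for an audit log of reset attempts."""
    covered = sorted(
        f.value for f in factor_classes(verified_proofs) - {PROOF_CLASS[target]}
    )
    verdict = "ALLOW" if can_reset(target, verified_proofs) else "DENY"
    return f"{verdict} reset of {target}: independent classes proven = {covered or 'none'}"


if __name__ == "__main__":
    # Constructed reset attempts, not real account events.
    print(explain("password", ["sms_code"]))                       # DENY
    print(explain("password", ["sms_code", "security_question"]))  # DENY: both KNOW
    print(explain("password", ["hardware_key", "fingerprint"]))    # ALLOW
    print(explain("hardware_key", ["password", "fingerprint"]))    # ALLOW
```

The interesting row is the second one: a password plus an SMS code plus a security question looks like three checks, but under this classification it is three proofs of the same class and the reset is refused.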
      • (Score: 2) by urza9814 on Tuesday March 19 2019, @07:31PM (3 children)

        by urza9814 (3954) on Tuesday March 19 2019, @07:31PM (#817108) Journal

        Eh, maybe I'm missing your point, but every variant of "something you have" tends to actually be "something you know" in practice. Even a DNA sample is ultimately just transmitting the DNA sequences, so it's really about knowing those, not having them (unless the authenticator is going to open up a testing lab and take samples in person...which is impractical for most use cases)

        The problem with phone numbers is that they don't even approximate something YOU have, they approximate something YOUR PHONE COMPANY has. "Something you have" should be as secure as your own personal physical security standards, but a phone number is often only as secure as your provider's hiring practices for tier one support...

        • (Score: 1) by nitehawk214 on Wednesday March 20 2019, @03:18PM (2 children)

          by nitehawk214 (1304) on Wednesday March 20 2019, @03:18PM (#817361)

          That is a good point, fake-2-factor is still miles better than phone number based security.

          And for anyone with a password manager, the security question is just another 128-bit hashed password.

          --
          "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
          • (Score: 3, Interesting) by urza9814 on Wednesday March 20 2019, @03:36PM (1 child)

            by urza9814 (3954) on Wednesday March 20 2019, @03:36PM (#817371) Journal

            The problem I have with security questions is when the company asking for them lies about their purpose.

            I had to create security questions for my 401k account. They (M-F-ing Wells Fargo...not my choice) told me the security question would only be used in case I forgot my password. Well, I knew that wasn't going to happen, and they wouldn't let me create my own questions, so I threw a bunch of garbage into the boxes and figured it didn't matter.

            Then their servers got compromised, and they decided everyone had to reset their passwords...using the security questions. Apparently it wasn't just in case I forgot my password, it was also in case they got breached. Took almost a year to regain access to my account...

            • (Score: 2) by nitehawk214 on Friday March 22 2019, @02:22PM

              by nitehawk214 (1304) on Friday March 22 2019, @02:22PM (#818404)

              You should treat any security question as "another password", and one that is viewable by their employees and anyone that cracks their site. Never use the same security question answer on two sites.

              Someone on Soylent pointed me at a passphrase generator. I can't remember which one, but this [untroubled.org] is a decent one. Set it to create a bunch of short words that are easy to say over the phone without confusion.

              --
              "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
    • (Score: 2) by urza9814 on Tuesday March 19 2019, @07:02PM

      by urza9814 (3954) on Tuesday March 19 2019, @07:02PM (#817102) Journal

      The problem is that a phone number isn't actually "something you have" -- it's something the phone company has which they temporarily lend to you.

  • (Score: 0) by Anonymous Coward on Monday March 18 2019, @04:56PM (3 children)

    by Anonymous Coward on Monday March 18 2019, @04:56PM (#816496)

    that's easy. the mobile phone is not open.
    you cannot just "run a webserver" on the mobile phone network.
    the internet is an overlay network on top.
    the mobile phone network is closed. it's a goldmine for clubberments to go digging in times of need with shovels made from paper permissions using the sweat of artificially restricted radiowave spectrum...
    money and laws, lots of laws and an "old boys club" mentality (no woman and chinese allowed) govern it.
    thus the feeling of restrictedness arises, onto which one grafts the security that is lacking on the real internet network.
    the internet is a cloud. sit anywhere and use. the mobile phone is a personal terminal nobody wants to share... like a toothbrush.
    we, the users, cannot extend the mobile phone network like we can endlessly extend the internet from our backyard.
    new "baremetal" services cannot be added to the mobilefone network, of which there only seems to be one anyway: "sms".
    no chance in hell a new service like http or irc or ftp, which are baremetal on tcp/ip networks, can be added.

    • (Score: 2) by Acabatag on Tuesday March 19 2019, @02:27AM (2 children)

      by Acabatag (2885) on Tuesday March 19 2019, @02:27AM (#816760)

      If you live in an urban enough area, you can do all your 'mobile internet' on free wi-fi connections, using a phone that isn't activated to any entity. Pull the SIM card out of it, in fact. Or you can buy an iPod Touch if you're ridiculously foolish (any $20 subsidized no-contract Android phone is the equivalent). You do not need to be a tracked entity to use the mobile internet.

      • (Score: 0) by Anonymous Coward on Tuesday March 19 2019, @03:18PM (1 child)

        by Anonymous Coward on Tuesday March 19 2019, @03:18PM (#816976)

        that's not what mobile internet means.

        mobile internet is cell phone/cell device or other telecommunications signaling technology based internet in a closed circuit.

        what you are describing is free wifi; it's just that a lot of different devices can easily take advantage of it, provided the barriers to connect are not too great.

        one cannot just connect to a mobile internet service--you *always* have to have paid upfront. mobile internet means you don't have to find a place with free wifi and hope the signal is good. regular people can't provide mobile internet from their car, but they might share their connection via p2p wifi sharing.

        or blokes like me use a pringles can to steal someone else's and share that, and it's as mobile as the direction i point it despite it always giving me access to someone else from my same static location.

        • (Score: 2) by Pino P on Wednesday March 20 2019, @06:08AM

          by Pino P (4721) on Wednesday March 20 2019, @06:08AM (#817251) Journal

          I think Acabatag's claim is that free Wi-Fi can substitute for cellular Internet for most urban users. But for me, relying on free Wi-Fi hasn't worked while riding as a passenger in a car or bus because by the time my device has associated, the vehicle has moved out of range even before the captive portal page finishes loading.

  • (Score: 0) by Anonymous Coward on Monday March 18 2019, @05:01PM (2 children)

    by Anonymous Coward on Monday March 18 2019, @05:01PM (#816498)

    Anytime you deploy a security system to the masses, it has to work for really dumb people.

    If not for that, a working solution is easy. Have everybody generate random 8192-bit prime numbers, securely in their head, and then multiply them. It's just mental math. Now, using the various RSA-related algorithms, we have highly secure authentication and even encryption. It's perfect if we ban brain scanners. It should be easier than the alternative of remembering 10000 different passwords, and it is nicely secure against even man-in-the-middle attacks at the keyboard.

    Getting to this solution requires doing something about the dumb people, and mass euthanasia gets a bad rap. Maybe we could put all the dumb people in medically-induced comas.

    • (Score: 0) by Anonymous Coward on Monday March 18 2019, @05:11PM

      by Anonymous Coward on Monday March 18 2019, @05:11PM (#816507)

      and mass euthanasia gets a bad rap.

      Rappers create lots of bad rap about many topics, but what does this have to do with the rest of your post?

    • (Score: 0) by Anonymous Coward on Monday March 18 2019, @05:23PM

      by Anonymous Coward on Monday March 18 2019, @05:23PM (#816517)

      Getting to this solution requires doing something about the dumb people,

      How about measuring galvanic skin response while a person is masturbating.

      Then, when you need to authenticate, you start stroking, rubbing, vibrating, whatever.

      I imagine that would work for just about everyone, no matter how dumb. amirite?

  • (Score: 4, Funny) by Anonymous Coward on Monday March 18 2019, @05:20PM (3 children)

    by Anonymous Coward on Monday March 18 2019, @05:20PM (#816514)

    This is such a horrible thing.

    Somehow, everyone has my phone number -- 867 5309.

    It's made my life a living hell. Fuck everything, I'm done. I'm going over the bridge right now!

    --Jenny

    • (Score: 0) by Anonymous Coward on Monday March 18 2019, @08:41PM

      by Anonymous Coward on Monday March 18 2019, @08:41PM (#816616)

      Jenny! Don't change your number!

    • (Score: 2) by sjames on Monday March 18 2019, @10:05PM

      by sjames (2882) on Monday March 18 2019, @10:05PM (#816668) Journal

      After that, the lead singer became a computer consultant. Perhaps that's the answer to TFA?!?

    • (Score: 0) by Anonymous Coward on Tuesday March 19 2019, @06:45AM

      by Anonymous Coward on Tuesday March 19 2019, @06:45AM (#816834)

      I know it is the standard to break a phone number in the NANP into a group of 3 then 4, but it really bugs me when that particular number is not 4 then 3.

  • (Score: 2) by srobert on Monday March 18 2019, @05:38PM (3 children)

    by srobert (4803) on Monday March 18 2019, @05:38PM (#816528)

    ... phones were attached to the wall with wires and most families just had one number. It was associated with a house and the family that lived there, or a business. Now a phone is more of an individual thing that we carry in our pockets, so it could be an individual ID if it were more immutable.

    • (Score: 2, Interesting) by Anonymous Coward on Monday March 18 2019, @09:32PM (2 children)

      by Anonymous Coward on Monday March 18 2019, @09:32PM (#816644)

      The problem, which the article mentions, is that it (phone number) was never designed, nor intended, to be immutable. Phone numbers changed all the time. Pre mobile phones, simply moving around within the same town often involved a change of phone number (due to the way that phone exchanges were related to geographic areas).

      And, because they were designed to change, they were also designed to be recycled (because of the way they got allocated, the phone system had its own version of IPv4 running out, because huge ranges of numbers were simply not usable due to the way the switching equipment worked). I.e., area codes were three digits with the middle digit being a zero or a 1 (212, 203, etc.) But because of the way the switches worked, an exchange portion could not itself use a zero or one in the middle digit (because otherwise the switch would 'see' an area code instead).

      So for the 212 area code, any exchange of the form 212-x0x or 212-x1x could not be used, so one could not allocate 212-212-1234. As well, within the exchanges, middle digits of 9 used to mean pay phones, so 212-292-1111 would be a pay phone somewhere in the 212 area code, within the 292 exchange. So most of the x9x-yyyy number range went unallocated as well.

      So lots of waste, so recycling the numbers that were available to use was critical.

      But that recycling means that using phone numbers as an 'identity' was never a good idea.
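Two comments in this thread describe the same underlying fact from opposite ends: the earlier one observes that many sign-up forms only check "does it contain the right number of digits?", which is why 123-555-xxxx and 123-456-7890 sail through, and this one explains that the numbering plan has structure that rules large ranges out. The validator below encodes the current NANP rules (area code and exchange must start with 2-9, N11 codes are service codes, 555-0100 through 555-0199 is the fictional range) rather than the historical zero-or-one rules described above. It is an added example written for this page, not code from any commenter or from any site mentioned in the thread; the regex and the category names are the example's own, and the sample inputs are constructed.

```python
import re

# Accepts an optional +1 / 1 country prefix, optional parentheses around the
# area code, and space, dot or dash separators; captures NPA (area code),
# NXX (exchange) and the 4-digit line number.
NANP_RE = re.compile(
    r"^\s*(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})\s*$"
)


def parse_nanp(raw):
    """Return (npa, nxx, line) if `raw` is a structurally valid NANP number, else None.

    Current NANP rules applied here:
      * area code (NPA): first digit 2-9, and N11 codes are never area codes;
      * exchange (NXX): first digit 2-9, and N11 codes (411, 911, ...) are
        service codes, never exchanges.
    """
    match = NANP_RE.match(raw)
    if not match:
        return None
    npa, nxx, line = match.groups()
    if npa[0] in "01" or npa[1:] == "11":
        return None
    if nxx[0] in "01" or nxx[1:] == "11":
        return None
    return npa, nxx, line


def classify(raw):
    """Classify a phone number submitted to a sign-up or contact form.

    Returns one of:
      "invalid"   - fails the structural rules above, which catches the
                    digits-only placeholders people type to get past forms;
      "fictional" - 555-0100 .. 555-0199, reserved for use in fiction;
      "reserved"  - any other 555 line, which is not an ordinary subscriber
                    number (555-1212 is directory assistance);
      "plausible" - well-formed; only a code actually delivered to the number
                    shows it is live and currently controlled by the user.
    """
    parsed = parse_nanp(raw)
    if parsed is None:
        return "invalid"
    _npa, nxx, line = parsed
    if nxx == "555":
        return "fictional" if line.startswith("01") else "reserved"
    return "plausible"


if __name__ == "__main__":
    # Constructed inputs: the placeholder numbers quoted in the thread plus a
    # few well-formed ones; none are known real subscriber numbers.
    for sample in ["123-555-1234", "123-456-7890", "000-000-0000",
                   "(212) 555-0123", "212-555-1212", "+1 212-292-1111",
                   "212-911-0000", "2122921111"]:
        print(f"{sample:>16} -> {classify(sample)}")
```

Note what "plausible" does and does not mean: the structural check stops the obvious junk, but it says nothing about who currently holds the number, which is the recycling problem this comment is about. Tying an account to the number still needs a delivered verification code, and re-verification whenever the number is used as a recovery channel.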

      • (Score: 0) by Anonymous Coward on Tuesday March 19 2019, @10:28AM

        by Anonymous Coward on Tuesday March 19 2019, @10:28AM (#816883)

        Then why keep requiring one?
        Google won't let me back into my email without one. So I pay for email now.

      • (Score: 2) by urza9814 on Tuesday March 19 2019, @08:26PM

        by urza9814 (3954) on Tuesday March 19 2019, @08:26PM (#817122) Journal

        And non-recyclable phone numbers also become a vector for abuse and harassment... Particularly since they're generally treated as public information. Which is why phone companies can be legally required to allow users to change their numbers.

        Using public contact information as a means of identity verification just isn't a good idea. Something like email might be marginally better since it's easy to register multiple addresses and easy to retain old addresses to prevent recycling... Except email has plenty of its own security problems...

  • (Score: 1) by tbuskey on Monday March 18 2019, @09:53PM (2 children)

    by tbuskey (6127) on Monday March 18 2019, @09:53PM (#816660)

    I usually try to enter 000-000-0000 as a phone number if it's required. It works often, but not all the time.

    I cannot report an electrical outage without the required phone number tied to my account. Recently, I was getting 3-4 phone calls a day from CVS with a robot telling me to sign up for autorefill. I had set text alerts, but never agreed to getting an actual call.

    Right now, we're near peak phone where everyone has a phone number. It will pass. We used to be at peak TV where everyone watched television too.

    • (Score: 2) by Acabatag on Tuesday March 19 2019, @02:34AM (1 child)

      by Acabatag (2885) on Tuesday March 19 2019, @02:34AM (#816763)

      I am more and more tempted just to get a trac-phone for voice calls and let my 'smartphone' become a wi-fi terminal. There is wi-fi at work. There is wi-fi at home. There is wi-fi most of the places I eat lunch and shop at. I could still carry my phone and use it almost anywhere. There is offline mapping software that will work with GPS on the disconnected phone to navigate.

      • (Score: 2) by Pino P on Wednesday March 20 2019, @06:14AM

        by Pino P (4721) on Wednesday March 20 2019, @06:14AM (#817255) Journal

        Let me guess: either you drive or cycle everywhere (and have little use for a vehicle other than navigation and music), or you use offline-first applications on the smartphone while a passenger. That's one reason I resisted getting a smartphone for several years: I could find much more offline-first software on laptops than on smartphones.
