EmailDiscussions.com  
The Technical Zone... The Geeky forum... Use this forum to discuss technical aspects of email, from authentication protocols to encryption.
Old 29 Mar 2019, 12:59 PM   #1
EricG
Essential Contributor
 
Join Date: Aug 2009
Location: Canada
Posts: 226
Why Phone Numbers Stink As Identity Proof

Krebs' site is one of the best on security. This article explains how hijacking your phone number lets hackers break into accounts. Billions are stolen with this, often cryptocurrency.

Quote:
How exactly did we get to the point where a single, semi-public and occasionally transient data point like a phone number can unlock access to such a large part of our online experience? KrebsOnSecurity spoke about this at length with Allison Nixon, director of security research at New York City-based cyber intelligence firm Flashpoint.

Nixon said much of her perspective on mobile identity is colored by the lens of her work, which has her identifying some of the biggest criminals involved in hijacking phone numbers via SIM swapping attacks. Illegal SIM swaps allow fraudsters to hijack a target's phone's number and use it to steal financial data, passwords, cryptocurrencies and other items of value from victims.

Nixon said countless companies have essentially built their customer authentication around the phone number, and that a great many sites still let users reset their passwords with nothing more than a one-time code texted to a phone number on the account. In this attack, the fraudster doesn't need to know the victim's password to hijack the account: He just needs to have access to the target's mobile phone number.

"As a consumer, I'm forced to use my phone number as an identity document, because sometimes that's the only way to do business with a site online," Nixon said. "But from that site's side, when they see a password reset come in via that phone number, they have no way to know if that's me. And there's nothing anyone can do to stop it except to stop using phone numbers as identity documents."

Old 29 Mar 2019, 06:49 PM   #2
TenFour
Essential Contributor
 
Join Date: Feb 2017
Posts: 482
I've always thought this was true about phone numbers--common sense. But, unfortunately many sites only let you use a phone number for 2FA or for recovery purposes. The good news is that unless you are specifically being targeted, your phone number is not likely to be randomly hacked at the same moment your online life is being hacked, unlike weak password-only protected sites. I've wondered if there could be some sort of service created that would provide you with a virtual phone number that could be used for authentication/recovery purposes only, but it was actually controlled by some super-secure company that then alerted you via a secure messaging app that such-and-such account sent such-and-such a code. This would also allow you to get codes if your personal phone number changed or was out of service for some reason. However, the long-term solution is to use some other means of authentication. Wherever possible I use an authenticator app and backup email addresses, and not a phone number.
Old 12 Apr 2019, 08:04 PM   #3
TenFour
Essential Contributor
 
Join Date: Feb 2017
Posts: 482
At least some service providers let you "lock" your SIM by setting a code or password that must be given in order to swap the SIM to another device. Here is what T-Mobile says about it: https://www.t-mobile.com/responsibil...y/sim-security

Another option is to use a virtual phone number from providers like Google Voice. Then never give out the real phone number. The virtual number doesn't utilize a SIM.
Old 15 Apr 2019, 10:33 AM   #4
Steven Avery
Member
 
Join Date: Jul 2012
Posts: 46
I've tried using my Talkatone number. (Generally a good service.) About half the time the number is not accepted because it is sensed on the other end as a VOIP number, rather than a real cell. I doubt if Google Voice is any different.

Good information. Thanks.
Copyright EmailDiscussions.com 1998-2013. All Rights Reserved. Privacy Policy