September 12, 2018

The four major U.S. wireless carriers today detailed a new initiative that may soon let Web sites eschew passwords and instead authenticate visitors by leveraging data elements unique to each customer’s phone and mobile subscriber account, such as location, customer reputation, and physical attributes of the device. Here’s a look at what’s coming, and the potential security and privacy trade-offs of trusting the carriers to handle online authentication on your behalf.

Tentatively dubbed “Project Verify” and still in the private beta testing phase, the new authentication initiative is being pitched as a way to give consumers both a more streamlined method of proving one’s identity when creating a new account at a given Web site, as well as replacing passwords and one-time codes for logging in to existing accounts at participating sites.

Here’s a promotional and explanatory video about Project Verify produced by the Mobile Authentication Task Force, whose members include AT&T, Sprint, T-Mobile and Verizon:

The mobile companies say Project Verify can improve online authentication because they alone have access to several unique signals and capabilities that can be used to validate each customer and their mobile device(s). This includes knowing the approximate real-time location of the customer; how long they have been a customer and used the device in question; and information about components inside the customer’s phone that are only accessible to the carriers themselves, such as cryptographic signatures tied to the device’s SIM card.

The Task Force currently is working on building its Project Verify app into the software that gets pre-loaded onto mobile devices sold by the four major carriers. The basic idea is that third-party Web sites could let the app (and, by extension, the user’s mobile provider) handle the process of authenticating the user’s identity, at which point the app would interactively log the user in without the need of a username and password.

In another example, participating sites could use Project Verify to supplement or replace existing authentication processes, such as two-factor methods that currently rely on sending the user a one-time passcode via SMS/text messages, which can be intercepted by cybercrooks.

The carriers also are pitching their offering as a way for consumers to pre-populate data fields on a Web site — such as name, address, credit card number and other information typically entered when someone wants to sign up for a new user account at a Web site or make purchases online.

Johannes Jaskolski, general manager for Mobile Authentication Task Force and assistant vice president of identity security at AT&T, said the group is betting that Project Verify will be attractive to online retailers partly because it can help them capture more sign-ups and sales from users who might otherwise balk at having to manually provide lots of data via a mobile device.

“We can be a primary authenticator where, just by authenticating to our app, you can then use that service,” Jaskolski said. “That can be on your mobile, but it could also be on another device. With subscriber consent, we can populate that information and make it much more effortless to sign up for or sign into services online. In other markets, we have found this type of approach reduced [customer] fall-out rates, so it can make third-party businesses more successful in capturing that.”

Jaskolski said customers who take advantage of Project Verify will be able to choose what types of data get shared between their wireless provider and a Web site on a per-site basis, or opt to share certain data elements across the board with sites that leverage the app for authentication and e-commerce.

“Many companies already rely on the mobile device today in their customer authentication flows, but what we’re saying is there’s going to be a better way to do this in a method that is intended from the start to serve authentication use cases,” Jaskolski said. “This is what everyone has been seeking from us already in co-opting other mobile features that were simply never designed for authentication.”

‘A DISMAL TRACK RECORD’

A key question about adoption of this fledgling initiative will be how much trust consumers place with the wireless companies, which have struggled mightily over the past several years to validate that their own customers are who they say they are.

All four major mobile providers currently are struggling to protect customers against scams designed to seize control over a target’s mobile phone number. In an increasingly common scenario, attackers impersonate the customer over the phone or in mobile retail stores in a bid to get the target’s number transferred to a device they control. When successful, these attacks — known as SIM swaps and mobile number port-out scams —  allow thieves to intercept one-time authentication codes sent to a customer’s mobile device via text message or automated phone-call.

Nicholas Weaver, a researcher at the International Computer Science Institute and lecturer at UC Berkeley, said this new solution could make mobile phones and their associated numbers even more of an attractive target for cyber thieves.

Weaver said after he became a victim of a SIM swapping attack a few years back, he was blown away when he learned how simple it was for thieves to impersonate him to his mobile provider.

“SIM swapping is very much in the news now, but it’s been a big problem for at least the last half-decade,” he said. “In my case, someone went into a Verizon store, took over the account, and added themselves as an authorized user under their name — not even under my name — and told the store he needed a replacement phone because his broke. It took me three days to regain control of the account in a way that the person wasn’t able to take it back away from me.”

Weaver said Project Verify could become an extremely useful way for Web sites to onboard new users. But he said he’s skeptical of the idea that the solution would be much of an improvement for multi-factor authentication on third-party Web sites.

“The carriers have a dismal track record of authenticating the user,” he said. “If the carriers were trustworthy, I think this would be unequivocally a good idea. The problem is I don’t trust the carriers.”

It probably doesn’t help that all of the carriers participating in this effort were recently caught selling the real-time location data of their customers’ mobile devices to a host of third-party companies that utterly failed to secure online access to that sensitive data.

On May 10, The New York Times broke the news that a cell phone location tracking company called Securus Technologies had been selling or giving away location data on customers of virtually any major mobile network provider to local police forces across the United States.

A few weeks after the NYT scoop, KrebsOnSecurity broke the story that LocationSmart — a wireless data aggregator — hosted a public demo page on its Web site that would let anyone look up the real-time location data on virtually any U.S. mobile subscriber.

In response, all of the major mobile companies said they had terminated location data sharing agreements with LocationSmart and several other companies that were buying the information. The carriers each insisted that they only shared this data with customer consent, although it soon emerged that the mobile giants were instead counting on these data aggregators to obtain customer consent before sharing this location data with third parties, a sort of transitive trust relationship that appears to have been completely flawed from the get-go.

AT&T’s Jaskolski said the mobile giants are planning to use their new solution to further protect customers against SIM swaps.

“We are planning to use this as an additional preventative control,” Jaskolski said. “For example, just because you swap in a new SIM, that doesn’t mean the mobile authentication profile we’ve created is ported as well. In this case, porting your sim won’t necessarily port your mobile authentication profile.”

Jaskolski emphasized that Project Verify would not seek to centralize subscriber data into some new giant cross-carrier database.

“We’re not going to be aggregating and centralizing this subscriber data, which will remain with each carrier separately,” he said. “And this is very much a pro-competition solution, because it will be portable by design and is not designed to keep a subscriber stuck to one specific carrier. More importantly, the user will be in control of whatever gets shared with third parties.”

My take? The carriers can make whatever claims they wish about the security and trustworthiness of this new offering, but it’s difficult to gauge the sincerity and accuracy of those claims until the program is broadly available for beta testing and use — which is currently slated for sometime in 2019.

I am not likely to ever take the carriers up on this offer. In fact, I’ve been working hard of late to disconnect my digital life from these mobile providers. And I’m not about to volunteer more information than necessary beyond the bare minimum needed to have wireless service.

As with most things related to cybersecurity and identity online, much will depend on the default settings the carriers decide to stitch into their apps, and more importantly the default settings of third-party Web site apps designed to interact with Project Verify.

Jaskolski said the coalition is hoping to kick off the program next year in collaboration with some major online e-commerce platforms that have expressed interest in the initiative, although he declined to talk specifics on that front. He added that the mobile providers are currently working through exactly what those defaults might look like, but also acknowledged that some of those platforms have expressed an interest in forcing users to opt-out of sharing specific subscriber data elements.

“Users will be able to see exactly what attributes will be shared, and they can say yes or no to those,” he said. “In some cases, the [third-party site] can say here are some things I absolutely need, and here are some things we’d like to have. Those are some of the things we’re working through now.”


101 thoughts on “U.S. Mobile Giants Want to be Your Online Identity

  1. agen domino

    It’s so annoying to know that privacy todays is not private anymore. Very sad to hear that. If you think not to expose your identity to public internet don’t waste your time to install not necessary apps

  2. ale

    cell phone networks are not secure or private. and they want to be our online identity? what could possibly go wrong? lol

  3. Catwhisperer

    That’s great when you log into a website using your device. But what about when you try to go to the same website using your desktop browser? Will your ISP also have the same app capability?

    1. Readership1

      Doubt it.

      Since there’s sharing of the endpoint router, everyone in the same dorm or home looks the same to an ISP.

  4. John

    “Jaskolski said the coalition is hoping to kick off the program next year in collaboration with some major online e-commerce platforms that have expressed interest in the initiative, although he declined to talk specifics on that front.”

    Hmmmm. don’t consider Yahoo an online ecommerce platform, but I bet they’ll figure prominently in the industry support section of the rollout announcement.

    This article actually helps clear things up for me. Before reading this, I couldn’t understand why a large Internet company like Yahoo still wasn’t providing secure token-based two-factor authentication options to help protect user accounts. Just made no sense at all.

    After reading this, though, I think maybe now I finally understand. Yahoo – owned by Verizon – doesn’t want to provide users with common/industry-standard secure token-based authentication options, out of concern/fear that users will choose to use them. Apparently Verizon-owned Yahoo would rather basically force their users to choose between (1) awful security (SMS/call-based) and (2) their new _untested-but-please-ignore-the-rampant-SIM-swaps-and-our-lousy-industry-track-record-on-security-and-user-privacy-and-just-trust-us-anyway-pretty-please_ mobile industry solution Project Verify.

  5. IA Eng

    NAHHHHHH. I will pass. I dont do mobile purchases. I’d like to know their story when some one pilfers a persons phone, sits in a car and logs right in. Ease of security and the mining of personal habits, choice and such, its all big brother tracking not only your personal habits but your purchases as well.

    Add in the amount of direct “personalized” advertisements and potential us mail spammage from this so called new technology.

    They can have it. I’m flushing this app should it be included in an update.

  6. Hailey Tresch

    Does project verify use face recognition like the IPhone X? If so, I feel like mobile payments could catch on to this idea by requiring facial recognition at checkout. Thanks for the post and answers!
    Hailey content writer at PayFrog merchantcardservicespro.com

  7. Peter Quirk

    I have many concerns about this proposal.

    1. How does it work when I’m overseas?

    2. If the Telcos have done deals with non-US networks, what guarantees are there that my privacy is protected, and under what laws is it protected?

    3. If the Telcos haven’t been able to eliminate the security vulnerabilities in SS7, how will they eliminate the inevitable security vulnerabilities in this system?

    4. If the Telcos can’t stop stop marketers from spoofing phone numbers in my LATA, what guarantees are there for the security of this system?

    5. How does it work with eSIMs?

    6. If my privacy (or worse) is compromised, can I sue in court, or in a class action, or am I locked into their arbitration agreements?

    7. Has the security of this design been publicly reviewed by a diverse panel of engineers, computer scientists, financial services people, hackers, and competitors?

    8. What is the effort/reward ratio? Would an adversarial state deem it to be worth developing hacks against this system for the rewards it can yield?

    9. Others have commented on the difficulty of transferring your identity from one carrier to another. I think we might want to create a diverse system of authorities rather than a system of just 4 (maybe 3 in the future) carriers, and make it very easy for you to move your identity from one authority to another. Even better, randomly move people from one authority to another periodically, in the same way that many companies are adopting short-lived certificates that are automatically renewed. Doing so could reduce the reward for penetrating a single authority.

    10. How much does the security of the system depend on the mobile devices being patched regularly? I have an unlocked Samsung Galaxy S9 that hasn’t received an update since June. There seems to be no duty of care, nor any regulatory pressure on device manufacturers, to keep devices secure.

    11. Does this system require enabling legislation? Is an electronic signature submitted on a device authenticated by Project Verify considered legal everywhere?

    12. Does the current CALEA legislation enable LEOs to request my identity information?

    13. When you consider that Telcos were granted retroactive immunity for violating the FISA law in the past, what guarantees are there that they won’t violate the laws again, and seek retroactive immunity?

    1. Supernaut I

      @Peter Quirk. These are great questions. I have some more info for you that might help. Before that – just a disclaimer, I’m very familiar with what Project Verify is, but I am not associated with these carriers.

      How does it work when I’m overseas?
      A. As long as you have network connectivity via either cell tower or wifi, it will work. Your mobile network connection needs to be active only periodically to verify that its still in ‘good standing’. Its based on Open ID connect and for more info look up GSMA Mobile Connect. Its designed to work worldwide across carriers.

      2. If the Telcos have done deals with non-US networks, what guarantees are there that my privacy is protected, and under what laws is it protected?
      A. None required. Also, the service is built privacy ground up and lets any existing PII (including passwords) reside with the current end points. It does not create a new honeypot of CII or PII

      3. If the Telcos haven’t been able to eliminate the security vulnerabilities in SS7, how will they eliminate the inevitable security vulnerabilities in this system?
      A. Current SS7 vulnerabilities do not impact the solution. Its based on PKI and the private key resides on the end user device (within the software though-so not perfect)

      4. If the Telcos can’t stop stop marketers from spoofing phone numbers in my LATA, what guarantees are there for the security of this system? Its not enough to just have access to the phone number. This service is immune to fraud that occurs after a SIM swap too – in that it cannot prevent sim swap, but if you are a victim of sim swap, the fraudster will not have access to this service as a result of it. The private key is on your device, and is a hash of your phone number and several other parameters. It also creates a partial 2 way trust where in if you are phished, you will only be providing your phone number to the phishing website. but they would not have the trust certificates necessary to initiate the authentication transaction.

      5. How does it work with eSIMs? Its not based on SIMs, so it will continue to work in an eSIM landscape.

      6. If my privacy (or worse) is compromised, can I sue in court, or in a class action, or am I locked into their arbitration agreements? I’m not sure how to answer that yet, but, the service itself does not create a new repository of PII, so it will not add to existing privacy concerns. In the event of a hack on the back end of this service, the most that can be compromised is token associations.

      7. Has the security of this design been publicly reviewed by a diverse panel of engineers, computer scientists, financial services people, hackers, and competitors? Elsewhere yes and ongoing, but not yet in the US.

      8. What is the effort/reward ratio? Would an adversarial state deem it to be worth developing hacks against this system for the rewards it can yield? High effort/low reward. Any central repository will only have token associations and the public key. assuming hacking it is as difficult or easy as hacking the telco databases itself, you are more likely to get better info doing the latter.

      9. Others have commented on the difficulty of transferring your identity from one carrier to another. I think we might want to create a diverse system of authorities rather than a system of just 4 (maybe 3 in the future) carriers, and make it very easy for you to move your identity from one authority to another. Even better, randomly move people from one authority to another periodically, in the same way that many companies are adopting short-lived certificates that are automatically renewed. Doing so could reduce the reward for penetrating a single authority.

      A. The original concept was designed to be carrier agnostic and portable. I’m not sure yet whether this has been maintained in this particular instance.

      10. How much does the security of the system depend on the mobile devices being patched regularly? I have an unlocked Samsung Galaxy S9 that hasn’t received an update since June. There seems to be no duty of care, nor any regulatory pressure on device manufacturers, to keep devices secure.
      A. somewhat. A device security flaw could possibly be used to compromise the private key. However, its not easily scalable since you would have to compromise individual devices and each would obviously have different keys.

      11. Does this system require enabling legislation? Is an electronic signature submitted on a device authenticated by Project Verify considered legal everywhere?
      A. Possibility in the future. May require moving the keys into the SIM or TEE, which is complicated at the moment.

      12. Does the current CALEA legislation enable LEOs to request my identity information?
      A. This is an interesting question because there are several scenarios both on the carrier level and the individual user level. on the carrier level, there is limited information created by this service that would be of value to LEO. Maybe token associations could be used? im not sure. on the end user level it would remain same as today – if u have a fingerprint lock, you could be forced to unlock, the phone as well as the app. if you have a pin instead then you should be safer from that since you dont have to divulge it.

      13. When you consider that Telcos were granted retroactive immunity for violating the FISA law in the past, what guarantees are there that they won’t violate the laws again, and seek retroactive immunity? Can’t answer that since its not my area of expertise. But i think this question may not apply in this particular case.

  8. SkunkWerks

    *listens to the ad*

    “The average mobile user manages 92 passwords”

    Yeah, and somewhere around 95% of them are either the same password or basically the same password with minor variations.

    Never been sure that’s a problem with passwords.

    Still, I guess when you put it that way: what’s the functional difference between putting all your eggs in one basket by not having different passwords, and you putting all your eggs in one basket by the “one password to rule them all” gambit?

    I dunno, I’m still feeling like the “let us take all this off your hands” sort of option is by nature a poor choice to make. People already don’t understand their own security needs at even superficial levels, and honestly that’s a lot of the “problem” right there.

    How does agreed-upon obfuscation to the mechanisms themselves help matters any?

  9. c/od

    Google has been uncovered in their video that they will subvert any and all whom are NOT Hillary Clinton clones. Yahoo, At&t, and the rest are on board! You could bet you last dollar on this statement. Go watch the 1984 movie and reflect on it…..This will take about 30 seconds or less for the hammer blow to hurt your brain. Project VERITAS caught federal employees stating’ no- body can touch us”.. Remove all pics off your phone, all docs , all & anything that ties you to them…because they own it. Calls only.
    NO WI-FI! patch cord cat 5 to desktop and laptop-NO WI-FI.
    Intel agencies already followed one person to their/there’s Bitcoin account. you cannot out smart them as they have Cray systems and beyond that you paid for to trash you.Get it!
    Carry on.

  10. JLW

    All I can say is “Never, Ever, Period”

    The telcos can barely manage my phone account data.

    Any communication I have ever had with them is generally followed by a double-vodka to relax

    There is NO WAY would I EVER willingly give them ANY additional personal info …

    … which they have EVERY incentive to monetize …

    … and few — if any — penalties for failing to protect.

Comments are closed.