12 Sep 18

U.S. Mobile Giants Want to be Your Online Identity

The four major U.S. wireless carriers today detailed a new initiative that may soon let Web sites eschew passwords and instead authenticate visitors by leveraging data elements unique to each customer’s phone and mobile subscriber account, such as location, customer reputation, and physical attributes of the device. Here’s a look at what’s coming, and the potential security and privacy trade-offs of trusting the carriers to handle online authentication on your behalf.

Tentatively dubbed “Project Verify” and still in the private beta testing phase, the new authentication initiative is being pitched as a way to give consumers a more streamlined method of proving their identity when creating a new account at a given Web site, and to replace passwords and one-time codes for logging in to existing accounts at participating sites.

Here’s a promotional and explanatory video about Project Verify produced by the Mobile Authentication Task Force, whose members include AT&T, Sprint, T-Mobile and Verizon:

The mobile companies say Project Verify can improve online authentication because they alone have access to several unique signals and capabilities that can be used to validate each customer and their mobile device(s). This includes knowing the approximate real-time location of the customer; how long they have been a customer and used the device in question; and information about components inside the customer’s phone that are only accessible to the carriers themselves, such as cryptographic signatures tied to the device’s SIM card.

The Task Force currently is working on building its Project Verify app into the software that gets pre-loaded onto mobile devices sold by the four major carriers. The basic idea is that third-party Web sites could let the app (and, by extension, the user’s mobile provider) handle the process of authenticating the user’s identity, at which point the app would interactively log the user in without the need of a username and password.

In another example, participating sites could use Project Verify to supplement or replace existing authentication processes, such as two-factor methods that currently rely on sending the user a one-time passcode via SMS/text messages, which can be intercepted by cybercrooks.

The carriers also are pitching their offering as a way for consumers to pre-populate data fields on a Web site — such as name, address, credit card number and other information typically entered when someone wants to sign up for a new user account at a Web site or make purchases online.

Johannes Jaskolski, general manager for Mobile Authentication Task Force and assistant vice president of identity security at AT&T, said the group is betting that Project Verify will be attractive to online retailers partly because it can help them capture more sign-ups and sales from users who might otherwise balk at having to manually provide lots of data via a mobile device.

“We can be a primary authenticator where, just by authenticating to our app, you can then use that service,” Jaskolski said. “That can be on your mobile, but it could also be on another device. With subscriber consent, we can populate that information and make it much more effortless to sign up for or sign into services online. In other markets, we have found this type of approach reduced [customer] fall-out rates, so it can make third-party businesses more successful in capturing that.”

Jaskolski said customers who take advantage of Project Verify will be able to choose what types of data get shared between their wireless provider and a Web site on a per-site basis, or opt to share certain data elements across the board with sites that leverage the app for authentication and e-commerce.

“Many companies already rely on the mobile device today in their customer authentication flows, but what we’re saying is there’s going to be a better way to do this in a method that is intended from the start to serve authentication use cases,” Jaskolski said. “This is what everyone has been seeking from us already in co-opting other mobile features that were simply never designed for authentication.”

‘A DISMAL TRACK RECORD’

A key question about adoption of this fledgling initiative will be how much trust consumers place with the wireless companies, which have struggled mightily over the past several years to validate that their own customers are who they say they are.

All four major mobile providers currently are struggling to protect customers against scams designed to seize control over a target’s mobile phone number. In an increasingly common scenario, attackers impersonate the customer over the phone or in mobile retail stores in a bid to get the target’s number transferred to a device they control. When successful, these attacks — known as SIM swaps and mobile number port-out scams — allow thieves to intercept one-time authentication codes sent to a customer’s mobile device via text message or automated phone call.

Nicholas Weaver, a researcher at the International Computer Science Institute and lecturer at UC Berkeley, said this new solution could make mobile phones and their associated numbers even more of an attractive target for cyber thieves.

Weaver said after he became a victim of a SIM swapping attack a few years back, he was blown away when he learned how simple it was for thieves to impersonate him to his mobile provider.

“SIM swapping is very much in the news now, but it’s been a big problem for at least the last half-decade,” he said. “In my case, someone went into a Verizon store, took over the account, and added themselves as an authorized user under their name — not even under my name — and told the store he needed a replacement phone because his broke. It took me three days to regain control of the account in a way that the person wasn’t able to take it back away from me.”

Weaver said Project Verify could become an extremely useful way for Web sites to onboard new users. But he said he’s skeptical of the idea that the solution would be much of an improvement for multi-factor authentication on third-party Web sites.

“The carriers have a dismal track record of authenticating the user,” he said. “If the carriers were trustworthy, I think this would be unequivocally a good idea. The problem is I don’t trust the carriers.”

It probably doesn’t help that all of the carriers participating in this effort were recently caught selling the real-time location data of their customers’ mobile devices to a host of third-party companies that utterly failed to secure online access to that sensitive data.

On May 10, The New York Times broke the news that a cell phone location tracking company called Securus Technologies had been selling or giving away location data on customers of virtually any major mobile network provider to local police forces across the United States.

A few weeks after the NYT scoop, KrebsOnSecurity broke the story that LocationSmart — a wireless data aggregator — hosted a public demo page on its Web site that would let anyone look up the real-time location data on virtually any U.S. mobile subscriber.

In response, all of the major mobile companies said they had terminated location data sharing agreements with LocationSmart and several other companies that were buying the information. The carriers each insisted that they only shared this data with customer consent, although it soon emerged that the mobile giants were instead counting on these data aggregators to obtain customer consent before sharing this location data with third parties, a sort of transitive trust relationship that appears to have been completely flawed from the get-go.

AT&T’s Jaskolski said the mobile giants are planning to use their new solution to further protect customers against SIM swaps.

“We are planning to use this as an additional preventative control,” Jaskolski said. “For example, just because you swap in a new SIM, that doesn’t mean the mobile authentication profile we’ve created is ported as well. In this case, porting your sim won’t necessarily port your mobile authentication profile.”

Jaskolski emphasized that Project Verify would not seek to centralize subscriber data into some new giant cross-carrier database.

“We’re not going to be aggregating and centralizing this subscriber data, which will remain with each carrier separately,” he said. “And this is very much a pro-competition solution, because it will be portable by design and is not designed to keep a subscriber stuck to one specific carrier. More importantly, the user will be in control of whatever gets shared with third parties.”

My take? The carriers can make whatever claims they wish about the security and trustworthiness of this new offering, but it’s difficult to gauge the sincerity and accuracy of those claims until the program is broadly available for beta testing and use — which is currently slated for sometime in 2019.

I am not likely to ever take the carriers up on this offer. In fact, I’ve been working hard of late to disconnect my digital life from these mobile providers. And I’m not about to volunteer more information than necessary beyond the bare minimum needed to have wireless service.

As with most things related to cybersecurity and identity online, much will depend on the default settings the carriers decide to stitch into their apps, and more importantly the default settings of third-party Web site apps designed to interact with Project Verify.

Jaskolski said the coalition is hoping to kick off the program next year in collaboration with some major online e-commerce platforms that have expressed interest in the initiative, although he declined to talk specifics on that front. He added that the mobile providers are currently working through exactly what those defaults might look like, but also acknowledged that some of those platforms have expressed an interest in forcing users to opt out of sharing specific subscriber data elements.

“Users will be able to see exactly what attributes will be shared, and they can say yes or no to those,” he said. “In some cases, the [third-party site] can say here are some things I absolutely need, and here are some things we’d like to have. Those are some of the things we’re working through now.”


100 comments

  1. For those intrigued by related concepts, see EFF from 2010:

    https://www.eff.org/deeplinks/2010/05/every-browser-unique-results-fom-panopticlick

    Find out more about your own fingerprint:

    https://panopticlick.eff.org/

    Roots, baby… roots.

    • I read about the fingerprint which is interesting stuff. Most of my info is in good shape but I still cannot stop 3rd parties who claim to be safe and my fingerprint is not unique. How does one get a unique fingerprint on a cell phone or a PC?

    • Gary, My response was rather dumb as I forgot to add that I installed NoScript but is that all I need to do? I’ve had some interesting experiences on Facebook and I have NO trust in any of the cell phone providers.

      My cell phone is a Blackberry Key2 which is encrypted and I use Firefox Focus for a browser. Do I need anything more for my cell phone? It is now for personal use. Thanks for any info you may provide. 🙂

  2. Oh let me be the first to volunteer for this…said no one ever. What is wrong with 2FA?

  3. “Users will be able to see exactly what attributes will be shared, and they can say yes or no to those,” yeah, right. And it will be so couched in terms that reading all the caveats and such will result in eyes-roll-back-in-head syndrome. I can just see the additional “and other such information”, “other such services”, and whatever they dream to still render us vulnerable.

    No.

  4. Oh, let me be the first to volunteer for this… said no one ever.

    They had me at Track your approximate real-time location.

    • It’s an unavoidable feature of any cellular networked device, that the providers will always know your ‘approximate real-time location’. A device can only be registered on one cell tower at a time, across all the carriers’ networks. In order for anybody to be able to have a call placed to your phone, your phone’s current cell tower location must be constantly updated to an accessible directory that any carrier can tap into. Whenever your device is powered up, it will always perform tower checks in the background every few seconds no matter if you are actually using the device or not. Putting the device into ‘airplane mode’ is supposed to disable this realtime tower tracking feature. I’ve noticed how this works by holding a cheap tape-based dictating recorder near my phone. The microphone was picking up the background data packets every 7 seconds. Took me a while to figure out where that ticking sound was coming from on playing back my recordings.

  5. This sounds similar to what Microsoft is using to identify Windows 10 license verification. I’ve not heard that it didn’t go well, so I assume it works for MS. However, what is stopping a poser from replaying this unique ID data set? Also, I would think you would want that information encrypted at the very least; perhaps that would help prevent copying the ID as well. Of course I’m not sure the public trusts the carriers to protect their unique information at all.

  6. Thanks for reporting this, Brian.

    TBH this sounds more like a data mining initiative than the security one.

    Additionally, how would the carriers impose this authentication on people like me that always buy an unlocked phone from the manufacturer (Apple in my case) and then get just a SIM card from the carrier? I will in no circumstances install any AT&T or Verizon app on my phone.

    Ps. Android phone people are at disadvantage here, though.

    • Actually, the plan is to build this into the images that get factory-installed on various mobile devices sold by the carriers. So the app will already be installed. Whether you give it any data, rights or permission will be up to you.

      • Reread what he said, he isn’t buying it from the carrier.

        They’ll probably snipe some bs in that you must have this app to use our service cause they’re trolls, the consumer choice factor will be zero because the thing will always be on and once it’s spoofed it will be worthless as a sec tool.

        But there is good news here: I know why my bill is so high… they piss away money on garbage R&D. Hint: Provide us FASTER, RELIABLE, UNFETTERED ACCESS at reasonable costs… my consultation fee is $10,000,000.. that is a joke compared to what you stand to make when you pull it off. GOOGLE MAKE A WIRELESS COMPANY I KNOW YOU READ ALL MY STUFF ALL READY, I DON’T CARE! AT LEAST YOU KNOW HOW TO PROVIDE FASTER, RELIABLE, UNFETTERED ACCESS AT REASONABLE COSTS. SO GO GO, PUT THAT SELF DRIVING CAR ON HOLD, SHOW THE WORLD HOW TO DO WIRELESS.

      • But that’s why he gets the unlocked phones, so the carriers never have the opportunity to preload such bloatware.

        • Unlocked doesn’t always mean ‘free of bloatware’. I’m still curious if there’s any way to un-install Google’s: Cloud Print, Drive, Fit, Gmail, Play Books, Play Games, Play Movies & TV, Play Music, Play Newsstand, Google+, Hangouts, Keep, News & Weather, Photos, Sheets, Slides & Youtube. And I bought an unlocked Nexus 6 off of Ebay specifically because it was supposed to be free of these things…

          • Maybe not uninstall, but block. Install a local firewall app and block google’s IP ranges. I do this at home on one system.

          • If you root the phone you can of course delete all the Google apps. They are installed on the /system partition on Android phones.
            My phones are all bought from the manufacturer and are all rooted. No bloatware for me.

    • Android users are always at a disadvantage because Android is an advertising platform masquerading as a phone OS.

      • This!! (and also windows 10 is the same)
        are you reading my brain? 🙂
        btw i have android phone.
        apple is secure, yes, but to me freedom is more important than security, i’m happy with the risk of freedom.

  7. Thanks for the heads-up, Brian!

    Seems like keeping track of the [nefarious/dubious] schemes of these carriers is a full-time job!

    I think you have the right idea. I’ll wait to see how they respond to their first big breach or disclosure before I decide how little to trust them.

  8. Don’t lose your phone!

  9. The Sunshine State

    That’s a pure “wonk” advertisement with flashy images, corny music and pushing F.U.D.

  10. Oh hell no. How do I pre-beta opt-the f*ck out

  11. So what happens if I don’t pay my Sprint bill on time? Do I get locked out of the internet?

  12. Your life tied to a piece of electronics. It/we know all that you do, where you go, what you buy and when the “new feature” brain implant is in place, we know what you think (sarcasm here should be obvious).

    I’ll pass on such phones.

  13. Hell no!

    As an aside, I wonder if facebook will be one of their “partners”?

  14. So they built Payfone?

  15. So you effectively give all your passwords to a firm, tell this firm to automatically uniquely identify you to every web site you will ever exchange data with (even if all you do is download an ad banner or a transparent 1×1 pixel bitmap), maybe to automatically give them half of the information they would need in order to ask for a credit on your behalf. And hope this to be secure in some way.

    I want an opt-out for that.

  16. Tails Linux OS bypasses all of the ISP/Corporate crap:

    https://tails.boum.org

    “I am not going to play by their rules any longer” – Groundhog Day

    • We need a “Tails-phone”. Does phone calls as needed and handles calendar alerts sync’ed to your personal VPN’d server. Doesn’t report anything else to anyone.

  17. Oh great. And with the super validation provided by the “last four digits of your social” I’m certain that this will be the ultimate in security.

  18. the European Payment Service Directive (PSD2) is regulating the way “Trusted Third Parties” (TPP) can handle “Strong Customer Authentication” (SCA – which may be a simple 2FA).
    In Europe this thing is conceptually balanced by GDPR, so the carriers have strong restrictions and liabilities on the use of customer data.

  19. ATT is among the worst for giving the government access to all our data quickly and easily, they don’t have our backs or our privacy in mind.

    https://www.eff.org/who-has-your-back-government-data-requests-2015

  20. Oh my…

    Similar approaches have been working for years in other countries. And it makes life so much more secure and convenient. I just have to remember my phone number to login to a website (and have a mobile phone). Even better, this can be a very strong method if need be: Phone number + password to start the process (knowledge). Receiving the authentication request to your phone (possession) and using your e.g. fingerprint to open the access to the private key stored in a tamper resistant environment (Inherence + PKI) to sign the authn request. 3 factors, 2 channels, asymmetric and symmetric crypto…

    Done correctly, the risk of losing your identity through a SIM swap can be minimized. The App+SIM approach is for this purpose. SIM only stuff is always suspect for port out / swap scams that are apparently too easy to conduct in the US.

    As for the recording of your location? You don’t think they do that no matter what? They need to… So why not put that into good use protecting your assets. And for identity attribute data: consent is collected making you the control point, not someone else.

    Too bad the big 4 have spoiled their reputation and ruined trust of their US customers. The knee jerk reaction “hell no” is understandable. This works brilliantly elsewhere. So maybe… think again?

  21. I’m not surprised to see the thoughtful, measured and insightful analysis here. My analysis is simpler — no fscking way am I having anything to do with this.

  22. Things like this make me feel right about working to reduce my digital footprint. No credit reporting, my banking accounts have no internet access, no healthscam portal, no billpay account. When I retire, I will have a nonwork phone that is only a phone, no email. Retirement will be

  23. Connecting a cell phone to any accounts seems foolish based on all the data we have today.
    I’ve gone out of my way NEVER to connect a cellular device to my name, but everyone needs to figure out what their level of trust in these devices and companies should be.

    Having worked in telecom for a decade, both cellular and POTS, I don’t trust those companies any farther than I can throw one of their pole trucks.

  24. I know jalskolski good men.
    Good business men when you visit ukraine lets drink !!

  25. Well said, sir:
    “And I’m not about to volunteer more information than necessary beyond the bare minimum needed to have wireless service.”

  26. And so now I can’t log into my bank account unless I pay my wireless carrier first for a service I didn’t ask for?

    No.

    I contracted with a wireless company for phone service. That’s it. I don’t need a gateway service with the ability to cut me off from the rest of my digital life if I’m forced to dispute a bill with them.

    • I was missing this, the more i think about it the worse it looks…
      Also, as someone pointed out, seems more a data mining project.

      • Or perhaps a government backed initiative as a means to unlock any phone at will …. Yes, I know, it sounds conspiracy theory but, who knows. Based on the past couple of years, we’ve seen a lot of firsts when it comes to government and law enforcement

  27. Oh, and as far as this being a pro-competition move? Puhleeze. Do you honestly think that when I choose to change carriers a transfer of “identity” is going to go smoothly? Imagine the barrier to changing carriers if you had to contact every entity you do digital business with and re-verify who you are.

    No.

  28. This looks the worst idea ever!
    i mean… the idea is good, but they proved too many times, that they can’t do security well, as krebs wrote so many times they made every possible mistake.
    See also t-mobile austria case with their “amazing good security”

    i see good points like:
    if you change sim the auth profile isn’t ported.
    but there is a problem: what if the phone breaks? they need to have a way to port the authentication to new phone/sim in case it’s lost/stolen.
    this means backup/backdoor.
    also i’m sure that they will sell every possible information about you.

    i think that the best thing is to avoid using phones for logins.
    but i’m just repeating what he said…

  29. I think of single sign-on systems (of any kind) as single exploit systems. No thanks. I’ll take a different userid/password/email address for every site please. And I would rather not walk around the world with my sign-on token in my pocket at all times. Thanks.
