12
Sep 18

U.S. Mobile Giants Want to be Your Online Identity

The four major U.S. wireless carriers today detailed a new initiative that may soon let Web sites eschew passwords and instead authenticate visitors by leveraging data elements unique to each customer’s phone and mobile subscriber account, such as location, customer reputation, and physical attributes of the device. Here’s a look at what’s coming, and the potential security and privacy trade-offs of trusting the carriers to handle online authentication on your behalf.

Tentatively dubbed “Project Verify” and still in the private beta testing phase, the new authentication initiative is being pitched as a way to give consumers both a more streamlined method of proving one’s identity when creating a new account at a given Web site, as well as replacing passwords and one-time codes for logging in to existing accounts at participating sites.

Here’s a promotional and explanatory video about Project Verify produced by the Mobile Authentication Task Force, whose members include AT&T, Sprint, T-Mobile and Verizon:

The mobile companies say Project Verify can improve online authentication because they alone have access to several unique signals and capabilities that can be used to validate each customer and their mobile device(s). This includes knowing the approximate real-time location of the customer; how long they have been a customer and used the device in question; and information about components inside the customer’s phone that are only accessible to the carriers themselves, such as cryptographic signatures tied to the device’s SIM card.

The Task Force currently is working on building its Project Verify app into the software that gets pre-loaded onto mobile devices sold by the four major carriers. The basic idea is that third-party Web sites could let the app (and, by extension, the user’s mobile provider) handle the process of authenticating the user’s identity, at which point the app would interactively log the user in without the need of a username and password.

In another example, participating sites could use Project Verify to supplement or replace existing authentication processes, such as two-factor methods that currently rely on sending the user a one-time passcode via SMS/text messages, which can be intercepted by cybercrooks.

The carriers also are pitching their offering as a way for consumers to pre-populate data fields on a Web site — such as name, address, credit card number and other information typically entered when someone wants to sign up for a new user account at a Web site or make purchases online.

Johannes Jaskolski, general manager for Mobile Authentication Task Force and assistant vice president of identity security at AT&T, said the group is betting that Project Verify will be attractive to online retailers partly because it can help them capture more sign-ups and sales from users who might otherwise balk at having to manually provide lots of data via a mobile device.

“We can be a primary authenticator where, just by authenticating to our app, you can then use that service,” Jaskolski said. “That can be on your mobile, but it could also be on another device. With subscriber consent, we can populate that information and make it much more effortless to sign up for or sign into services online. In other markets, we have found this type of approach reduced [customer] fall-out rates, so it can make third-party businesses more successful in capturing that.”

Jaskolski said customers who take advantage of Project Verify will be able to choose what types of data get shared between their wireless provider and a Web site on a per-site basis, or opt to share certain data elements across the board with sites that leverage the app for authentication and e-commerce.

“Many companies already rely on the mobile device today in their customer authentication flows, but what we’re saying is there’s going to be a better way to do this in a method that is intended from the start to serve authentication use cases,” Jaskolski said. “This is what everyone has been seeking from us already in co-opting other mobile features that were simply never designed for authentication.”

‘A DISMAL TRACK RECORD’

A key question about adoption of this fledgling initiative will be how much trust consumers place with the wireless companies, which have struggled mightily over the past several years to validate that their own customers are who they say they are.

All four major mobile providers currently are struggling to protect customers against scams designed to seize control over a target’s mobile phone number. In an increasingly common scenario, attackers impersonate the customer over the phone or in mobile retail stores in a bid to get the target’s number transferred to a device they control. When successful, these attacks — known as SIM swaps and mobile number port-out scams —  allow thieves to intercept one-time authentication codes sent to a customer’s mobile device via text message or automated phone-call.

Nicholas Weaver, a researcher at the International Computer Science Institute and lecturer at UC Berkeley, said this new solution could make mobile phones and their associated numbers even more of an attractive target for cyber thieves.

Weaver said after he became a victim of a SIM swapping attack a few years back, he was blown away when he learned how simple it was for thieves to impersonate him to his mobile provider.

“SIM swapping is very much in the news now, but it’s been a big problem for at least the last half-decade,” he said. “In my case, someone went into a Verizon store, took over the account, and added themselves as an authorized user under their name — not even under my name — and told the store he needed a replacement phone because his broke. It took me three days to regain control of the account in a way that the person wasn’t able to take it back away from me.”

Weaver said Project Verify could become an extremely useful way for Web sites to onboard new users. But he said he’s skeptical of the idea that the solution would be much of an improvement for multi-factor authentication on third-party Web sites.

“The carriers have a dismal track record of authenticating the user,” he said. “If the carriers were trustworthy, I think this would be unequivocally a good idea. The problem is I don’t trust the carriers.”

It probably doesn’t help that all of the carriers participating in this effort were recently caught selling the real-time location data of their customers’ mobile devices to a host of third-party companies that utterly failed to secure online access to that sensitive data.

On May 10, The New York Times broke the news that a cell phone location tracking company called Securus Technologies had been selling or giving away location data on customers of virtually any major mobile network provider to local police forces across the United States.

A few weeks after the NYT scoop, KrebsOnSecurity broke the story that LocationSmart — a wireless data aggregator — hosted a public demo page on its Web site that would let anyone look up the real-time location data on virtually any U.S. mobile subscriber.

In response, all of the major mobile companies said they had terminated location data sharing agreements with LocationSmart and several other companies that were buying the information. The carriers each insisted that they only shared this data with customer consent, although it soon emerged that the mobile giants were instead counting on these data aggregators to obtain customer consent before sharing this location data with third parties, a sort of transitive trust relationship that appears to have been completely flawed from the get-go.

AT&T’s Jaskolski said the mobile giants are planning to use their new solution to further protect customers against SIM swaps.

“We are planning to use this as an additional preventative control,” Jaskolski said. “For example, just because you swap in a new SIM, that doesn’t mean the mobile authentication profile we’ve created is ported as well. In this case, porting your sim won’t necessarily port your mobile authentication profile.”

Jaskolski emphasized that Project Verify would not seek to centralize subscriber data into some new giant cross-carrier database.

“We’re not going to be aggregating and centralizing this subscriber data, which will remain with each carrier separately,” he said. “And this is very much a pro-competition solution, because it will be portable by design and is not designed to keep a subscriber stuck to one specific carrier. More importantly, the user will be in control of whatever gets shared with third parties.”

My take? The carriers can make whatever claims they wish about the security and trustworthiness of this new offering, but it’s difficult to gauge the sincerity and accuracy of those claims until the program is broadly available for beta testing and use — which is currently slated for sometime in 2019.

I am not likely to ever take the carriers up on this offer. In fact, I’ve been working hard of late to disconnect my digital life from these mobile providers. And I’m not about to volunteer more information than necessary beyond the bare minimum needed to have wireless service.

As with most things related to cybersecurity and identity online, much will depend on the default settings the carriers decide to stitch into their apps, and more importantly the default settings of third-party Web site apps designed to interact with Project Verify.

Jaskolski said the coalition is hoping to kick off the program next year in collaboration with some major online e-commerce platforms that have expressed interest in the initiative, although he declined to talk specifics on that front. He added that the mobile providers are currently working through exactly what those defaults might look like, but also acknowledged that some of those platforms have expressed an interest in forcing users to opt-out of sharing specific subscriber data elements.

“Users will be able to see exactly what attributes will be shared, and they can say yes or no to those,” he said. “In some cases, the [third-party site] can say here are some things I absolutely need, and here are some things we’d like to have. Those are some of the things we’re working through now.”

Tags: , , , , , , , , , , , ,

101 comments

  1. Good idea i support i love this is secure idea

    • This is not secure at all. It is dystopian. This is what China is instituting, a national system that allows the government to track everyone and punish them for anything that the government does not like.

      Forcing you to use an insecure device that can be easily compromised as your primary authentication/authorization for everything you do is asking to be tracked by a central authority. The phone companies already send all their data to thew government, now they will be able to send them a list of everything you do and everywhere you go. This is unacceptable to me.

      • I agree. I’m shocked you and I don’t cancel our tracking devices “phone”. Its such a convenient thing to let go though.

      • I attended a recent RSA show, and there were several booths where the stated intent was to capture the entire identity with minimal touch. Things like, “know which credit cards are authorized as soon as they land on your website.” I thought it was very, very creepy.

        Fortunately, it was only several booths instead of half the show floor. Unfortunately, there were no attempts to hide or downplay their schemes.

  2. All your base … base, is now belong to us.

  3. It used to be a person’s wallet or purse, but today the average person’s entire identity is held within their mobile device these days. If your wallet/purse gets stolen you can disable all the bank cards with about 30 minutes over the phone. If your phone gets stolen, you’re totally lost because any all contact information for your financial institutions were in it, so now your a day or three away from disabling bank cards. It’s a real problem for the average person.

    If this Project Verify app lets users decide what information they share with each website, and we know that the average person will make minimal, if any, changes from the default settings, then we have to assume that all information being shared is at a maximum all the time. That may or may not be ideal.

    I know it’s early, but Project Verify would really need to be “LastPass In The Middle” to work, and we’d still have to trust the providers to store that info. I’m not sure that Project Verify is any better than what we’re doing right now, and it doesn’t sound like it would stop carrier employees from swapping SIMs.

    But then I haven’t finished my morning coffee yet either.

  4. Until they prove they’ve solved the SIM swap issue, not going to touch this with a 10′ pole

    • Exactly. The SIM theft run rampant along with weaknesses in SMS have made phone based 2FA practically useless if not a vulnerability in itself. The carriers have a HUGE burden of proof to give to clean up their own house (meaning fix all these things that make it impossible to rely on a phone for authentication) before I’m going to expand their ability to authorize transactions.

  5. I’m seeing only negative comments about this;
    do you think that it’s only because the “userbase” of this website is “security oriented” people?
    or do you think that also a normal user see the problem and don’t trust the mobile phone provider?

    check also this paper:
    Obstacles to the Adoption of Secure Communication Tools:
    https://www.ieee-security.org/TC/SP2017/papers/84.pdf
    to me it was illuminating! i couldn’t imagine how wrong was the vision of normal people about security things:
    -sms is the most secure because is paid
    -this app is more secure because of better graphics (better graphics=more skilled=more skilled also in security)

    To answer my own question, i don’t think that normal people see this as a problem because they can’t see the risks associated with it (according to what i have read in the paper).
    Let me know what do you think
    (hope i’m not going too much off topic)

    • Agree with the comments I have read so far. This definitely doesn’t wow me. Why do I need yet another app to authenticate my identity? I don’t. An interesting new [to me] idea of using our mobile phones for authentication purposes, comes from Boloro Global Limited, boloro[dot]com. They use the same communication channel as Amber Alerts so it doesn’t require internet, smart phone or an app. It does require the user to remember a PIN. Curious if anyone else has investigated this channel / company…

  6. Haha! Trust my security to folks that can’t even keep my sim card secure? Hard pass.

  7. What about those of us who don’t have a mobile device?

    A) I don’t care to have a portable phone.
    B) I don’t even wear a watch. Why would I want to carry a device that only facilitates data collection and tracking for people trying to sell data about me?
    C) I happen to live in a cell dead zone, home. Devices work on our porch and a single step inside the house. At two steps inside the house, the signal cuts out.

  8. BigDataMobilePhoneCo sez: “We will put the huge amount of data–real time and otherwise–that we are already collecting (and, ahem, ahem, selling) about each and every one of you to work keeping your online accounts secure.”

    Orph sez: “Hmmm…”

  9. I’m a little nervous about this being the sole way to verify users. As an additional factor in the multi-factor toolkit, it sounds good.

  10. The biggest problem I see: How do you sign in to the same account on a laptop, or a different phone? Project Verify anywhere?

    That, and how much _stronger_ is Project Verify? Why Project Verify instead of “Sign in with Google”?

  11. “Johannes Jaskolski, general manager for Mobile Authentication Task Force and assistant vice president of identity security at AT&T, said the group is betting that Project Verify will be attractive to online retailers”

    Sure online retailers might like it, but what about the secondary bet, that consumers are going to jump on the bandwagon and allow all their data, CC info, address, SSN, location, etc etc, to be held in one spot? No thanks. I hope Google moves to kill this. Basically what the carriers want, is to combine what Google et al has with what they have. Any company that does data mining for the purposes of marketing should feel very threatened by this. You think Cambridge Analytica having access to 80million Facebook users data was bad? Imagine if they had all that data and then some from just a single carrier. Hundreds of millions of people, all being profiled and manipulated to a degree we havent even imagined yet. Again, no thanks.

  12. Who can trust their carrier?? If the app/software is pre-loaded by the carrier if you buy the phone from them, can’t you just buy the phone directly from Apple, for example, and bypass that?

  13. This sounds a little like the SDP concept.

  14. What if I turned off every tracking feature on my android device? I mean, EVERYTHING. I went through every app that has tracking features and turned them off. How will they know my location??????

    • Your location can be determined on the network side by “triangulation” from your phone’s signal on two or more cell towers by simply leaving your phone connection active even without data connectivity.

      In order to turn off all location tracking you need to turn off; bluetooth, WiFi, and cell voice/data. Pure airplane mode is the way to go. But, then what is the point of carrying a cellphone? Airplane mode or all wireless turned off pretty much negates the reason for having a cellphone.

      Google has recently been called out on continued location tracking when the user has selected to turn off the obvious location tracking. But, there was another setting to turn off, which is not so obvious.

      The question becomes, are you sure you have turned off all tracking? Have you found all the “hidden” settings to accomplish your goal?

      • Apple and Android phones continue to collect passive movement data based on barometric readings, temperature, sound levels, and gyroscopic measurements, even with GPS turned off. They can tell if you’re in a car, walking, open a car door, elevation, and more.

        For a bit on that, see this:
        https://www.schneier.com/blog/archives/2017/12/tracking_people_5.html

        If you’re using airplane mode, the phones continue recording that data until you connect to any network via USB, wifi, or cellular, then send it home in bulk.

        The local news did a story using a man-in-the-middle packet sniffer to measure how much data is collected. The result: twice as much data leaves such phones with GPS turned off than on.

        All mobile phones, including “dumb phones” are tracked by cell towers and signal strength. That info goes back to law enforcement and cellular carriers.

        You can’t use a mobile phone and not be tracked. Period.

        Hell, they know who you are by how you hold your phone, usage patterns, and your gait.

        So save the airplane mode nonsense. If you have a mobile phone, you’re tracked.

  15. Assuming this all works… HOW MUCH WILL IT COST ME?
    Monthly? Annually?
    And what if I want to change service providers? Will the old service provider just transfer over my information and then what will it do with my data?

  16. Gee, what could possibly go wrong by giving all my login info to companies that have no practical software security experience and want to use every opportunity to sell your data and location to undisclosed third parties and government?

  17. Location can be determined on the network through triangulation of phone signal strength from two or more cell towers. This even works with basic flip phones.

    There may even be enough unique identifiers with a non-smartphone for this identity system to work.

    I feel this is more about data collection and monetization than secure authentication. I plan to continue using my selected password manager and TOTP apps. With consideration of this proposed system, I keep having the question “What could go wrong?” pop into my head. The simple quick answer is: “A lot.”

  18. T-Mobile is using http://www.SOVRIN.com blockchain nodes on the open source Hyper ledger. The advantage here is you own and control all of your data in your own digital wallet NOT the phone company or anyone else. Tmobile

  19. The important thing is for people to have the option NOT to do this.

    Then those who think it’s a good idea, can opt in. (Not an area for an opt-out system.)

    If a person volunteers the choice they made, that would help decide whether you want to do business with them, in some cases.

  20. Sure, give a thief greater incentive to steal my phone! And my fingers. And my face!

    The idea of putting access to websites in the unworthy hands of a mobile carrier is revolting. They haven’t earned that privilege.

    And I wouldn’t want access to websites to be as easy as taking my phone from my pocket.

  21. The idea sounds good but will this be safe?

  22. This is convenient secure way to manage identity access across 3rd party sites by the carriers. This will examplify e-commerce and provide seamless authentication where one does not have to continue to remember their credentials. Thanks VERIFY !!!!!!!

  23. I think that this would allow hackers to get all your data much easier. Set up a phishing page that tricks the app into giving them all your information that you have presaved? Android has packages that allow you to spoof all the phone identifiers, if the app pushes this information to a hacker controlled website all you would need is for the user to click on the website. Seems like this would actually be a step backwards.

  24. It is out of the question the mobiled industgry will be developing. The only question is what trends in mobile industry/app development will follow? BTW, our team is also developing its blon about apps, software and other IT-relared issues: https://codeinspiration.pro/blog/ Thanks for visiting us

  25. Mark of the beast, first they roll this out and then it’s ‘well biometrics is more reliable, here’s a handy little chip…’

  26. What could possibly go wrong?

  27. So they say that a SIM swap won’t give complete control because the profile may not be ported as well. Hmm … with the recent SIM swap cases we’ve seen, I’d have to say that’s wishful thinking at best. When the SIM swaps are conducted by complicit carrier employees, what’s to stop them from performing the profile port along with it? Oh yeah, not a damn thing.

    I feel like my exposure level is way too high from just having a phone because of how easy it is for criminals to SIM swap. There’s no way in hell I’m ready to add more keys to my mobile phone key ring. They’d already get too much as it is.

  28. I’ll keep it simple: Room 362 AT&T, NSA the Swamp corrupt politicians. Giving these outfits access to your bank accounts via their software, no. They can’t keep the, or won’t keep the scammers off their networks. Been having a running battle with __&_ over phone spam from bogus #s. Anyone in favor of this should move to China.

    • The better carrier against phone spam, according to a recent report, is T-Mobile. My personal experience is with two providers of Sprint–seemingly no or next to no phone spam blocking.
      Google “which providers are blocking spam calls at the carrier level”. To summarize spam call blocking by carriers: T-Mobile 91%, free blocking & $4/mo caller ID. Verizon 65%, $3/mo caller ID. Sprint 51%, $3/mo caller ID. AT&T 25%, free.

      A carrier of Verizon seems perform well in my experience; which is in contrast with the report.

      What I use: A no-ring call blocker–any phone number not in my contacts or whitelist doesn’t ring, and a second app for callerID. I’ve tested or checked features of perhaps forty blocker apps, and Google Voice.

  29. If you’ve ever had to deal with the technical support (business side) of AT&T, you know what a terrible idea this is. I would rather juggle glass vials full of the AIDS virus, barefoot, than have to deal with AT&T OR have AT&T be my ‘one-stop-shop’ for security. This very well may be the WORST idea in the history of the internet since Tubgirl.

  30. Saying this system is secure without putting skin in the game is meaningless. Which of these providers will guarantee that they will be financially responsible against financial or personal loss due to breeches?