March 17, 2019

Phone numbers stink for security and authentication. They stink because most of us have so much invested in these digits that they’ve become de facto identities. At the same time, when you lose control over a phone number — maybe it’s hijacked by fraudsters, you got separated or divorced, or you were way late on your phone bill payments — whoever inherits that number can then be you in a lot of places online.

How exactly did we get to the point where a single, semi-public and occasionally transient data point like a phone number can unlock access to such a large part of our online experience? KrebsOnSecurity spoke about this at length with Allison Nixon, director of security research at New York City-based cyber intelligence firm Flashpoint.

Nixon said much of her perspective on mobile identity is colored by the lens of her work, which has her identifying some of the biggest criminals involved in hijacking phone numbers via SIM swapping attacks. Illegal SIM swaps allow fraudsters to hijack a target’s phone number and use it to steal financial data, passwords, cryptocurrencies and other items of value from victims.

Nixon said countless companies have essentially built their customer authentication around the phone number, and that a great many sites still let users reset their passwords with nothing more than a one-time code texted to a phone number on the account. In this attack, the fraudster doesn’t need to know the victim’s password to hijack the account: He just needs to have access to the target’s mobile phone number.

“As a consumer, I’m forced to use my phone number as an identity document, because sometimes that’s the only way to do business with a site online,” Nixon said. “But from that site’s side, when they see a password reset come in via that phone number, they have no way to know if that’s me. And there’s nothing anyone can do to stop it except to stop using phone numbers as identity documents.”

Beyond SIM-swapping attacks, there are a number of ways that phone numbers can get transferred to new owners, Nixon said. The biggest reason is lack of payment for past phone bills. But maybe someone goes through a nasty divorce or separation, and can no longer access their phone or phone accounts. The account is sent to collections and closed, and the phone number gets released back into the general pool for reassignment after a period of time.

Many major providers still let people reset their passwords with just a text message. Last week I went to regain access to a Yahoo account I hadn’t used in almost five years. Yahoo’s forgot password feature let me enter a phone number, and after entering a code sent to my phone I was able to read my email.

So, if that Yahoo account is tied to a mobile number that you can receive text messages at, then you can assume control over the account. And every other account associated with that Yahoo account. Even if that phone number no longer belongs to the person who originally established the email account.

This is exactly what happened recently to a reader who shared this account:

A while ago I bought a new phone number. I went on Yahoo! mail and typed in the phone number in the login. It asked me if I wanted to receive an SMS to gain access. I said yes, and it sent me a verification key or access code via SMS. I typed the code I received. I was surprised that I didn’t access my own email, but the email I accessed was actually the email of the previous owner of my new number.

Yahoo! didn’t even ask me to type the email address, or the first and last name. It simply sent me the SMS, I typed the code I received, and without asking me to type an email or first and last name, it gave me access to the email of my number’s PREVIOUS OWNER. Didn’t ask for credentials or email address. This seriously needs to be revised. At minimum Yahoo! should ask me to type the email address or the first and last name before sending me an SMS which contains an access code.
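The reader's minimum fix (name the account before any code is sent) and the recycled-number problem can both be enforced as a server-side check on the reset request. The sketch below is an added example, not code from Yahoo or from the original post; the field names, the 180-day threshold and the `line_changed_at` input are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy value: how long a confirmed number is trusted for recovery.
MAX_PHONE_AGE = timedelta(days=180)

@dataclass
class Account:
    email: str
    phone: str
    phone_confirmed_at: datetime       # holder last proved control while logged in
    has_stronger_factor: bool = False  # e.g. security key or authenticator app

def sms_reset_decision(accounts, claimed_email, phone, now, line_changed_at=None):
    """Decide how to answer a "forgot password" request that offers a phone number.

    Returns 'send_sms', 'step_up' (SMS alone is not enough) or 'generic_reply'.
    line_changed_at is a hypothetical input: the date the number was last
    disconnected or reassigned, if the service has any such carrier data.
    """
    # The phone number never selects the account; the requester must name it.
    wanted = claimed_email.strip().lower()
    account = next((a for a in accounts if a.email.lower() == wanted), None)
    if account is None or account.phone != phone:
        return "generic_reply"  # identical answer for "no account" and "wrong phone"
    # An enrolled stronger factor must not be bypassed by a text message.
    if account.has_stronger_factor:
        return "step_up"
    # The line changed hands after the holder last confirmed it.
    if line_changed_at is not None and line_changed_at > account.phone_confirmed_at:
        return "step_up"
    # A number nobody has re-confirmed in a long time may have been recycled.
    if now - account.phone_confirmed_at > MAX_PHONE_AGE:
        return "step_up"
    return "send_sms"

# Constructed sample data (fictional 555 numbers and example.com addresses).
NOW = datetime(2019, 3, 17)
SAMPLE_ACCOUNTS = [
    Account("dormant@example.com", "+12025550100", datetime(2014, 5, 1)),
    Account("active@example.com", "+12025550101", datetime(2019, 1, 10)),
    Account("keyed@example.com", "+12025550102", datetime(2019, 2, 1), True),
]

if __name__ == "__main__":
    cases = [
        ("", "+12025550100", None),                     # phone only, as in the reader's report
        ("dormant@example.com", "+12025550100", None),  # stale confirmation
        ("active@example.com", "+12025550101", None),
        ("active@example.com", "+12025550101", datetime(2019, 2, 20)),
        ("keyed@example.com", "+12025550102", None),
    ]
    for email, phone, changed in cases:
        print(email or "(none)", sms_reset_decision(SAMPLE_ACCOUNTS, email, phone, NOW, changed))
```

Here `step_up` stands for whatever stronger recovery path the service offers; the point is that a text message to a long-unconfirmed or recently changed number is never sufficient on its own.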

Brian Krebs (BK): You have your own experiences like this. Or sort of. You tell.

Allison Nixon (AN): Any threat intelligence company will have some kind of business function that requires purchasing burner phones fairly frequently, which involves getting new phone numbers. When you get new numbers, they are recycled from previous owners because there probably aren’t any new ones anymore. I get a lot of various text messages for password resets. One I kept getting was texts from this guy’s bank. Every time he got a deposit, I would get a text saying how much was deposited and some basic information about the account.

I approached the bank because I was concerned that maybe this random person would be endangered by the security research we were going to be doing with this new number. I asked them to take him off the number, but they said there wasn’t anything they could do about it.

One time I accidentally hijacked a random person’s account. I was trying to get my own account back at an online service provider, and I put a burner phone number into the site, went through the SMS password reset process, got the link and it said ‘Welcome Back’ to some username I didn’t know. Then I clicked okay and was suddenly reading the private messages of the account.

I realized I’d hijacked the account of the previous owner of the phone. It was unintentional, but also very clear that there was no technical reason I couldn’t hijack even more accounts associated with this number. This is a problem affecting a ton of service providers. This could have happened at many, many other web sites.

BK: We weren’t always so tied to our phone numbers, right? What happened?

AN: The whole concept of a phone number goes back over a hundred years. The operator would punch in a number you know was associated with your friend and you could call that person and talk to them. Back then, a phone wasn’t tied to any one person’s identity, and possession of that phone number never proved that person’s identity.

But these days, phone numbers are tied to people’s identities, even though we’re recycling them and this recycling is a fundamental part of how the phone system works. Despite the fact that phone number recycling has always existed, we still have all these Internet companies who’ve decided they’re going to accept the phone number as an identity document and that’s terrible.

BK: How does the phone number compare to more traditional, physical identity documents?

AN: Take the traditional concept of identity documents — where you have to physically show up and present ID at some type of business or office, and then from there they would look up your account and you can conduct a transaction. Online, it’s totally different and you can’t physically show your ID and can’t show your face.

In the Internet ecosystem, there are different companies and services that sell things online who have settled on various factors that are considered a good enough proxy for an identity document. You supply a username, password, and sometimes you provide your email address or phone number. Often times when you set up your account you have some kind of agreed-upon way of proofing that over time. Based on that pre-established protocol, the user can log in and do transactions.

It’s not a good system and the way the whole thing works just enables fraud. When you’re bottlenecked into physically showing up in a place, there’s only so much fraud you can do. A lot of attacks against phone companies are not attacking the inherent value of a phone number, but its use as an identity document.

BK: You said phone number recycling is a fundamental part of how the phone system works. Talk more about that, how common that is.

AN: You could be divorced, or thrown into sudden poverty after losing a job. But that number can be given away, and if it goes to someone else you don’t get it back. There are all kinds of life situations where a phone number is not a good identifier.

Maybe part of the reason the whole phone number recycling issue doesn’t get much attention is people who can’t pay their bills probably don’t have a lot of money to steal anyways, but it’s pretty terrible that this situation can be abused to kick people when they’re down. I don’t think a lot of money can be stolen in this way, but I do think the fact that this happens really can undermine the entire system.

BK: It seems to me that it would be a good thing if more online merchants made it easier to log in to their sites without using passwords, but instead with an app that just asks hey was that you just now trying to log in? Yes? Okay. Boom, you’re logged in. Seems like this kind of “push” login can leverage the user’s smart phone while not relying on the number — or passwords, for that matter.

If phone numbers are bad, what should we look to as more reliable and resilient identifiers?

AN: That’s something I’ve been thinking a lot about lately. It seems like all of the other options are either bad or really controversial. On the one hand, I want my bank to know who I am, and I want to expose my email and phone number to them so they can verify it’s me and know how to get in touch with me if needed. But if I’m setting up an email account, I don’t want to have to give them all of my information. I’m not attached to any one alternative idea, I just don’t like what we’re doing now.

For more on what you can do to reduce your dependence on mobile phone numbers, check out the “What Can You Do?” section of Hanging Up on Mobile in the Name of Security.

Update, March 18, 1:25 p.m. ET: On March 14, Google published instructions describing how to disable SMS or voice in 2-step verification on G Suite accounts.

86 thoughts on “Why Phone Numbers Stink As Identity Proof”

  1. Jocke Segerlund

    As mentioned above; Scandinavia (or at least Sweden) have a system that is harder to crack. On the other hand, we have a much smaller economy with far fewer banks to trust…

    To open a bank account (and e-banking) you have to show up in person and verify identity with physical ID-card. Most banks use some type of 2FA for login, either one-time use codes from scratch cards, code generating hardware, card readers that read chip based ID-cards or similar.

    Once on the inside, the bank can issue a Bank-ID for use on your device together with a code.

    If you change device you need to re-issue a Bank-ID via your bank. And, they have a limited lifetime before they are rendered invalid.

    The system is in wide spread use by business, finance and government. You can even do your tax returns with Bank-ID as ID-verification.

    The system is not totally secure of course, in fact there are quite a lot of social engineering attacks going on, but it seems a better system than the totally unsecure way of using phone numbers as validation of identity.

  2. Jean ponzi

    I think it’s best to get a pager cause it can be paid for a long time and will never disconnect

  3. Andrew Rolfe

    Telephony technology has changed significantly over the last 30 years. However legacy assumptions have not fully caught up. The North American PSTN (public switched telephone network) was traditionally a centrally controlled, limited access network. Being a hardwired network, the phone number was tightly controlled and was the actual address of a physical location which could be step-wise “walked” to the destination. Now, the network is (for the most part) a digital packet switched network, with phone numbers being a virtually routed address at best, and phone number ownership a matrix of relationships. In this current environment phone numbers should be carefully used and verified, and treated more like IP addresses. I blame some of the issues discussed in your article on the telephone companies that provision these phone numbers. They are the owners of these “addresses” and the only entities that know the end-point being addressed. They should take some responsibility for how accurate phone numbers are. Without some rudimentary real-time method to verify a phone number is active and has not recently changed “hands”, those that rely on the phone number have no way to trust it. Laws like the Telephone Consumer Protection Act (TCPA) attempt to help the consumer but put much of the burden on the caller. The owners of the numbers should be required to provide tools to allow those who rely on the phone number to abide by the law.

  4. Rick

    Only idiots use ‘free’ email services like gmail, yahoo, etc. One needs to pay a fee (or operate one’s own email server) and ideally register your own email domain – to make it portable to other platforms. (And the domain registration needs to be well locked down).

    1. hb

      So, Rick, if one starts paying Google a fee (e.g. for G-Suite), would that resolve your concern? If so, could you elaborate, please?

    2. Not So Slick Rick

      Just to clarify, are you suggesting the normal average Joe user does this? If so, I have some follow questions:

      1.) Who do you think you are?
      2.) What gives you the right?

      I hate so much of what you choose to be, Rick.

  5. Yet another Dongle

    I note that the old ‘ask some questions’ routine has popped up. In its defence, I keep a register of unusual answers. For example a person that has been through an unpleasant marriage breakup might list where they had their honeymoon as ‘Hades’, or their first car might be a roller skate.

    Of course, most people answer honestly which means their answers are probably obtainable on line. What’s my Mother’s Maiden name? The correct answer is easily found. My Answer, ahem, not so much. My first pet? probably discoverable, but not the answer I record.

    Nevertheless, that requires a register (that is encrypted) because I can’t remember all the wild responses. Not many are prepared to do that. It’s not a satisfactory situation.

    1. vb

      “One of the problems of successful lying is that it’s hard work.”

    2. Chuck van der Linden

      The trick is to use the ‘real’ answer as a mental trigger to your answer..

      For example if the model of your first car was a Mustang, your answer might be “For Pony!”

      Not perfect, as it does run a risk if security answers are breached on a site.

      To be safer you’d need different answers at every site, and that does require some kind of register such as an encrypted doc in a password store.. Still a risk but at least you’ve reduced it to how you maintain that document.

      (note: potentially a good idea to have one or two trusted family members know about that doc, in the event you are incapacitated or killed and someone else needs to gain access to those accounts. )

  6. Frank

    This is why I have 1-time codes printed out on paper stashed away in a safe place. If I ever lose my phone, I can get back into the account without access to SMS or an authenticator app.

  7. Marc

    My adult son “lost” his phone number and phone because his separated wife “bricked” his iPhone by reporting it “stolen” or lost. She had control of the family’s Verizon account and my son could not gain access without a court order. The marital judge heard the complaint but would not deal with the issue.
    My son lost both his phone number and his phone and access to his 2FA texts, etc. It was terrible and avoidable if any good will was involved.

  8. Raphael Tsavkko Garcia

    Not only a matter of privacy, but also of being practical. Paypal only accepts numbers from the country your account is from. I had a lot of headache when I moved from Spain to Italy…

    I cancelled my Spanish number and, surprise, wasn’t able to access my Spanish paypal account anymore. And good luck trying to reach customer service, they were not able to help me. I almost lost a few hundred euros. Now, I’m spending some time in another country, but had to keep my Italian number just so Paypal won’t screw me again.

  9. ChadF

    It also doesn’t help when many major online social/media sites ASSUME a 1-to-1 of phone numbers and individuals when registering (or “verifying”) your account. So if you want to use a shared phone for two (or more) legitimate separate accounts in a short period, you’re out of luck. Just 20 years ago, it probably wasn’t uncommon for single [land line] phone to be used by 2-4 people, and some still do.

    What’s worse is when online account verification allow you to use voice instead of SMS, which I expect is for non-mobile users (i.e. land lines or other common household phone, like VoIP service). So they simultaneously support such phones while assuming they are 1-to-1, despite knowing such phones are typically multi-user.

  10. leslie

    I’ve got a new phone number, downloaded Whatsapp and got all private communications from a previous user in it!
    I deleted whatsapp from my phone and never wish to use it.

  11. Mare

    I wonder why nobody has mentioned the W3C WebAuthn yet. With it finalized, there is an alternate way of authenticating people without passwords or phone numbers.

    Provided a site implements the necessary WebAuthn steps, you can register a Mobile or Hardware Token with which you are able to (even pseudonymously) authenticate at a site.

    Registering more than one token then allows authentication backups that are much much more secure than Security Questions or SMS Communication.

    And Joe Doe Users will probably grasp the concept quite fast, because the metaphor of a simple doorlock key is working quite well on this.

  12. Mare

    Oh, now I see it actually has been mentioned several times. Direct and indirectly (FIDO, Fingerprint,…).

    Yes it is a technical solution (like using mobile for 2FA is) and does cost the User a bit.

    But the costs also mean that creating fake accounts does have an upper limit.

  13. RC

    Similar things happen with email addresses. There are many airlines, banks, credit card companies, insurance companies, financial companies and many other companies that do not verify email addresses. And email addresses can be reused in many places.

    I have a simple email address: first initial, last name at gmail. I get at least 3 or 4 emails PER DAY for someone else because these companies haven’t confirmed the email address and someone, somewhere typed it incorrectly (or didn’t know that their own email address is first initial, last name plus some number). I’ve had email from American Express, Intuit (about someone else’s tax return being accepted), Walmart, airlines, car rental places, wifi hotspots at many airports, doctors to their patients, a half dozen banks etc. who are meant to be going somewhere else. Stores in the US, UK, and many other countries around the world.

    Most have:
    1. No way to report this.
    2. No way to unsubscribe.

    I treat them as spam or phishing when there is no easy way to report them and then let their phishing and spam people deal with them.

    For the doctors that might have HIPAA violations, I try to cc the office on the spam reports.

    The people involved in these entities’ security departments are way behind the curve.

  14. Beeker

    One of the biggest problems with the phone number is that people forget to change it immediately upon changing it to prevent unauthorized access to their account.

  15. Tony Pelliccio

    Interesting post. The phone system is full of holes like this. It’s all due to inherent trust that the old Ma Bell had for her children. It’s why numbers can be spoofed with ease too. I recall I had a MagicJack at one point, a little script you could set your outgoing number to anything you wished. This was years ago.

  16. cheapskate

    The reason banks are so lax with customers’ security is that, despite federal banking laws, customers no longer have real legal recourse if the bank is negligent. Whereas we once had the right to sue, we are now relegated to binding arbitration. And, individuals fare very poorly against corporations in arbitration.

    Also, most people should know by now that SMS text messages should not be used for the second factor in 2-factor authentication. U2F keys are much better (assuming you’re logging in from a computer, not a phone).

  17. Lorenzo

    Interesting article, just goes to show that nothing is totally fool proof but I think the use of U2F keys as suggested by the above commenter seem much better.
