Why Phone Numbers Stink As Identity Proof

Posted: Tue Mar 19, 2019 7:59 am
by burger2227
Why Phone Numbers Stink As Identity Proof
How exactly did we get to the point where a single, semi-public and occasionally transient data point like a phone number can unlock access to such a large part of our online experience? KrebsOnSecurity spoke about this at length with Allison Nixon, director of security research at New York City-based cyber intelligence firm Flashpoint.

Nixon said much of her perspective on mobile identity is colored by the lens of her work, which has her identifying some of the biggest criminals involved in hijacking phone numbers via SIM swapping attacks. Illegal SIM swaps allow fraudsters to hijack a target’s phone’s number and use it to steal financial data, passwords, cryptocurrencies and other items of value from victims.

Nixon said countless companies have essentially built their customer authentication around the phone number, and that a great many sites still let users reset their passwords with nothing more than a one-time code texted to a phone number on the account. In this attack, the fraudster doesn’t need to know the victim’s password to hijack the account: He just needs to have access to the target’s mobile phone number.

“As a consumer, I’m forced to use my phone number as an identity document, because sometimes that’s the only way to do business with a site online,” Nixon said. “But from that site’s side, when they see a password reset come in via that phone number, they have no way to know if that’s me. And there’s nothing anyone can do to stop it except to stop using phone numbers as identity documents.”

Re: Why Phone Numbers Stink As Identity Proof

Posted: Thu Apr 11, 2019 6:54 am
by burger2227
Google will now let you use your Android phone as a physical security key
To make your Android phone your security key, you’ll just need to connect your phone through Bluetooth to a Chrome browser to verify logins. (Some older desktop PCs don’t have Bluetooth, but it’s pretty universal on laptops.) The new authentication scheme works on Gmail, G Suite, Google Cloud, and any other Google account service, and uses the FIDO authentication standard. Google says other websites might join in later on, but it’s still in the process of certifying its authentication service.

Two-factor authentication can help prevent unauthorized logins in the event that someone gets your password, which is important when leaks and phishing attacks can put accounts at risk. Google recommends that everyone use their phone as a security key, but, in particular, it recommends it for “journalists, activists, business leaders, and political campaign teams who are at risk of targeted online attacks.”

The new physical security key option works very similarly to Google Prompt, but now it requires your phone to be physically near your computer, thwarting those who might attempt to spoof your account from halfway around the world.

Desktops can add Bluetooth with a USB adapter.