Your smart phone does double and triple duty: letting you do banking, buy a cup of coffee, board a plane or access a sensitive online account. But that doesn’t mean that your phone number is equally trustworthy. In this Spotlight Podcast, we speak with Flashpoint* head of research Allison Nixon about how a recent rash of SIM swapping attacks highlights a looming crisis in online identity.
The risks of using phone numbers as a form of identity are on vivid display, amid reports of so-called “SIM swapping” attacks in which phone numbers are hijacked and transferred to devices controlled by a malicious actor. In August, for example, authorities in Santa Clara, California charged a 19-year-old area man in connection with SIM swapping schemes to steal large sums of bitcoin and other cryptocurrencies.
Phone numbers were never intended to be unique identifiers, Nixon told me. As a result, there’s very little inherent security in a phone number. For one thing, your number is either public or nearly so. Second, the protections for your phone number are baked into access control for web applications or rest with workers at cellular providers. The success of SIM swapping attacks has revealed that both mechanisms are vulnerable. Phone company workers might shrink from an irate customer and just decide to do what they say. Alternatively, the phone employee may be unreliable: working in cahoots with the attacker.
“Any time you’re relying on humans to execute a security protocol, you’re going to get inconsistency and those inconsistencies can be exploited,” Nixon told me.
An Identity Hack
In this conversation, Nixon says that our habit of using phone numbers as a form of identity is really a shortcut or, as she calls it, “a hack” that only works if you take a lot of things for granted, without bothering to verify any of those assumptions. “It assumes that you’ve paid your phone bill every month; that you never change your phone number; that you have the same phone number for a long time and you are never going to get rid of it. It assumes that the phone number only serves one person.”
Any of those assumptions – or all of them – could be proven false. And, when you broaden the scope of the inquiry beyond wealthy, Western nations to include developing countries, the problems grow, Nixon said.
That isn’t to say that smart phones themselves aren’t useful forms of ID. Still, Nixon foresees big challenges with identity as Internet access extends to billions of people in developing nations.
Check out our entire conversation, where Allison talks about the ways that mobile phones are valuable as a means of identity and, also, what you should use as an alternative to phone number-based security measures such as SMS two-factor.
This post is sponsored by Flashpoint, which is a supporter of The Security Ledger. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.