Ask HN: Why are phone numbers considered a secure personal identifier?
This often causes problems with services (Paypal, banking apps, messangers, etc.) due to my inability use two factor auth and text-message based confirmation messages.
It seems to me that phone numbers are a horrible identifier due to the way they can be transferred between users of a carrier. Services like Ting have made short term numbers easy to use, and I often get two-factor auth messages from previous users of a number.
Is this purely a business case for data mining, or is there a legitimate security reason for relying on something as ephemeral as a phone number for critical identification mechanisms?
I have debated using Twilio to create my own number pool of international numbers and a way to check my messages via a web portal instead of relying on messaging. Are there any current apps / services that already do this effectively?
45 comments
[ 4.0 ms ] story [ 102 ms ] threadFirst is traveling quite a bit with poor cell signal. This one is unfortunate especially with banks that have no alternative 2fa other than a phone based OTP.
Why phone? I would believe it's the one thing that near ubiquitous that has a very low barrier to entry. I never had to train my mother how to use OTP when it's an SMS. If she was required to use google authenticator, I'd probably get a phone call every time she had to login.
As for "phone numbers are a horrible identifier" I would say it is "secure enough" for many scenarios.
Typically 2fa systems require a bad actor to have both a password and a physical device.
To be pedantic, the OTP is not considered an identifier, but a password that requires a physical device.
The barrier of a bad actor having both my PW and my device (as a PW) is supposed to raise it high enough that it's unrealistic. Obviously this doesn't work 100% of the time, because phishing and social engineering.
So, sure my device can change hands, but it is unlikely to have changed hands AND that same person has my password AND they are a bad actor.
I live overseas (US expat). To get around many OTPs from US based services I use: https://anveo.com/. Google Voice cannot do shortcode SMS for places like Bank of America. The website looks like it was built in 1995, but it's effective.
This is an important point for OP to consider. Twilio definitely can't receive SMS from US short codes[1]. When my number was at Google Voice I thought it could receive messages from short codes, at least in the recent past, but I ported it out so I can't test.
[1] -- https://support.twilio.com/hc/en-us/articles/223181668-Can-T...
It works well enough, the vast majority of the time, for the vast majority of people. You’re an extreme edge case.
Do you use PayPal? It’s impossible to even login while you are abroad.
Are you sure? I'm in Eastern Europe right now and just logged in and sent money.
1. I’ve also had a single phone number for over 20 years and quite frankly stopped counting the number of times I’ve been locked out of my accounts due to bad reception.
2. SMS is an insecure communication channel.
It's insanely easy to "steal" a cell number for a few minutes by advertising that number to a small carrier. Phone numbers are not at all secure.
But since most people aren't targeted and there is no easy replacement, phone based 2fa lives on.
According to Australian laws, someone can port your mobile number to his/her sim card by filing an online form, as long as they know your date of birth and account number, that person can take your phone number away in minutes. Nothing need to be done in person, no ID will be asked. In fact, the laws are made to explicitly forbid such checks under the name of giving consumers easy way to transfer to a different provider. You will get a SMS on your phone notifying you that someone has ported your number away and the next thing that is going to happen is that the offender is going to recover your paypal/gmail/online banking password using your phone number - time to say goodbye to your money in your account.
The story here is simple - phone numbers are misued by many as some kind of personal identifier, it is a feature with close to zero security protection in many countries. Mobile providers don't have any motivation to further secure it as they never claimed it to be secure and they didn't make $ out of it.
AFAIK it's even "illegal" to give a SIM card to a 3rd person with updating this information.
I just got a new number last week with cash. I bought a pre-paid SIM in Amsterdam. They gave me bonus credit for giving my name and address, but if I didn't want the credit, I wouldn't have had to give them any identifying info at all.
Systems which actually need to secure a large amount of digital valuables or face customer complaints (i.e. games) get their customers to use hardware tokens or mobile-based 2FA.
That's how secure I see phones.
I had the same idea and have been using Twillio to forward SMS / Voice to my phone. The idea being that a Twillio number should be harder for an attacker to port.
There are a few issues with that approach:
* SMS are only received if they come from the same country as the phone number.
* SMS issued by my bank not arriving. Maybe related to the first issue.
* Voice calls take a few more rings before they are passed through, meaning that calls are more likely to get dropped by the caller.
Other than that it works beautifully.
With SMS login, if I lose my phone getting back into my account is an argument between me and my phone provider. And blame for any mistakes in that process lies squarely with my phone provider.
This avoids the "I lost the backup codes as it's 5 years since I printed them out" problem.
Anyone involved in designing a 2FA system knows SMS isn't secure - companies like Apple accept that insecurity, to avoid the support costs of the lost-backup-codes problem.
They are cheap way for companies and developers to add a second identity to your account.
Use Twilio or VOIP.ms, very cheap. You can do 2fa easily, just top up $20. I find that the biggest cost for me personally doing this is the $1/month phone number rental fee. I use maybe ~50c every month on 2fa. It's an already solved problem.
> I have debated using Twilio to create my own number pool of international numbers and a way to check my messages via a web portal instead of relying on messaging. Are there any current apps / services that already do this effectively?
VOIP.ms has a very nice SMS gateway, they will automatically relay SMS messages to your email address. You pay a bit of a premium for it (eg, of SMS cost 0.001c, you pay 0.0015c if I recall correctly) - but it's almost immediately delivered without issue.
My phone number came from an old alt.phreaking post and has run busy continuously since at least 1982. If banks try to SMS authenticate me then instead of their app or web banking, I just link the account to another bank that doesn't do SMS. These days I pay for everything with credit cards anyway and the bank is just there to insure and hold my funds until I pay the cards, so I don't need much from them besides an ATM card and the ACH numbers.
I've noticed that all of the synchrony branded credit card sites require SMS only for password changes, and when prompting you they pull a list of every phone you've ever owned from a Transunion skip-trace database. If they wanted to authenticate me again before entering an area of elevated security they could just ask for my password again - but they don't, and they don't ask for any credentials when changing the phone number, so that suggests to me that security isn't the reason they are prompting for SMS authentication.
SMS validation or not, don't try to access the web portal for a Synchrony issued credit card from outside the US, they typically block the account with SMS validation for 3-4 days. Several times I've forgotten to turn of my VPN and ended up sending them paper checks in order to pay my bill on time.
Plus I think we've sufficiently proven that phone numbers are susceptible to SS7 and social engineering attacks, anyone with my mother's maiden name, DOB, and social security number can take over my phone and all the information is easily acquired from Transunion or Experian. The best thing NIST ever did as depreciate SMS auth for all the reasons I just described. The worst thing NIST ever did was backtrack on the first thing.
There are financial services companies out there that give a damn about security. Shout out to Robinhood for enabling strong passwords (32 characters!) and standard TOTP. They are the only financial services company I've found that offers TOTP. As soon as they have a cash management account I think that is where I'm going to park my funds.
(E*Trade has 2FA also but you have to buy a hardware dongle from them. I appreciate the effort but paging Captain Marvel just the same.)
TL;DR Phone numbers are not unique ID keys for people. But it seems like many companies view it as an easy, cheap 2nd factor (generally, "something you have"), to be combined with a strong password ("something you know").
The problem of course being that SIM-bound number can be hacked or stolen, and non-SIM-bound numbers are not actually "something you have". If a Google Voice number is controlled by the same login as a gmail account, there goes your 2nd factor.
A lot of people do use Burner for this per the link above. (I'm a founder).
I had a phone number hijacked a few years ago, and it took a lot of perseverance to retake control of the number. The phone company (AT&T) didn't know how to handle it. What they did understand is how to close an account. So one of the times I regained control (only to be sure I'd lose it again, soon) I quickly got them to delete the account. That did it.
Ever since that happened and I see a system for 2FA that is based on a phone number, I think it's just security theater, they must know there's nothing secure about it.
Edit: as others mentioned this sort of defeat 2FA, but I read the OP message as not trying to have a good 2FA solution, but being forced to use SMS by banks & co.