
Too many services use phone numbers as the keys to the kingdom. It's a convenient and stable identifier, but holy shit it's not designed for security at all.



It's neither convenient nor stable for anyone moving between countries either. When given the choice between a service that uses my phone number as my permanent user identifier and one that uses my email, I'll always go for the latter.

Unfortunately, big parts of the industry seem to be headed the other direction.


I just transferred my phone number to Google Voice when I moved out of the country. When I moved back I simply transferred it back to my carrier.


There seem to be horror stories on reddit about Google Voice numbers being terminated for people out of the country too long.

Is there a stable inexpensive phone number service for folks that are outside the US a lot?


I've been looking into Google Voice alternatives, and https://voip.ms/ looks good.


I've been using voip.ms and it is fairly good. I wish the SMS support was a bit better, but it does reliably deliver messages to email or SIP. (Large messages are not re-joined though, and sending is based off of a code in the subject instead of an email address per number, which could easily be added to an address book.)


I used the Republic Wireless wifi only service for $5/month. Still more expensive than it _needs_ to be, but well worth it.


International relocation is a very good point!

Something I hadn't considered. Thanks!


This is about complete takeover of SMS for a phone number.

The threat model is beyond 2FA, imagine being able to impersonate anyone over text.

Social engineering gone to the next level. This isn't about just taking over accounts, it is about taking over a huge chunk of someone's social existence.


I realise TFA is about the US, but it’s worth noting that in most of the world, SMS is pretty much just used for receiving messages from your bank and other automated stuff these days.


Sure, and instead, people use apps like Signal or WhatsApp, which are tied to phone numbers, on which the attacker can now register to your phone number thanks to his receiving your SMS...


If you tell Signal not to allow anybody else to re-register from your phone number without your PIN, it will enforce this until at least seven days pass without you using Signal.

If you've uninstalled Signal or just never use your phone, then yeah, after a week or so this proposed attack "works" and the safety numbers for any ongoing conversations with anybody reset (the attacker doesn't know the long-term identity key for your phone, so they'll get a new one, thus generating a different safety number), which will be notified to the other participants, although since you presumably never use Signal there may not be any such conversations.


> If you tell Signal not to allow

Big if already

> the safety numbers for any ongoing conversations with anybody reset ... which will be notified to the other participants

"Hi <name>, I have a new device, can you help me ____"


Absolutely. Was just responding to SMS being a direct part of people's "social existence", which it really isn't in most of the world.

As you say, though, it's one step away from things that are in fact directly used for communication.


> It's a convenient and stable identifier

It is not stable in the least for millions of Americans, especially those who live in poverty (I'm not sure about the rest of the world). Phones are lost or stolen, phone numbers changed because of being harassed by debt collectors, ex-partners, current partners, etc. And if it isn't stable, it isn't convenient.


My phone number changes every 2-3 years whenever I switch to a new carrier for their acquisition offer. Why would I port my old number when 9/10 people who call me, I don't want to be calling me? And heck, I don't exactly live in poverty, even if my (student and scum landlord) debt is significantly more than my assets.


It is better in the US as generally all plans are country-wide, but as a Canadian my number has changed many times.

- First number.
- Moved to a different city for Uni. Switched number so that people didn't have to pay long-distance to call.
- Moved back.
- Moved to Europe for a job.
- Moved back.

I would never consider an identifier that is (loosely) tied to your location stable.


The whole 2-factor thing really falls down if SMS is a part and you aren't getting the messages.

I had a miserable time trying to get into Backblaze recently, with even the ability it offered to switch sms providers failing.

The list of valid keys they give you on setup bailed me out eventually, but it took me a while to remember them.


> remember them

Uh. You're supposed to memorise them? I printed them out and stuck them in a safe place.


Maybe “remember that they exist”? I can’t imagine remembering those.


I laughed when I saw this. It took me a while to remember I had the backup codes. I hadn’t memorised them.


I put mine on stickies on my laptop. Or if they're really important on a sticky in my desk drawer.


Yep, I hate this with a passion. I deprecated text messaging a decade ago, too. Anyone who thinks they can reach me by some ancient 140-character mobile-operator-controlled service, it's their fault for not getting with the beat in 2021.


Agreed. Users have it in their power not to use services that require a phone number for SMS verification.


But we often don't. I just got my covid shot and with it a request to sign up for vsafe, which needs a phone number. (Which means I can't sign up, since I have anti-spam protection on and so their texts don't get through.)


Tell them you have no phone. It seems to disarm people. You're not telling them that you refuse their request and getting into a power struggle. Then ask them if that means you can't get a vaccination or whatever. This has worked every time so far for me.

It doesn't get easier. It probably would if more of us did it, though.


I got the vaccine, no problem. With the vaccine came a sheet of paper requesting I sign up for vsafe, which is a program unrelated to those giving the vaccine. It is probably useful to sign up, so I tried, but there wasn't an option of no phone, or at least not until it was too late.


The local government here has a covid tracking system that uses SMS verification and many stores won't let you in without using it.


I hear you, this comes up more and more often. I remember reading that Singapore had something like this (for contact tracing, I think), but they'd give you a dedicated device if you didn't have a phone. Ugh.

I like telling companies who want my number: No, my phone is for people I know to call me, not corporations. Other times I tell them that I don't have a phone and ask them if they are refusing me service. Not saying I have a perfect record, sometimes it is convenient to have the mechanic call when the car is done, etc. But the more I see companies who don't need a dossier on me asking for my personal info the harder I want to push back. I seek out and appreciate organizations that don't do this. I joke that I might end up living in a commune one day!

I can see this becoming a bigger problem. I've been following the idea of covid-vaccination-tracking applications, and don't have a good feeling about any of that. I'm expecting that the vaccination campaign will work well enough for that idea to be a moot point, but also expecting that companies and governments will want to do the extra tracking anyways, because their incentives are not aligned with the general population for stuff like this.


It's been a bigger and bigger problem where installing an app is just expected and almost impossible to avoid in some situations.

I also hate how it's hard to explain to normal people. I don't have a problem with covid restrictions. I'm happy to wear a mask, social distance, etc. I just don't want to be sending the government, with a horrible privacy/security history, a log of everywhere I have been if I can avoid it. But you will be seen as some covid conspiracy theory nutcase if you object.

It's also awkward to keep telling stores I don't want to give them my address or phone number.


> I just don't want to be sending the government with a horrible privacy/security history a log of everywhere I have been if I can avoid it.

Are you sure this is what your local app does? Many COVID-19 government apps were built reflecting this desire for privacy, I've written about the New Zealand one previously but lots are like this.

When you scan a QR code with that Kiwi app your phone learns you went somewhere and when ("This code is for the Auckland central library, and it's 1430 on Tuesday 16 March") but it doesn't tell the government, they don't care and could only make things worse by losing the information. It just remembers where you were.

Then when the government finds out that an infected person was careful to stay home except, oh yeah, they did pop to that library to get a book to read while they stayed home, for about 15 minutes, around 2-3pm on Tuesday, they send all those apps a message (it also goes in a press release, but who seriously reads those?) and the app goes "Auckland central library? 1400 to 1500 on 16 March? That's a bingo" - and you get a message telling you that you should get tested, or to watch out for symptoms, or whatever the government advice is in that particular case.

So effectively your phone is just simplifying work you'd otherwise have to do: instead of you laboriously checking the list of locations in your local paper or on a web page any time there's a breach, the phone matches it correctly for you.

If you're infected, you do have the option to have your phone tell the tracing people everywhere it remembers you going recently, but that's up to you whether you feel morally obligated to help them. Contact tracers in countries with low incidence are mostly from STI clinic backgrounds (which of course also need tracing), so "I went to the restaurant even though I had virus symptoms" is at least easier to confess than "I fucked some random stranger I met in a bar last Tuesday even though I'm married"


Nope, I know 100% it sends the record off to the government server and then, when a location has a reported case, they call you using the info they have. I know the guy who built the system and he says that while the data is encrypted in the DB, the government also has the key to access everything.

It's also partly about the precedent it sets. It's now becoming required to carry a phone around with you and hand over more of your data without any opt-out.


citation needed


More and more services are supporting - or worse, requiring - SMS-based or phone-based 2FA. Moreover, people frequently do not "have it in their power" not to use a particular service. For example, I decided to log in to Fidelity the other day, since I still have a 401(k) with them from an old employer who did matching. They require call or SMS 2FA. And you could draw even stronger requirements to various government services in various countries.


Most places offer an alternative. Especially institutions that are not FAANG-types, like government services and heavily regulated ones like banks. I am a U.S. citizen and have never encountered a service that didn't have alternatives to using a smart phone. Are you saying that Fidelity would not have mailed you a statement?

A complaint can be registered with the company, regulators, and/or politicians. Switch to another provider if possible. I know it's not always easy, I'm not perfect in this regard. But if nobody does anything, nothing will change. Are you telling those of us who feel this way to give up?


When did I say they required a smartphone? A landline will work perfectly fine for "voice" 2FA, and just about anything but a landline will work for SMS 2FA.

They probably would mail me a statement, but that means I'm limited to much less convenient (and less secure!) forms of communication with them, like calling them... or receiving a letter.

How can I switch to another company when my employer is the one who decides to whom they will match contributions? Or, to borrow from the people in other countries who have posted elsewhere here, when the account is related to taxes or government benefits? Or maybe all the major banks in their country require it?
