
Privacy Perspectives | When did our phone numbers become the new identifier du jour?


While celebrating the U.S.'s 4th of July weekend at a Bob Moses DJ set, my iPhone was stolen out of my bag; fortunately, I still had my wallet and keys. Even though I could observe the thief through "Find My iPhone" going to another music venue the same night for more petit larceny attempts, I knew there was little I could do. 

In addition to the normal feeling of being taken advantage of, I was also starting to feel increasingly frustrated. No phone meant no contact with the greater world. Social media was out of the picture, as well as constant contact with friends and family through the various chat apps I use — only those I communicate with via iMessage, thanks to having the program on my MacBook. And while it was nice to take a break from my mild phone addiction and its many wonders, it presented greater life challenges. 

Without a phone, I was locked out of personal, financial, social and professional accounts. Many services require a secondary authentication step, which is commonly done through SMS associated with a mobile phone number. "SMS," or Short Message Service, is a standard text message sent using a cellular signal instead of an internet connection, unlike iMessage, WhatsApp, Signal or other web-based messaging services.

SMS 2FA is an authentication protocol that is used following the standard password input for a service — it sends a short one-time password to the user via a text message. It came as an unpleasant surprise when I discovered that SMS 2FA does not include iMessage.

New day, new identifier

When did our phone numbers become the new identifier du jour? The U.S. does not have one specific identifier that is relied upon to manage its population; instead, several identity documents like Social Security numbers, passports or state IDs have traditionally been used to verify someone's identity. But with the explosive surge in data breaches and identity takeover fraud, it has become challenging for companies and consumers alike to solely rely on these very sensitive data elements. 

Phone numbers are connected to most parts of our lives. Thanks to the mass adoption of personal mobile phones, the evolution of digital ecosystems, and public awareness around how sensitive identifiers can be used, verification services have had to look for alternative identifiers. And even if this number is not truly static like an SSN, it rarely changes. Just ask anyone who has moved to a different country about the challenges here. It's logical then that more and more services would adopt phone numbers as the main identifier compared to traditional identity verification services. "Phone Centric Identity," using your mobile phone number along with a password, is now being touted as the new modern way to identify consumers.

All this to say, phone numbers and SMS 2FA have been proven to be insecure and ineffective identifiers. Spoofing, SIM swapping, Remote Desktop Protocol, man-in-the-middle attacks and social engineering are all common methods that criminals can use to effectively gain access to people's phones and take over their digital lives. Furthermore, unlike messaging apps with end-to-end encryption, SMS is built into the architecture of the mobile networks themselves. So, the security of the SMS messages we send inherently depends upon the security framework that our mobile carriers have, hopefully and sometimes not successfully, built in. And while this insecure authentication method is widely used, Forrester Research estimates that SMS 2FA stops only 76% of attacks.

Alternative authentication methods?

Following my Kafkaesque nightmare, peers in the privacy community proposed looking into some sort of authentication app, in lieu of SMS 2FA, as a more secure and effective authentication method. This version of 2FA or multifactor authentication works similarly in that it generates an OTP that users need to enter to gain access to a service. Authenticator apps typically refresh every 30 seconds, so even if a criminal somehow gained access to the OTP, the likelihood of it working for them is minimized. 

Unfortunately, this is not common knowledge or easy to configure for the average consumer. Not all services offer alternatives to the 2FA SMS code option, and even when they do, setting up authenticator app support involves scanning a QR Code, inputting various keys, which I really couldn't figure out, or only works with specific authentication services.

Authenticator apps are more commonly used in a corporate context for Single Sign On (SSO) purposes than they are by sole individuals. One tech-savvy friend showed me three different authenticator apps on his smartphone, which still didn't cover all of the services for which a secondary form of authentication is required. And to add insult to injury, I could not even use these authenticator apps during the several-day period of having no phone.

The future of phones and identifiers

Despite the relief I felt upon having a mobile phone again, the whole situation left me feeling uncomfortable about our overreliance on these numbers. Perhaps it is a paternalistic thought, but I can't see how a "reasonable user" could easily take preventive measures to secure their number and manage their digital livelihood in the event that a criminal steals more than just their physical device.

Ideally, there would be a multi-stakeholder effort amongst mobile networks, device manufacturers, operating systems and major digital service providers to create a more simplified, secure and seamless method that average users could enable to access services and keep their accounts and identities protected. 

More likely, we will see smaller efforts from passionate stakeholders who are looking to make a difference in this space. One exciting proposal is around decentralized identity: users would have a "wallet" that stores their credentials and personal information, which includes verified identity details that one would need to provide eligibility to complete a transaction. That information is "signed" by multiple trusted authorities to prove its accuracy. And instead of relying on passwords, unphishable cryptographic keys would authenticate users on the services they use.

The technology is still new and would result in companies processing significantly less data about users, which is arguably good for users privacy- and security-wise and not so good for companies that monetize user data. But maybe there will come a day when digital services and the users that transact with them would widely adopt such a proposal.

Until then, I'm not letting my new phone out of my sight.



6 Comments


  • Jay Libove • Aug 1, 2022
    I'm not normal. I'm one of those security people. (I have been since .. 1984? .. when as a teenager my family had to request the police use a trace to identify another teenager who had set his modem - yes, dial-up modem, to ring our house every hour on the hour, in revenge for me kicking him off of a BBS - bulletin board system - which I operated and on which he had abused his privileges).
    I'm also a privacy person. I got my CIPP in 2007 or so.
    That SMS can be hacked, and that relying on a phone as the only practical means of 2nd factor security, are not news. They're not news to the security community, and forgive me for being direct, but they should not be news to anyone in the privacy community, either.
    Code generator apps have been around for decades. Google Authenticator, a broadly compatible, free such app, was released in 2010. Various such apps have existed for the past several years which are generally easier to use, and most importantly which (unlike Google Authenticator, and, yes, there is always a trade-off..) have cloud synchronization.
    This article talks of losing nearly all connectivity for some number of days until a phone was replaced. How about keeping the previous phone around for very limited, emergency use? (I actually have two older phones, but, again, I'm not normal).
    The deep fault of all of this lies in the intersection of the big technology companies who primarily do things that are good for their short to medium term bottom lines, with shameful failures of regulation and of regulatory enforcement. That combination has created a fragility and a complexity which really are beyond the normal person. And we users also bear some amount of the blame for being sheep; doing better at this isn't quite as much harder as something that many of we sheep couldn't do for ourselves...
  • Brian Laws • Aug 3, 2022
    So interesting! So I consider myself highly tech inclined, but I don’t understand how a decentralized wallet app (As I understand it: an app that stores the information locally only, or in the cloud but in some way that’s inaccessible to anyone other than the owner?) can securely process a transaction without transmitting the data to another party. Doesn’t the seller have to see the buyer’s info? Or at the very least, transaction details are still being sent to the bank. That Forbes article is a little optimistic and light on details. Though, for KYC purposes, I can fully see the use case.
    
    My main worry is about inclusivity. Good luck convincing my parents to sign up for an identity wallet.
    —
    Another comment suggests keeping an older-generation phone around for emergency uses. This commenter must be an older-generation user to imagine that would be a solution. Even if you’ve got a fully backed up iCloud account, it’s never that easy and there are always a hundred little issues. Losing an iPhone absolutely requires a trip to the Apple store - and count yourself lucky if that is the case because at least you won’t be dealing with any Android nonsense.
  • Heather Federman • Aug 5, 2022
    Hi Jay - Thanks for the comment. My policy with my telecom provider is to trade in my phone for an upgraded one. However, I do agree that having a spare phone (with a separate SIM number) is a good idea and I have looked into "burner phone" options if you have any guidance on that front. 
    
    Cheers, Heather F. 
    
    P.S. No one who works in privacy/security is normal :)
  • Heather Federman • Aug 5, 2022
    Hi Brian - appreciate the comment. The details on a decentralized ID wallet do seem fuzzy and somewhat idealistic. Like many things in life, "the devil is in the details," so if there is a real effort to do something here, it will be interesting to see what stakeholders propose. Cheers, Heather
  • Brent Martin • Aug 9, 2022
    fwiw, redundancy comes in many forms - I run the same code apps on my Samsung tablet that I have on my S10, and I always input an email address and a phone number if both options are available for two factor authentication for services that don't use authenticator apps. 
    
    I also have an old phone (it's an S8, so not really that old) that runs the same apps as my current phone. The SIM is no longer active because it works just fine on wifi as a computing device but I could reactivate it online through my carrier's app in a pinch.
  • Emma Butler • Aug 15, 2022
    Just a comment on the identity wallet point: I used to work for Yoti, a UK digital ID company whose ID app goes some way towards what you are describing. Providing you have backed up your account to cloud storage, you can recover it and download it onto a new phone. The challenge is getting organisations to accept it as a valid form of ID.