Following the Equifax breach, people have been calling for a replacement for social security numbers.
The successor to social security numbers is already here: it’s mobile phone numbers. This is especially bad if you are a person of interest or a public-facing persona.
TL;DR: Most systems aren’t designed to deal with attackers taking over phone numbers. This is very, very bad. Phone numbers have become magic/master keys.
For much of our digital and offline presence, our phone number functions as our personal identifier. Some of our colleagues have had dedicated mobile numbers for nearly 20 years... that’s one heck of a digital history, and it makes for a very rich target.
Phone numbers play a major role in authentication and verification:
- They’re often used in two-factor authentication.
- Perhaps more importantly, they’re used to recover both online and offline accounts and services. Examples include Signal, Google, Twitter, Facebook, Office365, (online) banking and your favorite (cryptocurrency) trading platform. You name it.
- Most of the account recovery implementations are not well thought-out. System architects are relying on attackers being unable to take over a phone number. This is a false assumption.
- Some services refuse to enable 2FA if they don’t have a phone number on file that allows for account recovery.
- Often, phone numbers are required to activate or use a service.
- Phone numbers may be used as verification in offline settings as well.
In other words: Our phone number has become an almost irrevocable credential. It was never intended as such, just like social security numbers were never meant as credentials. A phone number provides the key to the kingdom for most services and accounts today.
While we’ve been educated to guard our social security number, the exact opposite is true for our phone number. It’s 2017. At this point, what company or person you interface with doesn’t have your mobile number? See the problem? Take over someone’s phone number, take over their identity.
To make matters worse, people have been conditioned to think that adding a phone number to accounts adds a layer of security. While that may be true for non-targeted attacks, the inclusion of phone numbers gives persistent adversaries another avenue of attack. Phone numbers have become a single point of failure.
Case in point: Google’s announcement of their Advanced Protection Program. Google is acknowledging that their regular procedures aren’t effective against persistent adversaries.
An attacker with access to a target’s phone number can take over accounts. How do attackers take over phone numbers?
- SS7 and Diameter attacks target the underlying telecom network/protocol and allow a more sophisticated attacker to take over any phone number. This lets an attacker intercept calls, SMS-based tokens and account recovery codes.
- IMSI catchers are RF devices that also facilitate this approach by intercepting and injecting cell traffic, but they require physical proximity to the target.
- Attackers can target the telephone company by conventional hacking, or by social engineering support staff into transferring control of a phone number to the attacker. This is called porting, and it has become increasingly popular with attackers. Some examples here, here, here and here.
Those dealing with targeted attacks will have to find a different approach to fend off adversaries. Relying on a strong password over 2FA goes firmly against the two-factor authentication doctrine that has been promoted heavily, but 2FA isn’t all it’s hyped up to be. Between the phone number exposure, malware and sessions that rarely expire, two-factor authentication still leaves plenty of opportunity for dedicated adversaries.
With this knowledge in mind, (re-)consider the security of any application that strictly relies on having access to a phone number for authentication. Since you can’t rely on your telecom provider to protect your phone number, what’s your next move?
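To make the design point concrete (the "system architects are relying on attackers being unable to take over a phone number" problem from the list above, and the re-think this closing paragraph asks for), here is an added example of two account-recovery policies side by side. It is not code from the original post or from any of the services named in it; the data model, the policy names, the seven-day cooldown after a phone number change and the sample accounts are all constructed for this illustration. The first policy treats possession of the phone number as proof of identity; the second never lets SMS stand alone, requires two independent proofs, and refuses to trust a number that was changed recently, which is what a fraudulent port looks like from the service's side.

```python
"""Account recovery: phone number as master key vs. a hardened policy.

Added illustration, not code from the original post. The model, policy
names, cooldown value and sample accounts are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed value for this example: a number changed less than this long ago is
# treated as possibly ported and is not accepted as a recovery proof.
PHONE_CHANGE_COOLDOWN = timedelta(days=7)


@dataclass
class Account:
    user: str
    phone_changed_at: datetime                      # last change of the number on file
    totp_enrolled: bool = False                     # authenticator app, independent of the number
    backup_codes: set[str] = field(default_factory=set)  # printed single-use codes


@dataclass
class RecoveryAttempt:
    now: datetime
    sms_code_ok: bool = False        # the code sent to the number on file was entered
    totp_ok: bool = False            # an authenticator code was verified
    backup_code: str | None = None   # one backup code, if the user presented one


def phone_only_policy(acct: Account, attempt: RecoveryAttempt) -> str:
    """Recovery as many services implement it: whoever can receive the SMS
    (after an SS7/Diameter intercept, an IMSI catcher or a port) gets the account."""
    return "GRANT" if attempt.sms_code_ok else "DENY"


def hardened_policy(acct: Account, attempt: RecoveryAttempt) -> tuple[str, str]:
    """SMS is at most one of two required proofs and is ignored entirely while
    the number is inside the post-change cooldown. Returns (decision, reason)."""
    proofs: list[str] = []
    sms_in_cooldown = attempt.sms_code_ok and (
        attempt.now - acct.phone_changed_at < PHONE_CHANGE_COOLDOWN
    )
    if attempt.sms_code_ok and not sms_in_cooldown:
        proofs.append("sms")
    if acct.totp_enrolled and attempt.totp_ok:
        proofs.append("totp")
    if attempt.backup_code is not None and attempt.backup_code in acct.backup_codes:
        acct.backup_codes.discard(attempt.backup_code)  # consumed on use, even if denied below
        proofs.append("backup_code")

    if len(proofs) >= 2:
        return "GRANT", "+".join(proofs)
    if sms_in_cooldown:
        # A number that just changed plus a recovery request is the porting pattern:
        # park the request for manual review and notify the previous contact details.
        return "HOLD", "phone number changed recently; route to manual review"
    return "DENY", "two independent proofs required, got: " + ("+".join(proofs) or "none")


def demo() -> dict[str, str]:
    """Constructed scenarios; returns each policy's decision per scenario."""
    now = datetime(2017, 10, 20)
    # Victim whose only recovery channel is the phone number.
    alice = Account("alice", phone_changed_at=now - timedelta(days=900))
    # Victim with an authenticator app and backup codes enrolled.
    bob = Account("bob", phone_changed_at=now - timedelta(days=900),
                  totp_enrolled=True, backup_codes={"code-1", "code-2"})
    # Same user, but the number on file was changed two days ago (port indicator).
    bob_ported = Account("bob", phone_changed_at=now - timedelta(days=2),
                         totp_enrolled=True, backup_codes={"code-1"})

    sms_only = RecoveryAttempt(now, sms_code_ok=True)
    sms_plus_totp = RecoveryAttempt(now, sms_code_ok=True, totp_ok=True)
    sms_plus_backup = RecoveryAttempt(now, sms_code_ok=True, backup_code="code-1")

    return {
        "alice/sms_only/phone_only": phone_only_policy(alice, sms_only),
        "alice/sms_only/hardened": hardened_policy(alice, sms_only)[0],
        "bob/sms+totp/hardened": hardened_policy(bob, sms_plus_totp)[0],
        "bob/sms+backup/hardened": hardened_policy(bob, sms_plus_backup)[0],
        "bob/sms+backup_reused/hardened": hardened_policy(bob, sms_plus_backup)[0],
        "bob_ported/sms_only/hardened": hardened_policy(bob_ported, sms_only)[0],
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:35} {decision}")
```

The scenario worth staring at is the first pair: the same SMS code that fully recovers Alice's account under the phone-only policy gets a plain DENY under the hardened one, because a phone number on its own is never enough. The HOLD branch is the part most services lack: the number on file changing and a recovery request arriving within days of each other is exactly the sequence a port produces, and a policy that knows this can stop and ask a human instead of handing over the account.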