Celsus Advisory Group

Phone numbers are the new social security numbers

Following the Equifax breach people have been calling for a replacement to social security numbers.

The successor to social security numbers is already here: it’s mobile phone numbers. This is especially bad if you are a person of interest or a public facing persona.

TL;DR: Most systems aren’t designed to deal with attackers taking over phone numbers. This is very, very bad. Phone numbers have become magic/master keys.

For much of our digital and offline presence, our phone number functions as our personal identifier. Some of our colleagues have had dedicated mobile numbers for nearly 20 years; that’s one heck of a digital history, and it makes for a very rich target.

Phone numbers play a major role in authentication and verification:

In other words: Our phone number has become an almost irrevocable credential. It was never intended as such, just like social security numbers were never meant as credentials. A phone number provides the key to the kingdom for most services and accounts today.

While we’ve been educated to guard our social security number, the exact opposite is true for our phone number. It’s 2017. At this point, what company or person you interface with doesn’t have your mobile number? See the problem? Take over someone’s phone number, take over their identity.

To make matters worse, people have been conditioned to think that adding a phone number to accounts adds a layer of security. While that may be true for non-targeted attacks, the inclusion of phone numbers gives persistent adversaries another avenue of attack. Phone numbers have become a single point of failure.

Case in point: Google’s announcement of their advanced protection program. Google is acknowledging their regular procedures aren’t effective against persistent adversaries.

An attacker with access to a target’s phone number can take over accounts. How do attackers take over phone numbers?

Those dealing with targeted attacks will have to find a different approach to fend off adversaries. Relying on a strong password over 2FA goes firmly against the two-factor authentication doctrine that has been promoted heavily, but 2FA isn’t all it’s hyped up to be. Between the phone number exposure, malware and sessions that rarely expire, two-factor authentication still provides plenty of opportunity for dedicated adversaries.

With this knowledge in mind, (re-)consider the security of any application that strictly relies on having access to a phone number for authentication. Since you can’t rely on your telecom provider to protect your phone number, what’s your next move?
