Phone numbers – not that unique and not that secure!
A spate of recent disclosures calls into question once again the wisdom of using phone numbers for authentication. As we’ve discussed elsewhere on this blog, mobile phones are relatively easy to spoof, hijacking of phone accounts is becoming worryingly commonplace, and what happens if you lose your phone or have to change your mobile phone number? This hair-raising account from Allison Nixon, director of security research at New York City-based cyber intelligence firm Flashpoint (https://krebsonsecurity.com/2019/03/why-phone-numbers-stink-as-identity-proof/), highlights many of the issues, for example when phone numbers are used for authentication within apps, or when banks send out sensitive updates via SMS.
Another issue regarding the use of personal numbers is where employees use their own mobile phones for business. If numbers are published in a corporate directory, that means anyone who works for the organisation has access to those personal numbers. Industry contacts related an incident where this led to female employees receiving unwanted calls at weekends, which as well as being a nuisance and potentially intimidating for the victim, also raises concerns as to their employer’s management of their personal data!
So while using our mobile numbers for authentication is very convenient, it is now becoming frighteningly insecure.
What else is at risk if your social media account is hacked?
If that isn’t enough horror to contemplate for one day, we have recently heard how ‘9 million data items containing passwords in plain text’ have been exposed at our perennial favourite, Facebook… for years! And their response? “We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data”. We’re guessing that any malfeasance is unlikely to be admitted! More details here:
How many websites now invite us to login using our Facebook credentials? If your Facebook identity is hacked, what else does the hacker gain access to?
Security by design – or just an after-thought?
This brings us to the salient point that when large companies talk about security and encryption, it often doesn’t seem to apply to their own staff. Indeed, one of the points made by Allison Nixon is that banks often don’t know how to remove a mobile phone number associated with an account once the account holder has lost that number.
When it comes to keeping your private data secure, this all makes the case for using apps that are designed specifically with security in mind, not consumer-grade apps where security is an after-thought and a begrudging add-on at that!
Armour Mobile can be used with abstract numbers or random strings as identifiers, so you don’t need to expose your own mobile number. These identifiers are then tied back to real-world identities within the Armour system, which is controlled in our secure cloud, or by your own, on-premises administrators. Provided that the users are known in some manner and the identities are centrally controlled, this approach provides better security than relying on phone numbers to prove someone’s identity.