A recent story illustrates how unsafe SMS text messages, and phone numbers in general, are when used as forms of identification.
Vice News reporter Joseph Cox worked with a white-hat hacker to demonstrate how easy it was to reroute SMS text messages intended for Cox's T-Mobile phone to a different phone number controlled by the hacker. Cox never got the texts at all, nor did he get any notifications on his phone that the texts were being redirected.
- FaceTime users getting bombarded with spam group calls — what to do
- You're probably doing 2FA wrong: Here's the right way
- Plus: Zoom security flaw lets other people see way too much
The hacker did this by forging an authorization form (with Cox's permission) to get a company that reroutes SMS messages for businesses to send the text messages to his phone instead.
Many businesses use such services so that support staffers can use computers to communicate with customers via text message — here's an example from another company of how it works.
The company exploited in the Vice News piece says the hack is no longer possible, at least with its own service. But it might still be possible with other companies that provide similar services.
Your phone number should not be your ID
This story underscores a point made by independent security reporter Brian Krebs a few years ago, and reiterated in a blog post Krebs wrote yesterday (March 16): Mobile phone numbers should not be used as identification.
It's too easy to "port" numbers to other phones, such as by sweet-talking or bribing a customer-support representative. It's too easy for crooks to gain access to the inner workings of the global telephone network by bribing or hacking telecom operators in small countries, thus being able to forward text messages to any number. And, unlike most mobile phone calls, text messages are not encrypted.
Many online services ranging from WhatsApp and Signal to, as Cox noted, Bumble and Postmates treat your mobile phone number as your primary user ID.
Thousands more online services use SMS text messages as the default form of two-factor authentication. Almost all online services use SMS text messages as the primary way to confirm a user's identity during lost-password reset procedures.
As a result, often the easiest way to hijack your online email, banking or financial account isn't by stealing your password — it's by stealing your phone number.
In the past few years, cryptocurrency investors have lost millions of dollars to scammers who stole their phone numbers and hijacked their accounts.
We've heard anecdotes of people having fraudulent charges racked up on their Apple Pay accounts because someone ported their numbers to other phones — even though that's supposed to be impossible.
The problem won't be solved soon
The ideal solution would be to use your phone number as your ID as seldom as possible. You wouldn't trust a driver's license that could be easily cloned or stolen without your knowledge, or transferred to another person when you get a different car. You shouldn't trust your phone number either.
Unfortunately, we can't force companies to stop assuming that phone numbers are inextricably tied to any one person.
Ideally, companies would always send verification codes to email addresses or mobile apps rather than to phone numbers during password resets. But not all companies understand security as well as Google or Microsoft.
For many companies that aren't normally in the tech sector, a mobile phone number is a quick, easy and universally supported way for them to communicate with customers.
That's why most companies with an online presence still offer only SMS text messages as the "second factor" in two-factor authentication (2FA). It's still a lot better than having no form of 2FA at all.
How to stop being so reliant on your phone number
There are a couple of ways to minimize the damage, should your mobile number be stolen or your text messages redirected or spied on.
The first thing to do is to check how many online services you use that offer something other than SMS text messages as the second factor. Ideally, we're looking for authenticator app support.
Authenticator apps are free code generators that you install on your Android or iOS device. Authy and Google Authenticator are two of the most widely used, but we also recommend LastPass, Duo, Microsoft and FreeOTP authenticator apps.
All of these apps are compatible with each other, and they're easy to set up when enrolling in 2FA on the website of a particular service. You just open the app, point your phone's camera at a QR code displayed on the website, and then type in the code that appears.
Online services that support authenticator apps include Amazon, Dashlane, Discord, Dropbox, Facebook, Github, Google, Instagram, Keeper, LastPass, LinkedIn, Microsoft, Newegg, Paypal, Reddit, Slack, Snapchat, TurboTax, Twitter and Zoom. There is no reason you should be using SMS text messages for 2FA with any of those services.
Two big tech services are missing from this list, however.
Apple assumes everyone who has an Apple ID also has an Apple device (not true), and "pushes" a temporary login code to every device registered to that Apple ID. The only alternative is to send that code via SMS text message. We think Apple should support third-party authenticator apps as a 2FA option.
Yahoo "pushes" codes to your phone through its Yahoo mobile app, which you can install on any Android or iOS device. Otherwise, like Apple, it texts you the code.
Push notifications are quite safe — Google and Microsoft support them as well — but you'll have to install a new app for each service that uses them. On the other hand, you need only one authenticator app.
Authenticator apps and push notifications aren't available for most online services, however — especially for companies that aren't traditionally in the tech sector. This is sadly true of many banks, even the big ones.
But in many cases, you can go into your account profile and make password-reset and 2FA codes go to an email address instead of a phone number.
Should you use your phone number at all?
In his blog post yesterday, Krebs recommended that you go one step further. He argues that you should delete your phone numbers from your online account profiles so that services won't be able to call or text you.
We don't think that's realistic. Without knowing your mobile number, services that don't support authenticator apps won't be able to offer you 2FA at all.
Even services that do support other forms of 2FA may have a hard time reaching you in case of an emergency, such as if someone tries to break into your account using a stolen password, or tries to access your online bank account.
Until corporate America beyond the tech sector wises up and realizes that phone numbers aren't equivalent to ID, this problem will stay with us. As a user, though, you can minimize your risk by letting them use your phone number as seldom as possible.
