On Thursday, T-Mobile confirmed that some of its customer data was breached in an attack the company discovered on Monday. It’s a snappy disclosure timeframe, and the carrier said that no financial data or Social Security numbers were compromised in the breach. A relief, right? The problem is the customer data that was potentially exposed: name, billing zip code, email address, some hashed passwords, account number, account type, and phone number. Pay close attention to that last one.
The cumulative danger of all of these data points becoming exposed—not just by T-Mobile but across countless breaches—is that it makes it easier for attackers to impersonate you and take control of your accounts. And while the passwords are bad news, perhaps no piece of standard personal information has more value than your phone number.
That’s because phone numbers have become more than just a way to contact someone. In recent years, more and more companies and services have come to rely on smartphones to confirm—or “authenticate”—users. In theory, this makes sense; an attacker might get your passwords, but it’s much harder for them to get physical access to your phone. In practice, it means that a single, often publicly available, piece of information gets used both as your identity and a means to verify that identity, a skeleton key into your entire online life. Hackers have known this, and profited from it, for years. Companies don’t seem interested in catching up.
‘If it’s not a secret, then you can’t use it as an authenticator.’
Jeremy Grant, Better Identity Coalition
Identity management experts have warned for years about over-reliance on phone numbers. But the United States doesn’t offer any type of universal ID, which means private institutions and even the federal government itself have had to improvise. As cell phones proliferated, and phone numbers became more reliably attached to individuals long term, it was an obvious choice to start collecting those numbers even more consistently as a type of ID. But over time, SMS messages, biometric scanners, encrypted apps, and other special functions of smartphones have evolved into forms of authentication as well.
“The bottom line is society needs identifiers,” says Jeremy Grant, coordinator of the Better Identity Coalition, an industry collaboration that includes Visa, Bank of America, Aetna, and Symantec. “We just have to make sure that knowledge of an identifier can’t be used to somehow take over the authenticator. And a phone number is only an identifier; in most cases, it’s public.”
Think of your usernames and passwords. The former are generally public knowledge; it’s how people know who you are. But you keep the latter guarded, because it’s how you prove who you are.
The use of phone numbers as both lock and key has led to the rise, in recent years, of so-called SIM swapping attacks, in which an attacker steals your phone number. When you add two-factor authentication to an account and receive your codes through SMS texts, they go to the attacker instead, along with any calls and texts intended for the victim. Sometimes attackers even use inside sources at carriers who will transfer numbers for them.
“The issue being exposed with SIM swaps is that if you control the phone number you can take over the authenticator,” Grant says. “A lot of it gets to the same issue we run into with Social Security numbers, which is leveraging the same number as both an identifier and authenticator. If it’s not a secret, then you can’t use it as an authenticator.”
It’s a tangle. But it doesn’t have to be like this. Thomas Hardjono, a secure identities researcher at MIT’s Trust and Data Consortium, points to credit card numbers, identifiers authenticated with a chip plus a PIN or a signature. The financial industry realized decades ago that the system wouldn’t work if it wasn’t relatively easy to change credit card info after it was exposed. You can get a new credit card as needed; changing your phone number can be incredibly inconvenient. As a result, they become more and more at-risk over time.
It’s a tangle. But it doesn’t have to be like this.
So if you’re looking for an alternative to the phone number, start with something more easily replaceable. Hardjono suggests, for example, that smartphones could generate unique identifiers by combing a user’s phone number and the IMEI device ID number assigned to every smartphone. That number would be valid for the life of the device, and would naturally change whenever you got a new phone. If you needed to change it for whatever reason, you could do so with relative ease. Under that system, you could continue to give out their phone number without worrying about what else it might affect.
“The people in the card payment space understood a long time ago that separating people’s accounts from static attributes is important, but this definitely hasn’t happened with mobile phone numbers,” Hardjono says. “Plus SMS is a weak way to authenticate anyway, because the protocols are vulnerable. So if your phone could generate this short-term identifier that’s a combination of your physical device identifier and your phone number, it would be replaceable as a safety precaution.”
And that’s just one possibility. The important thing is that it’s not necessarily bad for identifiers to be public; you just need a mechanism to change them if necessary, in a way that causes minimal headaches.
Numerous undertakings have explored these problems, but past projects have faced inertia in working to implement changes. Again, look to credit cards; the international community used chip and pin for decades before the US finally transitioned over in 2015. And the US still didn’t adopt PINs, opting for less secure signatures instead.
Substantive change likely won’t come unless the government mandates it. Managing identity schemes is a complicated; falling back on phone numbers and Social Security numbers makes life easier for companies. The Better Identity Coalition’s Grant notes, though, that recent wakeup calls, like the devastating Equifax breach, have created some real motivation within private industry.
Understandably, you’ll probably only believe it when you see it. Until that big change does, take all the precautions you can to protect your mobile account, and try to cut your phone number out of as many signups and logins as possible. It may not be the the ideal identifier, but it’s the one you’re stuck with.
Updated August 25, 9:15am EST to include reports that hashed passwords were also compromised in the T-Mobile breach.