Discussion:
[Link Posting] Phone Numbers Were Never Meant as ID. Now We're All At Risk
(too old to reply)
Rich
2018-08-26 14:06:49 UTC
Permalink
####################################################################
# ATTENTION: This post is a reference to a website. The poster of #
# this Usenet article is not the author of the referenced website. #
####################################################################

<URL:https://www.wired.com/story/phone-numbers-indentification-authentic
ation/>
On Thursday, T-Mobile confirmed that some of its customer data was
breached in an attack the company discovered on Monday. It's a snappy
disclosure timeframe, and the carrier said that no financial data or
Social Security numbers were compromised in the breach. A relief, right?
The problem is the customer data that was potentially exposed: name,
billing zip code, email address, some hashed passwords, account number,
account type, and phone number. Pay close attention to that last one.
The cumulative danger of all of these data points becoming exposed - not
just by T-Mobile but across countless breaches - is that it makes it
easier for attackers to impersonate you and take control of your
accounts. And while the passwords are bad news, perhaps no piece of
standard personal information has more value than your phone number.
That's because phone numbers have become more than just a way to contact
someone. In recent years, more and more companies and services have come
to rely on smartphones to confirm - or "authenticate" - users. In
theory, this makes sense; an attacker might get your passwords, but it's
much harder for them to get physical access to your phone. In practice,
it means that a single, often publicly available, piece of information
gets used both as your identity and a means to verify that identity, a
skeleton key into your entire online life. Hackers have known this, and
profited from it, for years. Companies don't seem interested in catching
up.
...
Huge
2018-08-27 09:05:12 UTC
Permalink
Post by Rich
####################################################################
# ATTENTION: This post is a reference to a website. The poster of #
# this Usenet article is not the author of the referenced website. #
####################################################################
<URL:https://www.wired.com/story/phone-numbers-indentification-authentic
ation/>
On Thursday, T-Mobile confirmed that some of its customer data was
breached in an attack the company discovered on Monday.
Ah, yes. T-Mobile. The company that keeps your password in a database
in plain text and insists this is not a problem because of their "great
security".

Phags.
--
Today is Pungenday, the 19th day of Bureaucracy in the YOLD 3184
~ Stercus accidit ~
m***@mail.com
2018-08-27 15:23:17 UTC
Permalink
Post by Huge
Post by Rich
####################################################################
# ATTENTION: This post is a reference to a website. The poster of #
# this Usenet article is not the author of the referenced website. #
####################################################################
<URL:https://www.wired.com/story/phone-numbers-indentification-authentic
ation/>
On Thursday, T-Mobile confirmed that some of its customer data was
breached in an attack the company discovered on Monday.
Ah, yes. T-Mobile. The company that keeps your password in a database
in plain text and insists this is not a problem because of their "great
security".
Phags.
A civvy (non computer aware person) told me this story. His home phone
number does not show up on mobiles when he calls them. Now, he is
very nosy about his neighbours, so he rings up the social welfare
office, giving the neighbours name, and the person answering says,
"Could you tell me your number, it is not showing here."

He does , giving the neighbours mobile number, and is told the neighbours
social welfare status.
--
***@ireland.com
Will Rant For Food
Nyssa
2018-08-27 13:23:53 UTC
Permalink
Post by Rich
####################################################################
# ATTENTION: This post is a reference to a website.
# The poster of # this Usenet article is not the
# author of the referenced website. #
####################################################################
<URL:https://www.wired.com/story/phone-numbers-indentification-authentic
ation/>
On Thursday, T-Mobile confirmed that some of its
customer data was breached in an attack the company
discovered on Monday. It's a snappy disclosure
timeframe, and the carrier said that no financial data
or Social Security numbers were compromised in the
breach. A relief, right? The problem is the customer
data that was potentially exposed: name, billing zip
code, email address, some hashed passwords, account
number, account type, and phone number. Pay close
attention to that last one.
The cumulative danger of all of these data points
becoming exposed - not just by T-Mobile but across
countless breaches - is that it makes it easier for
attackers to impersonate you and take control of your
accounts. And while the passwords are bad news, perhaps
no piece of standard personal information has more value
than your phone number.
That's because phone numbers have become more than just
a way to contact someone. In recent years, more and more
companies and services have come to rely on smartphones
to confirm - or "authenticate" - users. In theory, this
makes sense; an attacker might get your passwords, but
it's much harder for them to get physical access to your
phone. In practice, it means that a single, often
publicly available, piece of information gets used both
as your identity and a means to verify that identity, a
skeleton key into your entire online life. Hackers have
known this, and profited from it, for years. Companies
don't seem interested in catching up.
...
Ah, yes, the infamous "we'll send a text code to your
phone" verification method.

Since I do NOT have a cell phone of any kind (much less
a smart one), I've had all sorts of problems with places
that insist that's the only way to verify that I'm me.

Sometimes an email explaining that my landline doesn't
accept texts will get to someone who can override the
problem, but often I've ended up locked out with no way
to override it, and no one who will take the issue
seriously. (What do you mean, you don't have a cell
phone? EVERYONE has a cell phone, so you must be a crook!)

I also wonder why T-Mobile or any cell service provider
would need to know a customer's social security number.
Talk about an invitation for mischief and mayhem!

Nyssa, who won't give out her SS number unless it's to
a government agency with a need to know
Huge
2018-08-27 13:58:02 UTC
Permalink
On 2018-08-27, Nyssa <***@flawlesslogic.com> wrote:

[59 lines snipped]
Post by Nyssa
I also wonder why T-Mobile or any cell service provider
would need to know a customer's social security number.
Because, contrary to the original requirements (and indeed, to the
SS Admin's charter) the SSN has become an ID number.
Post by Nyssa
Talk about an invitation for mischief and mayhem!
Quite.
Post by Nyssa
Nyssa, who won't give out her SS number unless it's to
a government agency with a need to know
https://www.allclearid.com/personal/when-you-can-say-no-to-providing-your-social-security-number/

I tried to open a bank account in the USA a few years ago, for entirely
innocuous reasons (my parents live there) and was told, wrongly, by a
number of banks that I couldn't do so because I do not have an SSN (on
account of not living in or being a citizen of the USA.)

There doesn't seem to be a "Falsehoods Programmers Believe ..." list
about SSNs, although there are some applicable points here;

https://samphippen.com/falsehoods-dev/
--
Today is Pungenday, the 19th day of Bureaucracy in the YOLD 3184
~ Stercus accidit ~
Andy Burns
2018-08-27 14:30:19 UTC
Permalink
Post by Nyssa
the infamous "we'll send a text code to your
phone" verification method.
Since I do NOT have a cell phone
Does you provider support SMS delivery to a POTS phone?
Here if you don't have SMS compatible phones (generally DECT models)
they will deliver it as a robo-spoken message.
Nyssa
2018-08-27 16:38:38 UTC
Permalink
Post by Andy Burns
Post by Nyssa
the infamous "we'll send a text code to your
phone" verification method.
Since I do NOT have a cell phone
Does you provider support SMS delivery to a POTS phone?
Here if you don't have SMS compatible phones (generally
DECT models) they will deliver it as a robo-spoken
message.
I doubt that this would be available. Even if it were,
no doubt Verizon (the landline company that bought out
GTE that originally owned the lines) would charge a
hefty fee for the service (just as they do for everything
else).

A few companies/websites will find an alternative method
of verification once they get over the shock of hearing
from someone without a cell phone. Most others just
ignore it and hope you will either go away or borrow
a friend's phone long enough to play their silly games.

Nyssa, who needs her landline for her dialup connection
and has a 2m mobile radio device if needed on the road for
an emergency
Rich
2018-08-27 15:58:19 UTC
Permalink
I also wonder why T-Mobile or any cell service provider would need to
know a customer's social security number.
Because, sadly, the "credit reporting agencies" (Equifax et al.) all
use the SSN as a unique key to identify you in their database.
Therefore, in order for T-Mobile to look up your credit rating (to see
if they want to provide you a plan where you pay /after/ you've used up
a month's service [1]) they need the SSN to look you up in the Equifax's of
the world.
Talk about an invitation for mischief and mayhem!
Yup. Exactly why the Equifax breach last year was so damaging.




[1] I.e., they want to see that you "usually pay your bills on time" so
they can then decide that yeah, you will likely also "pay this bill in
time".
Roger Blake
2018-08-27 22:52:16 UTC
Permalink
Post by Nyssa
Nyssa, who won't give out her SS number unless it's to
a government agency with a need to know
The SS number problem is due to one of many government Big Lies.

When Social Security was being debated, even in that pre-computer era
Americans were concerned about its being used to track them. The federal
government promised up, down, and sideways on a stack of bibles that
the SS number would *NEVER* be used as a national ID, it would only be
used for Social Security purposes. (Early cards even said as much on
their face.)

Just another lie. Yet there are people who can't understand why some
of us don't trust government.
--
-----------------------------------------------------------------------------
Roger Blake (Posts from Google Groups killfiled due to excess spam.)

NSA sedition and treason -- http://www.DeathToNSAthugs.com
Don't talk to cops! -- http://www.DontTalkToCops.com
Badges don't grant extra rights -- http://www.CopBlock.org
-----------------------------------------------------------------------------
Marko Rauhamaa
2018-08-28 05:16:07 UTC
Permalink
Post by Roger Blake
Just another lie. Yet there are people who can't understand why some
of us don't trust government.
The same people who swear by the US Constitution trust the government
the least.

So is the US Constitution an utter failure or not? Or is the problem
with the quality of the citizenry?

There are more modern countries with fresher constitutions and more
functioning governments. It's funny how the Americans by and large want
their governments to stay away from their lives while in Finland (where
I live) people constantly demand the government do more for them.


Marko
Dan Purgert
2018-08-28 11:23:47 UTC
Permalink
Post by Marko Rauhamaa
Post by Roger Blake
Just another lie. Yet there are people who can't understand why some
of us don't trust government.
The same people who swear by the US Constitution trust the government
the least.
So is the US Constitution an utter failure or not? Or is the problem
with the quality of the citizenry?
More that there is the realization of the fallibility of man, and the
reasonably well-documented proof that governments tend toward amassing
power ... and the more power there is, the more potential for
corruption.
Post by Marko Rauhamaa
There are more modern countries with fresher constitutions and more
functioning governments. It's funny how the Americans by and large want
their governments to stay away from their lives while in Finland (where
I live) people constantly demand the government do more for them.
Sparknotes version of it is that the US was pretty much founded on the
idea that "the government" is a required evil to ensure that (in
general), the governed people retain their liberties.

To that end, when the US Constitution was written, the states would not
ratify it without the Bill of Rights being added in (NOTE -- those
amendments are not _granting_ the people anything they didn't already
have), as the state governments and, by extension, the people governed
were (rightly) worried that at some point in the future, the government
could become tyrannical (or at the very least, infringe on those
rights).

We can see some of that happening in places like Canada, where "hate
speech(tm)" laws have been enacted. Whereas here, I can legally say
anything I want about some dude dressing up in his wife's clothes,
without being arrested for "saying mean thingsi(tm)" (or whatever).
--
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5 4AEE 8E11 DDF3 1279 A281
Roger Blake
2018-08-28 18:04:24 UTC
Permalink
Post by Marko Rauhamaa
The same people who swear by the US Constitution trust the government
the least.
That is because government has veered so far off the rails that
were supposed to constrain it.
Post by Marko Rauhamaa
So is the US Constitution an utter failure or not? Or is the problem
with the quality of the citizenry?
It has failed at the mission of confining government to enumerated
powers and preventing it from doing things like domestic spying on
all citizens. It has failed to keep us a nation of laws rather than
men. (Today it almost doesn't matter what the law actually says,
it matters what judges says it means.)
Post by Marko Rauhamaa
There are more modern countries with fresher constitutions and more
functioning governments. It's funny how the Americans by and large want
their governments to stay away from their lives while in Finland (where
I live) people constantly demand the government do more for them.
"More functioning" is a value judgement. Perhaps you mean governments
that force the highest number of regulations on their citizens and
micro-manage their lives to the highest extent possible. That is what
I see when I look at most countries with "fresher constitutions and
more functioning governments."

In any event I don't have the temerity to tell people in other countries
how they should live. That is up to them.

The U.S. has a history of recognizing government as a very dangerous
entity and emphasizing individual liberty and freedom over the state.

Of course the reality has often fallen far short of that ideal and today
is virtually unrecognizeable. From my own standpoint all I want from
the national government is to confine its activities to those items
specifically assigned to it and otherwise leave me the hell alone.

Government by its very nature, being founded in violence and coercion,
is a criminal enterprise. The very best you will ever get out of it
is "necessary evil." (To paraphrase Thomas Paine.)
--
-----------------------------------------------------------------------------
Roger Blake (Posts from Google Groups killfiled due to excess spam.)

NSA sedition and treason -- http://www.DeathToNSAthugs.com
Don't talk to cops! -- http://www.DontTalkToCops.com
Badges don't grant extra rights -- http://www.CopBlock.org
-----------------------------------------------------------------------------
Dan Purgert
2018-08-28 23:21:03 UTC
Permalink
Post by Roger Blake
[...]
The U.S. has a history of recognizing government as a very dangerous
entity and emphasizing individual liberty and freedom over the state.
[...]
Government by its very nature, being founded in violence and coercion,
is a criminal enterprise. The very best you will ever get out of it
is "necessary evil." (To paraphrase Thomas Paine.)
Well said, good sir.
--
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5 4AEE 8E11 DDF3 1279 A281
Huge
2018-08-28 07:52:54 UTC
Permalink
Post by Roger Blake
Post by Nyssa
Nyssa, who won't give out her SS number unless it's to
a government agency with a need to know
The SS number problem is due to one of many government Big Lies.
When Social Security was being debated, even in that pre-computer era
Americans were concerned about its being used to track them. The federal
government promised up, down, and sideways on a stack of bibles that
the SS number would *NEVER* be used as a national ID, it would only be
used for Social Security purposes. (Early cards even said as much on
their face.)
Just another lie. Yet there are people who can't understand why some
of us don't trust government.
Never attribute to malice what can be adequately explained by stupidity.
--
Today is Setting Orange, the 21st day of Bureaucracy in the YOLD 3184
~ Stercus accidit ~
Rich
2018-08-28 11:03:06 UTC
Permalink
Post by Roger Blake
Post by Nyssa
Nyssa, who won't give out her SS number unless it's to
a government agency with a need to know
The SS number problem is due to one of many government Big Lies.
When Social Security was being debated, even in that pre-computer era
Americans were concerned about its being used to track them. The federal
government promised up, down, and sideways on a stack of bibles that
the SS number would *NEVER* be used as a national ID, it would only be
used for Social Security purposes. (Early cards even said as much on
their face.)
And /officially/, it is still not a "national IO" (when viewed from the
now *very extremely narrow* viewpoint of just the Federal Govt's
definition of what it is, where they also ignore that they themselves
miss-use it at the IRS as one's tax ID number).

In reality, yes, it has become a national ID number.

The problem, of course, is that the idiots who were debating and
promising "no, it will not be used as a national ID" were politicians.
And politicians always think that simply because they say "jump", all
their subjects will return "how high, SIR". What the idiots left out
of the statute was any clause that imposed a severe penalty for use of
the SSN for any purpose other than for social security purposes.

But because politicians inhabit an alternate reality where they think
everyone obeys simply because they say so, the penalties for miss-use
never got put into the statute.
Loading...