Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.misc > #16468 > unrolled thread

[Link Posting] Phone Numbers Were Never Meant as ID. Now We're All At Risk

Back to article view | Back to comp.misc

Contents

  [Link Posting] Phone Numbers Were Never Meant as ID. Now We're All At Risk Rich <rich@example.invalid> - 2018-08-26 14:06 +0000
    Re: [Link Posting] Phone Numbers Were Never Meant as ID. Now We're All At Risk Huge <Huge@nowhere.much.invalid> - 2018-08-27 09:05 +0000
      Re: [Link Posting] Phone Numbers Were Never Meant as ID. Now We're All At Risk mausg@mail.com - 2018-08-27 15:23 +0000
    Re: [Link Posting] Phone Numbers Were Never Meant as ID. Now We're All At Risk Nyssa <Nyssa@flawlesslogic.com> - 2018-08-27 09:23 -0400
      Re: [Link Posting] Phone Numbers Were Never Meant as ID. Now We're All At Risk Huge <Huge@nowhere.much.invalid> - 2018-08-27 13:58 +0000
      Re: [Link Posting] Phone Numbers Were Never Meant as ID. Now We're All At Risk Andy Burns <usenet@andyburns.uk> - 2018-08-27 15:30 +0100
        Re: [Link Posting] Phone Numbers Were Never Meant as ID. Now We're All At Risk Nyssa <Nyssa@flawlesslogic.com> - 2018-08-27 12:38 -0400
      Re: [Link Posting] Phone Numbers Were Never Meant as ID. Now We're All At Risk Rich <rich@example.invalid> - 2018-08-27 15:58 +0000
      Re: [Link Posting] Phone Numbers Were Never Meant as ID. Now We're All At Risk Roger Blake <rogblake@iname.invalid> - 2018-08-27 22:52 +0000
        Re: [Link Posting] Phone Numbers Were Never Meant as ID. Now We're All At Risk Marko Rauhamaa <marko@pacujo.net> - 2018-08-28 08:16 +0300
          Re: [Link Posting] Phone Numbers Were Never Meant as ID. Now We're All At Risk Dan Purgert <dan@djph.net> - 2018-08-28 11:23 +0000
          Re: [Link Posting] Phone Numbers Were Never Meant as ID. Now We're All At Risk Roger Blake <rogblake@iname.invalid> - 2018-08-28 18:04 +0000
            Re: [Link Posting] Phone Numbers Were Never Meant as ID. Now We're All At Risk Dan Purgert <dan@djph.net> - 2018-08-28 23:21 +0000
        Re: [Link Posting] Phone Numbers Were Never Meant as ID. Now We're All At Risk Huge <Huge@nowhere.much.invalid> - 2018-08-28 07:52 +0000
        Re: [Link Posting] Phone Numbers Were Never Meant as ID. Now We're All At Risk Rich <rich@example.invalid> - 2018-08-28 11:03 +0000

#16468 — [Link Posting] Phone Numbers Were Never Meant as ID. Now We're All At Risk

      ####################################################################
      # ATTENTION: This post is a reference to a website.  The poster of #
      # this Usenet article is not the author of the referenced website. #
      ####################################################################

<URL:https://www.wired.com/story/phone-numbers-indentification-authentic
ation/>

The text below is a quotation from the URL above:
>
>  On Thursday, T-Mobile confirmed that some of its customer data was
>  breached in an attack the company discovered on Monday. It's a snappy
>  disclosure timeframe, and the carrier said that no financial data or
>  Social Security numbers were compromised in the breach. A relief, right?
>  The problem is the customer data that was potentially exposed: name,
>  billing zip code, email address, some hashed passwords, account number,
>  account type, and phone number. Pay close attention to that last one.
>
>  The cumulative danger of all of these data points becoming exposed - not
>  just by T-Mobile but across countless breaches - is that it makes it
>  easier for attackers to impersonate you and take control of your
>  accounts. And while the passwords are bad news, perhaps no piece of
>  standard personal information has more value than your phone number.
>
>  That's because phone numbers have become more than just a way to contact
>  someone. In recent years, more and more companies and services have come
>  to rely on smartphones to confirm - or "authenticate" - users. In
>  theory, this makes sense; an attacker might get your passwords, but it's
>  much harder for them to get physical access to your phone. In practice,
>  it means that a single, often publicly available, piece of information
>  gets used both as your identity and a means to verify that identity, a
>  skeleton key into your entire online life. Hackers have known this, and
>  profited from it, for years. Companies don't seem interested in catching
>  up.
>
>  ...

[toc] | [next] | [standalone]

#16469

On 2018-08-26, Rich <rich@example.invalid> wrote:
>       ####################################################################
>       # ATTENTION: This post is a reference to a website.  The poster of #
>       # this Usenet article is not the author of the referenced website. #
>       ####################################################################
>
><URL:https://www.wired.com/story/phone-numbers-indentification-authentic
> ation/>
>
> The text below is a quotation from the URL above:
>>
>>  On Thursday, T-Mobile confirmed that some of its customer data was
>>  breached in an attack the company discovered on Monday. 

Ah, yes. T-Mobile. The company that keeps your password in a database
in plain text and insists this is not a problem because of their "great
security".

Phags.

-- 
Today is Pungenday, the 19th day of Bureaucracy in the YOLD 3184
                      ~ Stercus accidit ~

[toc] | [prev] | [next] | [standalone]

#16474

On 2018-08-27, Huge <Huge@nowhere.much.invalid> wrote:
> On 2018-08-26, Rich <rich@example.invalid> wrote:
>>       ####################################################################
>>       # ATTENTION: This post is a reference to a website.  The poster of #
>>       # this Usenet article is not the author of the referenced website. #
>>       ####################################################################
>>
>><URL:https://www.wired.com/story/phone-numbers-indentification-authentic
>> ation/>
>>
>> The text below is a quotation from the URL above:
>>>
>>>  On Thursday, T-Mobile confirmed that some of its customer data was
>>>  breached in an attack the company discovered on Monday. 
>
> Ah, yes. T-Mobile. The company that keeps your password in a database
> in plain text and insists this is not a problem because of their "great
> security".
>
> Phags.
>

A civvy (non computer aware person) told me this story. His home phone
number does not show up on mobiles when he calls them. Now, he is
very nosy about his neighbours, so he rings up the social welfare
office, giving the neighbours name, and the person answering says,
"Could you tell me your number, it is not showing here."

He does , giving the neighbours mobile number, and is told the neighbours 
social welfare status.


-- 
Maus@ireland.com
Will Rant For Food

[toc] | [prev] | [next] | [standalone]

#16471

Rich wrote:

>       ####################################################################
>       # ATTENTION: This post is a reference to a website. 
>       # The poster of # this Usenet article is not the
>       # author of the referenced website. #
>       ####################################################################
> 
> <URL:https://www.wired.com/story/phone-numbers-indentification-authentic
> ation/>
> 
> The text below is a quotation from the URL above:
>>
>>  On Thursday, T-Mobile confirmed that some of its
>>  customer data was breached in an attack the company
>>  discovered on Monday. It's a snappy disclosure
>>  timeframe, and the carrier said that no financial data
>>  or Social Security numbers were compromised in the
>>  breach. A relief, right? The problem is the customer
>>  data that was potentially exposed: name, billing zip
>>  code, email address, some hashed passwords, account
>>  number, account type, and phone number. Pay close
>>  attention to that last one.
>>
>>  The cumulative danger of all of these data points
>>  becoming exposed - not just by T-Mobile but across
>>  countless breaches - is that it makes it easier for
>>  attackers to impersonate you and take control of your
>>  accounts. And while the passwords are bad news, perhaps
>>  no piece of standard personal information has more value
>>  than your phone number.
>>
>>  That's because phone numbers have become more than just
>>  a way to contact someone. In recent years, more and more
>>  companies and services have come to rely on smartphones
>>  to confirm - or "authenticate" - users. In theory, this
>>  makes sense; an attacker might get your passwords, but
>>  it's much harder for them to get physical access to your
>>  phone. In practice, it means that a single, often
>>  publicly available, piece of information gets used both
>>  as your identity and a means to verify that identity, a
>>  skeleton key into your entire online life. Hackers have
>>  known this, and profited from it, for years. Companies
>>  don't seem interested in catching up.
>>
>>  ...
Ah, yes, the infamous "we'll send a text code to your
phone" verification method.

Since I do NOT have a cell phone of any kind (much less
a smart one), I've had all sorts of problems with places
that insist that's the only way to verify that I'm me. 

Sometimes an email explaining that my landline doesn't
accept texts will get to someone who can override the
problem, but often I've ended up locked out with no way
to override it, and no one who will take the issue
seriously. (What do you mean, you don't have a cell
phone? EVERYONE has a cell phone, so you must be a crook!)

I also wonder why T-Mobile or any cell service provider
would need to know a customer's social security number.
Talk about an invitation for mischief and mayhem!

Nyssa, who won't give out her SS number unless it's to
a government agency with a need to know
 

[toc] | [prev] | [next] | [standalone]

#16472

On 2018-08-27, Nyssa <Nyssa@flawlesslogic.com> wrote:

[59 lines snipped]

> I also wonder why T-Mobile or any cell service provider
> would need to know a customer's social security number.

Because, contrary to the original requirements (and indeed, to the
SS Admin's charter) the SSN has become an ID number.

> Talk about an invitation for mischief and mayhem!

Quite.

> Nyssa, who won't give out her SS number unless it's to
> a government agency with a need to know

https://www.allclearid.com/personal/when-you-can-say-no-to-providing-your-social-security-number/

I tried to open a bank account in the USA a few years ago, for entirely
innocuous reasons (my parents live there) and was told, wrongly, by a
number of banks that I couldn't do so because I do not have an SSN (on
account of not living in or being a citizen of the USA.)

There doesn't seem to be a "Falsehoods Programmers Believe ..." list
about SSNs, although there are some applicable points here;

https://samphippen.com/falsehoods-dev/

-- 
Today is Pungenday, the 19th day of Bureaucracy in the YOLD 3184
                      ~ Stercus accidit ~

[toc] | [prev] | [next] | [standalone]

#16473

Nyssa wrote:

> the infamous "we'll send a text code to your
> phone" verification method.
> Since I do NOT have a cell phone

Does you provider support SMS delivery to a POTS phone?
Here if you don't have SMS compatible phones (generally DECT models) 
they will deliver it as a robo-spoken message.

[toc] | [prev] | [next] | [standalone]

#16476

Andy Burns wrote:

> Nyssa wrote:
> 
>> the infamous "we'll send a text code to your
>> phone" verification method.
>> Since I do NOT have a cell phone
> 
> Does you provider support SMS delivery to a POTS phone?
> Here if you don't have SMS compatible phones (generally
> DECT models) they will deliver it as a robo-spoken
> message.

I doubt that this would be available. Even if it were,
no doubt Verizon (the landline company that bought out
GTE that originally owned the lines) would charge a
hefty fee for the service (just as they do for everything
else).

A few companies/websites will find an alternative method
of verification once they get over the shock of hearing
from someone without a cell phone. Most others just
ignore it and hope you will either go away or borrow
a friend's phone long enough to play their silly games.

Nyssa, who needs her landline for her dialup connection
and has a 2m mobile radio device if needed on the road for 
an emergency

[toc] | [prev] | [next] | [standalone]

#16475

Nyssa <Nyssa@flawlesslogic.com> wrote:
> I also wonder why T-Mobile or any cell service provider would need to
> know a customer's social security number.

Because, sadly, the "credit reporting agencies" (Equifax et al.) all
use the SSN as a unique key to identify you in their database. 
Therefore, in order for T-Mobile to look up your credit rating (to see
if they want to provide you a plan where you pay /after/ you've used up
a month's service [1]) they need the SSN to look you up in the Equifax's of
the world. 

> Talk about an invitation for mischief and mayhem!

Yup.  Exactly why the Equifax breach last year was so damaging.




[1] I.e., they want to see that you "usually pay your bills on time" so
they can then decide that yeah, you will likely also "pay this bill in
time".

[toc] | [prev] | [next] | [standalone]

#16478

On 2018-08-27, Nyssa <Nyssa@flawlesslogic.com> wrote:
> Nyssa, who won't give out her SS number unless it's to
> a government agency with a need to know

The SS number problem is due to one of many government Big Lies.

When Social Security was being debated, even in that pre-computer era
Americans were concerned about its being used to track them. The federal
government promised up, down, and sideways on a stack of bibles that
the SS number would *NEVER* be used as a national ID, it would only be
used for Social Security purposes. (Early cards even said as much on
their face.)

Just another lie. Yet there are people who can't understand why some
of us don't trust government.

-- 
-----------------------------------------------------------------------------
  Roger Blake (Posts from Google Groups killfiled due to excess spam.)

  NSA sedition and treason        -- http://www.DeathToNSAthugs.com
  Don't talk to cops!             -- http://www.DontTalkToCops.com
  Badges don't grant extra rights -- http://www.CopBlock.org
-----------------------------------------------------------------------------

[toc] | [prev] | [next] | [standalone]

#16481

Roger Blake <rogblake@iname.invalid>:
> Just another lie. Yet there are people who can't understand why some
> of us don't trust government.

The same people who swear by the US Constitution trust the government
the least.

So is the US Constitution an utter failure or not? Or is the problem
with the quality of the citizenry?

There are more modern countries with fresher constitutions and more
functioning governments. It's funny how the Americans by and large want
their governments to stay away from their lives while in Finland (where
I live) people constantly demand the government do more for them.


Marko

[toc] | [prev] | [next] | [standalone]

#16484

Marko Rauhamaa wrote:
> Roger Blake <rogblake@iname.invalid>:
>> Just another lie. Yet there are people who can't understand why some
>> of us don't trust government.
>
> The same people who swear by the US Constitution trust the government
> the least.
>
> So is the US Constitution an utter failure or not? Or is the problem
> with the quality of the citizenry?

More that there is the realization of the fallibility of man, and the
reasonably well-documented proof that governments tend toward amassing
power ... and the more power there is, the more potential for
corruption.

>
> There are more modern countries with fresher constitutions and more
> functioning governments. It's funny how the Americans by and large want
> their governments to stay away from their lives while in Finland (where
> I live) people constantly demand the government do more for them.

Sparknotes version of it is that the US was pretty much founded on the
idea that "the government" is a required evil to ensure that (in
general), the governed people retain their liberties.

To that end, when the US Constitution was written, the states would not
ratify it without the Bill of Rights being added in (NOTE -- those
amendments are not _granting_ the people anything they didn't already
have), as the state governments and, by extension, the people governed
were (rightly) worried that at some point in the future, the government
could become tyrannical (or at the very least, infringe on those
rights).

We can see some of that happening in places like Canada, where "hate
speech(tm)" laws have been enacted.  Whereas here, I can legally say
anything I want about some dude dressing up in his wife's clothes,
without being arrested for "saying mean thingsi(tm)" (or whatever).


-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281

[toc] | [prev] | [next] | [standalone]

#16485

On 2018-08-28, Marko Rauhamaa <marko@pacujo.net> wrote:
> The same people who swear by the US Constitution trust the government
> the least.

That is because government has veered so far off the rails that
were supposed to constrain it.

> So is the US Constitution an utter failure or not? Or is the problem
> with the quality of the citizenry?

It has failed at the mission of confining government to enumerated
powers and preventing it from doing things like domestic spying on
all citizens. It has failed to keep us a nation of laws rather than
men. (Today it almost doesn't matter what the law actually says,
it matters what judges says it means.)

> There are more modern countries with fresher constitutions and more
> functioning governments. It's funny how the Americans by and large want
> their governments to stay away from their lives while in Finland (where
> I live) people constantly demand the government do more for them.

"More functioning" is a value judgement. Perhaps you mean governments
that force the highest number of regulations on their citizens and
micro-manage their lives to the highest extent possible. That is what
I see when I look at most countries with "fresher constitutions and
more functioning governments."

In any event I don't have the temerity to tell people in other countries
how they should live. That is up to them.

The U.S. has a history of recognizing government as a very dangerous
entity and emphasizing individual liberty and freedom over the state.

Of course the reality has often fallen far short of that ideal and today
is virtually unrecognizeable. From my own standpoint all I want from
the national government is to confine its activities to those items
specifically assigned to it and otherwise leave me the hell alone.

Government by its very nature, being founded in violence and coercion,
is a criminal enterprise. The very best you will ever get out of it
is "necessary evil." (To paraphrase Thomas Paine.)

-- 
-----------------------------------------------------------------------------
  Roger Blake (Posts from Google Groups killfiled due to excess spam.)

  NSA sedition and treason        -- http://www.DeathToNSAthugs.com
  Don't talk to cops!             -- http://www.DontTalkToCops.com
  Badges don't grant extra rights -- http://www.CopBlock.org
-----------------------------------------------------------------------------

[toc] | [prev] | [next] | [standalone]

#16486

Roger Blake wrote:
> On 2018-08-28, Marko Rauhamaa <marko@pacujo.net> wrote:
> [...]
> The U.S. has a history of recognizing government as a very dangerous
> entity and emphasizing individual liberty and freedom over the state.
>
> [...]
>
> Government by its very nature, being founded in violence and coercion,
> is a criminal enterprise. The very best you will ever get out of it
> is "necessary evil." (To paraphrase Thomas Paine.)
>

Well said, good sir.

-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281

[toc] | [prev] | [next] | [standalone]

#16482

On 2018-08-27, Roger Blake <rogblake@iname.invalid> wrote:
> On 2018-08-27, Nyssa <Nyssa@flawlesslogic.com> wrote:
>> Nyssa, who won't give out her SS number unless it's to
>> a government agency with a need to know
>
> The SS number problem is due to one of many government Big Lies.
>
> When Social Security was being debated, even in that pre-computer era
> Americans were concerned about its being used to track them. The federal
> government promised up, down, and sideways on a stack of bibles that
> the SS number would *NEVER* be used as a national ID, it would only be
> used for Social Security purposes. (Early cards even said as much on
> their face.)
>
> Just another lie. Yet there are people who can't understand why some
> of us don't trust government.

Never attribute to malice what can be adequately explained by stupidity.


-- 
Today is Setting Orange, the 21st day of Bureaucracy in the YOLD 3184
                      ~ Stercus accidit ~

[toc] | [prev] | [next] | [standalone]

#16483

Roger Blake <rogblake@iname.invalid> wrote:
> On 2018-08-27, Nyssa <Nyssa@flawlesslogic.com> wrote:
>> Nyssa, who won't give out her SS number unless it's to
>> a government agency with a need to know
> 
> The SS number problem is due to one of many government Big Lies.
> 
> When Social Security was being debated, even in that pre-computer era
> Americans were concerned about its being used to track them. The federal
> government promised up, down, and sideways on a stack of bibles that
> the SS number would *NEVER* be used as a national ID, it would only be
> used for Social Security purposes. (Early cards even said as much on
> their face.)

And /officially/, it is still not a "national IO" (when viewed from the
now *very extremely narrow* viewpoint of just the Federal Govt's
definition of what it is, where they also ignore that they themselves
miss-use it at the IRS as one's tax ID number).

In reality, yes, it has become a national ID number.

The problem, of course, is that the idiots who were debating and
promising "no, it will not be used as a national ID" were politicians. 
And politicians always think that simply because they say "jump", all
their subjects will return "how high, SIR".  What the idiots left out
of the statute was any clause that imposed a severe penalty for use of
the SSN for any purpose other than for social security purposes.

But because politicians inhabit an alternate reality where they think
everyone obeys simply because they say so, the penalties for miss-use
never got put into the statute.

[toc] | [prev] | [standalone]

Back to top | Article view | comp.misc

csiph-web