Imagine you try to log into your bank account one day to set up a payment on your mortgage. You realize that something's wrong when the bank's website tells you you've entered the wrong password. That's strange, you think, as you click the link to "reset your password."
It's an easy process, but first, the bank requires that you prove you're actually you, by sending a simple text message with a six-digit code to the mobile phone number on file. But when you request your code, the text never comes.
Now you're starting to get worried, so you call your bank to discover that this is going to be a very bad day. Someone has already set up an online payment, but not to cover your mortgage. Instead, they have much more malicious plans for your money.
And they did it all by stealing one of the most public pieces of information about you: your phone number.
The SIM-swapping problem.
By the way, if you think this can't possibly happen, just ask Jack Dorsey, the CEO of Twitter, who had his own account hacked in exactly this way a few weeks ago. It's called SIM swapping, and it's a much bigger problem than anyone seems to admit. If hackers can gain control of the Twitter account belonging to the CEO of Twitter, it might be time to start taking it seriously.
In fact, the only reason it hasn't gotten much worse is that it requires a decent amount of effort on the part of the bad guys. It's a manual, brute-force attack that requires social engineering, technical know-how, and a degree of luck.
The hacker who has your phone number only has to convince any front-line mobile carrier employee who has access to customer records--say a retail store team member or customer-service agent--that they're you. Then, they simply swap your legitimate phone number to the SIM card in their phone.
Since you're not asking for personal information about an account, but simply trying to replace a phone you lost (or some other legitimate-sounding reason), that's actually easier than you might think. Sure, they might ask you for a photo ID, but it's not like it's beyond the realm of possibility that someone could find a fake ID capable of fooling a 19-year-old cell phone salesperson.
Then again, an even easier approach is to just recruit that 19-year-old in the scheme. Once that happens, a bad guy is able to basically bypass a password, no matter how secure it is.
I talked to Allison Nixon, the director of security research at Flashpoint, who encourages companies that build products to reconsider how they protect customer information, and provide password resets. Following Dorsey's hack in late August, she tweeted:
If you build a website that uses SMS based 2FA, and you also allow the same phone number for use in password reset, you just built a self-defeating login process. And you should feel bad.-- Allison Nixon (@nixonnixoff) September 3, 2019
Phone numbers aren't private.
That's because we use phone numbers--which were never meant to be private, or serve as a form of security protection--as a defense from cyber-criminals. Almost every common two-factor authentication and password reset involves a phone number.
The idea is that using a phone number allows a service provider to verify that you have possession of a phone that they have registered as belonging to you.
That makes sense, considering almost everyone over the age of 12 has a phone number. But phone numbers aren't secure. I've probably had a dozen mobile phone numbers during my adult life, all of which now legitimately belong to someone else.
Considering how vulnerable our phone numbers are, and how much of our personal and financial information they supposedly protect, it seems like someone should do something. The reason they aren't is that SIM swapping isn't considered a common enough risk to be a major concern.
Sure, it doesn't happen a lot, but ask Jack Dorsey how many times it has to happen to you before it's a real problem.
No one is solving this problem.
Unfortunately, it's a matter of friction. Every customer-facing system a business puts in place has to balance the amount of work a customer must do to accomplish their needs and the challenge that system presents for a bad guy. The harder it is for a bad guy, generally the more of a hassle it is for the customer. Make it too hard, and customers will just go somewhere else, even if it's in their best interest to stay.
No one thinks it will ever happen to them, so no one cares enough to make it worth jumping through the extra hoops required. That's always the trade-off with any security system.
Nixon told me that a good place to start would be to simply "stop using phone numbers in this way." In addition, she suggests that accounts where a phone number is used to reset a password should be placed on probation, or require additional verification using non-public information.
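To make the two points above concrete, here is an added example (not code from the article, Flashpoint, or any bank) that models a recovery policy the way a defender would: it flags the self-defeating case where SMS is both the second factor and a password-reset channel, and it puts an account on probation after any phone-based reset so that sensitive actions stay blocked until the owner verifies with non-public information. Account names, phone numbers, the 48-hour window, and the "answer drawn from account history" check are all constructed assumptions for illustration.

```python
"""Recovery-policy audit and post-reset probation (illustrative model).

Two defensive ideas are modelled here:
  1. A site that uses SMS-based 2FA and also lets the same phone number
     drive password resets has a self-defeating login flow; audit it.
  2. An account whose password was reset via a phone number sits on
     probation: sensitive changes are refused until the owner verifies
     identity with something an attacker holding the SIM would not have.
All accounts, numbers and windows below are constructed sample values.
"""
from __future__ import annotations

import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

PROBATION_WINDOW = timedelta(hours=48)  # assumed policy value
# Actions someone who just took over a phone number would try first.
SENSITIVE_ACTIONS = {"add_payee", "change_email", "change_phone", "disable_2fa"}


@dataclass
class Account:
    user_id: str
    phone: str
    second_factor: str                        # "sms", "totp" or "hardware_key"
    reset_channels: set = field(default_factory=set)   # e.g. {"sms", "email"}
    probation_until: Optional[datetime] = None
    # True once the owner verified with non-public information after a reset.
    verified_offline: bool = False


def audit_recovery_policy(acct: Account) -> list[str]:
    """Return policy findings for one account; an empty list means no issue."""
    findings = []
    if acct.second_factor == "sms" and "sms" in acct.reset_channels:
        findings.append("self_defeating: SMS is both the second factor and a reset channel")
    if acct.reset_channels == {"sms"}:
        findings.append("single_public_channel: reset depends only on the phone number")
    return findings


def complete_password_reset(acct: Account, channel: str, now: datetime) -> None:
    """Record a completed reset; a phone-based reset opens the probation window."""
    if channel not in acct.reset_channels:
        raise ValueError(f"{channel!r} is not an allowed reset channel")
    if channel == "sms":
        acct.probation_until = now + PROBATION_WINDOW
        acct.verified_offline = False


def authorize(acct: Account, action: str, now: datetime) -> tuple[bool, str]:
    """Allow or refuse an action given the account's probation state."""
    on_probation = acct.probation_until is not None and now < acct.probation_until
    if action in SENSITIVE_ACTIONS and on_probation and not acct.verified_offline:
        return False, "on probation after phone-based reset; additional verification required"
    return True, "ok"


def verify_with_non_public_info(acct: Account, answer: str, expected: str) -> bool:
    """Stand-in for an out-of-band check (e.g. a detail from account history).

    Uses a constant-time comparison; on success the probation block lifts.
    """
    ok = hmac.compare_digest(answer.encode(), expected.encode())
    if ok:
        acct.verified_offline = True
    return ok


if __name__ == "__main__":
    alice = Account("alice", "+1-555-0100", second_factor="sms",
                    reset_channels={"sms", "email"})
    print(audit_recovery_policy(alice))
    t0 = datetime(2019, 9, 3, 12, 0)
    complete_password_reset(alice, "sms", t0)
    print(authorize(alice, "add_payee", t0 + timedelta(hours=1)))
    verify_with_non_public_info(alice, "branch-0042", "branch-0042")
    print(authorize(alice, "add_payee", t0 + timedelta(hours=1)))
```

The audit is the cheap part: run it over every account's settings and you immediately see how many logins are defended only by a public phone number. The probation gate is what limits damage when a swap does succeed, since the attacker's first move is usually to add a payee or change contact details, and those are exactly the actions held back until a non-phone verification completes.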
By far the best solution is similar to the one used with services like Apple Pay. If I use Apple Pay on my laptop, it requires me to authenticate the payment on my iPhone using Face ID (or Touch ID on older devices). To the best of my knowledge, face-swapping is only a thing in the movies--meaning you're not getting in without my face (which is probably better for both of us).