Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers (Article content in comments just in case Forbes is annoying)

The Phone As Your Identity

In all these cases, as with Kenna’s, the hackers don’t even need specialized computer knowledge. The phone number is the key. And the way to get control of it is to find a security-lax customer service representative at a telecom carrier. Then the hacker can subvert the common security measure called two-factor authentication (2FA) via text. Logging in with 2FA via SMS is supposed to add an extra layer of security beyond your password by requiring you to input a code you receive via SMS (or sometimes phone call) on your mobile phone. All fine and dandy if you’re in possession of your phone number. But if it’s been forwarded or ported to your hacker’s device, then that code is sent straight to them, giving them the keys to your email, bank accounts, cryptocurrency, Facebook and Twitter accounts, and more.

Last summer, the National Institute of Standards and Technology, which sets security standards for the federal government, “deprecated” or indicated it would likely remove support for 2FA via SMS for security. While the security level for the private sector is different from that of the government, Paul Grassi, NIST senior standards and technology advisor, says SMS “never really proved possession of a phone because you can forward your text messages or get them on email or on your Verizon website with just a password. It really wasn’t proving that second factor.”

Worst of all is if the hacker doesn’t have your password but the password recovery process is done via SMS. Then they can reset your password with just your phone number — one factor.

But 2FA via SMS is ubiquitous because of its ease of use. “Not everyone is running around with a smartphone. Some people still have dumb phones,” says Android security researcher Jon Sawyer. “If Google cut off 2FA via SMS, then everybody with a dumb phone would have no two-factor at all. So what’s worse — no two-factor or two-factor that is getting hacked?” (At the end of 2016, 2.56 billion non-smartphones and 3.6 billion smartphones will be in use worldwide, according to mobile industry market research firm CCS Insight.)

This is exactly why Google says it offers 2FA via SMS — it is the method that could offer the most users an extra layer of security. The company also offers users options with higher levels of security, such as an app called Google Authenticator that randomly generates codes or hardware devices like Yubikeys, for users at higher risk (though one could argue those methods should be used by all users who manage any sensitive information such as bank accounts with their email address).

Even cryptocurrency companies that would seem to fall in that higher risk category still use 2FA via SMS. When asked why Coinbase, which has a reputation for good security, still allows for 2FA via SMS (although it does offer more secure options as well), director of security Philip Martin responded via email, “Coinbase has about five million users in 32 countries, including the developing world. The unfortunate fact is many users have no better technical alternative than SMS, because they lack a smart phone or the technical confidence and knowledge to use more sophisticated techniques. Given those restrictions, our attitude is any 2FA is better than no 2FA.” Another Bitcoin startup also known for strong security and that also has a growing customer base in emerging markets, Xapo, uses 2FA via SMS but plans to phase it out soon. (Both services have other security measures in place that have prevented users whose phones were hijacked from losing coins.)

Jesse Powell, CEO of U.S.-based exchange Kraken, who wrote an extensive blog post detailing how to secure one’s phone number, blames the telcos for not safekeeping phone numbers even though they are a linchpin in security for so many services, including email. “The [telecom] companies don’t treat your phone number like a bank account, but it should be treated like your bank. If you show up without your pin code or your ID, then they shouldn’t help you,” he says. “But they prioritize convenience above all else.”

He says that attitude especially puts people who own cryptocurrency at risk. “The Bitcoin people have a different threat level,” says Powell. The average person might have photos or private information compromised, or be able to ask their bank to reverse the credit card transaction. “But for people in the bitcoin space, there are real consequences,” he says. “The phone companies aren’t building a service for people who are in charge of millions of dollars. They’re in the business of providing a consumer product.”

Fenbushi Capital’s Shen described a mismatch between the security required so far online versus the kind of security needed for those working at the frontier of cryptocurrency. “I think most of the current services like Google, Yahoo or Facebook or Amazon are working out solutions good for the information web,” he says. “Now we are at the value web, which is real money involved.”

/r/btc Thread Parent Link - forbes.com