20.5k unique visitors in the last 3 days

Scorn for Web Identity Scheme of US Mobile Operators

The operators want to authenticate subscribers when they use online services provided by other businesses.

A good new article from security journalist Brian Krebs examines – and dismisses – plans for the major US mobile operators to authenticate the online identities of their subscribers. Dubbed “Project Verify”, the idea is that operators in the Mobile Authentication Task Force will use a common procedure to authenticate users of internet services, based upon information that only a wireless provider would have, such as the user’s phone number, location and details of their handset. The members of the task force include AT&T, Sprint, T-Mobile and Verizon, so they would have huge reach in providing authentication services to American subscribers. But Krebs points out the obvious flaw:

A key question about adoption of this fledgling initiative will be how much trust consumers place with the wireless companies, which have struggled mightily over the past several years to validate that their own customers are who they say they are [his italics].

AT&T is being sued for USD224mn after yet another SIM swap led to a multimillion dollar theft from a cryptocurrency investor. T-Mobile has suffered yet another data breach which allowed hackers to obtain hashed passwords of 2 million users. All of the big four mobile networks were recently hammered by Senator Ron Wyden for selling subscriber location data too casually. And whilst they made money by exploiting customer data, Verizon and AT&T were simultaneously spending money on lobbying against a relatively mild Californian privacy law.

In summary, if US mobile operators want to leverage their reputation to sell authentication services, it would help if they had bothered to build up a reputation for being trustworthy. Their repeated failures project a different image: clueless corporate clowns who are easily duped by crooks, easily breached by hackers, greedy and reckless with personal data, and opposed to privacy safeguards. Why would anyone trust telcos to authenticate the users of the services provided by another business, if they have repeatedly failed to prevent criminals from taking control of the accounts belonging to subscribers of their own services??!!?

You can read Krebs’ article here.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email