A good new article from security journalist Brian Krebs examines – and dismisses – plans for the major US mobile operators to authenticate the online identities of their subscribers. Dubbed “Project Verify”, the plan is for operators in the Mobile Authentication Task Force to use a common procedure to authenticate users of internet services, based upon information that only a wireless provider would have, such as the user’s phone number, location and details of their handset. The members of the task force include AT&T, Sprint, T-Mobile and Verizon, so they would have huge reach in providing authentication services to American subscribers. But Krebs points out the obvious flaw:
A key question about adoption of this fledgling initiative will be how much trust consumers place with the wireless companies, which have struggled mightily over the past several years to validate that their own customers are who they say they are [his italics].
AT&T is being sued for USD224mn after yet another SIM swap led to a multimillion dollar theft from a cryptocurrency investor. T-Mobile has suffered yet another data breach which allowed hackers to obtain hashed passwords of 2 million users. All of the big four mobile networks were recently hammered by Senator Ron Wyden for selling subscriber location data too casually. And whilst they made money by exploiting customer data, Verizon and AT&T were simultaneously spending money on lobbying against a relatively mild Californian privacy law.
In summary, if US mobile operators want to leverage their reputation to sell authentication services, it would help if they had bothered to build up a reputation for being trustworthy. Their repeated failures project a different image: clueless corporate clowns who are easily duped by crooks, easily breached by hackers, greedy and reckless with personal data, and opposed to privacy safeguards. Why would anyone trust telcos to authenticate the users of the services provided by another business, if they have repeatedly failed to prevent criminals from taking control of the accounts belonging to subscribers of their own services??!!?
You can read Krebs’ article here.