Stop Treating Phone Numbers As A Digital ID : technology

[-] HawlSera@lemm.ee 2 points 48 minutes ago

I absolutely love this.

[-] jpablo68@infosec.pub 7 points 4 hours ago

I'm in a quest to find a good email provider that doesn't ask for a cellphone or another email address while creating an account, cock.li used to do this but now it's "getting back on its feet"

[-] wulf@lemmy.world 2 points 55 minutes ago

Personally I use mailbox.org, it's not free, but you are not the product

[-] D_Air1@lemmy.ml 60 points 7 hours ago

Phone numbers social security numbers

Stop making personal information into digital ids because when it inevitably ends up in some kind of data breach. These companies all throw their hands up saying sucks to be you.

[-] penquin@lemm.ee 5 points 3 hours ago

Nah, man. Gotta get my $2.97 check.

[-] sugar_in_your_tea@sh.itjust.works 4 points 3 hours ago

Yeah, just generate a unique ID and ask only for the information you actually need.

[-] IDKWhatUsernametoPutHereLolol@lemmy.dbzer0.com 105 points 9 hours ago

This should be what digital ID looks like:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEZ26+ARYJKwYBBAHaRw8BAQdAsUGMjbGNUyyz9PHsHKP4xj/tIfYIuHb4miPH 0iCPpu60K0VSUk9SOiBFYXJ0aC5leGUgaGFzIGNyYXNoZWQgPG5vQGVtYWlsLmV4 ZT6IcgQTFggAGgQLCQgHAhUIAhYBAhkBBYJnbr4BAp4BApsDAAoJEI6E3uMn31Z3 028BAM5o8ER0dqTsxFlZSgZOvvgFHGuy2eFgF3rULkGKl1KrAP9fdE7WwnYbBer/ AVmw5jr0P5m/XsEQQrSueuk/FLYBBbg4BGduvgESCisGAQQBl1UBBQEBB0BDR0Bv pf4jxbwp9rVowFTnL59NGqnnh6XyF/LjAoYDGgMBCAeIYQQYFggACQWCZ26+AQKb DAAKCRCOhN7jJ99Wd1dMAP45xmN03SodkWHi7PYOORqNXJUBdMzzfsRXdqE8ZXaW vAD+PqNqPcbwJYCOEAXkg7DlZ0SX3o9MViZLdzHFQ3TpUA8= =krDh -----END PGP PUBLIC KEY BLOCK-----

PGP Key Fingerprint: 857957d40f06cc816fd3d29a8e84dee327df5677

Should be good until quantum computers come around

[-] bestboyfriendintheworld@sh.itjust.works 19 points 6 hours ago

Now type it a form that doesn’t allow copy and paste.

[-] ayyy@sh.itjust.works 14 points 4 hours ago

The California DMV requires you to renew your vehicle registration every year by paying with a bank account number (no card) which is like a 30ish digit number and they disable paste. If you get it wrong they won’t notify you in any way until you get pulled over by a cop who is one bad sneeze away from murdering you. It’s a great system.

[-] frostysauce@lemmy.world 2 points 22 minutes ago

Bank account numbers are, like, 8-10 digits. Certainly not 30ish.

[-] azl@lemmy.sdf.org 1 points 51 minutes ago

I have renewed my CA registration with a credit card going back to at least 2016. A responsible driver would know their renewal failed when their registration document did not arrive via mail.

[-] AbsoluteChicagoDog@lemm.ee 4 points 47 minutes ago

Nah dude fuck that. The burned of compliance with laws shouldn't fall so hard on people.

[-] mox@lemmy.sdf.org 12 points 6 hours ago

Why?

[-] TriflingToad@sh.itjust.works 4 points 5 hours ago

tbh ive never had a password box that I can't copy/paste into

[-] AbidanYre@lemmy.world 12 points 5 hours ago

I've seen a few. They're super annoying when trying to use a password manager with a decent password.

[-] bilb@lem.monster 3 points 5 hours ago

Or even just a paper form.

[-] Zak@lemmy.world 48 points 9 hours ago

I'm sad PGP didn't become a popular way to log into websites. A challenge-response protocol could have even been built into web browsers. Big tech is reinventing that idea as Passkey, but with a very big tech flavor.

[-] IDKWhatUsernametoPutHereLolol@lemmy.dbzer0.com 19 points 9 hours ago* (last edited 9 hours ago)

I mean, passkeys are... sort of... PGP... 🤷‍♂️

[-] Imgonnatrythis@sh.itjust.works 16 points 8 hours ago

Thanks, gonna need your phone number to verify that though.

[-] namingthingsiseasy@programming.dev 5 points 6 hours ago

No you don't! That's why we have key-signing parties!

[-] Pika@sh.itjust.works 6 points 7 hours ago* (last edited 7 hours ago)

I want to preface this response saying I full agree with this, I want something like this to happen, I am responding because of some concerns I have. The real major one: How do you verify the authentication part of the data security chain?

A PGP key alone does not authentically validate that you are who you say you are. When the source is the untrusted party, it doesn't accomplish the site's goal. It's the equivalent to me handing you a piece of paper saying "I'm John Smith and this is what I use to say I'm this" which works amazing for trusted exchanges, but when the source is "just trust me bro" it doesn't solve anything for the website owner.

Websites get around this by having trust certificates/root servers that are co-signed with the PGP key. However, we lack any system like that for personal identities. Arguably, setting up such a system would isolate most of the known internet, as it is a significant roadblock, much like how SSL certificate usage was a huge roadblock for sites before Let's Encrypt became a thing.

This setup would be amazing for logging into sites. However, it fails to accomplish what the websites that are asking for PII are looking for, which is verification that their user is who they say they are, and not a random third party.

To reliably use this setup, we would need something similar to Let's Encrypt, but for user identification. The issue with that is it would become the de-facto attack vector (for both law enforcement and criminal parties), and that site would need to require PII to address the biggest concern on these sites, which is that you are who you say you are, and not Jo Smo or a bot looking to harvest data. Additionally, as mentioned earlier, a massive retraining of the internet would need to be done, which would mostly affect non-tech folk.

I am hopeful that an easy function that won't violate users privacy comes out, but I don't think the two topics are compatible sadly

[-] socsa@piefed.social 4 points 6 hours ago* (last edited 6 hours ago)

The solution here is distributed trust by proxy. You start with a single exchange between two trusted peers, and build from there. As long as every individual link within the network is trusted, then any route between two disconnected endpoints can be trusted as well. As the network grows there is a very high statistical likelihood that there will exist many individual trust graphs between two nodes, which provides redundant validation.

I have always thought this would make a cool chat app. You enter the network by scanning someone's QR code to become their validated peer, and then you can theoretically communicate with anyone else on the network by exchanging keys via trust graphs. You could then build a social network on top of it which shows you how many hops it takes you to get to some celebrity or some shit.

[-] Pika@sh.itjust.works 2 points 5 hours ago* (last edited 5 hours ago)

tox did something similar with this outcome, but it never took off. Basically with tox each account is actually stored locally, much like how Skype did when it was p2p, but the difference is your account is actually on your device, as in if you lost your "key" you lost your account, when you connected with others, you gave your friends your TOXID which was essentially your public key signature with some added information regarding what you wanted for privacy added to it, and then your messages were relayed through a p2p DHS network. Every communication was encrypted e2e. With tox anyone could create an account with any information, but only people you added were able to message you, and visa versa. The only time you were ever publicly disclosed was during adding contacts to people you didn't already have, which helped minimize botting on it as bots wouldn't be able to message you without your ID. The issue with that method was, both parties had to be online to message each other, there was no central server to manage identity and handle users, so every connection was considered trusted since you had to manually add the person via their tox ID.

I expect this solution /could/ be moved into a centralized system for all user accounts, since the only way to add people was manually adding their private key, but I would expect that on large scale, the lack of ability to actually stop problematic users might dissuade platforms from wanting to implement it, since account creation was as easy as just clicking "create account" and no accounts were ever verified server side, which in order to do, brings back to the issue topic: Privacy vs Security

[-] kautau@lemmy.world 2 points 5 hours ago

Like this?

https://en.wikipedia.org/wiki/Secure_Scuttlebutt

load more comments (2 replies)

[-] undefined@lemmy.hogru.ch 200 points 11 hours ago* (last edited 6 hours ago)

To the same audience: quit selling my fucking phone number!

I ditched a phone number I had for 10+ years because it was leaked everywhere. Only a few short months after updating my number with the DMV and a handful of other government agencies I started receiving scam calls/messages again.

At some point we need to adopt some fucking privacy laws. This is absolutely bonkers—is no one else fed up??

Edit: I already know how to silence unknown callers. What I want is to not have the problem in the first place, ideally by 1) having companies not sell personal data to third parties and 2) being able to block spoofed (non-encrypted) caller ID.

[-] mox@lemmy.sdf.org 10 points 6 hours ago

quit ~~selling~~ demanding my fucking phone number!

FTFY

[-] SnotFlickerman 90 points 10 hours ago

Oh everyone is fed up but we just elected a guy and government who is sure to make it all way way way worse.

He just helped put the nail in the coffin of the lie that crypto is for anything but scams, don't worry, it's gonna get real bad before it gets any better.

[-] tourist@lemmy.world 16 points 8 hours ago

In South Africa, where I live, everyone is assigned an ID Number at Birth. You need an ID number, thumbprint scan AND proof of address to get issued a SIM card number due to a law introduced called RICA. It was meant to help fight crime. Worried that the government could listen in to calls or read their SMSs, the criminals just switched to WhatsApp, which also happened to become cheaper than SMSs and gained popularity in this time.

The cops never seemed to crack WhatsApp. The only drug busts that happen are when an open secret becomes laughably too open and when they harass every person arriving from South America at O.R. Tambo international airport just to catch the decoy mules carrying 12g of cocaine (total). Every dealer I ever organised with was over WhatsApp.

So now, woopsi, RICA stopped nothing and just became a liability. That treasure trove of fragile data made its way to scammers and spammers. A total net negative.

I'd encourage everyone else in other countries to apply major pushback to any government proposals in this direction.

[-] DannyBoy@sh.itjust.works 10 points 9 hours ago

Did we? My government leader hasn't changed nor have we had an election lately

[-] nyan@lemmy.cafe 6 points 8 hours ago

There's a subset of Americans who are rather like ostriches: heads so deeply buried in the sand that they forget anything exists outside their immediate surroundings. Reminding them that the rest of the world is out there rarely has any positive results, however.

[-] pHr34kY@lemmy.world 10 points 7 hours ago* (last edited 7 hours ago)

Australia has a "do not call register". It seems to mostly work, but telcos are having trouble with calls originating from outside the network with spoofed caller ID. We still get spam/scam calls from India among other places.

Even if they're not calling you directly, they are still using your phone number to link you to things and create a shadow profile behind the scenes.

[-] sugar_in_your_tea@sh.itjust.works 1 points 3 hours ago

So does the US, though you need to re-register every so often. It works pretty well, but it's not advertised very well.

[-] DaddleDew@lemmy.world 39 points 10 hours ago

I'm pretty sure a lot of scam calls use machines that call every possible phone number within an area code and see who answers. There is no way to avoid it.

[-] Pika@sh.itjust.works 8 points 8 hours ago

this right here. I stopped getting scam calls years ago, I stopped answering and they just eventually stopped calling. If you don't interact with the call (interact being ignore it or mute it NOT reject it) and it just goes to voicemail, they seem to eventually stop

[-] BlemboTheThird@lemmy.ca 10 points 8 hours ago

Lucky you. I've been letting calls from any number I don't recognize go to voicemail for years and nothing ever seems to change.

[-] Speculater@lemmy.world 8 points 6 hours ago

Setup a whitelist, I think it's native on iPhone and there are multiple Android apps. Only calls from your contact list will ring through. My voicemail is, "You're getting this because you're not on my contact list, send a text and I'll get back to you."

load more comments (3 replies)

[-] adarza@lemmy.ca 17 points 10 hours ago

lists sourced from drivers licenses and motor vehicle registration records are literally sold by some states.

load more comments (3 replies)

load more comments (2 replies)

[-] spankmonkey@lemmy.world 35 points 10 hours ago

It is the same thing that happened with US Social Security Numbers, which were originally just tracking numbers for that one purpose that were coopted by capitalists and treated like something special.

[-] sugar_in_your_tea@sh.itjust.works 1 points 3 hours ago

It's not just "capitalists" (whatever that means), every government agency seems to want it, employers and banks are required to ask for it, etc. It's more than just "some people misused it," we actually wrote it into regulations.

[-] Corkyskog@sh.itjust.works 6 points 7 hours ago

I remember I was flipping through some of my mom's old college stuff and there was a club that she was involved with and everyone listed their address and social security numbers. It was wild, no idea why they felt the need to collect socials. But this was a very long time ago.

[-] grysbok@lemmy.sdf.org 1 points 1 minute ago

My college ID used to be my social security number, so maybe it was something like that? Iirc that's no longer allowed in the US.

load more comments (4 replies)

[-] Pika@sh.itjust.works 8 points 8 hours ago* (last edited 8 hours ago)

Are internet security and internet privacy incompatible goals?

Yes. They are completely incompatible goals when anything relating to identity/being is linked to it. Examples of this could be anything from your name, to your behavioral patterns, to your phone number

Disregarding the entire possibility that ANY site is hack-able/breach-able, the issue stands that the reasons that most sites request PII is valid, for security reasons. There does not exist any valid method of ensuring users identity that does not violate users privacy. CAPTCHAS are proven inefficient, email domains are easy as a 1-2 click. Once the setup is done server side changing to a new address is as easy as changing your server settings and registering a new domain, then just pointing your MX records there. Heck depending on your postfix setup you might not even have to change server settings, if your account lookup is setup to ignore the domain and it all uses the same database. Even phone numbers have proven troublesome but its the least troublesome method available

The entire reason PII style setups are used, is because its an easy verification site side, but a hard to spoof verification customer side. Like the article says, phone numbers are hard to change for verification, many only let you change so many times in X period, and usually require some form of physical identity to register, and the ones who don't are forced such as VOIP style numbers get blocked.

We lack currently a good system aside from that, because at the end of the day, how do you prove you are who you say you are, without disclosing your identity. I personally think it should be fine to give up some PII for security purposes, but this NEEDS to be restricted only to security and should never be shared with any entity, and this includes government overreach. Alas this will never happen.

[-] AnAmericanPotato@programming.dev 5 points 6 hours ago

This assumes a legitimate need to prove who you are outside the context of that specific site, rather than just within it. Sometimes that need is real, sometimes it is not.

When it's not, and you only need to prove you are the same person who created the account, then a simple username and password is sufficient. Use 2FA (via authenticator app or key, NOT via SMS or email) on top of that. This allows users to prove to a sufficient degree that they are the owner of that account.

This is how most Lemmy instances work, for example. I can sign up by creating a username and password, with optional 2FA. They do not need my email. They do not need my phone number. They do not need my name, or my contacts, or anything else that is not related to my identity within their server.

I realize that this is untenable at large scales for any communications platform. Spam (and worse) is a problem wherever there are easy and anonymous signups. I'm honestly not sure how Lemmy is as clean as it is. I guess it's just not popular enough to attract spammers.

[-] Pika@sh.itjust.works 2 points 5 hours ago

You are correct with this comment yea, the biggest drawback (which as acknowledged we have seen on lemmy) is the anonymous of the account. It's easy to spin up spam instances, and due to how federation works its hard to combat against it. I remember LW had an issue regarding that a bit ago with someone threatening to just keep changing domains to avoid blocking, which is indeed a problem for any of these style services. I agree at large scale, most sites are not going to want to have to put up with losing that level of control moderation side. It creates a lot of headaches and for most sites it's just easier to enforce a policy that forces disclosing PII.

Technology

Our Rules

Approved Bots