Wireless carriers are developing a new system that could someday allow consumers to log into supporting websites without the need for traditional passwords. But given the industry’s terrible track record on privacy, significant doubts linger over whether wireless carriers should be tasked with maintaining even more of the public’s sensitive data. AT&T, Verizon, Sprint, and T-Mobile this week gave this project a formal name: Project Verify. Project Verify is a “next generation authentication platform” that’s supposed to make passwords irrelevant, instead confirming a user’s identity using a myriad of other factors, including location data, cellular handset specs, “account tenure,” SIM card information, and more. This industry video (which somehow avoids acknowledging that password managers exist), states Project Verify will improve security via evolved multi-factor authentication, while also providing greater convenience to the end user:
Security experts don’t believe the wireless industry has been proven to be trustworthy enough to handle such a responsibility.
“The carriers have a dismal track record of authenticating the user,” UC Berkeley computer science and security researcher Nicholas Weaver told security expert Brian Krebs. “If the carriers were trustworthy, I think this would be unequivocally a good idea. The problem is I don’t trust the carriers.”
Weaver isn’t alone.
From AT&T’s efforts to charge users more money to protect their privacy, to Verizon getting busted a few years ago for tracking users around the internet without telling them, the industry’s track record is arguably terrible. That reputation was compounded via numerous recent scandals related to the collection and sale of sensitive customer location data. “It probably doesn’t help that all of the carriers participating in this effort were recently caught selling the real-time location data of their customers’ mobile devices to a host of third-party companies that utterly failed to secure online access to that sensitive data,” noted Krebs. And as Motherboard’s Lorenzo Franceschi-Bicchierai has extensively documented, carriers also haven’t shown themselves capable of thwarting (or even fully addressing) SIM hijacking, a practice involving bribing or conning mobile carrier employees to port out out a user’s phone to unauthorized devices, opening the door to identity fraud and even cryptocurrency theft. Given the wireless industry can’t currently protect its users from having their identities lifted, money stolen, and valuable Instagram accounts sold, the perils of giving hackers an even juicier target starts to become fairly apparent.
The wireless industry also just played a starring role in lobbying Congress to kill federal and state-level broadband privacy protections (often by aggressively misleading lawmakers about what the rules did). The fact that wireless carriers are often bone-grafted to the nation’s intelligence apparatus with fleeting accountability and oversight is also cause for concern. Numerous tech press outlets were quick to hype the industry’s new authentication solution without highlighting the industry’s long and troubled history of privacy abuses. And while those who haven’t been paying attention may be eager to take the industry up on their offer, Weaver and Krebs reflect a growing skepticism by many that doling out even more data to mobile carriers is a particularly good idea.
“I am not likely to ever take the carriers up on this offer,” Krebs said. “In fact, I’ve been working hard of late to disconnect my digital life from these mobile providers. And I’m not about to volunteer more information than necessary beyond the bare minimum needed to have wireless service.”