With the data breaches at SingHealth and Facebook, old assumptions are being challenged:
Federated sign-ons (using Google or Facebook to sign on to other sites)[1], while convenient, are not foolproof.
Government-related entities[2], while having the manpower and the resources to implement sophisticated measures, are still susceptible to data breaches.
Rather than dwell on those, I am in the mood to think about where the next hot area of security breaches might come from. That led me to phone numbers. There is a lot to like about mobile phone numbers: they are very personal, many people remember theirs, and they come with 2FA. The PDPC recommends the phone number as an alternative identifier to the NRIC.
What happens when more people get on the 2FA route? As security practices evolve, so will attackers. An SMS OTP is only as strong as control over the number it is sent to: it is not impossible for someone to take over ("spoof") your telephone number, for instance by getting the carrier to port it or issue a replacement SIM, and have your 2FA messages re-routed to them.
The more comprehensive solution is to use something that does not rely on your SIM card for a security function. For example, LastPass allows you to authenticate using your fingerprint or a local authenticator app, which generates the codes on the device itself instead of receiving them over the mobile network.
Unfortunately, security structures depend on the people implementing them, not on users. As of writing, I am aware that Standard Chartered and DBS are the only banks which offer a "Digital Token" as 2FA instead of SMS OTPs.[3]
One advantage phone numbers have over NRICs is that you can have as many of them as you like. Having several phone numbers makes it far more difficult for an attacker to build a profile of you. With dual-SIM phones, you can have two phone numbers in one phone.
This creates a firewall between the phone number you use for personal purposes and the one you use for secured transactions. If, say, SingHealth or Facebook discloses your personal number, there is some relief in knowing that no one gets *all* of your information.
If you think this is a good idea (and you don't mind paying a one-time $18 registration fee for it), you can consider the $0/month Circles.Life flexible plan. If you expect to receive only SMS OTPs and hardly make any calls, there is no way you can bust the minimal limits on the plan, which makes it a nearly free mobile phone number. Even if for some strange reason you find yourself very chatty on the alternative number, its flexibility means it will revert to $0 once you no longer need to chat.
I would give you a referral code… but it doesn’t apply to the $0/month plan.
Are there other uses for an alternative mobile phone number? Comment and let me know!
[1] I advocated the use of federated sign-ons as an alternative to using NRICs as an identifier for logons. I still think there are use cases for federated sign-ons (for example, when the operation is too small to implement a home-spun sign-on system). Ultimately this may depend on whether someone trusts Google or Facebook instead. ↩︎
[2] There is enough material in the SingHealth debacle for a completely new post. More specifically, I am waiting to study the full report before commenting. ↩︎
[3] Physical tokens exist, but given that all banks allow you to choose between receiving an SMS OTP or using a physical token, most if not all people use SMS OTPs. ↩︎