The majority of places aren't checking your identity, cross-referencing your birthdate, and personalising your experience based on your Zodiac sign. At most, they'll wish you a happy birthday and / or let you recover your account by providing your date of birth.

But, of course, lots of people know your birthday. Everyone you went to school with, family members, colleagues. It might even be on your Wikipedia bio.

A date of birth is not a suitable security measure. So I set mine to be a random number.

Let's get a few things straight. Don't lie to the cops, the state, or your spouse. If you give an incorrect date of birth to an insurance company, medical provider, or financial institution; you're gonna have a bad time.

But for most other services...?

If I'm signing in to a free WiFi service, my date of birth is 1st of January, 1901 (or whatever the earliest year they will accept).

If a service uses my DoB for account recovery, I generate a random number, save it in my password manager, and tell the site I was born on 17/07/1985, or whatever.

Look, I'm aware there are some theoretical downsides. If you ever lose your fake details, you won't be able to prove your identity using official ID. If you use fake details to get an age related discount, that's probably fraud - so don't do that!

For the vast majority of services which have no legitimate reason for knowing your age, it's OK to use a random number.

Yes, users should probably take better care of their digital credentials and bury them in a digital vault. But there are some things which are simply impossible for a user to protect against. Take, for example, a SIM-swap attack.

You probably have your phone-number tied to all sorts of important services. If you want to recover your email, log in to a bank, or prove your identity - you'll probably need to receive a call or SMS. If an attacker can take over your phone number, they're one step closer to taking over your accounts.

I keep saying "your phone number", but that's a clever lie. The phone number does not belong to you. It belongs to the network operator and they define which SIM the number points to.

This means a suitably authorised person at the telco can point "your" number to a new SIM card. That's helpful if you've lost your SIM but bad if an attacker wants to divert your number.

What can you do to stop this attack? Nothing.

Oh, you can have a strong and unique password on your account, and you can hope your telco uses TOTP and PassKeys. But it turns out that it is possible to bribe telco employees for the low, low price of US$1000.

If your security rests on a phone number, you've effectively outsourced your security to the most bribeable manager employed by your telco.

Now, I said there's nothing you can do. That isn't quite true. You can attempt to pen-test yourself.

Go to your phone company's account. Set a long password and complex password. Change your mother's maiden name to HK2BY@]'PU,:!VQ;}baTj. Turn on every security measure you can find. Call the phone company from a different phone and explain that you lost your phone and want a new SIM card. If they ask for your mother's maiden name, say "Oh, I set it to a long stream of gibberish". If they ask where to send the SIM, give a trusted friend's address. If your phone company is negligent and send out a new SIM on the basis of poor verification, then you should move your number to a more reputable provider.

It's good fun to try and social-engineer a call-centre worker for your own details. But it's probably illegal to try and bribe someone to hijack yourself.

Anyway, please try to remove your phone number as a critical lynchpin in your security regime.

I'm doing everything a geek can to protect their online life. Is it enough?

Terence Eden is on Mastodon

@edent

Is there a market / service for *personal* pen-testing or social engineering?

I like to think I've got all my security set up. But how easily could a fraudster take over my life?

---

This is not an invitation to hack me. I'd like to pay a professional to see how far they can infiltrate my online life. Is my bank particularly vulnerable to social engineering? Does my hosting provider accept a fax to transfer away my domains? Is an image of my passport floating around the dark web? What OSINT should I be scrubbing from the web?

I've got a stupid amount of smarthome tech - and I know there's no way to secure my network - but I imagine that's a target for someone more dedicated than a casual thief.

I can find pentesting services for companies. I can find some which claim to test the security of CEOs and celebrities. But I can't find anything for ordinary people.

Does this service exist? If not, is this a million-dollar start-up idea?