Mobile phone verification codes have become the scapegoat for cybercrime. Let me speak up for telecom operators!

[[347439]]

It should be pointed out that this is the value of SMS verification codes, not their obligation! Why can mobile phone numbers be used to verify personal information? When did mobile phone numbers have this function? If verification codes can replace passwords and user will, what is the point of identity authentication?

Mobile phone verification code becomes the "scapegoat", I'm here to speak up for the telecom operators!

Recently, an article titled "A stolen mobile phone reveals a black industry chain of stealing personal information and stealing funds" has attracted great attention. In the article, a veteran of information security with the ID "Old Camel of Information Security" recorded in detail every step that he and his wife took in fighting against the black industry after their mobile phone was lost.

The outcome of the confrontation was that the black industry was ultimately "one step ahead", which ultimately led to Meituan Lending generating a loan of 5,000 yuan and ETC credit cards generating various consumption records such as buying cards and recharging.

Why did a veteran in information security fail in the fight against the black industry? Almost all analytical articles point the finger at one key point: the SMS verification code. Obviously, according to public opinion, the blame should be borne by the telecom operators.

As expected, in response to this issue, the Ministry of Industry and Information Technology announced today that it had interviewed the relevant persons in charge of the telecom companies involved on October 12, requiring the three basic telecom companies to strengthen security protection while facilitating users to handle business in sensitive links involving user identities such as service password reset and unblocking, strengthen risk prevention awareness training for customer service personnel, and be vigilant against abnormal business handling behaviors. At the same time, the Ministry of Industry and Information Technology also reminded the majority of users to set SIM card passwords in a timely manner, report the loss of their mobile phones as soon as possible, and strengthen security risk awareness.

From the actual situation, the current "SMS verification code" has become the main channel for everyone's identity authentication in cyberspace. Using a mobile phone number + verification code can complete many important operations, such as quick login, changing passwords, transferring money, paying, applying for loans, etc. However, in many cases, the SMS verification code does not play the role of identity authentication at all, but instead becomes a loophole for the black industry to take advantage of, causing property losses to users.

From this perspective, it is not too unfair for telecom operators to bear the blame. At least as a de facto authentication tool, the security of SMS verification codes does not seem to be high enough to ensure the safety of people's property.

However, as a communications industry practitioner, I still want to speak up for telecom operators, because I think mobile phone verification codes are unnecessary and have no obligation to endorse user identity authentication!

Around the end of 2015, the Cyberspace Administration of China issued the "Internet User Account Name Management Regulations", which required Internet users to use real names in certain scenarios. Since then, Chinese Internet companies have begun to use SMS verification codes to authenticate users, which is the most convenient method available. China's Internet has begun to build a real-name network space based on "SMS verification code identity authentication", and the chaos of fake accounts, counterfeit accounts, etc. has been rectified. It can be said that SMS verification codes have made a huge contribution to maintaining the order of the Internet.

But it should be pointed out that this is the value of SMS verification codes, not an obligation! Why can mobile phone numbers be used to verify personal information? When did mobile phone numbers have this function? If verification codes can replace passwords and user will, what is the point of identity authentication?

Although SMS verification codes can serve as a means of identity authentication, they cannot actually verify the identity of the person, name, or evidence. They can only verify the identity of the person and the evidence. The first two problems can be solved by technical means, but the last problem is a natural flaw in SMS verification code technology. This has also led to many black industry crimes.

In fact, our Internet companies, especially Internet financial companies, should keep pace with the times and update their system's trusted identity authentication tools. For example, when it comes to high-risk businesses such as lending, why can't dynamic face recognition be introduced? Among the currently published financial technology innovations, we can see a large number of applications related to trusted identity authentication and big data risk control.

It's the Internet age, but many people's thinking is still stuck in the 2G era!

Appendix: Let me popularize the process of setting the mobile phone PIN code.

After setting the PIN code on the SIM card, you will be asked to enter the PIN code when you turn on the phone (for example, restarting the phone after changing the card). If you enter the wrong code three times, the card will be locked, which is equivalent to adding a threshold. How to set the PIN code of the SIM card?

Taking Xiaomi mobile phone as an example (system is MIUI12), first click on Settings > click [Password & Security] > click [System Security]. At this time, your phone card will appear under the "SIM card lock method" column. Click in to set up to lock your SIM card. At the same time, you can modify the PIN code. The default PIN code is generally "1234".

This article is reprinted from the WeChat public account "悲了伤的白犀牛", written by 悲了伤的白犀牛. To reprint this article, please contact 悲了伤的白犀牛 public account.