How Your Mobile Phone Is Tracking You - and How to Fight Back
7:54PM Jul 26, 2020
Our next speaker is longtime regular presenter here at hope as well as a writer and columnist for 2600. Fans of his work in the magazine window him as the telecom informer. here to speak with us now about how your mobile phone is tracking you and how to fight back. Please welcome to profit.
Oh, it looks like we're here. recording time to get started. This is way different than I normally do for hope. I'm used to being in front of a room of a lot of people. And I hope virtual hope has been really great for you. Thanks for being here. Thanks for supporting 2600 and this presentation is about how your mobile phone is tracking To you and how you can fight back. And, you know, I think we all know that our mobile phones are tracking us. But it's kind of tough for that to really be actionable. And it's also hard to understand the full extent of it. So who am I I'm t profit, also known as, as the telecom and former, I write for 2600. And I've been writing since 1990. So it's been 30 years now, which is pretty cool. And if you don't subscribe, I really hope that you do subscribe to 2600 because you are why we do all of this. And I really would love to see more people get interested in telecom because there's a lot there and buy right in. Let's see if I can figure out how to advance the slide. There we go. So mobile phones used to look like this. I actually had a Motorola branch when I was in college. They were easily cloneable. So you could actually wire up
a parallel cable
to these terminals on the back, you know, underneath the battery. And if you did that, and you ran a program called mod 60 six.xc on a 386, dx 25 and nothing else, you could change the ESN and min pair. And, you know, basically, these were just mostly radios. You know, they started off being made by Motorola. You know, they were pretty solid, his radios, the security wasn't all that good. And, you know, they certainly didn't have any capabilities to be tracked down like you could do it.
wasn't a device that was inherently designed to reveal. You know, figure out where you physically were located or report that anywhere. And so Some of you may have seen this if you've been around hope for a long time or 2600 this is Kevin Mitnick. He was actually wanted by the US Marshals. And it was hard for them to track him down even though he was on teleconferences on cloned cellular phones every day practically. And the reason for this is the tracking phones wasn't easy in 1995, especially if you were cloning them. As Kevin was doing, you know, he was basically using stolen credentials, loading them onto his phone. And you know, calling as somewhere, someone else so it was really tough to figure out where he was at the time. The the information wasn't nearly as available on the network side as it is today.
if you've read the book, take down and he'll probably hate that I mentioned this, but By Shimomura the method that they use to find and ultimately apprehend, Kevin Mitnick was triangulation. And so what they did is figured out which phone that he was on. And from there, they were able to force the phone that ping between multiple powers, they were then able to infer an area where he likely was. And they got it down to an apartment complex and from there was just wait and see. And eventually he was apprehended. And so, you know, it used to take real work. And this is a theme that I've kind of hammered on a lot at home. It used to take real work to actually track somebody down. If you wanted to do that, in the telecommunications world, you'd have to go down to a central office to tap a phone or you'd have to, you know, go out into the field to find somebody who was using a mobile device. This wasn't an easy Do it actually took work and it these days is a very different situation. So how did all of that start? Like many things, it started with 911. So, you know, there was a really big problem in the early 90s, the popularity of cellphones exploded, you know, everybody was getting them and they started calling 911 with problems. They needed, you know, resolve and they didn't actually know where they were. And this is a pretty common problem. So, you know, what do you do if you call if you call 91191, and you don't know where you are on a traditional landline phone, and I'll show the architecture a little bit later on a different slide. The company was connected to a database of where everything was and all of that information got sent over to 911 when you call and so was no secret, you know, anywhere that you are calling 911. From but on a mobile phone Have any information at all when you called in, in fact, it didn't always get routed to a 911 public safety access point here in the Pacific Northwest, a lot of the time you'd call 911. And it would go to the State Patrol. Why? Well, back then most people were using mobile phones and cars. And you know, they were using them while they were driving. And so most of the calls that came in involve things on the highways. So that's why they picked the state patrol is where to send the car calls. So you know, if you're calling to report a fire, the State Patrol would probably try to figure out where you were, and then they'd have a list of you know, who the other agencies were from, you know, fire, medical or whatever, and they could send you over to them, but it took a while. And, you know, these jurisdictional boundaries can get really complicated. So sometimes it'd be taking it it takes being transferred two or three times before you ended up with, you know, the ambulance service in your area. So this was a legitimate problem. So in 1996, the FCC made an order for a 911. And what they did is basically required the mobile carriers to send along a phone number, the tower location. And basically it was the phone number, the mobile device that was calling in the tower location, which is the tower that you were connected to when you were on a mobile device. You're in the Pacific Northwest so that tower can be a long way away and really far from where you are. If you're out in issaquah you know, the tower was up on on a mountain above the town. So you literally could be anywhere in town. And also the tower on top of the mountain was picking up stuff on the other end so you could almost be to North Bend, you could be out Port snoqualmie which if you know the area is pretty far. So you know if you if you're calling from an analog cellular phone, You know, it gets even worse here, because what if you were up on the site of, you know, Tiger mountain or something. So this data just wasn't very good. It's better than nothing. But it wasn't enough to solve the problem of whereas somebody calling 911 actually located so we can send the correct help.
you know, the FCC started floating some proposals, and that got privacy people very concerned. Because I, it started to come together what the plan actually was, and that was that phones and carriers, phones would be enabled with capability where carriers would be able to locate you with a high degree of specificity and report that to 911. And, you know, in order to do that, technically, there is just way more of that phones. needed to have a gold pin to track location, then previously was the case. And so, you know, privacy advocates really got alarmed here because remember, still, you know, even the two in 2002 were largely used for calls and texts. mobile data was barely a thing. There was a there was this thing called whack that you could use. It was, you know, slimmed down versions of mobile websites. There wasn't really an app ecosystem to speak of, you get these like weird Java applets. The thing that was crazily innovative then was ringing tones like and, you know, barely any devices supported them. So, you know, this idea of phones being able to track you to almost exactly where you are, and that was just a really new thing. And, you know, rightly privacy groups were concerned But they got run over. And this is actually the story of everything having to do with with mobile location. You know, privacy concerns just get run over 2005 phase two comes out. And what phase two was was literally everything in phase one, which wasn't much plus a requirement that 95% of phones that carriers supported had GPS capability built in. And when I say GPS capability, it's air quotes around GPS because it didn't need to be the GPS chips that we have in modern smartphones now, which is a which is actually a full GPS receiver. It could it could be carrier assisted basically using a technology very similar to the triangulation technology that Kevin Mitnick. And so most carriers opted to roll out with this triangulation technology. It was hard it was just expensive at the time to get full, cheap. Yes bullpen that technology just wasn't there. And, and, you know, the other problem that they had is that it was an FCC requirements that the carriers, Vince, their subscribers to upgrade. The fines weren't very high and it was way cheaper to pay the fines than it was to convince you not to pay for people's upgrades. So carriers just kind of waited out the upgrade the ordinary upgrade cycle, they paid the fines in the meantime. And so by 2005, the 90% of phones located within 300 meters requirement wasn't really mad, but you know, by
we were pretty close to that. And to kind of give you an idea before we dive into you know, are things started shaping up into how they are today. This is the architecture of 911. It's a review simplified diagram. And I like this particular one, which I fished off of Wikipedia, because it kind of shows the difference between how wireline and wireless work. So if you look at the wireline side
that this was a,
this is a this was and this is for phase two, by the way, the 911 architecture. So this is, you know, kind of what's in play today. The next version is coming in, I'll get to that. But you'd pick up a landline phone, it would hit the central office, there'd be a VI, which would go to the AI database and the aeoi database basically, is kind of like a GIS system that pulls data that you know, that basically proves where that phone is installed in a way that's consumable by public safety access points. And then that gets all set over to the dispatch system. This is you know, these are standardized formats of how they work. And eventually, you know, that location information would come in and get forwarded on to the emergency service. And, you know, 911 systems has a structured way that data interchange happens and there are standards for how all of this stuff works and needs to be transmitted. So you know, mobile phones were new. And with wireless calls for phase two, they've got a location database has basically you know, GPS coordinates. So that's a little bit different than the you know, the aeoi and street address guide that you're dealing with with the landline because the landline is always in a fixed location and mobile phones, you know, move around. So what they try to do is send now GPS coordinates Do as as to where you are, you know, and there's a range of where those are. And so that's why if you dial 911, they can get pretty a pretty good bead on where you are usually, it's not 100% accurate, but it's pretty close.
so this technology, you know, one thing that I see kind of as a recurring theme is that 911 growth technology improvements in the mobile system, which then enabled a whole bunch of other technology to happen. And so now it was considered really radical in 2002, that your phone would be able to track everywhere you are at any given time. And then in 2008, Google Maps came out. So you know, if he ever had like a Garmin GPS device, and you had to, you know, it couldn't pick up a satellite when you were in a parking garage. You know, all these problems went away with Google Maps on the iPhone. You know, this just wouldn't have been possible without the technology that was put in place for you 911. So, almost overnight, it just happened really quickly, like, smartphones got popular can and the apps that made good use of location data, I mean, you know, I had an app that could remember where my car was, I always forget where it is, is the Costco parking lot, right? So, you know, X marks the spot, right? So this is this all becomes, you know, right around 2008. That's around the time that you know, that this stuff started getting really popular. And so we just went into a mad rush, location based technologies. You know, Uber is another example that came out in 2009. This is actually the 2011 version of Uber. That was the earliest screenshot that I was able to find. And, you know, the reason I like this screenshot is that it shows that even in In 2009, although the location technology was was pretty good, it was nowhere near as good as it is today.
there were these maps and workarounds on apps, so you would have to like position around a map to where you were exactly. And that would tell the driver where you were. So and this was one such app, there's other ones. There's an app called Foursquare that I use that still has this has this, you know, location data and map thing. And it's because even today, location data is pretty good, but it's not 100% accurate all the time.
It's gotten really good
through augmenting the information that comes from GPS. So one way that Google does it is they've basically mapped every wireless access point in the world and so they can infer better where you are based on the strength of the wireless access points the near you and if you think That's pretty creepy. Well
just wait until later in my presentation.
2011 there's this case test case that came out. And you know, we've had quite a few talks over the years at home on salsalate location data and who can access it. You know what that really means from a legal perspective. And the E FF fought this really hard 2011 the FBI investigating some robberies and so they just decided to go around and try to figure out who all the cell phones were in the area of crime.
They were trying to catch the thief.
So they just issued general warrant
actually they didn't they didn't even issue a general warrant. They didn't have a word. They just asked Metro PCs to give them the records and they did and You know, this actually went all the way to the Supreme Court. And, you know, numerous courts said, Yeah, sure, you know, like, please give up whatever you want. With that without a warrant skated. And it eventually got to the supreme court saying that the Supreme Court disagreed, and they said, Actually, you need to work for this.
So, I just
want to want you to keep that in the back of your mind. You know, if the police are going to do something, they need a warrant, if they're getting it from the phone company. And that might be a premonition to something. So 2019 last year, rape bombs act.
So what that's requiring now
is, you know, there's this problem in tall buildings where if you call 911, the address is there. But, you know, it's hard to know which floor somebody had a heart Attack on in, especially if they can't communicate with you really well. And with all these mass shootings and other incidents, you know, where people can call 911, but not necessarily talk. It's, you know, gotten concerning to emergency services that they have the ability to locate people not just at an address, or within, you know, a few hundred feet. You look at something, you know, just as a flat surface, but kind of how can they identify specifically where you are inside of the building. And there was talk that this Act would include mobile phones. And you know, that's pretty tough right now, because the geospatial data is just not quite there today. To really be able to determine where inside of a building you are, I mean, you'd have to put Bluetooth beacons all over the place or something. So See infrastructures there, you know, you can, you can infer that this kind of capability is going to be expected in mobile phones as well. So we won't be just looking at, you know, like, a flat surface. But we'll also be looking at the full 3d space. I'm not sure how that's going to work. Exactly, you know, the current technology doesn't support it.
5g doesn't either. So
it's gonna be interesting.
meeting the requirements, but I think that we could see a new wave of technology that, you know, really goes full 3d inside of buildings. And that'll be an, you know, that'll be enabled by requirements for 911. Because that's, you know, believe it or not 11 one one is just this thing that keeps moving mobile technology forward. It gets stagnant for a while, and then there's a 911 requirement for local data and then boom, all of these new things suddenly become available on the technology side. The minute this gets updated to require two beacons inside of buildings or whatever, you know, that's going to be where we get a whole bunch of hyper local mobile services. And you know, to a degree that we don't really have today. But wait a minute, you know, so there's a couple of slides ago I talked about, had to have a warrant to get full site location data. This is gas buddy. And if you look under the settings menu, and then you go to additional settings, and then you go to location, then you see this and it's like, wait a minute, they're just really burying it. They don't want you to see that. So cubic. Got in the news lately, because they have been tracking what people are actually doing on their mobile phones relative to the pandemic. versus what's, you know, actually legally allowed? And they're able to see that, you know, we have all sorts of scofflaws that are, you know, gathering in groups and that are not following quarantine. How are they finding that data out? Because gas buddies narking on you, basically, a lot of me and I don't want to beat up on gas buddy. There's a whole bunch of apps that share this information with cubic. I shut it off. At least gas buddy allows you to do that some apps don't give you the capabilities to shut it off. So you know, props to gas buddy for that. But service is gathering precise location data if you let it just because you have a gas and gas app installed. And depending on the platform you're on, it could be doing this persistently all the time. Like not just when you're running the app.
So be aware.
Look For Sale.
You know, this isn't new in 2018. And the links right here, The New York Times blew the lid off of this. Yeah, there's they went out and bought a whole bunch of data to, you know, track politicians that hit you know it. It got a very notice when they did this was a whole bunch of you know, political controversy over it. And then like many other things in the privacy space, it just blew over that very little changed. All of this is still happening. It's just different companies involved, you know, there's a different veneer of legitimacy. There was like no veneer of legitimacy in 2018. Now, there's a veneer of legitimacy, which we'll get to later. So, you know, it's not just apps doing this. Salt carriers are selling your real time phone location data as well. So yeah, so providers got caught selling, real time location. data to these data brokers. And so these are like middlemen that would be intermediaries between the carriers who had the location data and somebody that wanted it. And yeah, there was a high profile article where a bounty hunter went and tracked down somebody's, you know, physical location based just on their mobile number. And it was one of these shady data brokers that had very few controls at all on who could buy the data. So if you just knew who this company was, and you paid them not very much money, if if you wanted to stock your acts, or whatever nefarious thing, you know, find out where the President is, like, you could just pay these guys a little bit of money and they just get the information straight from the carrier. You know, kind of a security problem, kind of a privacy problem. So, you know, these the carriers said that they'd stopped doing it. They haven't I don't think I can't prove it. But I can prove that there's data that would be very hard to get from anyone other than carriers. So we'll get to that. Anyhow, the underlying point is that carriers have repeatedly been caught selling information, and they promise to stop and then they've been caught again doing it. And, you know, the reality is it's just too lucrative to sell this information to data workers, that data is very valuable.
again, not every reason why a carrier would want why somebody would want information from a carrier is nefarious, right? location smarts, the first company that got caught doing this, and what they appear to be selling now is a service to help banks stop credit card fraud. And how they do that is they look at all when you're No running a transaction is your mobile device in the vicinity of that transactions. So if they know your phone number, they can ping the carrier, the carrier will have one where you physically are, and they can match that up with whether you really are in a bodega in Brooklyn, when you really live in, you know, the South Puget Sound in Washington like I do, and instead of immediately getting flagged for fraud, like happen every time I went to hope, you know, for years, because New York is kind of the epicenter of fraud. And so if you use a credit card there and you're, you're not often in New York, you know, if you if you're like me, and you went to hope in past years, you probably remember at least one of your credit cards getting shut off because you used it in New York and you had to call the bank while
they can just ask your phone company.
Sky rainy in New York is the profit there and if the answer is yes, Then maybe they don't shut your card off. So could save you time.
can also establish what they call a smart zone around your consumer home area. And then you get real time alerts when you're legitimately traveling if you're the bank, so, you know, maybe what you do if you're a bank is you whitelist transactions, or you you have an allow list for transactions to use the new term. Sorry, I'm old. I'm trying to pet her I promise. And what you do is, you have the allow list, and you bet around the consumers home area. And then you know, base you could base that on zip code potentially right. And, you know, if somebody's traveling like, you could get real time alerts. So if they show up at a gas station in Grants Pass Oregon and they live where I am and it's pay at the pump. That seems a little bit unusual. Well, you'll be able to ask the carrier Hey, did you know key profit really prides itself on I five, like for most of the day? And if the answer is yes, then you just let the transaction good for right so some other location but you know those two things when I look at that it's how else would you get that without the person knowing you know, if I installed an app on the phone or if I got like a push notification or something, you know, these are these are ways to the technology could work but that's all with my consent and with my action. But you know, banks are doing this. There's very few banks that will ping you. When you make a transaction suspicious and lock it. There's a there's a handful that do but, you know, some banks are just seem to mysteriously know when you're doing things that are legit versus not and It seems to be these kinds of platforms. So another clue that this is potentially this location as a service platform is potentially in cahoots with the carriers as they claim that they have presence detection for indoor locations and they've got secure cross carrier access to mobile and landline devices. So that'd be really hard right presence detection for indoor locations for you know, with a mobile phone that would require a knowing whether a cell site is a Microsoft and very few people would know that other than the carrier. You know, mobile and landline device location while your mobile device location from a carrier to carrier cross carrier. That means that you know, they have to be getting from the carrier we're not talking about an app here we're talking about the carrier giving locations party data feed, So there's another company called uniko. I hope I'm saying their name right, these Silicon Valley names are very special sometimes. Okay, verifying full names, secondary account name, home address, I could maybe do that from public databases or something. But wait a minute, we're looking at these risk factors mobile, fixed weight, new accounts, burner phones, who has that information other than the carrier who has information about name and address changes activation, deactivation date or number porting other than the carrier. So clearly, and this I retrieved both of these screenshots today from from their respective websites, this stuff is live right now. So you know, don't accept any excuses that Oh, it's just an old page and like it's old data and we promised we wouldn't do that and we respect to you know, nothing is more important to you than our privacy, blah, blah, blah. I don't believe it because all of this stuff is here. Even after these companies have been raked over the coals, so I think they're just selling this right now. And the way they've been able to sell it seems to align with something that happened with my Wells Fargo account, which is the consent loophole. So apropos of nothing on my December statement for wells from Wells Fargo, which is one of the banks that I have an account with. I got this interesting consent loophole. Most people that read this stuff, it's in the fine print at the bottom here, Steven, I read this. And so I went and read through here and it's like,
wait a minute, you authorize
your wireless operator to disclose your mobile number, name, address, email, network status, customer type, customer role, billing type, mobile device identifiers. I am si n IMEI and the other subscriber device details Whatever those are, is available to Wells Fargo and service providers for the duration of the business relationship, only for identity verification and fraud avoidance.
Okay, that's interesting. It
concerning to me that
contracts can be updated this way. And this level of information can be made available to your bank with you probably not even having any idea that's what they're doing or what they're using it for. So it would be nice to see some details on exactly what's being done with this information. Well, Wells Fargo considers fraud or identity verification and why they consider mobile carrier subscriber information to be valid identity verification in the first place. So that gets to Alright, so my banks tracking me my staff is tracking me. How in the world can I fight back against this you know, especially if we've got new spooky stuff like spatially aware united one one coming down the pipe pipe? Well, it's tough, here's some things you can do. First thing is go scrub your apps. You know, if you don't need an app installed, and it's free, there is probably a reason why it's free, it is likely to be gathering information and selling it. So if there's an app, you really need to keep with the permissions of the app, you can do this at a really granular level in the latest Android. And so you can go in there and say, for this app, these are the specific things that are allowed. And you can even specify when it's allowed. And I recommend that you always only allow an app to do something. If you're actually using the app there, there are very few apps that need access to to run in the background. And, and move data around without your consent. There's a handful, but the majority of apps, you know when you're just using local You should really only need to be using that interactively. Don't give your mobile phone number to corporations, we see what happens if you give it to Wells Fargo. See you only have a landline. So no matter how many times they beg and plead and you know, if you don't have a mobile phone number on file a companies will try down. Every time I log into something bam, I'm getting, you know, prompted for a mobile phone number like everything from eBay to like every bank, but I'm just like, Nope, I'm old fashioned. I only have a landline. So there's not a whole lot they can do if that's all you've got. Except there's one bank that bank, which will not let you have an account. If you don't have a mobile phone. They're literally digitally. You know, forcing the digital divide. You are not allowed to sign up for an account with that bank. If you do not have a mobile phone. I went around and around with them. I'm like, I only have a landline. What do we do? And they're like, well, we don't want you as our customer if you know mobile phone. That's the bottom line. Whether it's legal or not, I'm not sure. Seems like digital red lightning to me. But that is a separate talk. Use phone proxy services. So what's the phone proxy service? Google Voice is a good one. Keep in mind that if you give all your information to Google, who knows what they're doing with it, I have to make trade offs in my life. So, you know, the ecosystem that you pick is going to be Google or Apple. And I'm in the Google ecosystem. So I picked Google Voice which works pretty seamlessly with that. The upside of using a phone proxy service is that there's no subscriber information that they can pull that subscriber information is Google. And when I'm giving somebody my number, you know, Google Voice has the ability to work with SMS, it does voice calls, you can get MMS But it isn't wrapped up in your carriers. So getting the location data is really hard if if all you have is my Google Voice number. So the flipside of that is, the more privacy that you assert the shady or you may look to algorithms. So, you know, I asked for a fairly high degree of privacy, not really, I mean, like, I'm really reachable.
But I don't give up a ton of information
that can be used nefariously without
without my knowledge, so
it looks pretty shady to the algorithms right? If I'm using Google Voice, a lot of stuff just walks me out. Not giving a mobile phone number to corporations looks a little bit weird. No, it is some inconvenience having to go through and scrub my apps and you know, kick stuff off my phone periodically that doesn't need to be there. But What I do, I also have some other, you know, things that I do to maintain privacy in my life. I'm not nearly as crazy with it as many people in the privacy community are, I need a balance of, you know, reasonable degree of security versus, you know, a reasonable degree of privacy. And I think that I've struck it for my personal use case.
Another thing you can do is you can just hack the algorithm.
So, you use a prepaid mobile service that will show up as a burner phone if you've never registered it, but if you register it, it just shows up as a as a mobile account. So register everything with the name and address and I would like to remind you that Emmanuel Goldstein PO Box 752, middle Island, New York 11953 is not your name and address. Oh, another thing you can do like one thing that they you know, I don't think enough people do to preserve privacy is Use corporations and LLCs and trusts for doing that. It's really easy to form an LLC, pretty easy to form a corporation, not very expensive to maintain any of them. And then that gives you the ability to open business accounts for everything. So you can open business bank accounts, business, phone accounts, business credit cards, and then everything's in the business name, which for whatever reason, because corporations tend to trust businesses, ends up ranked higher and higher trust by the algorithms. So I've got all this business stuff because they legitimately own a business. And I'm able to use those resources to be able to get around a lot of the algorithms hating me in my personal life. And then one other really fun thing that I like to do, just because I have phone numbers all over the world is to register for services using those foreign phone numbers. I lived and worked in Europe for a year and so I have a Dutch phone number. I register for Everything might be a GDPR headache for companies using my Dutch phone number, and, you know, what that automatically does is it just turns off a lot of the more intrusive and annoying Privacy Practices because they're not compatible with GDPR. So if you've got a phone number, you know, you can use these algorithms to your advantage by running them through different filters.
And that is one thing that you can do. So,
that's my punch list. I'm happy to answer more in the QA, you know, give you some ideas. And I want to do here is Thank you. Thanks for putting up with this crazy format for a talk. This was one shot and go I I'm not going to go back and tweak in the senate because the talks pre recorded at the last possible second 112 in the morning, right now. This is due right now. So it's not going to be as polished as I normally AM, hey, it is nine days of hope. Thanks so much for supporting hope for supporting 2600. You're what makes all of this possible. And I really mean that. So thanks for not demanding a refund and being here for this crazy experiment. And I hope to see you all in person in two years in New York. Thanks again. And we'll get to the QA hopefully on the live session starting right now. Bye.
Thank you t profits very much. And as as past you just mentioned, we have a few minutes for q&a. So please, if you're in our audience on matrix, leave them in the livestream q&a channel, and we can ask them one question from the audience. Do we need BTB In future if infrastructure continues to improve, and includes five G's precise location features.
So that really is going to be up to 911. What is required by 911? And what technical specifications come out. appealing building code and doing it at a nationwide level is a very complicated thing as you can imagine. And there may be a better technology that comes along than Bluetooth. So I'm not sure that it's necessarily going to be based on that. Bear in mind that, you know, if we go with Bluetooth beacons as the technical layer, that means Bluetooth has to be able to come on whether you want it on or not, it means that it's going to be draining your battery. So I don't think it's the best technology. It's the best one we have right now for this kind of thing, but there's new research all the time and I think that there's a lot of possibilities in the future. Do I think that you know, in one one regulations are going to get updated to try to identify you inside of a building? Yeah. salutely I mean it, it doesn't do a whole lot of good if you're at a giant Stadium, for example, and you dial 911. And, you know, the only thing the fire department knows if you've had a heart attack is that you're somewhere in that stadium. So it's, we can see this coming. It's just a question of exactly how it's going to be implemented. And one.
Next question from the audience, what is the best way to balance the security benefit of two factor authentication with the fact that you must turn over to them your mobile number?
That's really tough one because you know, a lot of the a lot of the time to FA is a Trojan horse to get your mobile number and maybe track you with it. So the way that I do it is twofold. The first is I have a separate device just for multi factor authentication. And I use that separate device with non SMS based multi factor authentication services. And there's a lot of things that you can use, like Google Authenticator, for example, that don't require you to get an SMS. But to give you the benefit of multi factor authentication, and in fact, it's better than SMS based multi factor authentication because it's more secure. The problem is that if anything ever happens to that device, then you've lost your two FA tokens. It gets pretty
untangle yourself from that problem then. So it's just again going to be kind of a security versus convenience question. The other thing that I do with SMS to FA is, phone proxy services, like Google Voice do support these. It's just a question of whether they're using a surface to rate whether your phone number is shady and allow you to use it or not. So for example, a couple of banks that I do business with refused to accept a Google Voice number. They consider that to be totally shady and it's not a valid option at all. Wells Fargo In fact, refused to accept the Google Voice numbers so they sent me a hard a hardware token for multi factor authentication. And so that's what I have to use. But normally they charge for it. And because I only have a landline and that was the only way I could get an SMS is they waive the normal $35 fee and sent me the hard token for free. So small victories I guess.
Next question. Have you seen other industries saying the no phone no account to you? Or do you know of other companies that have similar practices?
Best bank is the first one that I've run into that's done this. And, you know, I see what I saw when they told me this, I couldn't really believe it. Because there are a lot of parts of the country where you still can't really get mobile phone service. The more rural and remote that you're in, if you're in you know, anywhere from speak in Washington to halfway up the hall, right, and Alaska. There are just lots of places where mobile phone service isn't available yet. It's not a lot of people, but there are there is a lot of geography, right? So are we going to enforce a digital divide through banking Are we going to Raw digital red line around rural areas and say people who live in these places and can only get a landline can't have a bank account now. We're in uncharted territory. And so far, you know, the banks are doing that. At least one bank is fast bank. And it's kind of an open question as to what else is going to do that and and whether or not it's going to remain legal, but I don't think it should be. And if you don't think it should be, you should probably talk to your Congress, people and
other members of the audience. So to what extent can a 911 location be spoofed on a commercially available zone?
I don't even want to get into that.
And the reason why I don't want to get into that is there's a thing called swatting. And that's just not something that I am even willing to help anybody consider doing. Okay.
I think this will have to be the last question where we're just about out of time, but someone asks, Do you know if anyone has tried using GPS spoofing, so the mobile phone thinks that somewhere else would that set off an alarm when it doesn't jive with the location provided by tower triangulation.
So, I don't
know what the thrust of the question is. But what I can say is that, you know, so many of you know that I used to run a dating app called cuddly. And oh, yeah, There sure are GPS spoofing apps. If you have a rooted android phone or or read an iOS device, there are location spoofing apps, apps that exist for this. And we see that all the time in dating apps now you know, where usually it's innocuous people are just, you know, located in Legos and tried to scam somebody in the class. So actually not so innocuous. That's, that's 99% of the use case. And then 1% is just lonely people who don't have anybody around them in their remote areas. So they're trying to you know, make them Virtually closer to a city. So, yeah, these things do exist. They can be used for nefarious purposes or not. I'm not going to get into the 911 use case with these kinds of apps.
um, to profit. Thank you. Thank you very much. And thank you all for watching.
All right, thanks a lot.