Mise à jour de la base de données, veuillez patienter...

If you’re thinking of donating money to help victims of Hurricane Florence, please do your research on the charitable entity before giving: A slew of new domains apparently related to Hurricane Florence relief efforts are now accepting donations on behalf of victims without much accountability for how the money will be spent.

For the past two weeks, KrebsOnSecurity has been monitoring dozens of new domain name registrations that include the terms “hurricane” and/or “florence” and some word related to support (e.g., “relief,” “assistance,” etc.). Most of these domains have remained parked or dormant since their creation earlier this month; however, several of them became active only in the past few days, directing visitors to donate money through private PayPal accounts without providing any information about who is running the site or what will be done with donated funds.

Among the earliest of these is hurricaneflorencerelieffund-dot-com, registered anonymously via GoDaddy on Sept. 13, 2018. Donations sent through the site’s PayPal page go to an email address tied to the PayPal account on the site (info@hurricaneflorencerelieffund-dot-com); emails to that address did not elicit a response.

Sometime in the past few days, several other Florence-related domains that were previous parked at GoDaddy now redirect to this domain, including hurricanflorence-dot-org (note the missing “e”); florencedisaster-dot-org; florencefunds-dot-com; and hurricaneflorencedonation-dot-com. All of these domains include the phone number 833-FLO-FUND, which rings to an automated system that ultimately asks the caller to leave a message. There is no information provided about the organization or individual running the sites.

The domain hurricaneflorencedisasterfund-dot-com has a slightly different look and feel, invokes the name of the Red Cross and also includes the 833-FLO-FUND number. Likewise, it accepts PayPal donations tied to the same email address mentioned above. It claims “80% of all donations go directly to FIRST RESPONDERS in North & South Carolina!” although it provides no clear way to verify that claim.

The domain hurricaneflorencerelief-dot-fund, registered on Sept. 11, also accepts PayPal donations with minimal information about who might benefit from monies given. The site links to Facebook, Twitter and other social network accounts set up with the same name, although none of them appear to have any meaningful content. The email address tied to that PayPal account — hurricaneflorencerelief@gmail.com — did not respond to requests for comment.

The domain theflorencefund-dot-com until recently also accepted PayPal donations and had an associated Twitter account (now deleted), but that domain recently changed its homepage to include the message, “Due to the change in Florence’s path, we’re suspending our efforts.”

Here is a Google spreadsheet that tracks some of the domains I’ve been monitoring, including notations about whether the domains are active and if they point to sites that ask for donations. I’ll update this sheet as the days go by; if anyone has any updates to add, please drop a comment below. All of the domains mentioned above have been reported to the Justice Department’s National Center for Disaster Fraud, which accepts tips at disaster@leo.gov.

Let me be clear: Just because a site is listed here doesn’t mean it’s a scam (or that it will be). Some of these sites may have been set up by well-intentioned people; others appear to have been established by legitimate aid groups who are pooling their resources to assist local victims.

For example, several of these domains redirect to Freedomhouse.cc, a legitimate nonprofit religious group based in North Carolina that accepts donations through several domains that use an inline donation service from churchcommunitybuilder.com — a maker of “church management software.”

Another domain in this spreadsheet — florencereliefeffort.org — accepts donations on its site via a third party fundraising network Qgiv.com. The site belongs to a legitimate 501(c)(3) Muslim faith-based nonprofit in Raleigh, N.C, that is collecting money for Hurricane Florence victims.

If you’re familiar with these charities, great. Otherwise, it’s a good idea to research the charitable group before giving them money to help victims.

As The New York Times noted on Sept. 15, one way to do that is through Charity Navigator, which grades established charities on transparency and financial health, and has compiled a list of those active in the recovery from Florence. Other sites like GuideStar, the Better Business Bureau’s Wise Giving Alliance and Charity Watch perform similar reviews. You can find more details about how those sites work here.

Finally, remember that phishers and malware purveyors love to seize on the latest disasters to further their schemes. Never click on links or attachments in emails or social media messages that you weren’t expecting.

It is now free in every U.S. state to freeze and unfreeze your credit file and that of your dependents, a process that blocks identity thieves and others from looking at private details in your consumer credit history. If you’ve been holding out because you’re not particularly worried about ID theft, here’s another reason to reconsider: The credit bureaus profit from selling copies of your file to others, so freezing your file also lets you deny these dinosaurs a valuable revenue stream.

Enacted in May 2018, the Economic Growth, Regulatory Relief and Consumer Protection Act rolls back some of the restrictions placed on banks in the wake of the Great Recession of the last decade. But it also includes a silver lining. Previously, states could charge a confusing range of fees for placing, temporarily thawing or lifting a credit freeze. Today, those fees no longer exist.

A security freeze essentially blocks any potential creditors from being able to view or “pull” your credit file, unless you affirmatively unfreeze or thaw your file beforehand. With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you (i.e., view your credit file).

And because each credit inquiry caused by a creditor has the potential to lower your credit score, the freeze also helps protect your score, which is what most lenders use to decide whether to grant you credit when you truly do want it and apply for it.

To file a freeze, consumers must contact each of the three major credit bureaus online, by phone or by mail. Here’s the updated contact information for the big three:

Online: Equifax Freeze Page
By phone: 800-685-1111
By Mail: Equifax Security Freeze
P.O. Box 105788
Atlanta, Georgia 30348-5788

Online: Experian
By phone: 888-397-3742
By Mail: Experian Security Freeze
P.O. Box 9554, Allen, TX 75013

Online: TransUnion
By Phone: 888-909-8872
By Mail: TransUnion LLC
P.O. Box 2000 Chester, PA 19016

Spouses may request freezes for each other by phone as long as they pass authentication.

The new law also makes it free to place, thaw and lift freezes for dependents under the age of 16, or for incapacitated adult family members. However, this process is not currently available online or by phone, as it requires parents/guardians to submit written documentation (“sufficient proof of authority”), such as a copy of a birth certificate and copy of a Social Security card issued by the Social Security Administration, or — in the case of an incapacitated family member — proof of power of attorney.

In addition, the law requires the big three bureaus to offer free electronic credit monitoring services to all active duty military personnel. It also changes the rules for “fraud alerts,” which currently are free but only last for 90 days. With a fraud alert on your credit file, lenders or service providers should not grant credit in your name without first contacting you to obtain your approval — by phone or whatever other method you specify when you apply for the fraud alert.

Another important change: Fraud alerts now last for one year (previously they lasted just 90 days) but consumers can renew them each year. Bear in mind, however, that while lenders and service providers are supposed to seek and obtain your approval before granting credit in your name if you have a fraud alert on your file, they’re not legally required to do this.

MANAGING EXPECTATIONS

Having a freeze in place does nothing to prevent you from using existing lines of credit you may already have, such as credit, mortgage and bank accounts. By the same token, freezes do nothing to prevent crooks from abusing unauthorized access to these existing accounts.

According to experts, the bureaus make about $1 every time they sell access your credit file. However, a freeze on your file does nothing to prevent the bureaus from collecting information about you as a consumer — including your spending habits and preferences — and packaging, splicing and reselling that information to marketers.

When you place a freeze, each credit bureau will assign you a personal identification number (PIN) that needs to be supplied if and when you ever wish to open a new line of credit. When that time comes, consumers can temporarily thaw a freeze for a specified duration either online or by phone (see above resources). Needless to say, it’s a good idea to keep these PINs somewhere safe and reliable in the event you wish to unfreeze.

One important caveat: It’s best not to wait until the last minute before starting the freeze thawing process, which can be instantaneous or can take a few days. The easiest way to unfreeze your file for the purposes of gaining new credit is to spend a few minutes on the phone with the company from which you hope to gain the line of credit (or research the matter online) to see which credit bureau they rely upon for credit checks. It will most likely be one of the major bureaus. Once you know which bureau the creditor uses, contact that bureau either via phone or online and supply the PIN they gave you when you froze your credit file with them. The thawing process should not take more than 24 hours, but hiccups in the thawing process sometimes make things take longer.

CREDIT LOCKS AND CREDIT MONITORING

All three big bureaus tout their “credit lock” services as an easier and faster alternative to freezes — mainly because these alternatives aren’t as disruptive to their bottom lines. According to a recent post by CreditKarma.com, consumers can use these services to quickly lock or unlock access to credit inquiries, although some bureaus can take up to 48 hours. In contrast, they can take up to five business days to act on a freeze request, although in my experience the automated freeze process via the bureaus’ freeze sites has been more or less instantaneous (assuming the request actually goes through).

TransUnion and Equifax both offer free credit lock services, while Experian’s is free for 30 days and $19.99 for each additional month. However, TransUnion says those who take advantage of their free lock service agree to receive targeted marketing offers. What’s more, TransUnion also pushes consumers who sign up for its free lock service to subscribe to its “premium” lock services for a monthly fee with a perpetual auto-renewal.

Unsurprisingly, the bureaus’ use of the term credit lock has confused many consumers; this was almost certainly by design. But here’s one basic fact consumers should keep in mind about these lock services: Unlike freezes, locks are not governed by any law, meaning that the credit bureaus can change the terms of these arrangements when and if it suits them to do so.

If you have already signed up for credit monitoring services, placing a freeze on your file should not impact those services. However, it is generally not possible to sign up for new credit monitoring services once a freeze is in place. So if you wish to avail yourself of credit monitoring, it’s best to sign up before placing a freeze.

Many consumers erroneously believe that credit monitoring services will protect them from identity thieves. In truth, despite incessant marketing by the bureaus and others to the contrary, these services do not prevent thieves from using your identity to open new lines of credit, or from damaging your good name for years to come in the process. The most you can hope for is that credit monitoring services will alert you soon after an ID thief does steal your identity.

Credit monitoring services are principally useful in helping consumers recover from identity theft. Doing so often requires dozens of hours writing and mailing letters, and spending time on the phone contacting creditors and credit bureaus to straighten out the mess. In cases where identity theft leads to prosecution for crimes committed in your name by an ID thief, you may incur legal costs as well. Most of these services offer to reimburse you up to a certain amount for out-of-pocket expenses related to those efforts. But a better solution is to prevent thieves from stealing your identity in the first place by placing a freeze.

WHAT ELSE SHOULD YOU DO?

Freezing your credit file at the big three bureaus is a great start, but ID thieves can and do abuse other parts of the credit system to wreak havoc on consumers. Beyond the big three bureaus, Innovis is a distant fourth bureau that some entities use to check consumer creditworthiness. Fortunately, filing a freeze with Innovis also is free and relatively painless.

In addition, many wireless phone companies currently check consumer credit using a little-known credit reporting bureau operated by Equifax called the National Consumer Telecommunications and Utilities Exchange (NCTUE). Freezing your credit with Equifax won’t necessarily block inquiries to the NCTUE, but fortunately the NCTUE also offers a freeze process, as detailed in this story.

It’s a good idea to periodically order a free copy of your credit report. There are several forms of identity theft that probably will not be blocked by a freeze. But neither will they be blocked by a fraud alert or a credit lock. That’s why it’s so important to regularly review your credit file with the major bureaus for any signs of unauthorized activity.

By law, each of the three major credit reporting bureaus must provide a free copy of your credit report each year — but only if you request it via the government-mandated site annualcreditreport.com. The best way to take advantage of this right is to make a notation in your calendar to request a copy of your report every 120 days, to review the report and to report any inaccuracies or questionable entries when and if you spot them. Avoid other sites that offer “free” credit reports and then try to trick you into signing up for something else.

According to the Federal Trade Commission, having a freeze in place should not affect a consumer’s ability to obtain copies of their credit report from annualcreditreport.com.

It’s also a good idea to notify a company called ChexSystems to keep an eye out for fraud committed in your name. Thousands of banks rely on ChexSystems to verify customers that are requesting new checking and savings accounts, and ChexSystems lets consumers place a security alert on their credit data to make it more difficult for ID thieves to fraudulently obtain checking and savings accounts. For more information on doing that with ChexSystems, see this link.

Finally, ID thieves like to intercept offers of new credit and insurance sent via postal mail, so it’s a good idea to opt out of pre-approved credit offers. If you decide that you don’t want to receive prescreened offers of credit and insurance, you have two choices: You can opt out of receiving them for five years or opt out of receiving them permanently.

To opt out for five years: Call toll-free 1-888-5-OPT-OUT (1-888-567-8688) or visit optoutprescreen.com. The phone number and website are operated by the major consumer reporting companies. To complete your request for a permanent opt-out, you must return the signed Permanent Opt-Out Election form provided after you initiate your online request.

Citing “extraordinary cooperation” with the government, a court in Alaska on Tuesday sentenced three men to probation, community service and fines for their admitted roles in authoring and using “Mirai,” a potent malware strain used in countless attacks designed to knock Web sites offline — including an enormously powerful attack in 2016 that sidelined this Web site for nearly four days.

The men — 22-year-old Paras Jha Fanwood, New Jersey,  Josiah White, 21 of Washington, Pa., and Dalton Norman from Metairie, La. — were each sentenced to five years probation, 2,500 hours of community service, and ordered to pay $127,000 in restitution for the damage caused by their malware.

Mirai enslaves poorly secured “Internet of Things” (IoT) devices like security cameras, digital video recorders (DVRs) and routers for use in large-scale online attacks.

Not long after Mirai first surfaced online in August 2016, White and Jha were questioned by the FBI about their suspected role in developing the malware. At the time, the men were renting out slices of their botnet to other cybercriminals.

Weeks later, the defendants sought to distance themselves from their creation by releasing the Mirai source code online. That action quickly spawned dozens of copycat Mirai botnets, some of which were used in extremely powerful denial-of-service attacks that often caused widespread collateral damage beyond their intended targets.

The source code release also marked a period in which the three men began using their botnet for far more subtle and less noisy criminal moneymaking schemes, including click fraud — a form of online advertising fraud that costs advertisers billions of dollars each year.

In September 2016, KrebsOnSecurity was hit with a record-breaking denial-of-service attack from tens of thousands of Mirai-infected devices, forcing this site offline for several days. Using the pseudonym “Anna_Senpai,” Jha admitted to a friend at the time that the attack on this site was paid for by a customer who rented tens of thousands of Mirai-infected systems from the trio.

In January 2017, KrebsOnSecurity published the results of a four-month investigation into Mirai which named both Jha and White as the likely co-authors of the malware.  Eleven months later, the U.S. Justice Department announced guilty pleas by Jha, White and Norman.

Prior to Tuesday’s sentencing, the Justice Department issued a sentencing memorandum that recommended lenient punishments for the three men. FBI investigators argued the defendants deserved light sentences because they had provided the government “extraordinary cooperation” in identifying other cybercriminals engaged in related activity and helping to thwart massive cyberattacks on several companies.

The government said Jha was especially helpful, devoting hundreds of hours of work in helping investigators. According to the sentencing memo, Jha has since landed a paying job at at a Silicon Valley technology firm, although the government declined to name his employer.

However, Jha is not quite out of the woods yet: He has also admitted to using Mirai to launch a series of punishing cyberattacks against Rutgers University, where he was enrolled as a computer science student at the time. Jha is slated to be sentenced next week in New Jersey for those crimes.

The Mirai case was prosecuted out of Alaska because the lead FBI agent in the investigation, 36-year-old Special Agent Elliott Peterson, is stationed there. Peterson was able to secure jurisdiction for the case after finding multiple DVRs in Alaska infected with Mirai. Last week, Peterson traveled to Washington, D.C. to accept the FBI’s Director Award — one of the bureau’s highest honors — for his role in the Mirai investigation.

Government Payment Service Inc. — a company used by thousands of U.S. state and local governments to accept online payments for everything from traffic citations and licensing fees to bail payments and court-ordered fines — has leaked more than 14 million customer records dating back at least six years, including names, addresses, phone numbers and the last four digits of the payer’s credit card.

Indianapolis-based GovPayNet, doing business online as GovPayNow.com, serves approximately 2,300 government agencies in 35 states. GovPayNow.com displays an online receipt when citizens use it to settle state and local government fees and fines via the site. Until this past weekend it was possible to view millions of customer records simply by altering digits in the Web address displayed by each receipt.

On Friday, Sept. 14, KrebsOnSecurity alerted GovPayNet that its site was exposing at least 14 million customer receipts dating back to 2012. Two days later, the company said it had addressed “a potential issue.”

“GovPayNet has addressed a potential issue with our online system that allows users to access copies of their receipts, but did not adequately restrict access only to authorized recipients,” the company said in a statement provided to KrebsOnSecurity.

The statement continues:

“The company has no indication that any improperly accessed information was used to harm any customer, and receipts do not contain information that can be used to initiate a financial transaction. Additionally, most information in the receipts is a matter of public record that may be accessed through other means. Nonetheless, out of an abundance of caution and to maximize security for users, GovPayNet has updated this system to ensure that only authorized users will be able to view their individual receipts. We will continue to evaluate security and access to all systems and customer records.”

In January 2018, GovPayNet was acquired by Securus Technologies, a Carrollton, Texas- based company that provides telecommunications services to prisons and helps law enforcement personnel keep tabs on mobile devices used by former inmates.

Although its name may suggest otherwise, Securus does not have a great track record in securing data. In May 2018, the New York Times broke the news that Securus’ service for tracking the cell phones of convicted felons was being abused by law enforcement agencies to track the real-time location of mobile devices used by people who had only been suspected of committing a crime. The story observed that authorities could use the service to track the real-time location of nearly any mobile phone in North America.

Just weeks later, Motherboard reported that hackers had broken into Securus’ systems and stolen the online credentials for multiple law enforcement officials who used the company’s systems to track the location of suspects via their mobile phone number.

A story here on May 22 illustrated how Securus’ site appeared to allow anyone to reset the password of an authorized Securus user simply by guessing the answer to one of three pre-selected “security questions,” including “what is your pet name,” “what is your favorite color,” and “what town were you born in”. Much like GovPayNet, the Securus Web site seemed to have been erected sometime in the aughts and left to age ungracefully for years.

Data exposures like these are some of the most common but easily preventable forms of information leaks online. In this case, it was trivial to enumerate how many records were exposed because each record was sequential.

E-commerce sites can mitigate such leaks by using something other than easily-guessed or sequential record numbers, and/or encrypting unique portions of the URL displayed to customers upon payment.

Although fixing these information disclosure vulnerabilities is quite simple, it’s remarkable how many organizations that should know better don’t invest the resources needed to find and fix them. In August, KrebsOnSecurity disclosed a similar flaw at work across hundreds of small bank Web sites run by Fiserv, a major provider of technology services to financial institutions.

In July, identity theft protection service LifeLock fixed an information disclosure flaw that needlessly exposed the email address of millions of subscribers. And in April 2018, PaneraBread.com remedied a weakness that exposed millions of customer names, email and physical addresses, birthdays and partial credit card numbers.

Got a tip about a security vulnerability similar to those detailed above, or perhaps something more serious? Please drop me a note at krebsonsecurity @ gmail.com.

The four major U.S. wireless carriers today detailed a new initiative that may soon let Web sites eschew passwords and instead authenticate visitors by leveraging data elements unique to each customer’s phone and mobile subscriber account, such as location, customer reputation, and physical attributes of the device. Here’s a look at what’s coming, and the potential security and privacy trade-offs of trusting the carriers to handle online authentication on your behalf.

Tentatively dubbed “Project Verify” and still in the private beta testing phase, the new authentication initiative is being pitched as a way to give consumers both a more streamlined method of proving one’s identity when creating a new account at a given Web site, as well as replacing passwords and one-time codes for logging in to existing accounts at participating sites.

Here’s a promotional and explanatory video about Project Verify produced by the Mobile Authentication Task Force, whose members include AT&T, Sprint, T-Mobile and Verizon:

The mobile companies say Project Verify can improve online authentication because they alone have access to several unique signals and capabilities that can be used to validate each customer and their mobile device(s). This includes knowing the approximate real-time location of the customer; how long they have been a customer and used the device in question; and information about components inside the customer’s phone that are only accessible to the carriers themselves, such as cryptographic signatures tied to the device’s SIM card.

The Task Force currently is working on building its Project Verify app into the software that gets pre-loaded onto mobile devices sold by the four major carriers. The basic idea is that third-party Web sites could let the app (and, by extension, the user’s mobile provider) handle the process of authenticating the user’s identity, at which point the app would interactively log the user in without the need of a username and password.

In another example, participating sites could use Project Verify to supplement or replace existing authentication processes, such as two-factor methods that currently rely on sending the user a one-time passcode via SMS/text messages, which can be intercepted by cybercrooks.

The carriers also are pitching their offering as a way for consumers to pre-populate data fields on a Web site — such as name, address, credit card number and other information typically entered when someone wants to sign up for a new user account at a Web site or make purchases online.

Johannes Jaskolski, general manager for Mobile Authentication Task Force and assistant vice president of identity security at AT&T, said the group is betting that Project Verify will be attractive to online retailers partly because it can help them capture more sign-ups and sales from users who might otherwise balk at having to manually provide lots of data via a mobile device.

“We can be a primary authenticator where, just by authenticating to our app, you can then use that service,” Jaskolski said. “That can be on your mobile, but it could also be on another device. With subscriber consent, we can populate that information and make it much more effortless to sign up for or sign into services online. In other markets, we have found this type of approach reduced [customer] fall-out rates, so it can make third-party businesses more successful in capturing that.”

Jaskolski said customers who take advantage of Project Verify will be able to choose what types of data get shared between their wireless provider and a Web site on a per-site basis, or opt to share certain data elements across the board with sites that leverage the app for authentication and e-commerce.

“Many companies already rely on the mobile device today in their customer authentication flows, but what we’re saying is there’s going to be a better way to do this in a method that is intended from the start to serve authentication use cases,” Jaskolski said. “This is what everyone has been seeking from us already in co-opting other mobile features that were simply never designed for authentication.”

‘A DISMAL TRACK RECORD’

A key question about adoption of this fledgling initiative will be how much trust consumers place with the wireless companies, which have struggled mightily over the past several years to validate that their own customers are who they say they are.

All four major mobile providers currently are struggling to protect customers against scams designed to seize control over a target’s mobile phone number. In an increasingly common scenario, attackers impersonate the customer over the phone or in mobile retail stores in a bid to get the target’s number transferred to a device they control. When successful, these attacks — known as SIM swaps and mobile number port-out scams —  allow thieves to intercept one-time authentication codes sent to a customer’s mobile device via text message or automated phone-call.

Nicholas Weaver, a researcher at the International Computer Science Institute and lecturer at UC Berkeley, said this new solution could make mobile phones and their associated numbers even more of an attractive target for cyber thieves.

Weaver said after he became a victim of a SIM swapping attack a few years back, he was blown away when he learned how simple it was for thieves to impersonate him to his mobile provider.

“SIM swapping is very much in the news now, but it’s been a big problem for at least the last half-decade,” he said. “In my case, someone went into a Verizon store, took over the account, and added themselves as an authorized user under their name — not even under my name — and told the store he needed a replacement phone because his broke. It took me three days to regain control of the account in a way that the person wasn’t able to take it back away from me.”

Weaver said Project Verify could become an extremely useful way for Web sites to onboard new users. But he said he’s skeptical of the idea that the solution would be much of an improvement for multi-factor authentication on third-party Web sites.

“The carriers have a dismal track record of authenticating the user,” he said. “If the carriers were trustworthy, I think this would be unequivocally a good idea. The problem is I don’t trust the carriers.”

It probably doesn’t help that all of the carriers participating in this effort were recently caught selling the real-time location data of their customers’ mobile devices to a host of third-party companies that utterly failed to secure online access to that sensitive data.

On May 10, The New York Times broke the news that a cell phone location tracking company called Securus Technologies had been selling or giving away location data on customers of virtually any major mobile network provider to local police forces across the United States.

A few weeks after the NYT scoop, KrebsOnSecurity broke the story that LocationSmart — a wireless data aggregator — hosted a public demo page on its Web site that would let anyone look up the real-time location data on virtually any U.S. mobile subscriber.

In response, all of the major mobile companies said they had terminated location data sharing agreements with LocationSmart and several other companies that were buying the information. The carriers each insisted that they only shared this data with customer consent, although it soon emerged that the mobile giants were instead counting on these data aggregators to obtain customer consent before sharing this location data with third parties, a sort of transitive trust relationship that appears to have been completely flawed from the get-go.

AT&T’s Jaskolski said the mobile giants are planning to use their new solution to further protect customers against SIM swaps.

“We are planning to use this as an additional preventative control,” Jaskolski said. “For example, just because you swap in a new SIM, that doesn’t mean the mobile authentication profile we’ve created is ported as well. In this case, porting your sim won’t necessarily port your mobile authentication profile.”

Jaskolski emphasized that Project Verify would not seek to centralize subscriber data into some new giant cross-carrier database.

“We’re not going to be aggregating and centralizing this subscriber data, which will remain with each carrier separately,” he said. “And this is very much a pro-competition solution, because it will be portable by design and is not designed to keep a subscriber stuck to one specific carrier. More importantly, the user will be in control of whatever gets shared with third parties.”

My take? The carriers can make whatever claims they wish about the security and trustworthiness of this new offering, but it’s difficult to gauge the sincerity and accuracy of those claims until the program is broadly available for beta testing and use — which is currently slated for sometime in 2019.

As with most things related to cybersecurity and identity online, much will depend on the default settings the carriers decide to stitch into their apps, and more importantly the default settings of third-party Web site apps designed to interact with Project Verify.

Jaskolski said the coalition is hoping to kick off the program next year in collaboration with some major online e-commerce platforms that have expressed interest in the initiative, although he declined to talk specifics on that front. He added that the mobile providers are currently working through exactly what those defaults might look like, but also acknowledged that some of those platforms have expressed an interest in forcing users to opt-out of sharing specific subscriber data elements.

“Users will be able to see exactly what attributes will be shared, and they can say yes or no to those,” he said. “In some cases, the [third-party site] can say here are some things I absolutely need, and here are some things we’d like to have. Those are some of the things we’re working through now.”