What can someone do with your phone number?
December 17, 2019 / Alex LintonPrivate messaging, Security
The dangers of phone numbers in the digital age
Have you thought about how closely your phone number is tied to your identity these days? We use our numbers to swap contact details, talk and text, and confirm and authenticate who we are online. Consider how many apps you have that now require you to ‘level up’ your security using SMS-based two-factor authentication.
Here’s the issue: phone numbers were originally designed as identifiers for telephone networks, not for broader digital use. Yet, many aspects of our digital lives now rely on them. While this offers convenience and simplicity—and supposedly security—there are significant risks to consider before linking your phone number to your online identity.
SMS security issues
Security problems with 2-factor authentication
When you make an account using your phone number, or add your number to set up two-factor authentication, you get a text with a verification code. We all know the drill: Punch in your mobile number, wait a few seconds, type in the six-digit authentication code and away you go.
But did you know that the system which delivers those codes is shockingly insecure?
SMS (text) messages are part of the GSM telecommunications standard. GSM was first deployed in the early 1990s, making it over twenty years old! This venerable communications standard has held up surprisingly well, considering how quickly standards and protocols become obsolete in the fast-moving world of technology.
However, GSM has some serious security vulnerabilities that affect the security of SMS.
GSM data traffic between a mobile phone and a service provider is encrypted using the A5/1 and A5/2 stream cipher encryption algorithms, and the A5/3 block cipher encryption algorithm.
Stream ciphers turn each character in a message into another random character, and the receiving device uses a special key to reverse this process.
Block ciphers do the same thing, but with whole blocks of information rather than one character at a time, which lets them use more complex encryption for each block of encrypted information.
This sounds great—except for the fact that A5/1 and A5/2 were developed in the late 1980s, and A5/3 was developed in the late 1990s. Since then, hackers have demonstrated a number of ways to break all three algorithms. The much less secure A5/2 has since been retired, but A5/1 and A5/3 are still vulnerable to a number of attacks that make it possible for people to intercept and read SMS messages before they reach your phone.
What does this mean for you?
All of your accounts using SMS-based two-factor authentication rely on a decades-old communication protocol, secured by outdated insecure encryption methods. These twenty- and thirty-year-old systems are meant to protect your personal information, but they no longer offer adequate security. Simply put: that’s not good enough anymore.
SIM swapping
So, what even is SIM swapping?
While SMS may seem secure, gaining access to your text messages often doesn't require advanced hacking skills. Attackers can easily bypass security by exploiting the weakest link—human error. Sometimes, all it takes is knowing who to call.
Even the most secure password is useless if someone can convince you—or your phone provider—to give it up. Hackers often use social engineering to impersonate you and convince companies to hand over access to your accounts. Once they do, the attacker gains full control, as they are now ‘you’. This tactic, known as social engineering, is a go-to tool in any hacker’s toolkit.
Social engineering is used in a range of scenarios, from harmless pranks to serious scams. Infamous security researcher Kevin Mitnick once used it to get free bus rides in Los Angeles at just 12 years old. In a more dangerous case, the Badir brothers ran a six-year-long phone scam that earned them over US$2 million by pretending to be operators at a fake long-distance phone company.
How easy is it to hijack a phone number using social engineering? Surprisingly easy. This method, known as a SIM swap attack, exploits vulnerabilities in mobile phone security.
Here’s how it works.
First, a malicious actor puts a blank SIM card into a burner phone.
They call up your mobile service provider and trick them into thinking they are you, through a combination of lies and manipulation — social engineering.
Your mobile service provider then transfers your mobile number to the attacker’s blank SIM. Now, all your texts and calls — including 2-factor authentication codes — are sent straight to the attacker’s phone. Instant access to your emails, bank accounts, cloud data and even your playlists!
Mobile service providers already have protocols in place to make it quick and easy to transfer a number from one SIM to another. These transfer systems exist so that if you lose your phone (or your SIM), you can quickly get back up and running using a new SIM.
Cell phone provider number recycling
The accidental hack
SIM swapping is a huge security issue. With a single phone call, your number can end up in someone else’s hands. But sometimes phone numbers change hands without anyone doing anything malicious at all. Have you ever received a text message from someone thinking you were someone else? It’s likely they’ve fallen victim to phone number ‘recycling’.
Phone providers regularly terminate inactive mobile phone numbers, putting those numbers back into the pool of numbers that can be given to new accounts. Sometimes, this recycling deadline can be as short as 90 days. This means if you don’t pay your phone bill or show activity on the account within 90 days, the provider could recycle your number and hand it over to a new customer.
Number recycling can lead to some awkward situations: anybody trying to contact you on that number will end up texting a stranger. But even worse, if your number’s new owner tries to use the number to create an account with an app or website that you’ve already linked the number to, the new owner could end up getting access to your existing account—your private information could be compromised completely by accident!
Cell phone provider lookup: Doxxing
What is Doxxing?
So, we know SMS is old, insecure, vulnerable, and even hackable by accident. But it gets worse. There’s a very real danger to linking your online life to your phone number: phone numbers (in most countries, at least) are a concrete link between your online personas and your real-world identity.
If you’re using a service that relies on phone numbers as usernames or logins, you have to give people your phone number in order for them to contact you through that service. This means that people you add on these services can call you and text you. Worse, they can even use your phone number to figure out your real name and address through a form of Internet stalking known as doxxing.
‘Doxxing’ is a catch-all term for a wide range of approaches and attacks, but they all have one thing in common: the goal of doxxing is to identify real-life information about you, which can then be used for other nefarious purposes like scamming or even real-life stalking.
Doxxing can be incredibly easy—so easy that anyone, not just malicious hackers, can do it. By using your phone number, people can take advantage of reverse phone lookup services to find your real name and physical address. Even a basic Google search of your phone number can reveal your social media profiles, photos, posts, and more. With just your phone number, others can access a vast amount of personal information.
The situation worsens when attackers combine this with social engineering. After discovering your social media profiles through your phone number, they can create fake accounts to manipulate your friends and gather more information about you.
Once you link your phone number to any online account, service, or app, your real identity is permanently tied to it, posing serious risks to your online privacy and security.
Keep your phone number safe: What can you do?
Your number’s number is up
In short, don’t use anything that forces you to give up or use your phone number as an identifier. That’s not easy when most apps require you to. Most.
Phone numbers are outdated and insecure. Using a phone number to secure your online life gives malicious actors a dozen different doors into your digital identity. And thanks to number recycling, someone else could get access to your accounts totally by accident!
It’s time for us to find better ways to keep our digital lives secure. Mobile two-factor authentication apps like Authy and LastPass Authenticator are a step in the right direction, but even then, if someone gets ahold of the device holding your authenticator app, you could be in trouble.
Phew, that’s a lot! A better solution is to keep your online accounts completely separate from your real identity—no linking your phone number when you can! Apps like Session don’t require phone numbers at all.
Staying away from phone-number-required apps and services will help you keep your online and mobile life truly secure, with less chance of anyone invading your privacy through hacking, SIM swapping, number recycling or doxxing.
For more updates, insights, and the latest on privacy and security, follow Session on Twitter. Stay informed and join the conversation!
How to stay safe on Session
December 18, 2024 / Session
The Privacy Risks of Digital IDs: What You Need to Know
November 26, 2024 / Session
Session User Survey: What Drives You to Join Online Communities?
October 21, 2024 / Wesley Sukh
Celebrating Global Encryption Day
October 20, 2024 / Session
Introducing the Session Technology Foundation
October 15, 2024 / Session
Groups v2: a better way to connect with friends and family on Session
October 09, 2024 / Cameron Lee