Session


Are phone numbers safe in the digital age?

Have you ever noticed how closely your phone number is tied to your identity these days? We use our numbers to swap contact details, talk and text, and confirm and authenticate who we are online. Consider how many apps you have that now require you to ‘level up’ your security using SMS-based two-factor authentication.

Here’s the problem: phone numbers were never meant to be anything more than user identifiers for the telephone network. Many aspects of our digital lives now hinge on our mobile phone numbers. We get plenty of benefits from this arrangement: convenience, simplicity, and — supposedly — security. But there are some crucial risks and dangers you need to be aware of before tying your phone number to your online identity.

Phone number security risk #1: SMS security issues

There’s a hole in my two-factor, dear Liza, dear Liza…

When you make an account using your phone number, or add your number to set up two-factor authentication, you get a text with a verification code. We all know the drill: Punch in your mobile number, wait a few seconds, type in the six-digit authentication code and away you go.

But did you know that the system which delivers those codes is shockingly insecure?

SMS (text) messages are part of the GSM telecommunications standard. GSM was first deployed in the early 1990s, making it almost twenty years old! This venerable communications standard has held up surprisingly well, considering how quickly standards and protocols become obsolete in the fast-moving world of technology.

However, GSM has some serious security vulnerabilities that affect the security of SMS.

GSM data traffic between a mobile phone and a service provider is encrypted using the A5/1 and A5/2 stream cipher encryption algorithms, and the A5/3 block cipher encryption algorithm. 

Stream ciphers scramble a message one character at a time, combining each character with a key-derived stream of random-looking data, and the receiving device uses the same key to reverse this process.

Block ciphers do the same thing, but with whole blocks of information rather than one character at a time, which lets them use more complex encryption for each block of encrypted information.

This sounds great — except for the fact that A5/1 and A5/2 were developed in the late 1980s, and A5/3 was developed in the late 1990s. Since then, hackers have demonstrated a number of ways to break all three algorithms. The much less secure A5/2 has since been retired, but A5/1 and A5/3 are still vulnerable to a number of attacks that make it possible for people to intercept and read SMS messages before they reach your phone.

So what does this mean for you?

All of your accounts that rely on SMS-based two-factor authentication are using a twenty-year-old communications protocol, secured by twenty- and thirty-year-old insecure encryption schemes, to keep people away from your personal information.

Yeah. We’re gonna say it. That’s not good enough anymore.

Phone number security risk #2: SIM swapping

Who ya gonna call?

So we know that SMS isn’t the most secure protocol in the world. So what? It still takes some serious technical knowledge and skill to hack into your text messages — right?

Not exactly.

Sometimes, hacking your account is as simple as knowing who to call.

The easiest way for someone to get access to your mobile number doesn’t involve firing up a command line and hacking like a madman. Instead, attackers exploit the weakest link in these security scenarios: people.

The most secure account password in the world is useless if someone can convince you — or the company your account is with — to give it up. People trying to gain access to your accounts can contact the account or service provider and convince the company that they’re you. The company then gives the attacker access to your account — they’re ‘you’, after all. This tactic, known as social engineering, is the first (and often the most reliable) tool in any hacker’s toolkit.

Social engineering can be used for all sorts of things, ranging from harmless to nefarious. Famous — and notorious — security researcher Kevin Mitnick used social engineering to get unlimited bus rides in Los Angeles by convincing a bus driver to tell him where he could get a punch card machine (used for validating bus tickets). Mitnick was just 12 years old at the time. In a less amusing case, the Badir brothers — three Israeli brothers who were blind from birth — set up a six-year-long phone scam ring that brought in more than US$2 million, all by convincing their victims that they were operators at a nonexistent long-distance phone company.

When it comes to mobile phones, it’s often much easier than you might expect to hijack a phone number using social engineering. This kind of hijacking is referred to as a SIM swap attack. Here’s how it works.

  1. First, a malicious actor puts a blank SIM card into a burner phone.
  2. They call up your mobile service provider and trick them into thinking they are you, through a combination of lies and manipulation — social engineering.
  3. Your mobile service provider then transfers your mobile number to the attacker’s blank SIM. Now, all your texts and calls — including two-factor authentication codes — are sent straight to the attacker’s phone. Instant access to your emails, bank accounts, cloud data and even your playlists!

Mobile service providers already have protocols in place to make it quick and easy to transfer a number from one SIM to another. These transfer systems exist so that if you lose your phone (or your SIM), you can quickly get back up and running using a new SIM.

Phone number security risk #3: Number recycling

The accidental hack

SIM swapping is a huge security issue — with a single phone call, your number can end up in someone else’s hands. But sometimes phone numbers change hands without anyone doing anything malicious at all. Have you ever received a text message from someone thinking you were someone else? It’s likely they’ve fallen victim to phone number ‘recycling’.

Phone providers regularly terminate inactive mobile phone numbers, putting those numbers back into the pool of numbers that can be given to new accounts. Sometimes, this recycling deadline can be as short as 90 days — meaning if you don’t pay your phone bill or show activity on the account within 90 days, the provider could recycle your number and hand it over to a new customer.

Number recycling can lead to some awkward situations: anybody trying to contact you on that number will end up texting a stranger. But even worse, if your number’s new owner tries to use the number to create an account with an app or website that you’ve already linked the number to, the new owner could end up getting access to your existing account — your private information could be compromised completely by accident!
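
For services that still accept SMS codes, the SIM swap and number recycling scenarios described above can both be narrowed on the server side by limiting what a correct code is allowed to unlock. The following Python is an added example, not code from Session or the original article; the `Account` record, the carrier-supplied `last_sim_change` signal and the decision names are hypothetical, and only the 90-day window comes from the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

# 90 days is the shortest recycling deadline the article cites.
RECYCLE_WINDOW = timedelta(days=90)

class Decision(Enum):
    CREATE_ACCOUNT = "no account holds this number: normal sign-up"
    ALLOW_LOGIN = "SMS code accepted for the existing account"
    STEP_UP = "SIM changed since last strong login: require another factor"
    DETACH_NUMBER = "number may be recycled: unbind it, do not open the old account"

@dataclass
class Account:                      # hypothetical record shape
    phone: str
    last_strong_auth: datetime      # last login proven by something other than SMS

def sms_code_decision(account: Optional[Account], now: datetime,
                      last_sim_change: Optional[datetime] = None) -> Decision:
    """Decide what a correct SMS code is allowed to unlock."""
    if account is None:
        return Decision.CREATE_ACCOUNT
    # SIM swap signal (assumed to come from the carrier; None = unavailable).
    if last_sim_change is not None and last_sim_change > account.last_strong_auth:
        return Decision.STEP_UP
    # No strong login for a full recycling window: the number may have a new owner.
    if now - account.last_strong_auth >= RECYCLE_WINDOW:
        return Decision.DETACH_NUMBER
    return Decision.ALLOW_LOGIN

def demo() -> dict:
    """Constructed scenarios; all dates and the phone number are made up."""
    now = datetime(2024, 6, 1)
    active = Account("+15550100", now - timedelta(days=3))
    dormant = Account("+15550100", now - timedelta(days=120))
    return {
        "new_number": sms_code_decision(None, now),
        "active_user": sms_code_decision(active, now),
        "sim_swapped": sms_code_decision(active, now, now - timedelta(hours=2)),
        "recycled": sms_code_decision(dormant, now),
    }

if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision.value}")
```

The key design choice is that the SMS code proves only current control of the number, so the existing account opens only when the owner has recently proven identity some other way.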

Phone number security risk #4: Doxxing

Get your doxx in a row

So, we know SMS is old, insecure, vulnerable, and even hackable by accident. But it gets worse. There’s a very simple, very real danger to linking your online life to your phone number: phone numbers (in most countries, at least) are a concrete link between your online personas and your real-world identity.

If you’re using a service that relies on phone numbers as usernames or logins, you have to give people your phone number in order for them to contact you through that service. This means that people you add on these services can call you and text you. Worse, they can even use your phone number to figure out your real name and address through a form of Internet stalking known as doxxing.

‘Doxxing’ is a catch-all term for a wide range of approaches and attacks, but they all have one thing in common: the goal of doxxing is to identify real-life information about you, which can then be used for other nefarious purposes like scamming or even real-life stalking. 

Doxxing can be incredibly easy — so easy that anyone, not just malicious hackers, can do it. Reverse phone number lookup services let someone type in your phone number and find your real name and physical address. Even just a simple Google search of your phone number can reveal social media profiles, pictures, posts and more — people can find treasure troves of information about you using only your phone number.

Things can get even worse if an attacker adds some social engineering into the mix. Once they’ve found your social media profiles, they can start targeting your friends, setting up fake accounts to contact them and find out more about you through lies and manipulation.

Once you use your phone number to identify yourself online, that account (or service, or app) is inextricably linked to your real identity — which can have serious implications for your online privacy.

So what can I do?

Your number’s number is up

In short, don’t use anything that forces you to give up or use your phone number as an identifier. Also, we get it – that’s not easy when most apps still do. Most.

Phone numbers are outdated and insecure. Using a phone number to secure your online life gives malicious actors a dozen different doors into your digital identity. And thanks to number recycling, someone else could get access to your accounts totally by accident!

It’s time for us to find better ways to keep our digital lives secure. Mobile two-factor authentication apps like Authy and LastPass Authenticator are a step in the right direction — but even then, if someone gets ahold of the device holding your authenticator app, you could be in trouble.

Phew, that’s a lot! A better solution is to keep your online accounts completely separate from your real identity — no linking your phone number when you can avoid it! Apps like Session skip over phone numbers entirely.

Staying away from phone-number-required apps and services will help you keep your online and mobile life truly secure — with less chance of anyone invading your privacy through hacking, SIM swapping, number recycling or doxxing.