This week I read a worried headline claiming that, in a recent consumer data breach, the hackers had managed to access consumers’ telephone numbers. This was treated as an important and troubling revelation.
I am, admittedly, an old person – a digital visitor. Unlike digital natives I did not emerge from the womb into a world where the internet existed and everyone carried in their pockets a small, powerful computer connected to the world. I embrace the hyper-connected world, but it can still feel strange to me.
However, for a significant portion of my life, nearly all people who had telephones listed their phone numbers in public directories so that everyone could find them. Except for a particularly careful or secretive few, the phone number was public information. The idea that much of anyone would be concerned that their phone number could be associated with their names was silly.
If someone wanted to talk to you, they just needed to look you up in the local directory, or call the phone company – there was only one phone company – and ask for your number. How else would Aunt Emmy or your school study partner find you? You wanted the number to be public.
This dynamic has not completely disappeared, especially in the business world. Service providers often list their cell numbers along with office phones, if they have a separate landline in the office, for clients to reach them. But for many people, their phone numbers are private information and they would be distressed to learn that hackers had gained access to those numbers. Beyond core privacy issues, should we be concerned if our cell numbers are obtained by hackers?
There are practical security reasons that we should want our phone numbers to remain private. The Vice article reporting on phone number exposure in the recent Robinhood hack observed, “Phone numbers are particularly valuable to hackers because services often use SMS for multi-factor authentication. If a hacker can take control of a victim’s number they may be able to reroute login verification codes to themselves. Or, armed with a phone number, a hacker can send phishing messages or calls to the target to try and obtain their verification codes. Earlier this month, Motherboard reported on the booming underground trade of bots that streamline the process of social engineering targets via automated phone calls.” More is at stake than simply avoiding spam calls or our disfavored relatives.
More is at stake than simply avoiding spam calls or our disfavored relatives.
One of the obvious security risks is providing malicious actors with access to your phone, which is much more likely if the hacker holds your phone number. With the application of advanced spyware, hackers can send you a text with a hyperlink in it. Like other forms of phishing attacks, clicking on the link could allow the hacker to take control of your phone, compromising its data, but could also let the hacker turn on applications like your phone’s microphone to hear your phone-adjacent conversations, or even permit the hacker to send out texts directly from your phone.
On a less intrusive but similarly upsetting path, control of your phone can lead to control of your social media accounts, which are often linked to your phone number. The malicious actor may pose as you on social media and monitor, and possibly wreck, your online relationships. Even abandoning your old phone number can lead to cyberattacks on your life. It may be advisable when changing numbers not to release your old number back to the phone companies, but using a number parking service that will hold that number for you at a reasonable cost. If you don’t do so, your old number goes back into circulation and possibly picked up by someone new after 45 days.
The most significant concern is likely online banking apps. People who access their bank accounts through mobile applications could be exposing those accounts to criminals if the phone is hacked. Many crypto traders use mobile apps to manage their digital wallets and accounts and could also be vulnerable to losing their coin to crypto transfers initiated from captured phones. Knowing your phone number can also help a criminal defeat the two-factor authentication required by a financial services company for account access.
An attack called “Sim-jacking” could allow a complete take-over of your phone number. This technique involves tricking the phone owner into releasing a code to the malicious actor, which allows the bad guy to take control of the number. So sim-jacking doesn’t require deep technical understanding, simply the skills of a con artist. According to the Guardian sim-jacking attacks have tripled in the UK since the start of the pandemic.
While we all should be aware of the risks, we also do not want to overstate them. People who know your street address can target you coming home from the store. People who know your email address can use that information against you as well. The simple exposure of a phone number does not indicate a likelihood of attack. Millions of phone numbers are available to potential criminals and nearly all of them will never gain a hacker’s attention.
It just helps to remember that the tiny computers we carry can create risk in our lives, and that knowledge of a phone number can lead to more problems than obnoxious commercial calls and texts.