Hidden threats of your phone number being exposed
This week I read a worried headline claiming that in a recent consumer data breach, hackers were successful in gaining access to consumers’ phone numbers. It was treated as an important and disturbing revelation.
I am, of course, a senior citizen – a digital visitor. Unlike the digital natives, I did not come out of the womb in a world where the Internet existed and where everyone had in their pocket a small powerful computer connected to the world. I embrace the hyper-connected world, but it can still seem strange to me.
However, for much of my life, almost everyone who had a phone listed their number in public directories so that anyone could find them. With the exception of a few particularly cautious or secretive people, the phone number was public information. The idea that anyone would fear their phone number being associated with their name was silly.
If anyone wanted to talk to you, they just had to look you up in the local directory or call the phone company – there was only one phone company – and ask for your number. How else would Aunt Emmy or your school partner find you? You wanted the number to be public.
This dynamic has not completely disappeared, especially in the business world. Service providers often list their cell numbers with office phones, if they have a separate landline in the office, so customers can reach them. But for many people, their phone numbers are private information and they would be distressed to learn that hackers have gained access to these numbers. Beyond the main privacy concerns, should we be concerned if our mobile numbers are obtained by hackers?
There are practical security reasons why we should wish our phone numbers to be kept private. The Vice article reporting on the exposure of phone numbers in the recent Robinhood hack observed, “Phone numbers are especially valuable to hackers because services often use SMS for multi-factor authentication. If a hacker can take control of a victim’s number, they may be able to redirect login verification codes to themselves. Or, armed with a phone number, a hacker can send phishing messages or calls to the target to try and get their verification codes. Earlier this month, Motherboard reported on the burgeoning underground trade of bots that streamline the process of social engineering targets via automated phone calls.” It’s not just about avoiding spam calls or our disadvantaged loved ones.
One obvious security risk is a malicious actor gaining access to your phone, which is much more likely if the hacker has your phone number. With the application of advanced spyware, hackers can send you a text containing a hyperlink. As with other forms of phishing, clicking on the link could allow the hacker to take control of your phone, compromising your data, but could also allow the hacker to activate applications like your phone’s microphone to hear conversations held near your phone, or even allow the hacker to send SMS messages directly from your phone.
On a less intrusive but equally overwhelming front, control over your phone can lead to control over your social media accounts, which are often linked to your phone number. The malicious actor can masquerade as you on social media and monitor or even destroy your online relationships. Even dropping your old phone number can expose you to cyberattacks. It may be advisable, when changing your number, not to return your old number to the telephone company, but to use a number parking service that will keep that number for you at a reasonable cost. If you don’t, your old number will be put back into circulation and possibly picked up by a new person after 45 days.
The most important concern is probably online banking applications. People who access their bank accounts through mobile apps could expose those accounts to criminals if the phone is hacked. Many crypto traders use mobile apps to manage their digital wallets and accounts and could also be vulnerable to losing their coins through crypto transfers initiated from captured phones. Knowing your phone number can also help a criminal defeat the two-factor authentication required by a financial services company to access the account.
An attack called “SIM-jacking” could allow an attacker to take complete control of your phone number. This technique consists of tricking the owner of the phone into communicating a code to the malicious actor, which allows the thief to take control of the number. So, SIM-jacking doesn’t require a deep technical understanding, just the skills of a crook. According to the Guardian, SIM-jacking attacks have tripled in the UK since the start of the pandemic.
While we should all be aware of the risks, we don’t want to exaggerate them either. People who know your mailing address can target you on their way back from the store. People who know your email address can also use that information against you. Mere exposure of a phone number does not indicate a likelihood of an attack. Millions of phone numbers are available to potential criminals and almost all of them will never get the attention of a hacker.
It’s just helpful to remember that the small computers we carry can create risk in our lives, and knowing a phone number can lead to more problems than obnoxious business calls and texts.
Copyright © 2021 Womble Bond Dickinson (US) LLP All rights reserved. National Law Review, Volume XI, Number 322