Phone numbers are not secure

Stop using them for security purposes

Brett Weir, Jan 4, 2023

There are a lot of services that require you to provide a phone number as a condition of using the service.

This is really bad. This article discusses why that is and what you can do instead.

Calls can be spoofed

Did you know that when you make a call, you can choose whatever phone number you like? Caller ID spoofing has been widely available for decades. This means that when someone calls you, you have no way of knowing if they really are who they say they are. This is a problem, since many companies rely on phones as either the preferred or even the only way to communicate with customers.

STIR/SHAKEN now exists to combat caller ID spoofing, but let's take a look at the FCC Robocall Mitigation database (as of 2023-01-04):

Status                    Records   Percentage
Complete Implementation   2348      30%
Partial Implementation    1524      19%
No Implementation         2993      38%
N/A                       1039      13%
Total Records             7904

57% of providers do not fully implement STIR/SHAKEN. Widespread blocking cannot be enforced until most carriers implement it, so it sounds like it'll be a while.

In the meantime, you get to enjoy calls that look like they're coming from your grandma or bank or government agency, with little recourse. Even you (or anyone, really) can make spoof calls at home by setting up an Asterisk server. Yikes!

Texts can be spoofed

STIR/SHAKEN does nothing to address SMS spoofing. Not only is text messaging unencrypted, but a sender can attach any metadata they like to the messages they send, such as who the message is from, and the recipient can't verify who it actually came from.

In fact, two minutes of searching yielded a tutorial on how to use Twilio SMS to send your own spoofed text messages.

Texts are not encrypted

Ahh! Because SMS traffic is unencrypted, it is highly susceptible to man-in-the-middle attacks. Attackers can intercept the unencrypted traffic to monitor and even alter messages before you receive them, and you have no way of knowing. This provides a great avenue for attackers to trick you into sharing personal information, which leads us to the next point.

Phone numbers can be stolen

One big, huge problem with phones is that SIM swap scams exist. With a few clever phone calls, an attacker can trick a service provider into porting a phone number that they don't legitimately own onto a new device. In doing so, the attacker can assume your identity and take over any accounts that use your phone number for account recovery or passwordless login.

Because so many services require phone numbers by default, quite a lot of services are vulnerable to this kind of attack.

Phone numbers are public

It is often fairly easy to discover a phone number associated with an individual. This is because many organizations require this information, and then immediately sell it to data brokers, or otherwise mishandle it.

Examples of high-profile data breaches or epic mishandling abound: Equifax, Facebook, T-Mobile, and so on.

But don't take my word for it: check out Have I Been Pwned's giant list of Pwned Websites.

Your users' phone numbers are out there and are probably associated with their names and addresses. Many social media networks, by default:

  • Require a phone number

  • Allow lookup of a user by phone number

  • Make profile info publicly available

  • Sell user data to third parties unless the user explicitly opts out

When users are required to provide phone numbers, attackers are provided a tool for looking up critical information needed to execute an attack.

Conclusion

As a service provider, you put all your users at risk by requiring them to provide a phone number. Use more secure forms of authentication such as the following, and integrate with services that support them:

  • Authenticator apps

  • Hardware tokens

  • Secure email providers

  • Single Sign-On

As a user, you should prefer and migrate to services that offer these things, and refuse to use services that require phone numbers wherever possible.

2FA Directory is a great site for discovering services that support alternative 2FA methods (though it is not always up to date).

