I shared my phone number. I learned I shouldn’t have.
For most of our lives, we have been conditioned to share a piece of personal information without a moment’s hesitation: our phone number.
We punch in our digits at the grocery store to get amember discount or at the pharmacy to pick up medication. When we sign up to use apps and websites, they often ask for our phone number to verify our identity.
This column will encourage a new exercise. Before you hand over your number, ask yourself: Is it worth the risk?
This question is crucial now that our primary phone numbers have shifted from landlines to mobile devices, our most intimate tools, which often live with us around the clock. Ourmobile phone numbers have become permanently attached to us because we rarely change them, porting them from job to job and place to place.
At the same time, the string of digits has increasingly become connected to apps and online services that are hooked into our personal lives. And it can lead to information from our offline worlds, including where we live and more.
In fact, your phone number may have now become an even stronger identifier than your full name. I recently found this out firsthand when I asked Fyde, a mobile security firm in Palo Alto, Calif., to usemy digits to demonstrate the potential risks of sharing a phone number.
Emre Tezisci, a security researcher at Fyde with a background in telecommunications, took on the task with gusto. He and I had never met or talked. He quickly pluggedmy cellphone number into a public records directory. Soon, he had a full dossier on me.
From there, it could have easily gotten worse. Tezisci could have used that information to try to answer security questions to break intomy online accounts. Or he could have targetedmy family andme with sophisticated phishing attacks. He and the other researchers at Fyde opted not to do so since such attacks are illegal.
“If you want to give out your number, you are taking additional risk that you might not be aware of,” said Sinan Eren, chief executive of Fyde. “Because of collisions in names due to the massive number of people online today, a phone number is a stronger identifier.”
There is no simple solution to this. In some situations, giving your digits to institutions like your bank provides an extra layer of security. But inmost cases, the potential dangers and annoyances of handing out your number outweigh the benefits, as you will read below.
HOWYOUR PHONE NUMBER EXPOSES YOU
It took only an hour formy cellphone number to exposemy life.
All that Tezisci, the researcher, had to do was plugmy number into White Pages Premium, an online database that charges $5 a month for access to public records. He then did a thorough web search and followed a data trail — linkingmy name and address to information in other online background-checking tools and public records — to track down more details.
In an hour, this is what came up:
My current home address, its square footage, the cost of the property and the taxes I pay on it.
My past addresses fromthe last decade.
The full names ofmymother, father, sister and aunt.
My past phone numbers, including the landline formy parents’ home.
Information about a property I previously owned, including its square footage and the mortgage taken out on it.
While Fyde declined to hack intomy accounts using the obtained information andmy number, the company warned that there was plenty an attacker could do:
A hacker could try to reset my password for an online account by answering security questions like “What is your mother’s maiden name?” or “Which of the previous addresses did you live at?”
An attacker could use the personal information linked to my phone number to trick a customer service representative formy phone carrier into porting my number onto a new SIM card, thus hijackingmy digits — a practice called SIM swapping.
A hijacker with control ofmy phone number could then break intomy accounts if I had mechanisms in place to receive a security code in a text message when logging in to an online account.
A scammer could also target my phone number with phishing texts and robocalls.
An intruder could use knowledge ofmy phone number to call my voicemail inbox and try to crack the personal identification number to listen tomy messages.
WHEN IT’S WISE TO SHARE YOUR NUMBER (AND WHEN IT’S NOT)
There are some situations when sharing your phone number is reasonable.
When you enter your username and password to get into your online banking account, the bankmay call or text you with a temporary code that youmust enter before you can log in. This is a security mechanismknown as two-factor verification. In this situation, your phone number is a useful extra factor to prove you are who you say you are.
Plenty of tech companies let you use your phone number to protect your accounts fromunauthorized access. But even some legitimate brands like Facebook have been scrutinized for improper use of phone numbers.
But when large companies like Facebook abuse your digits, whomdo you trust?
Unfortunately, it all involves work.
That includes first asking yourself whether the benefits of giving out your phone number outweigh the potential risks.
Youmight also want to set up a second phone number to cloak your personal digits altogether. You could share this second phone number with people and brands you don’t entirely trust. Apps like Google Voice and Burner let you create a different number that you can use for calls and texts.
As for two-factor authentication, most tech companies offer other verification options. They include apps that generate temporary security codes or a physical security key that can be plugged in. Generally, those are safer to use than a phone number.