Ever since we started carrying our phones around with us, our phone numbers have become more ingrained as part of our identity. Few people would dream of giving their number to a total stranger on the street. But while we’re protective of our numbers in the real world, many people will happily anchor their number to anything online, from social media and shopping to their bank account.
Using phone numbers as identity proof online has become commonplace. There are numerous major sites that request or require a phone number in order for users to gain access. Often, phone numbers can be used to quickly regain access to an account after forgetting your password. Here’s the trouble: It’s impossible for sites to verify who’s really at the other end of that phone number.
Imagine you need to change your number for whatever reason. If the person who gets your old number tries to activate an account on a site you also use, that website could prompt them to log into an account that already has that number — AKA your account. This is exactly what happens if you try to activate a preexisting phone number on Facebook. What’s worse, just by clicking “Recover my account” and entering the phone number, it’s possible to change an account password and log in over SMS. Instagram, PayPal, and Yahoo are also major sites with this known security flaw.
In a March 2019 interview with Krebs on Security, Allison Nixon, director of security research at Flashpoint, revealed she once accidentally hijacked another user’s bank account when trying to activate a new phone number she’d acquired.
It’s not just losing control of your phone number that can put your accounts in jeopardy. Through SIM-swapping attacks, fraudsters can steal information from your phone while the phone is still in your possession. The risk is greater still for anyone who uses their smartphone for business and has that number listed on their website.
Given how easy it is to gain access to someone else’s phone number, using phone numbers as proof of identity online is about as secure as requiring only a person’s name in order to access their sensitive information.