Stacheldraht Blog

Your Phone (Number) is not your Friend

I have worked in IT for 20+ years. I have messed with telcom systems before the iPhone was invented. Let me share my amazing knowledge with you! Episode 3.

No. This is not a post about super-hackers from China hacking into your smartphone. This is about phone calls, SMS, and just your plain old phone number.

Do you remember the last time you relocated to another region of your country, or simply got a new cellphone contract? Do you remember being able to transfer your phone number to the new region, or contract? Do you remember that the order for your home phone connection or SIM card, and the order to transfer the number, were 2 distinct requests?

Because most people order their phone number transfer when they also order a new contract, they believe that these two actions are tightly related - they are not. There is very little from stopping you to request a phone number transfer of my personal cellphone number to your SIM. Try it!

You probably have no interest in trying that, right? Because, even if I’m right, and my phone number is transferred to your SIM, people will find out, right? I will just call my carrier, and tell them something is wrong, they will figure this all out, and then they will call the police on you and put you in prison for the rest of your life, right?

Do you remember on how many websites your phone number is registered as means of Multi-Factor-Authentication, so that you can receive an SMS in addition to your login credentials?

I already hear you saying “Okay, fine, but they would still need my password.”. Do you remember on how many websites your phone number is registered as means to RECOVER your entire account if you lost both your password and MFA?

Even if you realize what’s happening, how long do you think it will take you to reach someone on the phone support line to revert something like this? Do you think they would even understand? How long do you think I need to have control of your phone number, so that I can recover access to your account and replace all your login options? It is measured in minutes.

But people first have to know your phone number to mess with you, right?

Is that the same phone number you gave away at the bar last week? Is that the same phone number you gave your dentist office, who put them into their “free patient relations cloud platform”? Is that the same phone number you have on your social media profile? The same one everybody in your WhatsApp contact list knows? Is that the same phone number you have in your email signature? You know, the one you send to EVERYONE through your auto-responder while you’re on vacation?

This is not theory. This is how attacks work today. Offensive actors do not transfer your phone number to their own cellphone; they have disposable SIMs.

Phone numbers that are involved in any form of authentication, must never be public. Have multiple numbers, or refuse to use a phone for authentication and recovery entirely.