Your Cell Phone and Your Identity: Keeping Your PII Safe
Have you considered how often your phone number has been shared? Most of us give out our cell phone numbers all the time – to friends, acquaintances, colleagues, and even big, monolithic, impersonal companies. We may even print them on business cards or list them on public forums.
A cell phone is no longer just a way to contact someone to engage in conversation. It is now the quickest way to reach a large portion of the world’s population, and it is used for much more than voice conversations. Think about all the uses of a typical smartphone:
- Text and other instant messaging,
- Social media,
- Photo and video creation and storage,
- Location services,
- Games, and
- Many other modern conveniences.
These devices have ingrained themselves into our culture, seemingly anatomically connected to the human hand. For many people, checking their screen time statistics is a sobering experience. Some have even contemplated ways to break up with their phone.
Mobile Devices and Personally Identifiable Information (PII)
It is true that the phone has made our lives easier, but it has also raised our vulnerability to cybercrime. When we consider the information that we can learn from a phone number, it is easy to accept that a phone number has been classified among the other data that comprises Personally Identifiable Information (PII). This makes a phone number a target for bad actors.
One way that we make ourselves vulnerable is by listing an item for sale or requesting to buy an item from an online marketplace. Oftentimes, respondents will request your cell phone number so you can communicate further about the item. At first, this seems innocent enough; using the selling site’s messaging program can be a bit cumbersome. However, in some cases, once you respond with your number, you will never hear from the interested party again because that is all they were after. Since the criminal now has a verified phone number, they can use it to do everything from spoofing calls and texts to more sinister crimes such as account takeover attempts. The number can also be added to a list that is then sold to other cybercriminals.
Cell phone numbers and email addresses have become the fundamental forms of ID for the online world. Even though its use for authentication has been deprecated due to weaknesses in the SS7 routing protocol, the phone number is still the primary method for two-factor authentication (2FA) for everything, including your IoT thermostat, work VPN, work applications, and even your banking site. At one time, Twitter also required the use of a phone number for its 2FA mechanism, and its eventual removal of that requirement was celebrated within the security community.
Most sites support 2FA in its many forms, and you can check a particular site at 2fa.directory. The directory not only shows the site’s 2FA status but also includes a link to each specific site’s 2FA setup instructions.
There is very little protection in place for your phone number, so an attacker can initiate a “SIM swap” to impersonate your phone. The attacker can then intercept any two-factor authentication codes and password reset links, possibly allowing them to gain access to your online accounts.
Protecting Yourself and Your Information
Phone-based attacks are not new, but they have become much more prevalent. These attempts can impact you at a personal or business level if your phone receives texts to validate your identity.
Some suggestions to protect yourself include:
- If you have the option, do not use text messaging as a 2FA method. Use a 2FA app such as Duo or Google Authenticator as your 2FA choice.
- If you cannot use an authentication application, consider getting a separate phone number that you only use for authentication purposes. Many phones will accept multiple SIMs, allowing you to have two numbers mapped to your phone.
- Set up a Google Voice number for your 2FA notifications. This will mask your true phone number.
- Most cell providers offer the ability to “lock” your number by adding a PIN code to your account. Once a lock is set up for a number, that number cannot be transferred or “ported” to another line or carrier unless the PIN is provided.
Unless absolutely necessary, do not use your real phone number when filling in online forms. Use the “Hollywood” version of a number, that is, one that begins with 555. This is the way the television and movie industry does it so that the owner of the phone number is not harassed by curious callers.
Your phone communicates in so many different ways, and offers so much information in such a small package, that it is no wonder it is susceptible to attack. Protect your cell phone number as you would any other piece of PII, as it is tied to your overall identity more than you might realize.