Don’t give out your personal mobile telephone number by default

This week, the New York Times published a stellar piece by Brian Chen which spells out the problems that stem from giving out your mobile number when asked for a means of being contacted by phone:

For most of our lives, we have been conditioned to share a piece of personal information without a moment’s hesitation: our phone number. We punch in our digits at the grocery store to get a member discount or at the pharmacy to pick up medication. When we sign up to use apps and websites, they often ask for our phone number to verify our identity.

An increasing number of Americans don’t have landlines and have become accustomed to typing their mobile number into online forms or giving it out without a second thought to entities of all kinds. If you do that, though, you’re increasing your risk of becoming a victim of cybercrime.

In fact, your phone number may have now become an even stronger identifier than your full name. I recently found this out firsthand when I asked Fyde, a mobile security firm in Palo Alto, Calif., to use my digits to demonstrate the potential risks of sharing a phone number.

Emre Tezisci, a security researcher at Fyde with a background in telecommunications, took on the task with gusto. He and I had never met or talked. He quickly plugged my cellphone number into a public records directory. Soon, he had a full dossier on me — including my name and birth date, my address, the property taxes I pay and the names of members of my family.

The CEO of Fyde is quoted in the next paragraph explaining that phone numbers are actually more unique than names are.

Many people can be called “James Smith” or “Mary Jones”, for example, but only one of those people will have a phone number like 907-555-0100 (that’s a fake phone number, by the way). So if you give out your mobile number by default, you’re creating a strong link between your mobile number and your name, which can be exploited by bad actors.

What should you do instead?

First: Get a VOIP (Voice Over Internet Protocol) telephone number and give that out as your primary phone number instead.

Even when you’re asked for a mobile number on forms, give out your VOIP number instead. Only provide your mobile number to family, friends, and institutions you trust. For example, you’ll probably want your bank or credit union to have your mobile number, along with your parents, siblings, spouse, children, and close friends.

Reputable VOIP providers include Ooma, Grasshopper, and RingCentral. Ooma is primarily marketed towards residential users, while Grasshopper and RingCentral are marketed towards business users.

Note that Ooma doesn’t support text messaging. If you want a VOIP number with SMS support, don’t pick Ooma.

There are also app-based VOIP providers, like Shuffle. These provide the ability to create additional phone numbers (referred to variously as secondary phone numbers and auxiliary phone numbers).

All reputable VOIP services cost money, so there is a cost associated with setting up and maintaining a VOIP number. But it’s worth it. You’ll have a number you can give out that isn’t directly associated with the smartphone you’re carrying around and the SIM card inside it.

Second: Avoid using the Short Message Service (SMS) for two-factor authentication. Use an authenticator app instead (like Authy, available for both iOS and Android), or better yet, hardware-based authentication like a YubiKey if that’s supported. These methods are more secure than receiving a code by text message and typing it in.

Many platforms that require a telephone number to set up multi-factor authentication will accept a VOIP number (Google is a good example of a provider that accepts VOIP numbers), so you can provide that instead of your mobile number when you’re going through the initial setup.

Written by Andrew