No matter what Americans do to protect their digital privacy, especially on our handheld devices, it’s impossible to keep up with new threats. Now, there’s a new risk to our privacy and security: Our cell phone numbers are being used increasingly by information brokers as the window to personal information that’s kept by nearly all corporations, financial institutions, and, yes, social media networks.
Among those sounding the alarm bell is private investigator and former Drug Enforcement Agency agent Thomas Martin, who recently wrote a blog post titled, “Your cell phone number is your new Social Security number.” Martin’s message was clear: We are way too lackadaisical about keeping our numbers private.
“If someone you had just met asked you for your social security number, you would likely not give it to them. What if the same person asked you for your cell phone number? My guess is that you would readily tell them the ten-digit number,” he writes.
Well, too many of us are likely to divulge our ten-digit number in a flash, as millions of us do in stores and online on a daily basis. Your cell phone number, unique to you, is the gateway to your identity. It provides an entrance to all the data contained on your phone, and can connect your other information to you – your email address, physical address—everything.
Phone number identity theft is a big problem. Last year, approximately 161,000 consumers had mobile phone accounts taken over, compared to 84,000 in 2015, according to Javelin Strategy & Research in Pleasanton, Calif.
Once Martin told me all this, I started to pay attention to how often I’m asked for my cell number, either in person or online. Amazon does. Netflix, too. My bank. My health insurance company. And just the other day, shoe retailer Johnston & Murphy demanded it when I was buying a $69 belt. I balked, and they let me buy the belt anyway—but when I went back to return it a few days later, the clerk said: “You can’t return it without providing your cell number.” I explained I didn’t want it in the company’s database, so she made up a number to type in, but not before smiling at me and saying with a scary smile: “We want all the information about you we can get.”
Yes, I know. Of course, when I called the retailer in Nashville, Tenn., vice president of e-commerce Heather Marsh told me asking for a phone number is all about the consumer’s convenience. It makes shopping faster because it’s “easier to get [access] to your records” if you’ve made a purchase there before. Marsh promised me it’s not used for marketing—but that’s only one leg of this two-legged monster. Once in the database, your phone number becomes another piece of personally identifying data. But unlike our Social Security numbers, “this number is not regulated, and no companies are mandated to keep it private,” Martin explained.
Our mobile phone numbers are a “tasty target” for attackers these days, says JD Sherry, chief revenue officer at cyber security company Remediant. Most Americans have gotten wise to phishing as an entry point to email breaches, but Sherry is eager to discuss an emerging trend called SMiShing (pronounced “smishing”). “This is the act of sending a text message containing questionable links to websites that might not be in your best interest to visit,” he said.
“The bad guys,” as Sherry calls the hacker class, want to steal your credentials or install malicious software so, for instance, they can log into your banking site as you. Then, we all know what can be done: Monies transferred. Checks written. Stocks sold.
Even seemingly innocuous requests like the one from the Johnston & Murphy sales clerk can open a Pandora’s box. While Marsh said the company doesn’t use the data for marketing, the fact that they now have it means it could be hacked. “Customer phone numbers have been stolen in a large variety of data breaches including those of Anthem, Citigroup, JPMorgan Chase, Walgreens, and Yahoo,” Eric Vanderburg, director of information systems and security at Jurinnov Ltd., explained. All true.
What you can do:
- Use common sense: If you’re asked for your phone number, ask why. In general, don’t give it out to people you don’t know see if you can leave it blank on online forms—even if that means it may take a few seconds more to identify you the next time you make a purchase.
- Get a virtual phone number: This is similar to a virtual credit card number, where you have what’s essentially a fake number as your public number. Here’s where you can get one from Google Voice. https://voice.google.com
- Enable two-factor or multi-factor authentication on all your devices: This is what happens every time you go to an ATM: to make a withdrawal you need both your debit card and a PIN number. That’s two-factor authentication, which amps up the level of security on your devices.
- Sign up for the “do not call” lists, which are helpful for run-of-the-mill solicitations. JD Sherry warned me, however that “hackers don’t subscribe to such lists.” Well, at least you won’t get as many pesky marketing calls.
- Get more than one cell phone: Former DEA agent Tom Martin has three, but he only gives out the number to the phone that contains no data or links to personal information.
- Choose which private data you are willing to share: When asked for your cell number, especially at a retailer, you may be able provide an email address, zip code or just your name as a way to identify you. It’s worth asking about.
Of course, all of this takes more time and effort and raises the larger question: How much privacy and security are we willing to trade away for a little more convenience? That’s up to each of us to decide.