Security as a service?

« View all Writing

Recently I’ve stopped giving out my phone number online. I’m sure anyone with the slightest interest in online security would be horror-struck that I’d so easily give away a crucial piece of my identity, but in the past I’ve handed it over, dozens of times, and thought nothing of it.

A smart phone is a main point of entry to our digital identity, with people spending a lot of time accessing their social accounts, email, banking in the palm of our hand, our phone number is a precious, personal bit of data. Drug dealers might ditch and burn their phone every few days, but I’ve had the same number since I was 18. My phone number is as personal to me as my home address, and I’d certainly think twice before giving that out just because someone asked.

Two factor authentication fail

In a more direct security concern, giving out my phone number willy-nilly undermines two factor authentication, where new logins to certain online services require a code to be texted to my phone alongside a password. True it’s not like having my phone number means you can instantly access my Facebook, but it isn’t making it anymore secure.

One Password may be the ultimate service to keep you digital presence smartly secure, but the next year or so will see Touch ID and all manner of other biometric and token based systems moving into mainstream use. In Kenya mobile payments using your phone number is already the norm in a country where few people have a bank account but everyone has a mobile. If your payments are going to be tied to my phone number that’s an even better reason to keep that information private.

Who you gonna call?

Why does everyone even want my phone number in the first place? Almost every time I buy something online there’s a mandatory field labelled ‘phone number’ that I have to fill in to complete my order. Why does Next or Oxfam or the Early Learning Centre (it was a Christmas present) need to ring me? You could make the argument that it’d be handy for them to ring me if I’m expecting a delivery, but then that means they’ve handed my number to their delivery contractor and I don’t remember giving my permission for them to share my information around. It’d probably buried in those ‘please read the Terms & Conditions’ pages that no-one has ever, ever read.

And somewhere along the line someone has shared, or sold, or otherwise given away, my phone number to the kind of people who spam us all with automated PPI phone calls and the like. It’s almost worth having more than one phone number, one just for spam purposes, like I have multiple email addresses. Maybe those shady drug-dealer types are on to something…