August 25, 2018

WIRED quotes Jeremy Grant on the risk of having phone numbers serve as personal identifiers

2 min

On August 25, 2018, Jeremy Grant was quoted in WIRED in an article about how people’s phone numbers are actually one of the most valuable data points that hackers can take and do the most damage with after a data breach.

According to the article, over the years, the role of phone numbers has expanded from more than just a way to contact someone, but now companies are relying on smartphones to confirm or “authenticate” users, meaning that a single, often publicly available, piece of information is used both as your identity and as a means to verify that identity, which provides access to your entire online life.

"The bottom line is society needs identifiers," said Mr. Grant. "We just have to make sure that knowledge of an identifier can’t be used to somehow take over the authenticator. And a phone number is only an identifier; in most cases, it's public."

In addition, the use of phone numbers as both lock and key has led to the rise, in recent years, of so-called SIM swapping attacks, in which an attacker steals your phone number.

"The issue being exposed with SIM swaps is that if you control the phone number you can take over the authenticator," Grant said. "A lot of it gets to the same issue we run into with Social Security numbers, which is leveraging the same number as both an identifier and authenticator. If it’s not a secret, then you can’t use it as an authenticator."