Published on 00/00/0000
Last updated on 00/00/0000
Published on 00/00/0000
Last updated on 00/00/0000
Share
Share
INSIGHTS
7 min read
Share
Update: Oct. 12, 2023
I originally wrote in this post that we need a standardized way for applications on the Internet to find out when the previous user of a given phone number has stopped using it. I have since learned* that the U.S. Federal Communications Commission (FCC) created the Reassigned Numbers Database, which is helping to address that problem. I've updated this post to reflect that.
Phone numbers are fascinating. Yeah, I said it. Seriously—what if I told you that the least interesting thing about phone numbers is that they make our phone system work? Years from now, when our phone system (voice calls and even SMS) becomes totally obsolete, I predict we’ll still rely on phone numbers in one way or another.
Here's why I think those strings of digits are a lot cooler than they get credit for, and how I think we should use them in the future.
You know a phone number when you see one. If you find a string of digits written on a bathroom wall, you know what it is, why it’s there, and what to do with it. Phone numbers are pretty short, too, when you think about it—short enough that we can easily share them with each other and remember them, relative to spelling out a name or remembering an email address.
Your phone number is a universal identifier. Phone numbers are international, and no one else in the world can have your number but you. When traveling from country to country, where one language is made of completely different characters than the next, numbers are often easiest to work with. We can take this method of communication—this least common denominator of getting ahold of one another—anywhere in the world.
We use numbers to log in to social and messaging apps, and this is a big reason why I believe they’re here for the long haul. WhatsApp is the most popular messaging app in the world with more than 2 billion active users, and like those coming in just behind it (Facebook Messenger, WeChat, and Viber), all you need is a phone number to get started. (Source: Statista)
While security could improve with phone number authentication, using phone numbers as unique identifiers tends to be more secure than using email addresses, which is why I predict we’ll keep using them as login credentials.
We’ve established an etiquette around phone numbers. You know when to keep a number private and when to share it. For example, if you call someone at work and they’re not in, it’s not reasonable to expect the workplace to give out that person’s private number. We have trained one another how to use phone numbers properly. And if you abuse a phone number, expect to be blocked.
While we have country and area codes, those mean less and less nowadays. In fact, they often only indicate where you were living back when you first got a cell phone. We can move our number from business to business, from one side of the country to the other, and from one carrier to the next. Sure, there is a lot of fine print on what you can and can’t move, but all in all, the numbers we use the most are portable.
But do you actually own your number? Cellular network carriers would like to argue that you don’t. More on that below.
You probably have a personal address book in your phone, which is how you map a phone number you have to the name you call the person who uses it. For example, when I call someone, the phone number is matched to however they know me — Cullen, Cullen Jennings, Dad, you get the idea. There are multiple Cullen Jennings in the world, but let's say I am the only Cullen Jennings in your address book. When I call you, my phone number is then mapped to a human readable name that you chose for me in your phone. A different Cullen Jennings can’t impersonate me when they call you (unless they happen to steal my phone number).
We need a better collective response to this than what we have today. My daughter got a new phone number recently, and the person who used to have that number had their banking information attached to it. My daughter couldn’t attach her new number to her bank until the other person unattached theirs. It was a months-long hassle, and the whole time the previous user’s banking info was available to the wrong person.
Say you use your number to login to WhatsApp or Twitter, then you change numbers. There should be a simple way to disconnect that phone number from that app along with any others.
There is a way to identify if a phone number in the U.S. has moved from one user to the next, and that's with the FCC's Reassigned Numbers Database (RND). This helps businesses refrain from contacting someone who hasn't given permission to be contacted because they're using someone else's old number.
With more than 300 million users in the database, the RND is a great start. While it doesn't have every phone number in the world (and is only limited to the States) and seems to be geared towards businesses not end-users, it's setting a model for solving this problem.
How do I know it’s really you on the other end of that text? We need an optimal method for identity verification with phone numbers. Yes, we often use SMS to prove you possess your own phone, but this method is far from ironclad. We can and should come up with better security that can withstand SIM-jacking and other attacks. (Phone numbers are still one of the more secure channels, which is why we keep using them. It could just be better.)
Today, our best solution for authenticating phone numbers with phone calls is STIR/SHAKEN, which is designed to protect against caller-ID spoofing. STIR/SHAKEN is a suite of protocols and procedures based on the RFC 8224 standard by a group of us with the Internet Engineering Task Force.
I started working on this project many years ago, trying to improve the trust we have in phone numbers. If we know who is using a phone number, that builds up the reputation system we have around phone numbers. We can then use that reputation system to stop bad actors from using telephone numbers for scams. Today, STIR/SHAKEN a required protocol by multiple regulators including the Federal Communications Commission and the Canadian Radio-television and Telecommunications Commission.
Do you actually own your phone number? The mobile service providers of the world would say you didn’t — that they own your digits instead. But from a regulatory point of view, I think the government should move to allowing people and businesses to control their own numbers entirely. To some extent, this is allowed in many countries today for some types of numbers, but it would be much better to be very explicit that numbers are for the benefit of, and under the control of, the end users.
Despite these challenges, phone numbers aren’t going anywhere. I believe these familiar, unique, international identifiers will be around for years to come.
*Thanks to Nicholas Degani, principal at Reticulated Strategies and former counsel at the FCC, for pointing this out to me.
Get emerging insights on emerging technology straight to your inbox.
Discover why security teams rely on Panoptica's graph-based technology to navigate and prioritize risks across multi-cloud landscapes, enhancing accuracy and resilience in safeguarding diverse ecosystems.
The Shift is Outshift’s exclusive newsletter.
Get the latest news and updates on cloud native modern applications, application security, generative AI, quantum computing, and other groundbreaking innovations shaping the future of technology.