Phone numbers for signing up are quite dangerous

Swami Gulagulaananda said:
"Reduce, reuse... I am not so sure about recycling phone numbers"

In the good ol' days, people created accounts on various platforms using email addresses. But as smartphones became ubiquitous and 'mobile first' became the norm, with new apps cropping up every other day, the sign-up process shifted: mobile numbers were introduced for registering new accounts.

Mobile numbers have a few advantages over email addresses. Creating an email address is cheap, and people can quickly create several without much hassle. Most people, however, have only one mobile number, and occasionally two. That makes abuse such as repeatedly claiming a first-time-user discount much harder with phone numbers than with throwaway email addresses (harder, not impossible, since numbers can still be obtained in bulk). Verification by OTP is also a lot faster than clicking a confirmation link in a sign-up email.

And so, signing up with a mobile number became the de facto standard. But what about platforms whose users had already registered with email addresses? They built hybrid systems: they started accepting mobile numbers as well and let customers sign in with either method. Paytm and Facebook are fine examples of this.

However, most of these companies have not taken one thing into account: people sometimes give up their phone numbers, carriers reissue those numbers to new subscribers after a period of inactivity, and the new holder then receives every OTP sent to them. This can create a lot of problems.

Today, one of my friends went into panic mode. Her Facebook profile had the picture of an unknown moustached man, and his name adorned her profile's name slot. She believed that her account had been hacked by some guy... The reality was that he was the new user of her old phone number, a number she had abandoned some time back. So the moustached man simply signed up/signed into his Facebook account using his phone number. Facebook simply looked up whether an account with that phone number already existed. Since it did, it happily gave him access to this account.

We were able to quickly boot him out. After using email recovery to sign in, we changed the password, removed all signed-in users, kicked him out a second time after he signed in again, and then disassociated the phone number to lock him out. While the profile picture was brought back, Facebook's policy of not allowing name changes for 60 days has made his name stick to her profile (a complaint has been registered).

However, this got me thinking about other places where we use phone numbers, especially the many app-based wallets like Paytm, Mobikwik, Tez and PhonePe. They use the mobile number not only to create the account but also to link it to the bank (UPI apps discover bank accounts through the mobile number registered with the bank). There, a recycled number puts money at stake rather than a profile picture. This is very dangerous.

Developers should make sure that the phone number is not the primary ID. Instead, create an internal account ID and treat the phone number as one sign-in method among several, verified when it is linked and re-verifiable later, so that disassociating the number does not delete the account, and so that an OTP sent to a number that was linked long ago does not on its own hand the account to whoever holds that number today. Facebook has done the first part; AWS Cognito does it by default (every user gets an immutable `sub` identifier, and the phone number can be configured as a sign-in alias rather than the username).
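The following is an added example, not code from the post and not Facebook's or Cognito's implementation. It models the recommendation above: a UUID primary key, the phone number as a re-assignable alias, and a disassociation step that keeps the account. It also puts the naive lookup that caused the takeover next to a hardened sign-in that refuses to unlock an account through a phone alias that has not been re-confirmed recently unless a second factor (the email channel) is presented. All names (`AccountStore`, `link_phone`, `PHONE_REVERIFY_WINDOW`), the 90-day window, the people and the phone number are constructed for the illustration.

```python
import uuid
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Assumed policy value: a phone alias not re-confirmed within this window may have
# been recycled by the carrier, so an OTP to it no longer unlocks the account alone.
PHONE_REVERIFY_WINDOW = timedelta(days=90)


@dataclass
class Account:
    account_id: str                                 # stable primary key, never the phone
    email: str                                      # independent recovery channel
    phone: Optional[str] = None                     # one sign-in alias among several
    phone_confirmed_at: Optional[datetime] = None   # when the holder last proved control


@dataclass
class AccountStore:
    by_id: Dict[str, Account] = field(default_factory=dict)
    by_phone: Dict[str, str] = field(default_factory=dict)   # alias -> account_id

    def create(self, email: str) -> Account:
        acct = Account(account_id=str(uuid.uuid4()), email=email)
        self.by_id[acct.account_id] = acct
        return acct

    def link_phone(self, account_id: str, phone: str, now: datetime) -> None:
        # One alias maps to one account. If the number already points at another
        # account, that binding is dropped (a real system would email that owner);
        # the other account itself is untouched.
        previous = self.by_phone.get(phone)
        if previous is not None and previous != account_id:
            self.unlink_phone(previous)
        acct = self.by_id[account_id]
        acct.phone, acct.phone_confirmed_at = phone, now
        self.by_phone[phone] = account_id

    def unlink_phone(self, account_id: str) -> None:
        # Disassociation removes the alias only; the account row survives.
        acct = self.by_id[account_id]
        if acct.phone is not None:
            self.by_phone.pop(acct.phone, None)
        acct.phone, acct.phone_confirmed_at = None, None


def naive_phone_login(store: AccountStore, phone: str, otp_ok: bool) -> Optional[Account]:
    """The failure mode in the post: passing an OTP sent to the number is treated
    as owning whatever account the number currently indexes."""
    if not otp_ok:
        return None
    account_id = store.by_phone.get(phone)
    return store.by_id[account_id] if account_id else None


def hardened_phone_login(store: AccountStore, phone: str, otp_ok: bool, now: datetime,
                         second_factor_ok: bool = False) -> Tuple[Optional[Account], str]:
    """An OTP proves control of the number today; only a recently confirmed binding
    or a second factor (email link, password) proves it is still the same person."""
    if not otp_ok:
        return None, "bad_otp"
    account_id = store.by_phone.get(phone)
    if account_id is None:
        return None, "no_account"      # caller may offer a *new* sign-up, never a hand-over
    acct = store.by_id[account_id]
    stale = now - acct.phone_confirmed_at > PHONE_REVERIFY_WINDOW
    if stale and not second_factor_ok:
        return None, "stale_alias_needs_second_factor"
    if stale:
        acct.phone_confirmed_at = now  # re-confirmed through the second factor
    return acct, "ok"


def demo() -> Dict[str, bool]:
    """Constructed scenario mirroring the post: Alice drops her number, the carrier
    reissues it to Bob, and Bob signs in with it."""
    number = "+919999900000"          # constructed, not a real subscriber
    t0 = datetime(2018, 1, 1, tzinfo=timezone.utc)
    store = AccountStore()
    alice = store.create("alice@example.com")
    store.link_phone(alice.account_id, number, t0)
    fresh, fresh_reason = hardened_phone_login(store, number, True, t0 + timedelta(days=1))
    later = t0 + timedelta(days=200)  # number lapsed and was reissued in the meantime
    hijacked = naive_phone_login(store, number, otp_ok=True)
    refused, reason = hardened_phone_login(store, number, True, later)
    bob = store.create("bob@example.com")
    store.link_phone(bob.account_id, number, later)  # Bob gets his *own* account
    return {
        "fresh_login_ok": fresh is alice and fresh_reason == "ok",
        "naive_handed_over": hijacked is alice,
        "hardened_refused": refused is None and reason == "stale_alias_needs_second_factor",
        "alice_survives": alice.account_id in store.by_id and alice.phone is None,
        "bob_owns_number": store.by_phone[number] == bob.account_id and bob is not alice,
    }
```

The important design choice is in `hardened_phone_login`: the OTP result is never a sufficient condition on its own when the binding is old, and a number that is already in use never turns a sign-up into a sign-in to someone else's account. When the new holder does sign up, `link_phone` moves the alias to a fresh account and leaves the previous account (with its email recovery path) intact.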

Also, there should be a service that removes a surrendered phone number from all accounts associated with it (banks, wallets, social media and so on) before the number is reissued, so that recycling doesn't cause this much heartburn.
