by sneak 1924 days ago
This would also be impossible if services stopped demanding your phone number to make an account.

This is a growing trend in consumer services, and it's a privacy nightmare.

Imagine if they demanded your SSN to sign up? A phone number is no different or less sensitive a unique identifier, perhaps even more so these days.

There are widespread reports of delivery businesses selling their phone number databases (with associated credit card suffixes, delivery addresses, order history, etc.) to large advertising companies for data mining.

Providing your direct cell number to an app is basically like providing your home address and a bunch of other sensitive data. Don't do it, or make a burner gmail account to get a disposable Google Voice number for each account that you must have which demands a phone number. Then that number isn't reused, and an attacker that obtains your mobile number can't attack your login method for other apps.

Reusing phone numbers is about as bad as reusing passwords.


> Imagine if they demanded your SSN to sign up? A phone number is no different or less sensitive a unique identifier, perhaps even more so these days.

I have extremely bad news for you. US Social Security Numbers are not in fact unique, and the fact they're "sensitive" is a terrible joke because it's pretty easy to discover the SSN for an individual based on public information, especially older people because SSNs weren't even randomised at issuance until relatively recently.

Any system that depends on keeping public facts secret is horribly broken, yes that also includes "verifying" credit cards based on a bunch of digits that are written right on the card itself.

I work on such a system. I have the same sentiment as you, but the reality is that every entity along the way, including federal, state, county, city, and sub-city level governments, all treat SSN as a unique identifier and accept no substitutes. The one and only way to get away from this is to pass massive legislation and have the federal government provide better IDs to the public, something most people don’t actually want. It will never happen unless a massive amount of people get defrauded overnight. Like 10-40% of the country, and literally in a short enough period of time to create a news shitstorm. This cannot be changed by your software system being different, and if it is, it will already start at a disadvantage for not being compatible with everything around it.

I'm aware, I'm a hacker (in the evening news definition of the term as well as the TMRC one). I was referring to the fact that most USians would not sign up for whatever b2c service that demanded their SSN, but wouldn't hesitate to provide their phone number.

We should all stop doing either.

> Imagine if they demanded your SSN to sign up? A phone number is no different or less sensitive a unique identifier, perhaps even more so these days.

The goal is for the service to have a unique identifier, and phone numbers happen to be a really good one to prevent spam also, since it outsources verification of human identity to the phone companies.

> since it outsources verification of human identity to the phone companies.

That's not the reason phone numbers are used. They are used because they are something you have, in addition to something you know like an SSN or password. This is two-factor authentication.

You’re not wrong. The problem is the lack of an authoritative identity provider in the US.

No, that's not the problem. The problem is that many, many organizations demand an authoritative identity when no such thing is necessary or advisable.

https://sneak.berlin/20200118/you-dont-need-to-see-my-id/

The US has plenty of centralized identity systems, including the Real ID one, a backdoor federal ID system that is required to board all commercial flights in that country.