[birger]

Isn't this information used as an extra security layer when using your mobile phone for payments or bank transactions? Here in The Netherlands when I want to use my mobile phone to log in to my bank account and do transactions, I first need to confirm my phone number and a special code. I can imagine that then they need the phone number in the header to verify it is my phone.

And how is this information different then an IP adress that they also have with each request?

[wgx]

>And how is this information different then an IP adress that they also have with each request?

Unscrupulous marketers can't do much with your IP address. They can do a lot more evil with your mobile number: SMS spam, cold calls, re-sell your data, etc, etc...

[jarofgreen]

IP address does not always personally identify someone without extra information, usually obtainable only with a court order. Your IP address does not move with you, your number does. IP can not be used to personally bother you at any point in the future. This also makes a mockery of any "safe mode" browsing you do, enabling you to be tracked regardless.

Also, just because this can be used for good does not mean A) it can't be used for bad B) it is sharing private data that should only happen with your knowledge and consent

[alexchamberlain]

Headers are too easily spoofed to carry security information without a signature.

[mooism2]

It's like security through obscurity: on its own it's inadequate, but as an extra layer it can be helpful.

[alexchamberlain]

How is this helpful? We have proved it's inconsistent... Do you check IP addresses for security too?

[mooism2]

I can imagine a bank fraud detection system being more suspicious of unusually large transactions if they originate from an unusual phone number or ip address, yes.

[0x0]

A header with a phone number does not prove anything; anyone can insert a header with a fake number in their HTTP requests.