Researcher finds third parties have access to cellphone data
Data includes full name, location, and billing addressBy David Matthews
Verizon is no stranger to privacy controversies. The wireless carrier was discovered to use a "permacookie" back in 2015 in which a string of about 50 characters called a Unique Identifier Header (UIDH) allowed Verizon to track subscribers for advertising purposes. The company eventually allowed customers to opt out of the UIDH system and was subsequently fined by the FCC.
Philip Neustrom, co-founder of Shotwell Labs, discovered demo websites that, when visited using a mobile data connection, report back a startling amount of personal data. This data includes your full name, phone number, contract details, and location (inferred from tower information) which means that GPS is not required.
Danal and Payfone, the two websites referenced, are basically using your mobile phone's IP address to look up your phone number and billing information that are supplied by the carriers. Access to this information is made possible by certain APIs from Verizon and AT&T that allow access to Verizon's UIDH and AT&T's "Mobile Identity API" repespectively.
To be fair, using these APIs to help detect fraud is a legitimate use case. Financial institutions could use that data to verify that it's really you calling about your account. TechCrunch's Devin Coldewey contacted Payfone's CEO Rodger Desai about their use of the APIs. Desai responded saying:
"There is a very rigorous framework of security and data privacy consent. The main issue is that with all the legitimate mobile change events fraudsters get in... For example, if you download a mobile banking app today, the bank is not sure if it is you on your new phone or someone acting as you - the fraudster only needs your bank password"
The problem seems to be that mobile carriers don't seem to be verifying customer consent. Even worse, after using AT&T's opt out option, it still doesn't appear to have done anything. Philip and others report that after waiting the recommended 48 hours, the aforementioned websites were still able to siphon their personal data.
While there doesn't seem to be any immediate danger, it's disconcerting that mobile carriers still appear to be in the business of selling real time access to subscriber data with only trivial "consent" and auditing.