Remember how you said it was cool if your mobe network sold your name, number and location?

No? Well, never mind, because it's for your own protection

US mobile phone companies appear to be selling their customers' private data – including full name, phone number, contract details, home zip code and current location – to third parties, all in the name of security.

Security researcher Philip Neustrom found and linked to demo sites run by two mobile authentication companies – Danal and Payfone – that showed both companies have access to a surprising amount of personal information, including real-time location data, about millions of people.

Both companies claim to have the consent of users but that was news to many – including other security researchers – who tested the demo sites and were amazed to find their private details appear on screen. Both sites have since been taken down, and a presentation that Danal gave to AT&T on its system has also been removed.

Dan Kaminsky, best known for finding a critical flaw in the DNS, tweeted: "Huh. Confirmed that worked. Also had my address from around 15 years ago." But SwiftOnSecurity perhaps best summed up the response for many: "what the fuuuuuuuuuuuuuuuuuuuuuuuuuck."

The companies appear to be using AT&T's Mobile Identity API, which was announced in 2013 as a way to "help businesses make mobile transactions safer and easier". The service is intended to add a layer of security to sensitive mobile transactions such as online banking: the idea is that a business can cross-reference the details presented at login against the carrier's contract and location data for the phone making the request, as a second check that the person logging in is the subscriber they claim to be.

Since many online banking apps only require a single password (as opposed to, say, two-factor authentication), such a double check can be a valuable way to help detect criminals logging into people's bank accounts from somewhere, or something, the real customer is not.


Danal and Payfone are obliged to receive the consent of users before they allow companies to use their service – but the demos have put a huge question mark on whether that is the case.



Payfone insists that there is a "very rigorous framework of security and data privacy consent". But the fact that the information was readily available through an online demo has led many to question just how rigorous that framework really is.

The demos identified you by your phone's IP address and only allowed you to look up data on your own account. You couldn't, for example, type in someone else's name and gain access to their personal information. But if you are a customer of Danal or Payfone, you can access that data by simply asserting that you have the user's consent. It is unclear how rigorously that assertion is checked, or whether customers simply default to stating that consent has been given.

It's also not clear how anyone can check whether a third party feels they have given their consent to have their personal data accessed, or how they can opt out or decline to provide consent in future.

It's also not clear whether other mobile companies have a similar arrangement – supplying all their users' details to third parties that pay them, and then pushing the consent requirement down to those third parties. With a clear financial incentive to provide data on as many people as possible, confidence is not high that anyone in the chain is imposing strict requirements.


There is precedent for such an arrangement falling foul of regulators. Back in 2016, Verizon was fined $1.35m for its use of "supercookies": unique identifiers injected into every web request made by its phone users, which let the company track those users. That enabled the company to build a comprehensive profile of its customers, which was then used to attract advertisers. Even if users opted out of Verizon's ad-tracking program, they were still tracked by the supercookies.
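As an added illustration (not code from the article, from Verizon or from the FCC), here is how a site operator or researcher looking at plaintext traffic could spot a carrier-injected supercookie and show why it defeats cookie clearing. The header name X-UIDH is the one Verizon actually injected; the sample requests, the identifier value and the hostnames are constructed. The example also goes one step beyond the paragraph: it counts exposure per scheme, because a carrier sitting outside the TLS session cannot add headers to HTTPS requests, so the injection only ever affects plaintext HTTP.

```python
"""Detect carrier-injected tracking headers ("supercookies") in captured requests.

Added example. TRACKING_HEADERS lists the header Verizon used (X-UIDH); the
request records below are constructed sample data, not real captures.
"""
from collections import defaultdict

# Header names known to carry a carrier-injected subscriber identifier.
# X-UIDH is Verizon's "Unique Identifier Header"; extend for other carriers.
TRACKING_HEADERS = frozenset({"x-uidh"})

# Constructed sample traffic from one subscriber. The cookie changes between
# requests (cleared or never set), yet the same X-UIDH value is attached to
# both plaintext requests by the carrier. The HTTPS request carries no X-UIDH
# because the carrier cannot rewrite headers inside a TLS session. The last
# request is the same phone on Wi-Fi, i.e. not on the carrier's network.
SAMPLE_REQUESTS = [
    {"scheme": "http", "host": "news.example",
     "headers": {"Cookie": "sid=aaa", "X-UIDH": "OTgxNTk2NDk0ADJVquRu5NS5"}},
    {"scheme": "http", "host": "shop.example",
     "headers": {"X-UIDH": "OTgxNTk2NDk0ADJVquRu5NS5"}},
    {"scheme": "https", "host": "bank.example",
     "headers": {"Cookie": "sid=bbb"}},
    {"scheme": "http", "host": "news.example",
     "headers": {"Cookie": "sid=ccc"}},
]


def tracking_values(headers):
    """Yield (name, value) for every tracking header in a request's headers."""
    for name, value in headers.items():
        if name.lower() in TRACKING_HEADERS:
            yield name.lower(), value


def injected_identifiers(requests):
    """Map each injected identifier value to the set of hosts it was sent to."""
    seen = defaultdict(set)
    for req in requests:
        for _name, value in tracking_values(req["headers"]):
            seen[value].add(req["host"])
    return dict(seen)


def cross_site_linkable(requests):
    """True when one injected identifier ties requests to more than one host.

    That is the cross-site profile the carrier can build regardless of the
    user's own cookies, which is why opting out of ad tracking or clearing
    cookies did not stop the tracking.
    """
    return any(len(hosts) > 1 for hosts in injected_identifiers(requests).values())


def exposure_report(requests):
    """Count requests carrying an injected identifier, split by scheme.

    The https count stays at zero for traffic the carrier merely forwards:
    header injection needs a plaintext request the carrier can modify.
    """
    report = {"http": 0, "https": 0}
    for req in requests:
        if any(True for _ in tracking_values(req["headers"])):
            report[req["scheme"]] += 1
    return report


if __name__ == "__main__":
    for uid, hosts in injected_identifiers(SAMPLE_REQUESTS).items():
        print(f"identifier {uid} seen at {sorted(hosts)}")
    print("cross-site linkable:", cross_site_linkable(SAMPLE_REQUESTS))
    print("exposed requests by scheme:", exposure_report(SAMPLE_REQUESTS))
```

The per-scheme split is the practical takeaway: a site that serves everything over HTTPS never receives the identifier, and a researcher checking their own phone should look at plaintext HTTP traffic on the carrier's network, not on Wi-Fi, to see whether one is being added.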

Verizon had started using the supercookies in 2012, was investigated by the Federal Communications Commission (FCC) in 2014, and the settlement was reached in 2016. But the fine was considered very small by privacy campaigners, and the level of concern was such that some lawmakers promised to introduce new legislation outlawing the practice.

In addition to the fine, Verizon was told by the FCC to inform all its customers that the supercookie existed and give them a simple option to have the tracker removed. It was also told it would have to actively seek permission from its millions of users before it could share the data it had amassed with third parties.

Rules that would have made it illegal for mobile and cable companies to introduce such schemes – both the use of supercookies and the third-party API data sharing that Danal and Payfone seem to be using – were due to come into effect earlier this year but were shot down at the last minute by FCC chair Ajit Pai, and then later repealed outright by Republicans in Congress using the Congressional Review Act.

The use of location data is also especially sensitive at the moment with the courts debating what rules exist around such data and what legal standards have to be reached to grant access to it. ®

Biting the hand that feeds IT © 1998–2022