The original post: /r/privacy by /u/Zireael61 on 2024-11-08 21:37:30.

Companies often ask for our phone numbers for various reasons, and we typically need to provide them to receive services. I believe the biggest issue with this system is the risk of data leaks or the possibility that companies might simply sell our data. I think this problem could be solved by adopting a new system. This approach would also benefit companies, as data breaches would be less problematic if they didn’t hold customers’ personal information.

Here’s the idea: Suppose Company X needs my number for communication, verification, etc. Instead of obtaining my actual number, they would receive a token generated by my mobile carrier, which would verify its authenticity. Let’s say Company X receives a unique 512-bit token along with the name of my mobile carrier to confirm that the token is valid.

When Company X wants to send me a message, they would include this token in their request to the mobile carrier rather than using my phone number. Since the carrier knows which token is linked to which user, they can forward the message directly to me. This way, Company X never needs to know my phone number.

If a malicious party somehow gains access to this token, any message sent to me using it would still appear as though it came from Company X. This helps me pinpoint exactly which company’s data may have been compromised. Additionally, I could contact my mobile carrier to delete or revoke any tokens I no longer wish to use, instantly cutting off all messages linked to that token.

This idea is similar to 3D Secure: when you enter your card details and are redirected to the bank’s verification system. Here, when I need to verify my mobile number, I would simply click a button to add my number and be redirected to my mobile carrier’s portal. I would enter my phone number and then input a one-time code received via SMS to complete the verification. If the verification is successful, Company X would receive a token.

As long as there’s no data breach at the mobile carrier, this setup would be completely secure and would protect my privacy. I think it’s more ideal to trust your mobile carrier than to trust numerous companies. What do you think? Could we see a similar approach in the future, or do you think there’s a flaw in this idea? I just thought of this while trying to sleep.
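The carrier-side bookkeeping the post describes (token issuance, routing by token, leak attribution, revocation), sketched as an added example that is not part of the original post. The class, method names, and the sample number are hypothetical, and storing only a hash of each token is a choice of this sketch rather than something the post specifies.

```python
import hashlib
import secrets


class CarrierTokenRegistry:
    """Carrier-side sketch: one opaque token per (subscriber, company) pair."""

    def __init__(self):
        # Keyed by SHA-256 of the token so the registry itself never stores
        # usable tokens (a choice of this sketch, not something the post says).
        self._records = {}
        self.delivered = []  # stands in for the SMS gateway

    def issue(self, msisdn, company):
        """Called after the subscriber passes the carrier-portal OTP check."""
        token = secrets.token_bytes(64)  # 512 bits, as in the post
        digest = hashlib.sha256(token).hexdigest()
        self._records[digest] = {"msisdn": msisdn, "company": company, "revoked": False}
        return token.hex()  # the only value the company ever receives

    def deliver(self, token_hex, body):
        """Route a message by token; returns the delivered message or None."""
        try:
            digest = hashlib.sha256(bytes.fromhex(token_hex)).hexdigest()
        except ValueError:
            return None  # malformed token
        rec = self._records.get(digest)
        if rec is None or rec["revoked"]:
            return None  # unknown or revoked token
        # The label comes from the carrier's record, not from the sender's
        # claim, so a stolen token still shows which company it was issued to.
        msg = {"to": rec["msisdn"], "label": rec["company"], "body": body}
        self.delivered.append(msg)
        return msg

    def revoke(self, msisdn, company):
        """Subscriber-initiated revocation; returns how many tokens were cut off."""
        hits = [r for r in self._records.values()
                if r["msisdn"] == msisdn and r["company"] == company and not r["revoked"]]
        for r in hits:
            r["revoked"] = True
        return len(hits)


if __name__ == "__main__":
    carrier = CarrierTokenRegistry()
    number = "+15555550100"  # constructed sample number
    tok_x = carrier.issue(number, "Company X")
    print(carrier.deliver(tok_x, "Your code is 123456"))
    print(carrier.revoke(number, "Company X"), carrier.deliver(tok_x, "hello again"))
```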