
maxsmacs

macrumors regular
Original poster
Oct 19, 2005
135
6
SK
I've always thought that giving out your actual phone number is a security risk. Consider that your iMessage number may be your only number that financial institutions, utilities, etc. use. Wondering how this stacks up in security from those security minded?

Meanwhile, an obvious solution is to iMessage with your email only, or get a second number (VOIP or real). Does anyone do this?
 
You can't add just any-old-number to iMessage; VoIP etc. aren't permitted to be added to it.

But you could use an email.

FWIW I don't share your concern about giving the phone number being a "Security risk." It IS a Spamming risk - but that's an annoyance, not a security concern.
 
^This.

The bigger security risks, imo, are accounts that do not have 2FA, security keys, secondary PINs, etc. enabled. And poor password management.

For example, if one gets codes sent to their email and the account is not secured and one uses weak passwords and/or re-uses passwords, bad guys can take over the email account, lock one out, and then intercept security codes (and password reset links as another example) that are being sent.

And common sense comes into play. Obviously, need to not respond to "Your iCloud account needs to be verified" and ilk messages.
 
I think what the OP is worried about are SIM swapping attacks, where the perpetrator uses persuasive social engineering tactics to convince a cellular service provider to move their victim's phone number to a device they control. The purpose, of course, is to compromise SMS-based two-factor authentication and gain access to the victim's accounts.

Using SMS for two-factor and then trying to protect oneself by attempting to limit the dissemination of their mobile number seems futile, given that marketers share phone numbers freely to their business partners, data brokers sell them, they are available in data dumps on the dark web, etc.

Better by far is to avoid SMS based two-factor whenever better options are available, relying instead on factors like authenticator apps and FaceID.
 
The reason I bring this up is the desire to be even more secure than just SIM swapping or 2FA. If you don't give out your number, it's one less piece of PII that's floating out there that can be used to look you up or correspond your data in other systems. It feels like a calculated risk to integrate it into existing SMS systems, but if the goal was to only build functionality for iMessage within the iOS/iPadOS/macOS platform, then that really isn't needed.
 