29

I was signing into a Capital One credit card website that I hadn't used in a long time, and once I entered my user name and password, it requested my mobile phone number for additional verification.

I entered my number, and I was given a short, < 10 second waiting screen that said "We are contacting your carrier to verify your phone number". It passed whatever that validation was and then sent me a typical text-message verification code that I had to enter to continue.

So, my question is, did they really contact my mobile phone carrier to verify my name or address (the only thing they know about me) based on my phone number? Is this just security theater, or is there an API or database available where I can verify that a phone number does indeed have a certain name attached to it?

I've never seen this before and would like to understand how this system works, and how it's protected from abuse.

4
  • my guess is the call display registry
    – schroeder
    Commented Jan 24, 2018 at 17:01
  • 2
    I'm sure there is some kind of security measure taking place when the phone number is identified. It either just verifies with previous login attempts to see if you are using the same device, if you are using a foreign device it will probably ask for further verification (code sent to email or something). Seeing as Capital One is a major financial company, I wouldn't put it past them to verify with service providers but it's probably just a security measure where they need to collect a certain amount of info to identify who is accessing your financial information.
    – WatchDog
    Commented Jan 24, 2018 at 17:05
  • My guess would be something like this to get rid of virtual numbers -> twilio.com/lookup
    – jrtapsell
    Commented Jan 24, 2018 at 18:34
  • 1
    It may not be this, but the carriers are pretty willing to give data to anyone who pays, it'd seem: techcrunch.com/2017/10/15/…
    – ceejayoz
    Commented Jan 24, 2018 at 19:13

4 Answers

16

Is this just security theater

No.

or is there an API or database available where I can verify that a phone number does indeed have a certain name attached to it?

The phone companies (ed: didn't used to, but apparently now they do per @ceejayoz) make this information public (caller registry is not reliable, esp. in cases where the name on the bill isn't the owner of the phone), but given the wealth of information marketing agencies and credit bureaus hoard, the information is absolutely out there-- it's just a question of whether anybody is selling it yet. Hell, even Facebook could offer such a service if they were so inclined.

But given what I've dealt with in this space in years past, it's more likely they're checking to verify the carrier itself. Fraudsters using burner phones to abuse OTP systems was a massive, massive problem that had yet to be solved while I was still there and we didn't have a reliable way to filter them out at the time-- yet simply knowing if we were dealing with a Verizon or Boost Mobile customer and performing additional verification for the latter before sending out texts would have eliminated a significant amount of fraud.

7
  • So, you're saying they could just verify that the number is a valid, in-use number?
    – JPhi1618
    Commented Jan 24, 2018 at 18:28
  • No, the additional verification would come in the form of 3FA or doing something else to make sure you didn't just squat on someone's phone number after they let it go and are now trying to impersonate them.
    – Ivan
    Commented Jan 24, 2018 at 19:02
  • 1
    you mean "hoard"
    – Almo
    Commented Jan 24, 2018 at 19:36
  • Just to add to this. In Australia at least, there's a national database of all active phone numbers. It's often used by emergency services to locate people if they call and hang up or don't provide details. So I wouldn't see verification as being entirely implausible.
    – Kit
    Commented Jan 25, 2018 at 5:34
  • Given the amount of information you can get via SS7 I would not be surprised that it spits out your name somewhere too.
    – PlasmaHH
    Commented Jan 25, 2018 at 13:10
6

Number verification

Following the conversation in the comments:

jrtapsell: My guess would be something like this to get rid of virtual numbers -> https://www.twilio.com/lookup

JPhi1618: @jrtapsell, cool. I looked into Twilio once upon a time for SMS sending, but didn't know they had this service. My name does come up when I enter my number, so it's at least plausible.

They may just be trying to filter out virtual numbers and high risk carriers using a service like Twilio, although their site seems to suggest that in the US you can get the user's name:

Many local phone numbers in the U.S. register with a central Caller ID Name (CNAM) database. This database contains identity information about the business or person associated with the number. Use CNAM Lookup to programmatically return that identity information for each phone number. The calls you make and messages you send are more informed so you don’t get bogged down with upfront questions.

Trying to get the name for my number came back with nothing though, so YMMV, but they seem to suggest that you can reduce fraud by flagging virtual numbers here:

While phone numbers help businesses identify end users, the fact is numbers are very easy to acquire from some carriers. Anyone can obtain multiple phone numbers from a free online provider, enabling them to create fake profiles to defraud or spam a business. To address this challenge, businesses can identify the carrier behind the phone number. This way businesses can require additional identity authentication for carriers associated with higher fraud instances for $0.005 per lookup.

They may also be using a local search, and if the same number is used for multiple accounts they may be flagging it, so if a fraudster uses the same number to try to access different accounts they can be caught. Amazon has been known to do a similar thing but with credit card numbers.
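
An added example, not code from this answer, Twilio or Capital One: a minimal policy combining the two checks described above, a carrier/line-type lookup result and a local index of which accounts have presented the same number. The `Lookup` fields, carrier names, thresholds and action names are hypothetical, and the lookup result is assumed to have been fetched already from whatever provider is in use.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed policy values, constructed for this example (not real carrier data).
HIGH_RISK_LINE_TYPES = {"voip", "unknown"}
HIGH_RISK_CARRIERS = {"example prepaid"}
MAX_ACCOUNTS_PER_NUMBER = 2

@dataclass
class Lookup:
    """Shape of a carrier-lookup result; field names are hypothetical."""
    carrier: str
    line_type: str  # "mobile", "landline", "voip" or "unknown"

def normalize(raw, default_cc="1"):
    """Reduce user input to +<digits> so one number cannot be counted as two."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        return "+" + digits
    if len(digits) == 10:  # national number entered without country code
        return "+" + default_cc + digits
    if len(digits) == 11 and digits.startswith(default_cc):
        return "+" + digits
    raise ValueError("unrecognised phone number format")

class PhoneRisk:
    def __init__(self):
        # normalized number -> set of account ids that have presented it
        self.accounts_by_number = defaultdict(set)

    def assess(self, account_id, raw_number, lookup):
        """Return (action, reasons); any reason forces extra verification."""
        number = normalize(raw_number)
        reasons = []
        if lookup.line_type in HIGH_RISK_LINE_TYPES:
            reasons.append("line_type:" + lookup.line_type)
        if lookup.carrier.lower() in HIGH_RISK_CARRIERS:
            reasons.append("carrier:" + lookup.carrier.lower())
        seen = self.accounts_by_number[number]
        seen.add(account_id)
        if len(seen) > MAX_ACCOUNTS_PER_NUMBER:
            reasons.append("reused_across_%d_accounts" % len(seen))
        return ("step_up" if reasons else "send_otp"), reasons
```

Normalizing before the reuse check matters: without it, the same number typed in three different formats would be indexed as three distinct numbers and never reach the threshold.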

2

A high risk call might get flagged for additional verification, and a score calculated from a 3rd party service that knows all about you.

Here's one... https://risk.lexisnexis.com/products/phone-finder

3
  • 1
    What is a high risk call? And what score?
    – Tom K.
    Commented Jan 25, 2018 at 9:08
  • Any number of reasons your call might be considered higher than average risk. The OP is not clear whether it's the credit card, or the website he hasn't used in a long time, but a stagnant card could be one indicator. The most common case is an account that has already been identified as the target of fraud or attempted fraud, so anyone attempting to access that account is going to be subjected to additional ID verification.
    – wwwmarty
    Commented Jan 26, 2018 at 22:57
  • The score from the service might be a probability% that the phone you are calling from (and is ostensibly in your possession) belongs to you, and that you are who you say you are.
    – wwwmarty
    Commented Jan 26, 2018 at 22:59
2

Ignoring the obvious two factor (i.e. that the number is in your possession), there are databases they use for proving your identity. The big ones are people like Experian who look like Credit score agencies when they're not doing identity checks, and because most phone contracts are a source of credit, it's a good way of finding out.

Basically there are companies out there who buy data from other companies and cross reference. So you say to someone "I am Joe Smith living at 123 Main street and a phone number of +0011231234567" and it gives you back a probability of being right.

Have a look at (for example): https://developer.experian.com/real-time-contact-data-validation/apis/post/sync/QueryResult/PhoneValidate/3.0 (bearing in mind this is on a sandbox, so might be random answers rather than real).

Basically the Banks and other financial institutions (including insurance etc) share information on you which can then be used to reduce fraud across the entire industry.
