Has Scareware Gone Mainstream?


If you’re an averagely engaged Internet user, the number of times you’ll have been asked for your phone number in the name of security has probably run beyond count. And yet some of the online providers who ask for this additional data have been hacked.

However instrumental you make a phone number in the login process, it does not in itself stop large-scale data hacks and thefts from arising. And when such hacks or thefts do arise, that huge collection of phone data ceases to be ‘protective’, and instead becomes an unmitigated threat to users. Should an online business really be demanding unnecessary personal data on security grounds, when it’s well known for emailing its users bombshells like this?…


“Dear Bob,

We are writing to inform you about a data security issue that may involve your Yahoo account information.

What happened?

A recent investigation by Yahoo has confirmed that a copy of certain user account information was stolen from our systems in late 2014 by what we believe is a state-sponsored actor. We are closely coordinating with law enforcement on this matter and working diligently to protect you.

What information was involved?

The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers…”

There then follows a series of recommendations as to what users should do to protect themselves. Change their password, be careful… Did I mention change their password and be careful?… Yep, they don’t say what users should do to make their phone data private once more, because within the realms of reasonable convenience, there is nothing users can do.


It was also notable that whilst Yahoo cited this data theft (not their first, I should add) as occurring in late 2014, it took them until late September 2016 to find out it had happened and notify users. And this is a company that expects account holders to provide phone data by default, on grounds of security? It’s like the comedy spoof version of Nineteen Eighty-Four.


You may have noticed that if you’re dealing with government organisations online, and they need to verify you, they’ll send a code to your landline. This is much more reliable than sending to a mobile, because a landline is far less likely to be stolen or lost, and it’s irrefutably linked with a home or business address. It has to be installed at the premises. Google has also notably included a landline option when setting up sensitive processes for payment.

So why do most online ‘security’ processes exclude landlines, and only offer a mobile option? Especially given the number of mobile phones stolen and lost each year, how could a mobile ever be considered the most appropriate means of user protection?

It’s not, obviously. The only people who suggest it is, are cyber data companies who gain from harvesting mobile phone numbers, and those who’ve been brainwashed by their pseudo-scareware rhetoric.

Yahoo had very low commitment to data security, as was evidenced by their long-time blindness to sitewide breaches. And worse, the company twiddled its thumbs for about two months after a mountain of stolen data was offered for sale online, before finally informing users it might be an idea to change their passwords. Talk about locking the stable door after the horse has bolted!… For a business like that to claim any kind of concern about user login protection is farcical. They want phone numbers for one reason and one reason only. Phone data has value to them.


We’re seeing an insistence or heavy recommendation that users hand over mobile numbers for the sake of their login security, from providers who have for years permitted four and five digit passwords. Seriously. One moment it’s:

“Yeah fine, ‘cat12’, if you’re stupid enough to enter a password that short, on your own head be it.”

Then the provider suddenly realises the value of mobile phone data, and it’s:

“OMG, we care so incredibly much about protecting your account from unauthorised logins that we simply have to text your personal phone every time you want access!”

No. You’ve proved you don’t care. You just want.

Is it time online businesses were forced to stop playing this “security” ruse, and be clear about the fact that mobile phone and other unnecessary personal data can compromise as well as enhance security? Two-factor authentication has locked many people out of their online accounts for good – businesses included. And it’s nothing like as popular as we’re led to believe. Google recently confirmed that less than 10% of their account holders use it, and the organisation still manages to keep the system secure. Elsewhere, it’s been proved that two-factor is easy to hack, and that the real weakness in all online security is a careless user.

Is it also time that we, the public, began to analogise today’s security scaremongering with the reviled scareware of old?


Back in the Internet’s earlier days, scareware was very easy to categorise. You web-searched your way onto some dodgy site, then a fake OS message box popped up telling you your computer was at dire security risk, and advised you to take a course of action that would really only benefit the party behind the ruse. Taking the action could actually compromise your security further.

The problem is, if you take away the fake OS message box, much of the “secure your account!” fanfare we’re seeing in today’s Internet mainstream can be described in exactly the same way. The fact that mainstream online providers are not pretending their scaremongering taglines come from the belly of Microsoft Windows doesn’t really make them much better. If you want phone numbers, say you want phone numbers. Don’t say you’re trying to protect us, when it’s patently bleedin’ obvious that you’re not.