Hacking a smart phone is easy says LA Times

Armed with this information, they are then tapping into the software resources of the cellular phone networks to extract location and allied data on users' smartphones.

This is possible, Infosecurity notes, because of the APIs that some cellcos offer third-party companies to allow the development of mobile tracking systems and services. According to the LA Times, hackers are subverting these information channels for illegal purposes.

"Everyone's taught to keep their social security number a secret", one researcher told the paper. "But the phone number seems just as dangerous, if not more so."

According to the newspaper, 21% of US mobile phone users are now toting smartphones around with them.

The two security researchers interviewed by the paper said they were surprised at how easily they could use widely available information and existing techniques to assemble a detailed dossier on a mobile phone user.

"Once [the researchers] have figured out that your name is the one associated with your number, they can query the cellular network to see where your phone is at that moment. After enough time, this bit of digital spycraft will yield a fairly clear picture of where you go and when", says the paper.

"We can do a lot of cool things that we really shouldn't be able to as civilians", said one researcher. "It's like running your own private intelligence company."

It seems that the cellcos are not overly helpful when it comes to answering questions about the holes in their security that the researchers in the feature have been exploiting, as AT&T and T-Mobile "referred questions about the issue to the CTIA, a wireless industry association."

The CTIA reportedly told the paper that US cellcos "are vigilant about protecting subscriber privacy", and questioned whether the researchers' tracking techniques were legal.

The final word on this comes from a poster to the online report, who said: "Whether any security vulnerability is legal to exploit is irrelevant, and no company that is acting in good faith would insult its customers' intelligence with that type of response."

"The relevant issue is whether the company has fixed the vulnerability, and if not, when?"
