I don't understand how this "trusted partner" thing would work. It's HTTP and phone numbers are not secret. Can I send an HTTP header with a "friend's" phone number in it and have their account charged.
Sending your name in clear text is not a digital signature.
(There are so many good ways to authenticate users of a network that it makes me sad to see "tack on a phone number" was even considered, much less implemented, pushed to production, and accidentally turned on for the Entire Internet. Doh.)
If it's anything like the systems I've come across, there is a proxy server on the mobile data network with a whitelist of either IPs or URL patterns that will have the number added as a HTTP header ("header enrichment"), then the endpoints (so the third party systems) must be configured to only accept this header from the IP range of the proxies, so that should avoid spoofing if correctly configured. I'd have thought this IP restriction requirement would be part of the contract they'd have to sign to get the data.
The man-in-the-middle proxy adds the phone number based on your IMEI. You could probably send someone else's number down and it'd change the header back to yours in the proxy.
The SMS spoofing issue (which has been around forever) is far worse as it's not proxied anywhere. Some SMS-controlled devices use the SMS from number as an authentication scheme which is much much more dangerous as that can be spoofed easily.
It's all about trust and it appears that trusting proprietary networks is an issue.
Sending your name in clear text is not a digital signature.
(There are so many good ways to authenticate users of a network that it makes me sad to see "tack on a phone number" was even considered, much less implemented, pushed to production, and accidentally turned on for the Entire Internet. Doh.)