Security Threats linked with recycled phone numbers in the United States

According to a recent study conducted by Kevin Lee from Princeton University and Professor Arvind Narayanan, member of the Center from the Information Technology Policy’s executive committee, revealed a number of privacy and security risks being associated with recycled mobile phone numbers that could have been used in staging a range of fraudulent activities such as taking over accounts, spam attacks and phishing.

66% of the tested recycled mobile phone numbers were found to be linked with their previous owner’s online accounts (such as Facebook and other social media platforms) on some well-known websites. This link would potentially allow access for the account to get hacked by just recovering the profile that were associated with those numbers. The researchers also said that the hacker is able to cycle through the available phone numbers available on the online number change interfaces to check if any one of those numbers are still associated with online accounts of their previous owners. In simple words the hacker can get hold of the numbers and can use them to reset the passwords on existing accounts through the one time password (OTP) , when sent via SMS and entered correctly.

The recycling of phone numbers is actually a method where disconnected phone numbers are assigned to a new customer of the same provider. An estimated 35 million phone numbers in the United States are disconnected every year according to the Federal Communication Commission (FCC).

A reverse lookup is performed by the hacker by entering random numbers in the online interface being provided by the two carriers. Once the hacker finds a recycled number, it can be bought and later be used to access its previous owner’s account to which the number is found to be linked. These attacks are possible because of lack of restrictions for queries related to the available numbers set by the carriers on their prepaid interfaces. This can enable the hacker to discover recycled phone numbers before the verification for changing number. This study is a proof that verification method based on SMS is risky as the above described attacks may allow the hacker to hack in an SMS 2FA enabled account without even knowing the password.

According to the tweeted posted by Narayan, if someone wants to giveup their phone number, they need to unlink it from all the online services. They should consider low cost phone numbers parking services. And should use more secure alternatives such as authenticator apps


Read next: Researchers warns that millions of UK users having older routers from their broadband provider that have security flaws, could be at risk of getting attacked by the hackers
Previous Post Next Post