New study warns of security and privacy risks of number recycling at multiple mobile carriers in the United States

May 6, 2021 11:25 GMT

A recent academic study identified several privacy and security risks associated with recycling mobile phone numbers. These risks could be used to stage a range of attacks, such as account takeovers, phishing, and spam. The impact can extend to denial of service, since the threat discourages victims from signing up for online services that require a unique number.

66% of the recycled phone numbers tested were found to be linked to previous owners' online accounts at popular websites, potentially allowing account hijacking simply by identifying the accounts associated with those numbers.

According to the researchers, "An attacker can cycle through the available numbers shown on online number change interfaces and check if any of them are associated with online accounts of previous owners."

Simply put, an attacker can obtain such a number and use it to reset the passwords on existing accounts, because the one-time password (OTP) sent via SMS is delivered to whoever currently holds the number.

The results are based on a survey of 259 phone numbers available to new T-Mobile and Verizon Wireless subscribers in the United States.

The study was conducted by Kevin Lee of Princeton University and Prof. Arvind Narayanan, a member of the Center for Information Technology Policy's executive committee.

Phone number recycling refers to a method of reassigning disconnected phone numbers to new customers of the provider. Every year, an estimated 35 million phone numbers in the U.S. are disconnected, according to the Federal Communications Commission (FCC).

Attackers perform a reverse lookup by entering candidate numbers into the online interfaces provided by the two carriers. Once a recycled number is found, it can be purchased and used to access the victim's accounts to which the number is linked.

The attacks are possible because carriers place no query restrictions on the prepaid number-change interfaces and display "full numbers" in them. This alone gives a bad actor the opportunity to discover recycled numbers before committing to a number change.
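The two weaknesses named above (unrestricted queries and full-number display) suggest what a hardened number-change interface would look like. The following is an added example written for this article, not code from the study or from any carrier: the service shows candidates only in masked form behind opaque tokens, reveals the full number only once the subscriber commits to a change, and caps the number of lookups per account per time window. The class and function names, the limit of three lookups per hour, and the sample number pool are all assumptions constructed for the example.

```python
import secrets
import time
from collections import defaultdict


class RateLimited(Exception):
    """Raised when an account exceeds its lookup budget."""


def mask_number(number):
    """Display form that keeps only the area code and last two digits,
    e.g. 2015550123 -> 201-***-**23, so the list cannot be harvested."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) != 10:
        raise ValueError("expected a 10-digit North American number")
    return f"{digits[:3]}-***-**{digits[-2:]}"


class NumberChangeService:
    """Hypothetical number-change endpoint (assumed design, not a carrier's)."""

    def __init__(self, pool, limit=3, window_seconds=3600, clock=time.time):
        self._pool = list(pool)            # numbers currently available
        self._limit = limit                # lookups allowed per window
        self._window = window_seconds
        self._clock = clock                # injectable for testing
        self._queries = defaultdict(list)  # account_id -> query timestamps
        self._offers = {}                  # opaque token -> full number
        self._assignments = {}             # full number -> account_id

    def _check_rate(self, account_id):
        """Sliding-window limit: drop old timestamps, then enforce the cap."""
        now = self._clock()
        recent = [t for t in self._queries[account_id] if now - t < self._window]
        if len(recent) >= self._limit:
            raise RateLimited(f"{account_id}: more than {self._limit} lookups per window")
        recent.append(now)
        self._queries[account_id] = recent

    def offer_candidates(self, account_id, count=2):
        """Return (token, masked_number) pairs; the full number never leaves the server."""
        self._check_rate(account_id)
        offers = []
        for number in self._pool[:count]:
            token = secrets.token_urlsafe(8)
            self._offers[token] = number
            offers.append((token, mask_number(number)))
        return offers

    def commit_change(self, account_id, token):
        """Reveal the full number only when the subscriber commits to one offer."""
        number = self._offers.pop(token, None)
        if number is None or number not in self._pool:
            raise KeyError("unknown, expired, or already-taken offer")
        self._pool.remove(number)
        self._assignments[number] = account_id
        # Any other outstanding token for the same number is now stale.
        self._offers = {t: n for t, n in self._offers.items() if n != number}
        return number


def demo():
    """Walk through the intended behaviour with a constructed pool and a fake clock.
    Returns (masked_first_offer, limited_on_third_query, committed_number, remaining_masked)."""
    clock = [0.0]
    svc = NumberChangeService(["2015550123", "2015550148"], limit=2,
                              window_seconds=60, clock=lambda: clock[0])
    first = svc.offer_candidates("acct-1")
    svc.offer_candidates("acct-1")          # second lookup still within budget
    try:
        svc.offer_candidates("acct-1")      # third lookup in the same window
        limited = False
    except RateLimited:
        limited = True
    clock[0] = 61.0                         # window has rolled over
    offers = svc.offer_candidates("acct-1")
    committed = svc.commit_change("acct-1", offers[0][0])
    remaining = [m for _, m in svc.offer_candidates("acct-1")]
    return first[0][1], limited, committed, remaining


if __name__ == "__main__":
    print(demo())
```

The design point is that a caller never sees a full number until a change is actually committed, so an attacker cannot enumerate the pool and check numbers against other services first; the per-account cap limits how many masked candidates can be paged through even if the masking alone were insufficient.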

The study is further evidence that SMS-based authentication is a risky method, as the attacks described above may allow a bad actor to hijack an SMS 2FA-enabled account without knowing the password.

According to Narayanan's tweet, "If you need to give up your number, unlink it from online services first. Consider low-cost number 'parking' services. Use more secure alternatives to SMS-2FA such as authenticator apps."