Moving across state lines or switching network providers can force you to get a new mobile number. It’s annoying to tell all your contacts that your number has changed, but it must be done if you want to remain in communication.
Through the whole process of deactivating your current line and activating your new one, you have probably wondered, “what happens to my old number?” With phone numbers being a finite resource, they are more often than not recycled.
That means your old number isn’t deleted off the network and put out to pasture. Mobile numbers are recycled within the system, being assigned to new users as they sign up. There really isn’t any other way around it, but it can create severe problems. Let’s look at the risks involved.
Here’s the backstory
A recent study by Princeton University’s Department of Computer Science found that the practice of recycling mobile numbers has several startling consequences. Sampling 259 numbers from two major carriers, the study found that 171 of them were tied to existing accounts on popular websites.
The implication is that the number’s new owner could, in theory, hijack the old user’s account on the specific website. Most apps and services allow for two-factor authentication from a text message, and since the new owner has access to the number, they could log into the profile.
To make matters worse, some of the numbers from the study were linked to stolen personal data that is available online. These numbers can also be used for text message authentication.
“A significant fraction (100 of 259) of the numbers were linked to leaked login credentials on the web, which could enable account hijackings that defeat SMS-based multi-factor authentication,” the study explains.
Different kinds of threats
The university identified eight different ways in which cybercriminals can use a recycled number. Four of the attacks are used against the previous owner, while the remaining four are used on future owners.
In one attack, the criminal cycles through available numbers on a carrier’s online number change form. Once a number has been found, the criminal searches online for the previous owner’s personally identifiable information (PII). This can lead to identity theft or hijacking messages intended for the original owner.
There is another way in which the previous owner can be exploited.
“Alternatively, the attacker can find and use the previous owner’s email addresses to look for password breaches and purchase the stolen password on the Dark Web. With the stolen password, the attacker can log in to most of the previous owner’s accounts without going through recovery, and defeat SMS 2FA by receiving the passcode sent to the recycled number,” the study detailed.
Other methods used by criminals:
- Targeted takeover – This is where the criminal learns of a number change and takes the number once available.
- Phishing – Attackers keep track of available numbers and, once a number has been assigned, launch phishing attempts, pretending to be the mobile carrier.
- Spam – An attacker gets a number and signs it up for alerts, newsletters and premium services. Once it’s released into the recycle pool, the new owner will receive the spam.
What can be done?
Unfortunately, recycling numbers is the norm and is regulated by the FCC. The Commission has several rules in place that actually encourage the recycling of numbers. Mobile providers can only withhold a number for 45 days before it must be released. For business numbers, it’s 365 days.
The university calls out the FCC for not being strict enough, implying that the Commission is only concerned with stopping robocalls to new numbers. But no matter which way you look at it, number recycling isn’t going to stop anytime soon.
“As a regulated industry practice, phone number recycling is unlikely to cease. We highlighted different security and privacy threats that are perpetuated by number recycling, and empirically showed the seriousness of those attacks,” the university concludes in the study paper.
There is one thing that you can do to protect your digital life. If you’ve changed phone numbers over the years, make sure you delete any old numbers associated with any accounts. That includes accounts that you no longer use, like Myspace.