If you’ve ever switched to a new phone number, chances are your old number will be reassigned to someone else.
This practice of recycling phone numbers is standard, but it poses a significant privacy and security risk, as a recent study found. Not only are recycled phone numbers incredibly easy to obtain, but they can also be used to stage a myriad of attacks on their previous owners, ranging from account takeovers and phishing and spam attacks, to even preventing new owners from signing up to online services and asking for ransom to release the number.
How the attacks work
The study outlines eight types of attacks, but the simplest and cheapest method to execute is the reverse lookup attack. Here, attackers use the carrier’s online interface to try to identify a recycled phone number, buy it, and use it to access a victim’s account linked to that number.
This can be done if the victim uses SMS for two-factor authentication (2FA) and hasn’t updated their phone number. Out of the 259 phone numbers evaluated, 66% were “vulnerable to account hijackings at six popular websites: Amazon, AOL, Facebook, Google, Paypal, and Yahoo,” and 39% were “linked to leaked login credentials on the web, which could enable account hijackings that defeat SMS multi-factor authentication.”
So if, for example, you were using SMS 2FA on Facebook, and a Facebook leak exposed an old phone number linked to your account, someone could gain access to your account, reset your password, and lock you out of your account.
Even more alarming is that 66% of those phone numbers could also be used to find personally identifiable information like the name and location of the previous owner on people search services like BeenVerified or Intelius.
There are five additional number-recycling exploits also outlined in their study that target both previous and future owners, allowing an attacker to impersonate previous owners, hijack online accounts, and execute denial-of-service attacks.
Millions of old phone numbers, easy to exploit
According to the Federal Communications Commission, 35 millions phone numbers are disconnected in the U.S. every year. These phone numbers then appear on number change interfaces on mobile carrier websites like Verizon and T-Mobile, which not only allow you to cycle through an endless supply of numbers, but also see the entire number before changing too. This allows attackers to find and exploit these numbers before they’re selected by future users.
The study did reach out to U.S. carriers with their findings. T-Mobile and the Cellular Telecommunications Industry Association now remind users to update their contact information on all their accounts linked to the old number when they get a new one. The study also points to several things users can do to protect themselves from such attacks, namely…
Stop using your phone number for 2FA
This study is further evidence to show how risky SMS-based authentication can be, especially as attackers don’t even need to know your password to reset and access your account when using your phone number.
If you do need to change your phone number, the study recommends you do the following:
- Unlink your phone number from online services first.
- Use a secure alternative to SMS, like authenticator apps or even hardware keys if possible.
- Consider using a low-cost number “parking” service that allows you to keep your old number.
[Get more security tips and tricks. Subscribe to the ExpressVPN Blog Newsletter.]
Data leaks are increasing in scale and frequency, exposing details of hundreds of millions of people connected to social media platforms and other online services. With leaks aiding malicious actors in exploiting this information for personal gain, it is even more important now to maintain control over the security and privacy of your accounts.
Use a 2FA app, opt out of online services and databases that share your personal information publicly, check your privacy and security settings on your devices, and reconsider the services you currently use.
Read more: How to delete your online accounts
Take the first step to protect yourself online
30-day money-back guarantee
Comments
I have my cell number for more than 10 years but find other people using my number including one place that posts it online as their fax number. I confront but it doesn’t stop the behavior. I have an ID monitoring service and feel like someone is up to no good but I don’t know what they’re doing. It’s gone on for years and I thought it would be regulated somehow that the number cannot be issued concurrently to more than one user
The article “Your old phone number is putting you at risk” seems to be about mobile phones that have ever been used for SMS. How much of this applies to landlines? Or to an old mobile number that was never used for SMS? — I get expiring-shortly logon codes by email for some sites and on my landline for others, but never on my mobile phone, not SMS and not voice. Some sites offer use of a token, but with no explanation of what a token is. Perhaps you could address 2FA more broadly in another article.
Here is a thorough article on 2FA: https://www.expressvpn.com/blog/best-two-factor-authentication/
My biggest security issue that needs to be solved is windows 10 NT AUTHORITY Special Logon user privilege ” assume system ownership” the user logons and immediately changes group policy security policy access policy turns my home computer into an organization workgroup with an administrator that can monitor everything and can also use the python , panther, visual studio C+ to create a landing page to my brokerage account this user never logs off. I noticed one day that the hours till Market close never changes I was on a virtual desktop in a virtual account of my online brokerage account. I’ve reset my PC, the firewall does not stop a special logon from changing the whole system and interfering with my ability to place and order to buy or sell a stock. How do I stop it.
How secure is this for my IPad?? Recommended by Dan Bongino!!
ExpressVPN encryption is very secure (for iPad and otherwise). Here is info on it: https://www.expressvpn.com/what-is-vpn/vpn-encryption
When it asked how you want to be notified to reset password its not letting me flag email address.