Recycled Phone Numbers

A recent study presents eight attacks that exploit the security and privacy implications of phone number recycling, a regulated industry practice to maintain the availability of ten-digit phone numbers.

Attacks Linked with Recycled Phone Numbers

The analysis says most of the available phone numbers that were sampled (215 of 259) were recycled and also vulnerable to at least one of three attacks: PII indexing, account hijacking via recovery, and account hijacking without a password reset.

In addition, 100 of the sampled phone numbers were identified as associated with email addresses that had been involved in a data breach in the past, thus allowing account hijacks of a second kind that circumvent SMS-based multi-factor authentication.

In a third attack, 171 of the 259 available numbers were listed on people search services like BeenVerified, and in the process, leaked sensitive personal information of prior owners.

“Once they obtain the previous owner’s number, they can perform impersonation attacks to commit fraud or amass even more PII on previous owners,” the researchers explained.

The researchers describe five additional threats enabled by phone number recycling that target both previous and future owners, permitting a malicious actor to impersonate past owners, hijack the victims’ online phone account and other linked online accounts, and worse, carry out denial-of-service attacks.

The number of available recycled numbers is estimated to be about one million, with a large fresh set of numbers becoming available each month.

The researchers note: “An attacker can cycle through the available numbers shown on online number change interfaces and check if any of them are associated with online accounts of previous owners.”

“If so, the attacker can then obtain these numbers and reset the password on the accounts, and receive and correctly enter the OTP sent via SMS upon login.”

Phone number recycling refers to the standard practice of reassigning disconnected phone numbers to other new subscribers of the carrier.

According to the Federal Communications Commission (FCC), an estimated 35 million phone numbers are disconnected each year in the U.S.

This creates severe dangers when an attacker does a reverse lookup by randomly entering such numbers in the online interfaces offered by the two carriers and, upon encountering a recycled number, buys it and successfully logs in to the victim account to which the number is linked.

The attack relies mainly on the absence of query limits for available numbers on the carriers’ prepaid number-change interfaces, in addition to those interfaces displaying “full numbers, which gives an attacker the ability to discover recycled numbers before confirming a number change.”
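
The two weaknesses named above (no query limit, full numbers shown before confirmation) map to two server-side controls. The sketch below is an added example, not code from the study or from any carrier; the class, the limits and the 555-01xx sample numbers are constructed assumptions.

```python
import secrets
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 24 * 3600  # assumed policy window
MAX_QUERIES = 5             # assumed listings allowed per account per window


def mask_number(number: str) -> str:
    """Hide the last four digits so a listed number cannot be looked up elsewhere."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) != 10:
        raise ValueError("expected a ten-digit number")
    return f"({digits[:3]}) {digits[3:6]}-XXXX"


class NumberChangeInterface:
    """Hypothetical number-change backend with a query budget and masked offers."""

    def __init__(self, pool, clock=time.time):
        self._pool = list(pool)
        self._clock = clock
        self._history = defaultdict(deque)  # account id -> recent listing times
        self._offers = {}                   # (account id, token) -> full number

    def list_available(self, account_id, count=3):
        now = self._clock()
        seen = self._history[account_id]
        while seen and now - seen[0] >= WINDOW_SECONDS:
            seen.popleft()                  # drop listings outside the window
        if len(seen) >= MAX_QUERIES:
            raise PermissionError("query limit reached for this account")
        seen.append(now)
        offers = []
        for number in self._pool[:count]:
            token = secrets.token_urlsafe(8)
            self._offers[(account_id, token)] = number  # full number stays server-side
            offers.append({"token": token, "display": mask_number(number)})
        self._pool = self._pool[count:] + self._pool[:count]  # rotate the pool
        return offers

    def confirm_change(self, account_id, token):
        """Reveal the full number only once the change is committed."""
        number = self._offers.pop((account_id, token))
        self._pool.remove(number)
        return number
```

The client only ever sees the masked display string and an opaque token, so cycling through listings no longer yields full numbers to check against people search services or account recovery pages.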

Recycled Numbers Are Easy to Spot

The researchers checked this by randomly sampling 159 and 100 numbers from Verizon’s and T-Mobile’s possibly unused groups respectively and looking for people search hits.

From that, they found that 53/159 and 44/100 of the sampled possibly unused numbers returned hits, compared to 96/159 and 75/100 of the sampled likely recycled numbers.

Final Word

This study is further evidence of why SMS-based authentication is a risky method, as the attacks outlined above could allow an adversary to hijack an SMS 2FA-enabled account without having to know the password. “If you need to give up your number, unlink it from online services first,” Arvind Narayanan, who is one of the executive committee members at the Center for Information Technology Policy, said in a tweet. “Consider low-cost number ‘parking’ services. Use more secure alternatives to SMS-2FA such as authenticator apps.”

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.