There’s a lot to think about when you or your employees get new mobile phones — plans, hardware, cost. But one thing many people don’t think about is number recycling, a common practice among providers. Take a look at how it enables some of the lesser-known cell phone cyberattacks.
What Can Someone Do with My Phone Number?
Many readers have heard of a SIM swap scam before. It’s a type of social engineering attack where a malicious actor attempts to gain control of a victim’s mobile phone number. They do this by calling up a mobile phone carrier and pretending to be the victim. Once they’ve connected to a customer support representative, they tell a sob story about a lost device or broken phone. Their goal: to trick the company into porting the victim’s phone number onto another device. Success means that the attacker can now receive calls and text messages, including text-based two-factor authentication (2FA) codes for their victims.
But success isn’t guaranteed. Many mobile phone carriers require customers to protect their accounts with a PIN, which the customer must provide before making changes to the account. That authentication mechanism makes the attack harder: without knowing the customer’s PIN, the attacker has to convince someone to overlook protocol and skip the PIN check.
But what if attackers didn’t have to go to all this effort? Number recycling attacks don’t rely on social engineering tactics to gain access to the target’s phone number. Let’s take a look at those.
What Is Number Recycling?
The threat of number recycling arises when a user abandons their existing mobile phone number for another. (This commonly happens when a customer purchases a new mobile device and decides to go with a new number as well.) The issue here is that the customer never ‘owned’ the mobile phone number. They just leased it. As such, many carriers can decide to transfer the customer’s old mobile phone number to another one of their customers whenever they want — even if that means the new owner could get text messages, calls and other phone-based communication for the previous owner.
Attackers understand how useful recycled phone numbers can be. As such, they can try to misuse mobile phone carriers’ websites in order to find recycled phone numbers that are up for grabs. They can hoard those numbers to steal victims’ personally identifiable information (PII), intercept access codes, perform phishing attacks and more.
Privacy and Security Risks
A group of Princeton University researchers investigated the potential security and privacy risks of recycled phone numbers. They found number recycling enables malicious actors to perform upwards of eight different attacks. Three low-cost attacks are most common. By cycling through available phone numbers on a carrier’s online number change form, a malicious actor can specifically index previous owners’ PII and hijack accounts using text-based password recovery. They can also use recycled phone numbers to obtain previous owners’ passwords from data leaks and then use those passwords to hijack users’ accounts.
The three attacks described above are low-cost, insofar as attackers just need to interact with a carrier’s online number change form. They don’t need to exploit any particular software vulnerabilities. That’s because the forms already impose few restrictions on attackers’ efforts to browse previous owners’ phone numbers.
What About on the Carrier’s Side?
The researchers studied the online number change forms of two mobile carriers. In the process, they discovered that the carriers did not proactively notify customers about their number recycling policies. They were also inconsistent about how long they kept a disconnected number unusable before using it again.
In interacting with those carriers’ forms, the researchers obtained and monitored 259 phone numbers. They found that the majority (83%) were recycled phone numbers. After a week, they found that 10% of the recycled numbers still received security- and privacy-focused communications for their previous owners.
The total number of available recycled phone numbers at one of the carriers was about one million at the time of analysis. Meanwhile, more recycled phone numbers become available every month.
The threats discussed above aren’t theoretical. Number recycling has already exposed an unknown number of users’ accounts to hijacking attempts. In 2016, for instance, the Los Angeles Times reported that a U.S. Congressman changed his phone number only to discover that whoever received his old phone number likely received log-in prompts for his web accounts. In 2020, a security enthusiast discovered number recycling enabled some Airbnb members to access other users’ accounts.
Putting a Stop to Number Recycling
No one person or entity can address the risks associated with number recycling on their own. For their part, mobile phone carriers can do more to explicitly warn users about the dangers of number recycling. They should be clear about the length of time for which they keep a disconnected number unavailable for reuse. In addition, they might consider offering a number ‘parking’ option. This would allow users to keep their old phone numbers out of the recycling pool for a specified period.
Mobile users and organizations can also do their part to secure accounts against hijacking attempts. Employers can implement a 2FA scheme that doesn’t rely on a user’s phone number to deliver login codes. They can instead require their employees to use an authentication app on their phone or a physical security key. This scheme, when paired with access controls and network monitoring, could help to protect the corporate network against number recycling attacks.
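One way to check how far an organization is from that scheme is to audit which accounts still depend on a phone number, either as a 2FA factor or as a password recovery channel. The sketch below is an added example, not part of the original article; the record layout, factor names and sample accounts are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Factor names are assumptions for this example, not any vendor's schema.
PHONE_BOUND = {"sms", "voice"}  # delivered to whoever currently holds the number
NUMBER_INDEPENDENT = {"totp", "security_key"}  # authenticator app, hardware key


@dataclass
class Account:
    user: str
    mfa_factors: set = field(default_factory=set)
    recovery_channels: set = field(default_factory=set)


def audit(account):
    """Return (severity, finding) tuples for one account's phone dependence."""
    findings = []
    phone_mfa = sorted(account.mfa_factors & PHONE_BOUND)
    strong_mfa = account.mfa_factors & NUMBER_INDEPENDENT
    if phone_mfa and not strong_mfa:
        findings.append(("high", "only phone-bound factors: " + ", ".join(phone_mfa)))
    elif phone_mfa:
        # An app or key is enrolled, but the old number is still a way in.
        findings.append(("medium", "phone-bound fallback still enrolled: " + ", ".join(phone_mfa)))
    if account.recovery_channels & PHONE_BOUND:
        # Text-based password recovery works for whoever receives the texts.
        findings.append(("high", "password recovery via phone number"))
    return findings


def audit_all(accounts):
    """Map each user with at least one finding to their findings."""
    report = {a.user: audit(a) for a in accounts}
    return {user: found for user, found in report.items() if found}


# Constructed sample data, not real accounts.
SAMPLE = [
    Account("alice", {"totp"}, {"email"}),
    Account("bob", {"sms"}, {"sms", "email"}),
    Account("carol", {"security_key", "sms"}, {"email"}),
    Account("dave", {"totp"}, {"sms"}),
]

if __name__ == "__main__":
    for user, found in audit_all(SAMPLE).items():
        for severity, message in found:
            print(f"{severity:6} {user}: {message}")
```

Note the last sample account: it uses an authentication app for login, yet it is still flagged because text-based password recovery remains enabled.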
Beyond those measures, organizations can help their employees learn account security best practices. They can use ongoing security awareness training to educate their users about the risks of sharing too much PII online, for instance. Doing so will help limit the types and amounts of information that account hijackers could learn about them. That, in turn, minimizes the possibility of attackers using number recycling to target them in the first place.