There’s a lot to think about when you or your employees get new mobile phones — plans, hardware, cost. But one thing many people don’t think about is number recycling, a common practice among providers. Take a look at how it enables some of the lesser-known cell phone cyberattacks. 

What Can Someone Do with My Phone Number? 

Many readers have heard of a SIM swap scam before. It’s a type of social engineering attack where a malicious actor attempts to gain control of a victim’s mobile phone number. They do this by calling up a mobile phone carrier and pretending to be the victim. Once they’ve connected to a customer support representative, they tell a sob story about a lost device or broken phone. Their goal: to trick the company into porting the victim’s phone number onto another device. Success means that the attacker can now receive calls and text messages, including text-based two-factor authentication (2FA) codes for their victims.

But success isn’t guaranteed. Many mobile phone carriers require customers to protect their accounts with a PIN. When a customer tries to make changes to their account, they will need to provide their PIN. That authentication mechanism makes it difficult for an attacker. Without knowing a customer’s PIN, they will need to convince someone to overlook protocol by not requiring a PIN.

But what if attackers didn’t have to go to all this effort? Number recycling attacks don’t rely on social engineering tactics to gain access to the target’s phone number. Let’s take a look at those.

What Is Number Recycling?

The threat of number recycling arises when a user abandons their existing mobile phone number for another. (This commonly happens when a customer purchases a new mobile device and decides to go with a new number as well.) The issue here is that the customer never ‘owned’ the mobile phone number. They just leased it. As such, many carriers can decide to transfer the customer’s old mobile phone number to another one of their customers whenever they want — even if that means the new owner could get text messages, calls and other phone-based communication for the previous owner.

Attackers understand how useful recycled phone numbers can be. As such, they can try to misuse mobile phone carriers’ websites in order to find recycled phone numbers that are up for grabs. They can hoard those numbers to steal victims’ personally identifiable information (PII), intercept access codes, perform phishing attacks and more.

Privacy and Security Risks

A group of Princeton University researchers investigated the potential security and privacy risks of recycled phone numbers. They found number recycling enables malicious actors to perform upwards of eight different attacks. Three low-cost attacks are most common. By cycling through available phone numbers on a carrier’s online number change form, a malicious actor can specifically index previous owners’ PII and hijack accounts using text-based password recovery. They can also use recycled phone numbers to obtain previous owners’ passwords from data leaks and then use those passwords to hijack users’ accounts.

The three attacks described above are low-cost, insofar as attackers just need to interact with a carrier’s online number change form. They don’t need to exploit any particular software vulnerabilities. That’s because the forms already impose few restrictions on attackers’ efforts to browse previous owners’ phone numbers.

What About on the Carrier’s Side? 

The researchers studied the online number change forms of two mobile carriers. In the process, they discovered that the carriers did not proactively notify customers about their number recycling policies. They were also inconsistent about how long they kept a disconnected number unusable before using it again.

In interacting with those carriers’ forms, the researchers obtained and monitored 259 phone numbers. They found that the majority (83%) were recycled phone numbers. After a week, they found that 10% of the recycled numbers still received security- and privacy-focused communications for their previous owners.

The total number of available recycled phone numbers at one of the carriers was about one million at the time of analysis. Meanwhile, more recycled phone numbers become available every month.

The threats discussed above aren’t theoretical. Number recycling has already exposed an unknown number of users’ accounts to hijacking attempts. In 2016, for instance, the Los Angeles Times reported that a U.S. Congressman changed his phone number only to discover that whoever received his old phone number likely received log-in prompts for his web accounts. In 2020, a security enthusiast discovered number recycling enabled some Airbnb members to access other users’ accounts.

Putting a Stop to Number Recycling

No one person or entity can address the risks associated with number recycling on their own. For their part, mobile phone carriers can do more to explicitly warn users about the dangers of number recycling. They should be clear about the length of time for which they keep a disconnected number unavailable for reuse. In addition, they might consider offering a number ‘parking’ option. This would allow users to keep their old phone numbers out of the recycling pool for a specified period.

Mobile users and organizations can also do their parts to secure accounts against hijacking attempts. Considering this, employers can implement a 2FA scheme in which a user doesn’t use their phone number to receive login codes. They can instead require their employees to use an authentication app on their phone or a physical security key. This scheme, when paired with access controls and network monitoring, could help to protect the corporate network against number recycling attacks.

Beyond those measures, organizations can work with their employees to learn account security best practices. They can use ongoing security awareness training to educate their users about the risks of sharing too much PII online, for instance. Doing so will help limit the types and amounts of information that account hijackers could learn about them. That, in turn, minimizes the possibility of attackers using number recycling to target them in the first place.

More from Mobile Security

Third-Party App Stores Could Be a Red Flag for iOS Security

4 min read - Even Apple can’t escape change forever. The famously restrictive company will allow third-party app stores for iOS devices, along with allowing users to “sideload” software directly. Spurring the move is the European Union’s (EU) Digital Markets Act (DMA), which looks to ensure open markets by reducing the ability of digital “gatekeepers” to restrict content on devices. While this is good news for app creators and end-users, there is a potential red flag: security. Here’s what the compliance-driven change means for…

4 min read

A View Into Web(View) Attacks in Android

9 min read - James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…

9 min read

How the Mac OS X Trojan Flashback Changed Cybersecurity

4 min read - Not so long ago, the Mac was thought to be impervious to viruses. In fact, Apple once stated on its website that "it doesn't get PC viruses". But that was before the Mac OS X Trojan Flashback malware appeared in 2012. Since then, Mac and iPhone security issues have changed dramatically — and so has the security of the entire world. In this post, we'll revisit how the Flashback incident unfolded and how it changed the security landscape forever. What…

4 min read

Switching to 5G? Know Your Integrated Security Controls

4 min read - 5G is a big leap in mobile technology. It presents enterprises and service providers with capabilities for advanced applications, content delivery and digital engagement anywhere. It enables businesses with new use cases and integrated security needs to have a trusted network and application/data delivery function. How does one build a secure 5G network that provides the level of trust required by users today and in the future? The Benefits of 5G 5G's new use cases come from: Customized network slices…

4 min read