Recycled Phone Numbers Threaten Digital Privacy and Safety, Study Shows

A study from the Department of Computer Science and Center for Information Technology Policy at Princeton University draws attention to security and privacy risks that stem from recycling mobile phone numbers.

Researchers point out how threat actors can abuse this practice to carry out account takeover, phishing and spam attacks or restrict targets from signing up to online platforms.

The study examined 259 phone numbers available for new subscribers at two major carriers in the US. The findings show that 66% of the mobile phone numbers (171) were still linked to various online platforms, making them susceptible to account hijacking.

“An attacker can use a recycled number—that they have obtained by signing up for service—to look up information on the number’s previous owner on the web or through data aggregation services, which are available to anyone at low cost,” the researchers said.

Most of the available numbers led to hits on people search services, which provide personally identifiable information on previous owners. Once a threat actor has gathered the data, they can perform impersonation attacks and commit fraud.

“Furthermore, a significant fraction (100 of 259) of the numbers were linked to leaked login credentials on the web, which could enable account hijackings that defeat SMS-based multi-factor authentication,” the researcher added.

On top of the previously mentioned attack vectors, the study shows five additional number recycling threats targeting previous and future owners, including:

• Targeted takeover attacks - attackers learn that the victim has changed his phone number. Once the number becomes available, they can obtain it to hijack online accounts and impersonate or stalk the previous owner
• Smishing attacks - Once a previously used phone number is assigned to a new subscriber, threat actors can send a fake SMS to hijack online phone accounts and numbers
• Persuasive takeover attacks - Scammers can hijack linked online accounts, impersonate the victim or read new messages intended for the victim by spoofing a carrier message. “Your number is part of an ongoing investigation on the previous owner and needs to be reclaimed. Please change your number online,” is just one of the fake messages an attacker could send
• Spam - Victims can be harassed with unwanted texts and calls. The attacker obtains the number and signs up for alerts, newsletters and robocalls, then releases the number for recycling
• Denial of service – In this type of attack, the threat actors obtain a number and sign up for an online service that requires a valid phone number, then immediately release it. The next owner of the number who signs up for the same service will be denied since an account associated with the number already exists in the system. The attacker can then contact the victim via SMS and demand a payment to release the number from the platform.

The best way to protect against such attacks is to unlink your phone number from all online services before changing it. Additionally, users can opt for an authenticator app to make sure that their online accounts remain secure.

Protecting online privacy is a tedious undertaking. Start by checking if your personal information has been stolen or made public on the internet with Bitdefender’s Digital Identity Protection tool.