If you have ever changed your cell phone number, especially in the last few years, you could be putting yourself at considerable security and privacy risk.
Your old phone number can give hackers, crooks, and stalkers an opening to take over your Google, Facebook, Amazon, and Yahoo accounts, break into your online bank accounts, and even stalk and threaten you, Princeton University researchers detail in a new academic paper and a related website.
This happens because many websites let you log in with a phone number instead of a username, and then send a text to that phone number to reset your password.
In other cases, banks and other financial services send two-factor authentication (2FA) codes to cell phone numbers, so fraudsters who have obtained email addresses and passwords through data leaks can break into those accounts once they control the number.
In short, the use of cell phone numbers for account and identity verification is a slowly unfolding privacy and security catastrophe.
To prevent this from happening, Princeton University researchers Kevin Lee and Arvind Narayanan advise anyone who changes numbers to use a "number parking" service, which holds the number for a modest fee so that it is not released back to the carrier.
They also advise those who change their numbers to be aware that they have only 45 days before their old numbers return to circulation, and that they must unlink their old numbers from all online accounts during that time. (This story was previously reported by Vice Motherboard.)
Lee and Narayanan note in their research paper and on their website that of the three major US carriers, Verizon and T-Mobile both let prospective subscribers choose a new cell phone number online, presenting a list of available numbers to pick from (AT&T does not).
"In the US, when a subscriber gives up a 10-digit phone number, that number is eventually assigned to someone else," they wrote in their research paper.
The "aging" period during which a relinquished number stays out of use is 45 days, as mandated by the FCC. After that, numbers can be reused, and if they are managed by Verizon or T-Mobile, they are listed on the carriers' respective websites.
Lee and Narayanan said that about 1 million numbers are available for reuse at any given time and "estimate that available numbers will be taken after 12 months".
A look at the Verizon and T-Mobile websites reveals that it is easy to distinguish between "new" numbers that have never been used and "recycled" numbers that have.
New numbers appear in consecutive order, while previously used numbers appear with the last four digits randomized. (The area code is associated with the prospective customer's location, and the middle three digits are the exchange prefix assigned to the carrier in blocks.)
Lee and Narayanan examined 259 available numbers from Verizon and T-Mobile and found that 215 had been used previously.
The researchers found that 171, or 83%, of the recycled numbers were tied to at least one existing account with Amazon, AOL, Facebook, Google, PayPal, or Yahoo. Each of these services allows users to log in using their cell phone number instead of an email address or user name.
Worse, Amazon, AOL, PayPal, and Yahoo also allow users to reset their account passwords by sending an authentication text containing a one-time passcode (OTP) to the associated cell phone number.
In other words, Lee and Narayanan were able to hijack the accounts of 171 different people by simply using their old phone numbers.
"Accounts with such a doubly insecure setup are in immediate danger of being hijacked," they wrote in their paper.
Facebook and Google have improved on this point, as "account recovery by SMS is only possible if SMS 2FA is not enabled".
Otherwise, you will need to present another form of authentication, or have an OTP sent to your backup email account, before an account-reset OTP is issued. (Using SMS text messages for two-factor authentication is dangerous; other 2FA methods are much better.)
Lee and Narayanan did not even have to "request" these numbers from T-Mobile or Verizon to do this. All they had to do was look at the available numbers on the carriers' websites. That way, an organized attacker could pre-screen the available numbers for linked accounts.
"An attacker could obtain these numbers, reset the account password, and receive and correctly enter the OTP sent via SMS at login," they wrote.
But there is something even worse. Lee and Narayanan ran the recycled phone numbers through two "people search" sites, BeenVerified and Intelius, to gather information about the numbers' previous owners.
Again, the 171 phone numbers yielded information such as full name, email address, location, address, employment, and social media accounts. Just having an old phone number is a good start for an attacker seeking to steal that person's identity.
Lee and Narayanan also plugged the phone numbers into HaveIBeenPwned, an online database of breached credentials.
They found that 100 of the 259 numbers were "linked to leaked login credentials on the web, potentially allowing account hijacking to defeat SMS multi-factor authentication".
In other words, these numbers were associated with username/password combinations that had already been compromised and were available somewhere online.
With the login credentials and the phone number, an attacker could log into an SMS-based, 2FA-protected account, receive the authentication text containing the one-time password, and completely take over the old number owner's email, banking, and other online accounts.
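As an added illustration (not the researchers' code or the article's), the following Python model scores an account's exposure to number recycling using the conditions described above: login by phone number, password reset by SMS OTP, the Facebook/Google rule that suppresses SMS recovery while SMS 2FA is on, and leaked credentials combined with SMS 2FA. The policy and account classes, and the 45-day re-verification check, are hypothetical constructions for this example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# US "aging" period before a released number may be reassigned (45 days, per the article).
AGING_DAYS = 45

@dataclass(frozen=True)
class RecoveryPolicy:
    """How a service treats the phone number bound to an account (hypothetical model)."""
    phone_login: bool           # number accepted in place of a username
    sms_password_reset: bool    # password reset possible with an SMS OTP alone
    sms_2fa_blocks_reset: bool  # SMS recovery disabled while SMS 2FA is on (Facebook/Google behaviour)

@dataclass(frozen=True)
class Account:
    policy: RecoveryPolicy
    sms_2fa_enabled: bool
    credentials_leaked: bool    # username/password already exposed in a breach

def recycled_number_exposure(acct: Account) -> set[str]:
    """Takeover paths the new owner of the account's recycled number would have."""
    p = acct.policy
    # SMS-based reset stays reachable unless the service suppresses it while SMS 2FA is on.
    sms_reset_open = p.sms_password_reset and not (p.sms_2fa_blocks_reset and acct.sms_2fa_enabled)
    paths = set()
    if p.phone_login and sms_reset_open:
        paths.add("doubly_insecure")   # log in by number, reset by SMS OTP: immediate hijack
    elif sms_reset_open:
        paths.add("sms_reset")         # reset still possible once the username is known
    if acct.credentials_leaked and acct.sms_2fa_enabled:
        paths.add("sms_2fa_bypass")    # leaked password + OTP delivered to the number's new owner
    return paths

def number_needs_reverification(last_verified: date, today: date) -> bool:
    """Defender-side check added here (not from the paper): a bound number that has not been
    re-confirmed within the aging window may already have been reassigned, so stop trusting
    it for account recovery until the user verifies it again."""
    return today - last_verified > timedelta(days=AGING_DAYS)

if __name__ == "__main__":
    legacy = RecoveryPolicy(phone_login=True, sms_password_reset=True, sms_2fa_blocks_reset=False)
    hardened = RecoveryPolicy(phone_login=True, sms_password_reset=True, sms_2fa_blocks_reset=True)
    print(recycled_number_exposure(Account(legacy, sms_2fa_enabled=False, credentials_leaked=False)))
    print(recycled_number_exposure(Account(hardened, sms_2fa_enabled=True, credentials_leaked=False)))
    print(number_needs_reverification(date(2021, 1, 1), date(2021, 3, 1)))
```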
Lee and Narayanan paint an even more dire scenario. A person being stalked or harassed may change his or her number to escape the torment, and after the 45-day "aging" period, the stalker could claim the old number.
Phishers and spammers can note the available numbers and send text spam to the new owner once a number has been claimed. Cunning scammers can hold a number temporarily, register it with Google, Facebook, or Amazon, and then release it.
Fortunately, this research, presented in advance to T-Mobile and Verizon, has already had some success.
Both carriers have added reminders to their number-change pages telling subscribers that they have 45 days to unlink their old numbers from their online accounts. Verizon also changed its number-change page so that subscribers can no longer browse the available numbers endlessly.
Still, all of this serves as a reminder that phone numbers should not be used as login credentials, for account verification, or as proof of identity.