According to FCC data, roughly 35 million phone numbers are disconnected every year. A new study has found that the majority of those numbers remain tied to the previous owner, opening the door to a variety of attacks that can put their former user at significant risk.
The new study by researchers at the Department of Computer Science and Center for Information Technology Policy at Princeton University sampled 259 phone numbers available to new subscribers at two major wireless carriers, and found that 171 were still tied to existing accounts at popular websites, creating significant privacy issues. Because of the way many online accounts are set up, it can be possible to hack an account as long as you have access to a phone number associated with it.
Number recycling is a regulated telecom industry practice that maintains consistent availability of new ten-digit phone numbers as users switch phones and phone numbers, or discontinue accounts that are no longer needed.
Studies had already found that switching numbers opens the door to harassment, privacy abuses, and unwanted marketing. But the Princeton study found that carriers aren’t doing enough at the point of sale to limit potentially significant abuse by third parties, and often provide inconsistent information to users about how the process works.
“At carriers that allow for full numbers to be previewed—either during signup or number change—an attacker can ‘scout out’ a number by looking for linked accounts and owner history, all before obtaining the recycled number,” the paper found.
The study found there were up to eight different attacks that could then be used to exploit phone number recycling, including personally identifiable information indexing (the use of people search services and phone numbers to gather additional personal information), phishing attacks, denial-of-service attacks, and account takeovers with or without authorized password reset.
Researchers found that hackers don’t even have to exploit software vulnerabilities; they simply have to peruse mobile carrier prepaid websites to go shopping for a phone number they’re hoping to target. At Verizon, they found roughly a million phone numbers freely available for perusal online, with new numbers becoming available each month.
“We found that the online interfaces in question imposed few restrictions on the adversary’s ability to browse and obtain previously owned numbers for exploitation,” they said.
Researchers Arvind Narayanan and Kevin Lee also found that 100 of the 259 numbers examined in their sample set were associated with already-leaked login credentials circulating online, opening the door to attacks bypassing SMS-based multi-factor authentication.
The researchers state that after being contacted, both Verizon and T-Mobile updated their customer support materials to remind customers that unused phone numbers may still be tied to online accounts, opening the door to abuse.
“Unfortunately, carriers imposed few restrictions on the adversary’s ability to browse available numbers and acquire vulnerable ones,” Narayanan said on Twitter. “After we disclosed the issue to them a few months ago, Verizon and T-Mobile improved their documentation but have not made the attack harder.”
The researchers found that carriers could further mitigate the threat by restricting unlimited phone number queries at their prepaid service websites, and forcing users to contact customer service instead of allowing the perusal of full phone numbers online.
Narayanan and Lee noted that users looking to protect themselves should port their existing phone number over when switching devices, or store numbers they’re no longer interested in using at number parking services like NumberBarn or an internet voice service like Google Voice.
The failure to adequately police the abuse of recycled phone numbers is playing a role in an ongoing privacy lawsuit against Apple, which alleges that an iOS flaw, combined with recycled T-Mobile phone numbers, provided third parties unauthorized access to users’ communications, including both iMessages and FaceTime calls.
The study comes on the heels of a growing volume of research showing that text-message two-factor authentication simply isn’t secure. Whether it’s SIM hijacking or the exploitation of existing SMS flaws to redirect sensitive text messages to third parties, researchers say consumers are better off using email-based two-factor verification or authentication apps.