20.5k unique visitors in the last 3 days

Research Shows Recycling Phone Numbers Threatens Privacy

Academics from Princeton found more than half the numbers they obtained could be linked to personal data about former users.

A recent paper by Kevin Lee and Arvind Narayanan of Princeton University concluded that “online services should no longer equate a correctly-entered SMS passcode with successful user authentication” after they examined the ease with which the previous user of a phone number could have their identity hijacked after their number had been recycled. The academics acquired a sample of 259 phone numbers from two US mobile operators, Verizon and T-Mobile, and found that 171 were already tied to the online accounts of former users, meaning they could potentially be used for the receipt of one time passwords and other kinds of identity checks. Personal information about most of the users could be found by doing an online search using the phone number, and 100 of the numbers were associated with login credentials that had been breached and which could also be found online.

The researchers illustrated the issues by observing how many people receive calls intended for the former users of a number. Most of us would consider this an annoyance, but it also represents a privacy threat because the new user is inadvertently being given information about the behaviors and purchases of the former user. The study found that 10 percent of numbers received sensitive information through calls or text messages intended for the former user. The dangers appeared not to be properly understood by either Verizon or T-Mobile, as their customer service staff provided many contradictory answers when researchers posed as customers enquiring about their policies on recycling numbers. To their credit, both firms updated their approach when they saw the results of the study.

The risk that a specific individual could be targeted is heightened by the observation that data breaches and lax security often mean a person’s phone number can be found online. Two notorious recent examples involve a Facebook data breach that divulged the phone number of CEO Mark Zuckerberg amongst many others, and the personal mobile phone number of UK Prime Minister Boris Johnson being openly shared online for 15 years. Neither the Verizon nor the T-Mobile US self-service portals allowed customers to choose a specific new number, but determined individuals could submit repeated queries into the Verizon portal until they were offered the number they wanted, aided by the fact that the interface was designed to avoid presenting a number if it had previously been rejected. The researchers considered that there was particular danger to victims of domestic abuse, as their abusers are more likely to exhibit the persistence required to take control of their victim’s past phone number.

The academics identified eight ways that a bad actor could utilize a recycled number to infringe the privacy or security of their target. They made a series of recommendations to reduce the risk, including telcos placing limits on how many times a customer can query available numbers, how many times they can change number, and giving inactive customers the option to ‘park’ their unused phone number for a period of time.

The draft of Lee and Narayanan’s paper, entitled “Security and Privacy Risks of Number Recycling at Mobile Carriers in the United States” can be freely obtained from here.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email