Many online services allow users to reset their passwords by clicking on a link sent by text message, and this unfortunately widespread practice has turned mobile phone numbers into de facto identity documents. That means losing control of a phone number through divorce, layoff, or financial crisis can be devastating.
Even so, many people voluntarily give up a cell phone number without considering the potential impact on their digital identity when those digits are invariably reassigned to someone else. New research shows how scammers can abuse the websites of wireless service providers to identify available and recycled mobile phone numbers that enable password resets at a range of email providers and online financial services.
Researchers from the IT department of Princeton University claim to have sampled 259 phone numbers from two major mobile carriers and found that 171 of them were linked to existing accounts on popular websites, potentially allowing those accounts to be hacked.
The Princeton team further discovered that 100 of those 259 numbers were linked to login information leaked on the web, which could allow account hijackings that thwart SMS multi-factor authentication.
“Our main finding is that attackers can take advantage of number recycling to target previous owners and their accounts,” the researchers wrote. “The moderate to high success rates of our testing methods indicate that most recycled numbers are vulnerable to these attacks. Additionally, by focusing on probable recycled number blocks, an attacker can easily discover the available recycled numbers, each of which then becomes a potential target.”
Researchers located newly recycled mobile numbers by browsing through the numbers made available to customers wishing to open a prepaid account at T-Mobile or Verizon (AT&T apparently does not provide a similar interface). They said they were able to identify and ignore large blocks of unused new numbers, as those blocks tend to be made available consecutively – much like newly printed money is numbered consecutively in stacks.
The Princeton team made a number of recommendations for T-Mobile and Verizon, noting that both operators allow unlimited requests on their online prepaid customer platforms – meaning nothing stops attackers from automating this kind of number discovery.
“On postpaid interfaces, Verizon already has guarantees and T-Mobile doesn’t even support changing numbers online,” the researchers wrote. “However, the number pool is shared between postpaid and prepaid services, making all subscribers vulnerable to attacks.”
They also recommend that operators train their support workers to remind customers of the risks of giving up a mobile number without first disconnecting it from other identities and online sites, advice the researchers found was generally not offered when they interacted with customer support about number changes.
Additionally, carriers could offer their own “number parking” service to customers who know they won’t need phone service for an extended period of time, or to those who just don’t know what they want to do with a number. Such services are already offered by companies like NumberBarn and Park My Phone, and they usually cost between $2 and $5 per month.
The Princeton study recommends that consumers who are considering changing their number store the digits with an existing number parking service or “port” the number to something like Google Voice. For a one-time fee of $20, Google Voice will let you port the number, and then you can continue to receive texts and calls to that number through Google Voice, or you can forward them to another number.
Porting seems less complicated and potentially safer, given that the average user has around 150 online accounts, a significant share of which will be linked to their mobile number.
While you’re at it, consider removing your phone number as a primary or secondary authentication mechanism whenever possible. Many online services require you to provide a phone number when registering for an account, but in many cases that number can be removed from your profile later.
It’s also important that people use something other than text messages for two-factor authentication on their email accounts when stronger authentication options are available. Consider using a mobile app like Authy, Duo, or Google Authenticator to generate the one-time code. Or better yet, a physical security key if that’s an option.
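To make the recommendation concrete, here is an added example (not from the article or the Princeton study) of the app-based one-time code the paragraph refers to. Authenticator apps such as Google Authenticator, Authy and Duo Mobile implement TOTP (RFC 6238): a shared secret is created at enrollment and stored in the app and on the server, and each code is an HMAC over the current 30-second time step. Nothing in this flow involves a phone number, so a recycled number carries no credential. The secret `12345678901234567890` is the RFC 6238 reference test secret; the issuer name, account name and `enroll_authenticator` helper are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer and reduced mod 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret: bytes, submitted: str, timestamp: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current time step plus/minus `window`
    neighbouring steps to tolerate clock skew; compares in constant time so
    the response timing does not leak how many digits matched."""
    counter = timestamp // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return True
    return False


def enroll_authenticator(issuer: str, account: str) -> tuple:
    """Hypothetical enrollment step: generate a fresh 160-bit secret and the
    otpauth:// URI that authenticator apps scan as a QR code. The secret is
    bound to the app on the device and to the server record, never to a
    mobile number, so it survives the number being given up or recycled."""
    secret = secrets.token_bytes(20)
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    uri = (f"otpauth://totp/{issuer}:{account}?secret={b32}"
           f"&issuer={issuer}&algorithm=SHA1&digits=6&period=30")
    return secret, uri


if __name__ == "__main__":
    # RFC 6238 reference secret; at T=59 the 6-digit SHA1 code is 287082.
    rfc_secret = b"12345678901234567890"
    print(totp(rfc_secret, 59))                       # 287082
    print(verify_totp(rfc_secret, "287082", 59))      # True
    print(verify_totp(rfc_secret, "287082", 150))     # False: code is stale

    # Constructed enrollment for an assumed service and account name.
    sec, uri = enroll_authenticator("ExampleService", "alice@example.com")
    print(uri)
    now = int(time.time())
    print(verify_totp(sec, totp(sec, now), now))      # True
```

Note that the server must also refuse to fall back to SMS for a user who has enrolled an authenticator; otherwise the weaker path, the one a recycled number can satisfy, remains available to whoever now holds the number.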
Princeton’s full study is available here (PDF).