When you get new mobile phones for your employees or yourself, there are many things to consider: plans, hardware, and cost. Number recycling is a common practice among service providers that many people neglect to consider. It allows for some lesser-known cyberattacks on cell phones.
Many people have heard of SIM swap scams. This is a social engineering scam in which a malicious actor attempts to seize control over a victim’s mobile number. They pretend to be the victim by calling a mobile phone company. After connecting to customer service representatives, they tell a pathetic story about a broken or lost phone. They wanted to trick the company into moving the victim’s number onto another device. The attacker is now able to receive texts and calls, as well as two-factor authentication (2FA), codes via text message for their victims.
However, success is not guaranteed. Customers are required to use a PIN to secure their accounts by many mobile phone companies. Customers will need their PIN to make any changes to their accounts. An attacker will find it very difficult to use this authentication method. They will not be able to know the customer’s PIN so they can convince another person to ignore protocol and not require a PIN.
So What is Number Recycling?
What if attackers didn’t have to put in all that effort? Number recycling attacks do not rely on social engineering to gain access within the target’s number. Let’s have a look.
Number recycling is when a user switches from one mobile number to another. This happens most often when a customer buys a new phone and decides to get a new number. This is because the customer never actually ‘owned’ their mobile number. They leased it. Many carriers have the option to transfer the customer’s old mobile number to another customer at any time, even though the new owner may not be able to receive text messages, calls, or other communication based on the phone.
Recycled phone numbers are valuable to attackers. They can use mobile phone carrier websites to steal recycled phone numbers. They could use those numbers to steal a victim’s personally identifiable information (PII), intercept access code, phishing attacks and other purposes.
What about on the Carrier’s Side
Researchers at Princeton compared the online number change forms for two mobile carriers. They discovered that both mobile carriers didn’t notify customers about their number recycling policies. They also were inconsistent in how long they kept disconnected numbers unusable before using them again.
The researchers monitored 259 telephone numbers by interacting with the carriers. The majority of the numbers (83%) were old phone numbers. They found out that 10 percent of the recycled numbers had received privacy- and security-focused communications from their former owners after a week.
At the time of analysis, there were approximately one million available recycled phone numbers at each carrier. In the meantime, recycled phone numbers are becoming more available each month.
These threats are not theoretical. Numerous users have been exposed to number recycling, which has led to them being hijacked by unknown numbers. The Los Angeles Times reported in 2016 that a U.S. A congressman changed his phone number, only to find that the person who received it likely received log-in prompts to his web accounts. A security enthusiast discovered that number recycling allowed some Airbnb members to gain access to other users’ accounts in 2020.
Security and Privacy Risks
The same Princeton University researchers looked into the privacy and security risks that recycled phone numbers could pose to individuals. Number recycling allows malicious actors to carry out up to eight attacks. The most popular attacks are three low-cost ones. A malicious actor can use the online number change form to scan for available phone numbers and then hijack accounts with text-based password recovery. Recycled phone numbers can be used to get passwords from data leaks, and then they can use these passwords to hack into users’ accounts.
These attacks are very low-cost as attackers only need to use an online form to change a carrier’s number. They don’t have to exploit any software vulnerabilities. Because the forms don’t have any restrictions on attackers trying to access phone numbers of previous owners, this is why they aren’t required to exploit them.
Stop Number Recycling
The risks of number recycling can’t be addressed by one individual or entity alone. Mobile phone companies can do more to warn their users about the dangers associated with number recycling. They need to be explicit about how long they keep disconnected numbers unavailable for reuse. They might also consider offering a number “parking” option. This would allow users the option to keep their old phones out of the recycling pools for a certain period.
Both mobile users and businesses can do their part to protect accounts from hijacking attempts. Employers can use a 2FA system to ensure that users don’t use their phone’s number to get login codes. Instead, they can require employees to use an app on their phones or a physical security code. This combination, along with network monitoring and access controls, can help protect the corporate network from number recycling attacks.
Organizations can also work with employees to teach them account security best practices. For example, they can provide ongoing security awareness training that teaches their users the dangers of sharing too many PII online. This will limit the amount of information account hijackers can access about them. This will reduce the chance of attackers using number-recycling to target them.