Researchers from Princeton have found significant privacy and security risks from recycled phone numbers available through two major US mobile carriers, T-Mobile and Verizon.
A recycled phone number is simply a disconnected number that’s been reassigned to a new subscriber. Recycling numbers is a regulated industry practice for maintaining the availability of 10-digit numbers. Since the Federal Communications Commission estimates 35 million phone numbers are disconnected each year, it’s a big pool.
But the researchers found a lack of query limits by both carriers made it possible for bad actors to do a reverse lookup on the recycled numbers offered and locate accounts that are still linked to the previous owner, including bank and social media accounts.
“An attacker can cycle through the available numbers shown on online number change interfaces and check if any of them are associated with online accounts of previous owners. If so, the attacker can then obtain these numbers and reset the password on the accounts, and receive and correctly enter the OTP sent via SMS upon login,” the researchers said.
The research sampled 259 numbers and found 215 of them were recycled and vulnerable to at least one of three attack types:
- PII indexing – 171 of the 259 sampled numbers could be used to locate personally identifiable information (PII) on previous owners on people search services
- Account hijackings via recovery – 171 of 259 sampled numbers were vulnerable to account hijackings at Amazon, AOL, Facebook, Google, PayPal, and Yahoo
- Account hijackings without password reset – 100 of the 259 numbers could be linked to leaked login credentials on the web, making it possible for the bad actor to defeat the multi-factor authentication and hijack the account.
It also found five other exploits that could put past and future owners of recycled phone numbers at risk: targeted takeovers, phishing scams, persuasive takeovers, spam and denial of service.
Both carriers have since rectified the issue. You can read the study findings and the telecoms’ responses here.
Commentators point out the Princeton study is more evidence of why SMS-based authentication is unsatisfactory, since the bad actors could hijack an account protected by SMS two-factor authentication without ever knowing the password.
Princeton Professor Arvind Narayanan, who co-conducted the study and is an executive committee member at the Center for Information Technology Policy, advises users to unlink accounts from any number they’re giving up, use low-cost number parking services, and employ more secure alternatives to SMS two-factor authentication.
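The core defensive lesson of the study is that a service should not trust a stored phone number for password recovery or OTP delivery once that number may have changed hands. The following is an added example, not code from the study, the carriers or MySudo: it assumes a hypothetical feed of number reassignment dates (a constructed lookup table here, standing in for whatever ownership-change signal a service can obtain) and refuses SMS recovery for any number reassigned after the account linked it, falling back to a stronger factor.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Account:
    """Minimal account record: recovery number and when the user linked it."""
    user: str
    phone: str
    phone_linked_on: date
    has_authenticator: bool  # does the user also have a non-SMS second factor?


# Constructed sample data, standing in for a hypothetical carrier/ownership feed:
# phone number -> date it was last assigned to a new subscriber.
REASSIGNED_ON = {
    "+15550100": date(2021, 3, 15),  # recycled after the account below linked it
    "+15550101": date(2019, 6, 1),   # last reassigned before it was linked
}


def sms_recovery_allowed(acct: Account, reassigned_on: dict) -> tuple:
    """Return (allowed, reason). SMS is only trusted if the number has not
    been reassigned since this account linked it."""
    last_reassigned = reassigned_on.get(acct.phone)
    if last_reassigned is None:
        # No ownership data: treat as unverified rather than silently trusting it.
        return False, "ownership-unknown"
    if last_reassigned > acct.phone_linked_on:
        # Number was handed to a new subscriber after linking: classic recycled-number risk.
        return False, "number-recycled"
    return True, "ok"


def recovery_channel(acct: Account, reassigned_on: dict = REASSIGNED_ON) -> str:
    """Pick the recovery path: SMS only when safe, else a stronger factor or manual review."""
    allowed, _reason = sms_recovery_allowed(acct, reassigned_on)
    if allowed:
        return "sms"
    if acct.has_authenticator:
        return "authenticator"
    return "manual-review"


# Constructed accounts for demonstration.
RECYCLED = Account("alice", "+15550100", date(2020, 1, 10), has_authenticator=True)
INTACT = Account("bob", "+15550101", date(2020, 1, 10), has_authenticator=False)
UNKNOWN = Account("carol", "+15550199", date(2020, 1, 10), has_authenticator=False)
```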
We add another strategy: use MySudo.
MySudo is the world’s only all-in-one privacy app. It’s the only app on the market that offers private and secure phone, email, browsing and payments all in one place, accessed via Sudos—secure digital profiles that work as real alternatives to your personal identity.
MySudo protects your personal data but still allows you to access web sites and services. We all manage many online accounts, and when we use the same user information, like name, email, and phone number, to access those accounts, they become linked together. If one of those accounts is breached, all the other accounts and their data are at risk.
And this is exactly the risk you face when a bad actor gets hold of your old phone number.
When you use a Sudo profile instead of your personal information, you break the links between your accounts and the PII associated with you. Even if one of your accounts is breached, the rest of your accounts can stay safe.
This categorization and separation of your private data across various Sudos is called compartmentalization and it’s the most powerful data privacy strategy there is.
Our users love the real, working phone numbers in MySudo. You can have up to nine phone numbers, depending on your plan. You select the area code and location for each number.
With your Sudo phone number you can:
- Receive voice calls
- Make voice calls
- Set up voicemail
- Set up custom ringtones
- Add contacts
- Send SMS and MMS texts.
And all voice and video calls and messaging with other MySudo users are end-to-end encrypted.
Using multiple Sudo profiles spreads your risk and allows you to have different phone numbers for different purposes. The one you assign to your banking won’t be the same as the one you give food delivery services. And the one you use for your doctor and healthcare providers will be different from the one you use when you book and stay at hotels.
This is just another way of proactively protecting your personal data.
Find out how to make best use of your nine Sudos here.