Security Threats linked with recycled phone numbers in the US
A recent study by Kevin Lee of Princeton University and Professor Arvind Narayanan, a member of the executive committee of the Center for Information Technology Policy, revealed a number of privacy and security risks associated with recycled mobile phone numbers, which could be used to stage a range of fraudulent activities such as account takeovers, spam attacks and phishing.
66% of the tested recycled mobile phone numbers were found to be still linked with their previous owners’ online accounts (such as Facebook and other social media platforms) on some well-known websites. This link could allow an account to be hacked simply by recovering the profile associated with the number. The researchers also said that a hacker can cycle through the phone numbers available on the online number change interfaces to check whether any of them are still associated with the online accounts of their previous owners. In simple words, the hacker can get hold of the numbers and use them to reset the passwords on existing accounts through the one-time password (OTP), once it is sent via SMS and entered correctly.
Phone number recycling is the practice of assigning disconnected phone numbers to a new customer of the same provider. An estimated 35 million phone numbers in the United States are disconnected every year, according to the Federal Communications Commission (FCC).
The hacker performs a reverse lookup by entering random numbers in the online interface provided by the two carriers. Once the hacker finds a recycled number, it can be bought and later used to access the previous owner’s account to which the number is linked. These attacks are possible because the carriers set no restrictions on queries for available numbers on their prepaid interfaces. This lets the hacker discover recycled phone numbers before the verification step of a number change. The study shows that SMS-based verification is risky, as the attacks described above may allow the hacker to break into an SMS 2FA enabled account without even knowing the password.
According to a tweet posted by Narayanan, anyone who wants to give up their phone number needs to unlink it from all online services. They should consider low-cost phone number parking services, and should use more secure alternatives such as authenticator apps.