I’m just about finished reading New York Times writer Nicole Perlroth’s fantastic new book, This Is How They Tell Me the World Ends, in which she lifts up and turns over the rock of the global cyberwar arms race to show us all the nasty, wormy hackers and spies underneath who play around in that muck. It’s a gripping read, like some kind of cyber-focused John le Carré thriller — only, you know, real — and I can’t recommend it enough.
However, it’s also important to remember that hackers can cause all sorts of mischief without even needing to resort to the zero-days and the myriad other digital tools that they pay top dollar for, and which nation-states have used to amass frighteningly expansive hacking war chests.
Sometimes, all a hacker needs is your number to pull off something like a nasty yet highly effective phone scam.
What we’re specifically referring to is the practice among mobile carriers of recycling your old phone number whenever you opt for a new one. Carriers give that old number to a new customer in an effort to postpone the eventual date when we run out of new phone numbers to assign. As you might surmise, however, a new study from Princeton University researchers has detailed many of the security and privacy risks associated with this practice, risks that stem in part from the fact that phone numbers are so often tied to Two-Factor Authentication protection.
In their paper, the researchers say they sampled 259 phone numbers available to new subscribers at two major carriers, and found that “171 of them were tied to existing accounts at popular websites, potentially allowing those accounts to be hijacked.
“Additionally, a majority of available numbers led to hits on people search services, which provide personally identifiable information on previous owners. Furthermore, a significant fraction (100 of 259) of the numbers were linked to leaked login credentials on the web, which could enable account hijackings that defeat SMS-based multi-factor authentication. We also found design weaknesses in carriers’ online interfaces and number recycling policies that could facilitate attacks involving number recycling.”
35 million U.S. phone numbers are disconnected each year. Most get reassigned to new owners. In a new study, @kvn_l33 and I found 66% of recycled numbers we sampled were still tied to previous owners’ online accounts, possibly allowing account hijacking. https://t.co/Ilj0iPkqXA pic.twitter.com/gXPwoIlwVZ
— Arvind Narayanan (@random_walker) May 3, 2021
Some of the recycled phone numbers, the researchers note, were still getting security- and privacy-related calls and messages, covering things like authentication passcodes and prescription reminders. “New owners who are unknowingly assigned a recycled number may realize the incentives to exploit upon receiving unsolicited sensitive communication, and become opportunistic adversaries.”
So, the big question: what can ordinary people do in light of this practice?
One thing the researchers recommend that people do is “park” their current phone number when disconnecting their line.
Subscribers can actually park their number at a dedicated parking service like NumberBarn, a mobile virtual network operator, or at a VoIP provider like Google Voice. “This includes subscribers looking to change their number, and those who need to temporarily disconnect their lines beyond the 90-day suspension offered by some carriers (e.g., a worker contracted overseas),” the researchers add. One benefit is that subscribers then have more time to update the SMS Two-Factor Authentication settings on accounts still tied to the old number.
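The study’s findings point at the service side of the problem as much as the subscriber side: an account keeps trusting a phone number long after its owner may have changed. The following is an added example, written for this article and not code from the Princeton researchers or any carrier, of how a web service could treat an SMS factor as suspect before honoring it. The 90-day staleness window, the delivery-failure threshold and the “wrong number” dispute signal are all assumptions chosen for illustration; the phone numbers and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List

# Assumed policy value for this example: a number the account holder has not
# re-confirmed within this window is treated as possibly recycled. It is not a
# figure taken from the study.
STALE_AFTER = timedelta(days=90)

# Assumed threshold: this many consecutive SMS delivery failures is read as a
# sign that the line was disconnected (and may have been handed to someone else).
MAX_DELIVERY_FAILURES = 3


@dataclass
class PhoneFactor:
    """A phone number registered on an account as an SMS second factor."""
    number: str                   # E.164 form, e.g. "+15550100001" (constructed)
    last_confirmed: date          # last time the holder proved control of the number
    delivery_failures: int = 0    # consecutive SMS delivery failures seen by the service
    disputes: List[date] = field(default_factory=list)  # "not me" replies received


@dataclass
class Decision:
    allow_sms: bool   # may an SMS one-time code to this number stand alone as a factor?
    reason: str


def evaluate_sms_factor(factor: PhoneFactor, today: date) -> Decision:
    """Decide whether an SMS code sent to this number may be trusted on its own.

    Any negative answer means the service should fall back to another factor
    (recovery code, email confirmation, authenticator app) rather than SMS.
    """
    if factor.disputes:
        return Decision(False, "recipient reported this number as not theirs; require another factor")
    if factor.delivery_failures >= MAX_DELIVERY_FAILURES:
        return Decision(False, "repeated SMS delivery failures suggest a disconnected line; re-verify")
    age = today - factor.last_confirmed
    if age > STALE_AFTER:
        return Decision(False, f"number last confirmed {age.days} days ago; re-verify before trusting SMS")
    return Decision(True, "number confirmed recently")


def numbers_due_for_reverification(factors: List[PhoneFactor], today: date) -> List[str]:
    """Return the numbers whose SMS factor the service should no longer trust unprompted."""
    return [f.number for f in factors if not evaluate_sms_factor(f, today).allow_sms]


if __name__ == "__main__":
    # Constructed sample inventory of SMS factors on a handful of accounts.
    today = date(2021, 5, 3)
    inventory = [
        PhoneFactor("+15550100001", date(2021, 4, 1)),                          # fresh
        PhoneFactor("+15550100002", date(2020, 12, 1)),                         # stale
        PhoneFactor("+15550100003", date(2021, 4, 20), delivery_failures=3),    # undeliverable
        PhoneFactor("+15550100004", date(2021, 4, 25), disputes=[date(2021, 5, 1)]),
    ]
    for f in inventory:
        d = evaluate_sms_factor(f, today)
        print(f"{f.number}: allow_sms={d.allow_sms} ({d.reason})")
    print("due for re-verification:", numbers_due_for_reverification(inventory, today))
```

The design choice worth noting is that the service never decides a number has been recycled; it only stops treating SMS as sufficient once the evidence that the holder still controls the number has gone stale, and asks for proof through a channel that does not depend on the number.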