When you get a new phone number, mobile carriers will often “recycle” your old one—assigning it to a new phone and, therefore, a new customer. Carriers say the reason they do this is to stave off a hypothetical future of “number exhaustion”—a sort of “peak oil” for phone numbers, when every possible number that could be assigned to a phone has been taken.
However, the act of number recycling actually brings with it a host of security and privacy risks, a new study conducted by Princeton University researchers shows. More often than not, recycled numbers allow new customers access to old customer information, opening up opportunities for a variety of invasive, potentially exploitative encounters.
For one thing, new number owners will often continue to get personalized updates meant for the former owner. This can be quite invasive—for both parties: The study relates one particular incident in which a user of a new number was “bombarded with texts containing blood test results and spa appointment reservations” that were obviously meant for someone else. While this may sound more comical than concerning, the access presented by a phone number can obviously be a lot more dire.
Despite the fact that phone numbers are typically used in two-factor authentication or for other security purposes, people often fail to immediately update all of their online accounts when they change numbers, and old numbers can linger as methods for SMS-authenticated password resets. This means that they could be used to connect to social media, email, or consumer accounts. Researchers say other personal information could easily be collected to augment such account takeovers, typically from online “people search sites” like BeenVerified or Intelius (these sites don’t always have the most accurate, up-to-date information, however). Phone numbers could also be paired with passwords culled from large data breaches. In these ways, a bad actor could potentially commit fraud and/or hijack accounts to steal more personal data—or for other nefarious purposes.
If these scenarios may sound a bit far fetched, there nevertheless seem to be plenty of opportunities to commit them. One of the researchers, Arvind Narayanan, said that 66% of recycled numbers they sampled were still tied to previous owners’ online accounts, and, as a result, were potentially vulnerable to account hijacking. The researchers surveyed 259 phone numbers and, of those, 215 were “recycled and also vulnerable to at least one of the three attacks,” the study says. Researchers write:
“We obtained 200 recycled numbers for one week, and found 19 of them were still receiving security/privacy-sensitive calls and messages (e.g., authentication passcodes, prescription refill reminders). New owners who are unknowingly assigned a recycled number may realize the incentives to exploit upon receiving unsolicited sensitive communication, and become opportunistic adversaries.”
Narayanan said that after he and his fellow researcher, Kevin Lee, reached out to carriers about these issues, “Verizon and T-mobile improved their documentation but have not made the attack harder.” The companies essentially made it slightly easier for users to inform themselves about these vulnerabilities, but didn’t ultimately do anything to stop the potential attacks from occurring.
This whole line of inquiry hinges largely on the premise that whoever gets your new number turns out to be a malevolent creep, willing to exploit your personal information for their gain. While that might not be the case 9 times out of 10, the vulnerabilities presented by number recycling are certainly enough to make you worry about its current safeguards.