Upgrading to a new phone is always a satisfying feeling, but experts have warned that changing your phone number can be more of a security risk than previously thought.
A report from the Department of Computer Science and the Center for Information Policy at Princeton University has found that old phone numbers often stay linked to the previous owner.
This can potentially open up the user to multiple attacks, especially if he or she has stored personal credentials or logins linked to an old phone number.
The researchers examined 259 phone numbers available to new subscribers at two major U.S. wireless operators and found that 171 of them were still linked to existing user accounts on several commonly used websites.
In addition, 100 numbers were linked to previously leaked online credentials, meaning that users had been involved in previous data breaches and that their accounts could be easily hijacked by circumventing typical SMS-based multi-factor authentication.
The team also pointed out that most of the numbers available also showed results on people search services that provide personal information about previous owners, which in turn puts users at risk.
The report highlighted several potential attack vectors, including phishing attacks, DDoS attacks, and account takeovers without knowing passwords.
However, it also noted that some operators allowed full numbers to be previewed during either registration or number switching, meaning an attacker could ‘find out’ about a number by searching for linked accounts and owner history before obtaining it as a recycled number.
“Recycled phone numbers can cause problems for everyone involved,” the report said. “Subscribers who have been assigned a previously dedicated phone number often receive a message from previous owners about threatening phone calls to personal text messages.”
“According to industry-regulated practice, telephone number recycling is unlikely to end,” they add, “(and) all stakeholders can do more work to shed light and mitigate things. In particular, online services should no longer equate a correctly entered SMS password with successful user authentication.”
To ensure security, the researchers noted that users should try to port their current numbers when changing devices or take advantage of “number parking” services that close previous accounts.