If you've ever changed your mobile phone number, especially in the past few years, then you may have created a huge security and privacy risk for yourself.
That's because your old phone number creates a gateway for hackers, crooks and stalkers to take over your Google, Facebook, Amazon or Yahoo accounts, break into your online bank accounts and even stalk or blackmail you, Princeton researchers detailed in a new academic paper and related website.
This happens because many websites let you log in with a phone number instead of a user name, then let you reset the password by sending a text to the phone number.
In other cases, banks or other financial services send two-factor-authentication (2FA) codes to the mobile number, letting crooks who've obtained your email address and password from data breaches get into the account.
All told, this is yet more evidence that the use of mobile phone numbers for account and identity verification is creating a slow-motion privacy and security catastrophe.
How to prevent your old phone number from hacking you
To guard against this, the Princeton researchers, Kevin Lee and Arvind Narayanan, advise people who change their numbers not to release the old numbers to the carriers, but instead to use a "number parking" service that will hold the number for them at a reasonable cost.
They also advise anyone changing their number to be aware that they have only 45 days before the old number is put back into circulation, and that the old number must be unlinked from all of their online accounts within that window. (This story was earlier reported by Vice Motherboard.)
Only so many numbers to go around
Lee and Narayanan explained in their research paper and on the accompanying website that, of the three major U.S. carriers, Verizon and T-Mobile both let you go online to choose a new mobile number and present you with a list of available possibilities. (AT&T does not.)
"In the United States," they wrote in their research paper, "when a subscriber gives up their 10-digit phone number, it eventually gets reassigned to someone else."
The FCC mandates an "aging" period of 45 days during which a released number must stay unused. After that, it is made available for reuse, and if it's one controlled by Verizon or T-Mobile, it will be listed on their websites.
At any given time, Lee and Narayanan figured, about 1 million recycled numbers are up for grabs, and "we estimate that an available number gets taken after 1.2 months."
Looking at the Verizon and T-Mobile websites, the researchers found it easy to distinguish between "new" numbers that had never been used and "recycled" numbers that had been.
New numbers were presented in a consecutive sequence that could look like this:
- (212) 555-1234
- (212) 555-1236
- (212) 555-1243
- (212) 555-1249
- (212) 555-1253
- (212) 555-1260
Previously used numbers would present their last four digits randomly:
- (212) 555-1234
- (212) 555-9249
- (212) 555-2096
- (212) 555-5884
- (212) 555-3587
- (212) 555-5841
(Area codes are tied to the prospective customer's location, and the middle three digits are exchange prefixes that are assigned to carriers in blocks.)
Lee and Narayanan looked at 259 available numbers from Verizon and T-Mobile, established that 215 had been previously used, and then tried to see what they could do with them.
Pandora's phone number
The researchers found that 171 of the recycled numbers, or 83%, were tied to at least one existing account with Amazon, AOL, Facebook, Google, Paypal or Yahoo. Each of those services lets you log in using your mobile phone number instead of your email address or username.
Worse, Amazon, AOL, Paypal and Yahoo also let you reset the password for an account by sending a verification text containing a one-time passcode (OTP) to the associated mobile number — a situation that Lee and Narayanan called "doubly insecure."
In other words, Lee and Narayanan could have hijacked the accounts of 171 different people simply by using their old phone numbers.
"Accounts with this doubly insecure configuration... are at immediate risk of takeover," they wrote in their paper.
Facebook and Google were better about this, as "SMS [account] recovery is allowed only if SMS 2FA is not enabled."
Otherwise, you'd have to present a separate form of verification before getting that account-reset OTP, or have the OTP sent to a backup email account. (It's dangerous to use SMS text messages in two-factor authentication — other 2FA methods are much better.)
Pre-screening vulnerable numbers
Lee and Narayanan didn't even need to "claim" these numbers from T-Mobile or Verizon to do this. They just had to see the available numbers on the carriers' websites. That would let systematic attackers pre-screen available numbers for linked accounts.
"The attacker can then obtain these numbers and reset the password on the accounts, and receive and correctly enter the OTP sent via SMS upon login," they wrote.
It gets worse, though. Lee and Narayanan plugged their recycled phone numbers into two "people search" websites, BeenVerified and Intelius, to gather information about the numbers' previous owners.
Again, 171 of those numbers yielded results — full names, email addresses, locations, street addresses, workplace information and social media accounts. An attacker would get a good head start on stealing those people's identities, all from just having their old phone numbers.
Defeating two-factor authentication
Lee and Narayanan also plugged the phone numbers into HaveIBeenPwned, an online database that lets you check whether your email addresses, passwords and phone numbers have been exposed in data breaches, data leaks and phishing attacks.
They found that 100 of the 259 numbers "were linked to leaked login credentials on the web, which could enable account hijackings that defeat SMS multi-factor authentication."
In other words, those numbers were associated with username-password combinations that had already been compromised and were available somewhere online.
With the login credentials plus the phone number, an attacker could log into accounts that were protected by SMS-based 2FA, then get the verification text with the one-time-password — and completely take over the old number holder's email, bank or other online account.
Stalkers, spammers and blackmailers
Lee and Narayanan outlined possibly more dire scenarios, some of which are pretty horrifying to imagine. A person being stalked or harassed could change their number to escape their tormentor, only to have the stalker claim the old number once it became available after the required 45-day "aging" period.
Phishers and spammers could write down available numbers, then text-spam the new number owners after the numbers are claimed. Crafty crooks could temporarily hold numbers, sign up for Google, Facebook or Amazon, then release the numbers — and demand money from the next number owners who find they can't properly set up accounts on those services.
Fortunately, this research, which was presented to T-Mobile and Verizon in advance, is already yielding some results.
Both carriers added notices to their number-change pages reminding subscribers that they have 45 days to unlink their old numbers from online accounts. Verizon also altered its number-change pages so that you can no longer browse available numbers indefinitely.
Still, this all serves as a reminder that phone numbers should not be used as login credentials, as account verification or as proof of identity — period.