Your old phone number is a hacker's dream — what you need to know

A hand dialing a phone number on an iPhone.
(Image credit: Africa Studio/Shutterstock)

If you've ever changed your mobile phone number, especially in the past few years, then you may have created a huge security and privacy risk for yourself.

That's because your old phone number creates a gateway for hackers, crooks and stalkers to take over your Google, Facebook, Amazon or Yahoo accounts, break into your online bank accounts and even stalk or blackmail you, Princeton researchers detailed in a new academic paper and related website.

This happens because many websites let you log in with a phone number instead of a user name, and then let you reset the password by sending a text to that phone number.

In other cases, banks or other financial services send two-factor-authentication (2FA) codes to the mobile number, letting crooks who've obtained your email address and password from data breaches get into the account.

All told, this is yet more evidence that the use of mobile phone numbers for account and identity verification is creating a slow-motion privacy and security catastrophe.

How to prevent your old phone number from hacking you

To guard against this, the Princeton researchers, Kevin Lee and Arvind Narayanan, advise people changing their numbers not to release the old numbers back to the carriers, but to use a "number parking" service that will hold the number for you at a reasonable cost.

They also advise that anyone changing their number realize that you have as few as 45 days before the old number is put back into circulation, during which time you need to unlink the old number from all your online accounts. (This story was earlier reported by Vice Motherboard.)

Only so many numbers to go around

Lee and Narayanan explained in their research paper and website that of the three major U.S. carriers, Verizon and T-Mobile both let you go online to choose a new mobile number and present you with a list of available possibilities. (AT&T does not.)

"In the United States," they wrote in their research paper, "when a subscriber gives up their 10-digit phone number, it eventually gets reassigned to someone else."

The "aging" period during which a previously used number must sit unused is at least 45 days, as mandated by the FCC. After that, it is made available for reuse, and if it's one controlled by Verizon or T-Mobile, it will be listed on their websites.

At any given time, Lee and Narayanan figured, about 1 million recycled numbers are up for grabs, and "we estimate that an available number gets taken after 1.2 months."

Looking at the Verizon and T-Mobile websites, the researchers found it easy to distinguish between "new" numbers that had never been used and "recycled" numbers that had been.

New numbers were presented in an ascending, closely spaced sequence that could look like this:

  • (212) 555-1234
  • (212) 555-1236
  • (212) 555-1243
  • (212) 555-1249
  • (212) 555-1253
  • (212) 555-1260

Previously used numbers were presented with their last four digits in random order:

  • (212) 555-1234
  • (212) 555-9249
  • (212) 555-2096
  • (212) 555-5884
  • (212) 555-3587
  • (212) 555-5841

(Area codes are tied to the prospective customer's location, and the middle three digits are exchange prefixes that are assigned to carriers in blocks, so only the last four digits vary within a listing.)
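The pattern the researchers describe can be checked mechanically, which is exactly what makes pre-screening cheap for an attacker and makes the same check useful to a defender who wants to know whether a number on offer is likely to carry someone else's account history. The following Python is an added example, not code from Lee and Narayanan's paper or from either carrier: it parses a listing of numbers sharing one area code and exchange, and labels the listing "new" if the last four digits are presented in ascending order and sit close together, "recycled" otherwise. The median-gap threshold of 50 is an assumption chosen for the example, and the two sample listings are the illustrative 555 numbers shown above plus one constructed ascending-but-widely-spaced case.

```python
import re
import statistics
from typing import Dict, List, Tuple

# Matches NANP numbers written as "(212) 555-1234", "212-555-1234" or "2125551234".
NANP_RE = re.compile(r"\(?(\d{3})\)?[\s.-]*(\d{3})[\s.-]*(\d{4})\b")


def parse_number(raw: str) -> Tuple[str, str, int]:
    """Split a number into (area code, exchange prefix, last four digits as int)."""
    m = NANP_RE.search(raw)
    if not m:
        raise ValueError(f"not a 10-digit NANP number: {raw!r}")
    return m.group(1), m.group(2), int(m.group(3))


def normalise(raw: str) -> str:
    """Canonical 10-digit form, e.g. '2125551234'."""
    area, exch, line = parse_number(raw)
    return f"{area}{exch}{line:04d}"


def classify_listing(numbers: List[str], max_median_gap: int = 50) -> str:
    """Heuristic from the article: a carrier listing is 'new' when the last four
    digits are shown in ascending order and are closely spaced (a block being
    handed out in sequence), and 'recycled' when they are scattered or shuffled.
    The gap threshold is an assumption for this example, not a figure from the paper.
    """
    parsed = [parse_number(n) for n in numbers]
    if len({(area, exch) for area, exch, _ in parsed}) != 1:
        raise ValueError("listing must share one area code and exchange prefix")
    lines = [line for _, _, line in parsed]
    if len(lines) < 3:
        return "unknown"  # too few numbers to judge a pattern
    presented_ascending = all(b > a for a, b in zip(lines, lines[1:]))
    ordered = sorted(lines)
    gaps = [b - a for a, b in zip(ordered, ordered[1:])]
    if presented_ascending and statistics.median(gaps) <= max_median_gap:
        return "new"
    return "recycled"


def recycled_candidates(listings: Dict[str, List[str]]) -> List[str]:
    """Every number from listings judged 'recycled', normalised to 10 digits.
    This is the set an attacker would pre-screen for linked accounts, and the
    set a defender should assume may still be tied to a previous owner."""
    out: List[str] = []
    for numbers in listings.values():
        if classify_listing(numbers) == "recycled":
            out.extend(normalise(n) for n in numbers)
    return out


# Constructed sample listings: the two illustrative lists from the article above.
NEW_LISTING = ["(212) 555-1234", "(212) 555-1236", "(212) 555-1243",
               "(212) 555-1249", "(212) 555-1253", "(212) 555-1260"]
RECYCLED_LISTING = ["(212) 555-1234", "(212) 555-9249", "(212) 555-2096",
                    "(212) 555-5884", "(212) 555-3587", "(212) 555-5841"]

if __name__ == "__main__":
    for name, listing in (("first", NEW_LISTING), ("second", RECYCLED_LISTING)):
        print(f"{name} listing -> {classify_listing(listing)}")
    print("candidates to screen:", recycled_candidates({"a": NEW_LISTING, "b": RECYCLED_LISTING}))
```

Both signals are needed: a recycled pool can by chance be shown in ascending order, so the spread of the digits is checked as well, and a short listing is reported as "unknown" rather than guessed at.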

Lee and Narayanan looked at 259 available numbers from Verizon and T-Mobile, established that 215 of them had been previously used, and then tried to see what they could do with them.

Pandora's phone number

The researchers found that 171 of the 259 sampled numbers, or 66%, were tied to at least one existing account with Amazon, AOL, Facebook, Google, PayPal or Yahoo. Each of those services lets you log in using your mobile phone number instead of your email address or username.

Worse, Amazon, AOL, PayPal and Yahoo also let you reset the password for an account by sending a verification text containing a one-time passcode (OTP) to the associated mobile number, a situation that Lee and Narayanan called "doubly insecure."

In other words, whoever took over those old phone numbers could have hijacked the accounts still linked to them, with nothing more than the number itself.

"Accounts with this doubly insecure configuration... are at immediate risk of takeover," they wrote in their paper.

Facebook and Google were better about this, as "SMS [account] recovery is allowed only if SMS 2FA is not enabled."

Otherwise, you'd have to present a separate form of verification before getting that account-reset OTP, or have the OTP sent to a backup email account. (It's dangerous to use SMS text messages for two-factor authentication; authenticator apps and hardware security keys are much better.)

Pre-screening vulnerable numbers

Lee and Narayanan didn't even need to "claim" these numbers from T-Mobile or Verizon to do this. They just had to see the available numbers on the carriers' websites and check which of them were registered at the services. That would let systematic attackers pre-screen available numbers for linked accounts before paying for any of them.

"The attacker can then obtain these numbers and reset the password on the accounts, and receive and correctly enter the OTP sent via SMS upon login," they wrote.

It gets worse, though. Lee and Narayanan plugged their recycled phone numbers into two "people search" websites, BeenVerified and Intelius, to gather information about the numbers' previous owners.

Again, 171 of those numbers yielded results: full names, email addresses, locations, street addresses, workplace information and social media accounts. An attacker would get a good head start on stealing those people's identities, all from just holding their old phone numbers.

Defeating two-factor authentication

Lee and Narayanan also plugged the phone numbers into Have I Been Pwned, an online database that lets you check whether your email addresses, passwords and phone numbers have been exposed in data breaches, data leaks and phishing attacks.

They found that 100 of the 259 numbers "were linked to leaked login credentials on the web, which could enable account hijackings that defeat SMS multi-factor authentication."

In other words, those numbers were associated with username-password combinations that had already been compromised and were available somewhere online.

With the leaked login credentials plus the phone number, an attacker could log into accounts that were protected by SMS-based 2FA, receive the verification text with the one-time password, and completely take over the old number holder's email, bank or other online account.

Stalkers, spammers and blackmailers

Lee and Narayanan outlined possibly more dire scenarios, some of which are pretty horrifying to imagine. A person being stalked or harassed could change their number to escape their tormentor, only to have the stalker claim the old number once it became available after the required 45-day "aging" period.

Phishers and spammers could write down available numbers, then text-spam the new number owners after the numbers are claimed. Crafty crooks could temporarily hold numbers, sign up for Google, Facebook or Amazon with them, then release the numbers and demand money from the next owners, who find they can't properly set up accounts on those services because the number is already taken.

Fortunately, this research, which was presented to T-Mobile and Verizon in advance, is already yielding some results.

Both carriers added reminders to their number-change pages telling subscribers that they have 45 days to unlink their old numbers from online accounts. Verizon also altered its number-change pages so that you can't keep browsing available numbers endlessly.

Still, this all serves as a reminder that phone numbers should not be used as login credentials, as account verification or as proof of identity. Period.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Source: https://www.tomsguide.com/news/phone-number-reuse-risks
