A new academic study has highlighted a number of privacy and security pitfalls associated with recycling mobile phone numbers that could be abused to stage a variety of exploits, including account takeovers, phishing and spam attacks, and even preventing victims from signing up for online services.
Nearly 66% of the recycled numbers that were sampled were found to be tied to previous owners’ online accounts at popular websites, potentially enabling account hijacks by simply recovering the accounts tied to those numbers.
“An attacker can cycle through the available numbers shown on online number change interfaces and check if any of them are associated with online accounts of previous owners,” the researchers said. “If so, the attacker can then obtain these numbers and reset the password on the accounts, and receive and correctly enter the OTP sent via SMS upon login.”
The findings are part of an analysis of a sample of 259 phone numbers available to new subscribers of U.S. telecom majors T-Mobile and Verizon Wireless. The study was undertaken by Princeton University’s Kevin Lee and Prof. Arvind Narayanan, who is one of the executive committee members at the Center for…