Upgrading to a new phone is always a satisfying feeling, but experts have warned that changing your phone number could be more of a security risk than previously thought.
A report from the Department of Computer Science and Center for Information Technology Policy at Princeton University has found that old phone numbers often remain linked to a previous owner.
This could potentially open the user to a variety of attacks, particularly if they stored personally-identifiable information or account logins linked to the old phone number.
The researchers examined 259 phone numbers that were available to new subscribers at two major US wireless carriers, discovering 171 of them were still linked to existing user accounts at a number of commonly-used websites.
100 of the numbers were also linked to previously leaked online credentials, meaning the users had been involved in past data breaches and that their accounts could easily be hijacked by getting around typical SMS-based multi-factor authentication.
The team also noted that a majority of the available numbers displayed results on people search services, which provide personally identifiable information on previous owners, again putting the users at risk.
The report highlighted a number of possible attack vectors it had encountered, including phishing attacks, DDoS assaults, and account takeovers even without knowing the passwords.
However, it also noted that some carriers allowed full numbers to be previewed either during signup or number change, meaning an attacker could ‘scout out’ a number by looking for linked accounts and owner history, all before obtaining the recycled number.
“Recycled phone numbers can cause trouble for all those involved,” the report noted. “Subscribers who are assigned a previously owned phone number often end up receiving communication meant for the previous owners, from threatening robocalls to personal text messages.”
“As a regulated industry practice, phone number recycling is unlikely to cease,” they added, “(and) more work can be done by all stakeholders to illuminate and mitigate the issues. In particular, online services should no longer equate a correctly-entered SMS passcode with successful user authentication.”
To stay safe, the researchers noted that users should try to port over their existing numbers when switching devices, or take advantage of “number parking” services that shutter off past accounts.