Security and Privacy Risks of Number Recycling at Mobile Carriers in the United States

35 million phone numbers are disconnected in the U.S. every year. Standard industry practice is to reassign those numbers to other subscribers. But this leads to many types of security and privacy risks, which our study analyzes rigorously.

Presented at eCrime 2021
Read the paper (final version) »

Reverse lookup attacks

PII indexing

171 of the 259 available numbers we sampled led to hits on people search services, which provide personally identifiable information (PII) on previous owners.

An adversary can use people search services, which aggregate information about individuals from across the web, to gather PII on a number's previous owner and their associates. Once the adversary holds the previous owner's number, they can use it in impersonation attacks to commit fraud or to amass even more PII on that person.

For the 259 numbers we analyzed, 171 produced a hit at either BeenVerified or Intelius.

Reverse lookup results on BeenVerified from an available phone number. For this previous owner, information about their other phone numbers, address, work, education, and social media is easily found.
Reverse lookup results on Intelius from the same available phone number.

Account hijackings via recovery

171 of 259 numbers we sampled were vulnerable to account hijackings at six popular websites: Amazon, AOL, Facebook, Google, PayPal, and Yahoo.

An attacker can cycle through the available numbers shown on carriers' online number-change interfaces and check whether any of them are associated with online accounts of previous owners. If one is, the attacker can obtain that number, trigger a password reset on the account, and then receive and correctly enter the one-time password (OTP) that the site sends via SMS at login.

Of the 259 numbers in our sample, 171 had a linked account on at least one of the six websites.
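The service-side signature of the number cycling described above is one client probing many distinct phone numbers through a "find account by phone" or recovery-lookup step in a short time. The following detector, added here as an illustration and not code from the paper or from any of the six sites, runs a sliding-window count of distinct numbers per client over constructed sample log lines. The log format, the field names, the ten-minute window and the threshold of five numbers are all assumptions.

```python
"""Detect phone-number enumeration against an account-recovery endpoint.

Added illustration (not from the paper). Flags a client that looks up more
than MAX_DISTINCT_NUMBERS distinct phone numbers within WINDOW. Log format,
field names and thresholds are assumptions; the log lines are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed sliding window
MAX_DISTINCT_NUMBERS = 5         # assumed: more distinct numbers than this per client is suspicious

# Constructed sample log, one event per line:
#   <iso-timestamp> <client-id> recovery_lookup phone=<number> result=<hit|miss>
# (In production, log a keyed hash of the number rather than the number itself.)
SAMPLE_LOG = """\
2021-03-01T11:00:00 192.0.2.44 recovery_lookup phone=+15551230201 result=miss
2021-03-01T11:30:00 192.0.2.44 recovery_lookup phone=+15551230202 result=miss
2021-03-01T12:00:00 192.0.2.44 recovery_lookup phone=+15551230203 result=hit
2021-03-01T12:00:01 203.0.113.7 recovery_lookup phone=+15551230001 result=miss
2021-03-01T12:00:09 203.0.113.7 recovery_lookup phone=+15551230002 result=miss
2021-03-01T12:00:17 203.0.113.7 recovery_lookup phone=+15551230003 result=hit
2021-03-01T12:00:25 203.0.113.7 recovery_lookup phone=+15551230004 result=miss
2021-03-01T12:00:33 203.0.113.7 recovery_lookup phone=+15551230005 result=miss
2021-03-01T12:00:41 203.0.113.7 recovery_lookup phone=+15551230006 result=hit
2021-03-01T12:00:49 203.0.113.7 recovery_lookup phone=+15551230007 result=miss
2021-03-01T12:01:00 198.51.100.9 recovery_lookup phone=+15551230101 result=hit
2021-03-01T12:03:00 198.51.100.9 recovery_lookup phone=+15551230101 result=hit
2021-03-01T12:30:00 192.0.2.44 recovery_lookup phone=+15551230204 result=miss
2021-03-01T13:00:00 192.0.2.44 recovery_lookup phone=+15551230205 result=miss
2021-03-01T13:30:00 192.0.2.44 recovery_lookup phone=+15551230206 result=miss
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, client, event, key/value fields)."""
    ts, client, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), client, event, kv


def find_enumerators(log_text, window=WINDOW, threshold=MAX_DISTINCT_NUMBERS):
    """Return {client: (first_flag_time, distinct_numbers_in_window)} for clients
    that exceed the threshold. Lines are expected in chronological order."""
    recent = defaultdict(deque)   # client -> deque of (timestamp, phone) inside the window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, event, kv = parse_line(line)
        if event != "recovery_lookup":
            continue
        q = recent[client]
        q.append((ts, kv["phone"]))
        while q and ts - q[0][0] > window:   # drop lookups that fell out of the window
            q.popleft()
        distinct = {phone for _, phone in q}
        if len(distinct) > threshold and client not in flagged:
            flagged[client] = (ts, len(distinct))
    return flagged


if __name__ == "__main__":
    for client, (when, count) in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: {count} distinct numbers by {when.isoformat()}")
```

A legitimate user rarely queries more than one or two numbers, so a low threshold is workable. The trade-off is visible in the constructed data: the client that spaces six lookups thirty minutes apart never exceeds the window and is not flagged, so a second, longer-horizon count (or a limit on total lookups per client per day) is needed to catch slow enumeration.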

This available number had a linked Facebook account.
This available number had a linked Yahoo account.
This available number had a linked Amazon account.

Account hijackings without password reset

100 of the 259 numbers were linked to leaked login credentials on the web, which could enable account hijackings that defeat SMS multi-factor authentication.

An attacker can use people search services to look up previous owners' email addresses, then check whether those addresses have appeared in data breaches. If a breach exposed passwords, the attacker can obtain the password on cybercriminal marketplaces and log in to SMS 2FA-enabled accounts without having to reset the password, since the second factor is delivered to the number the attacker now holds. For the email addresses found on people search services, we checked for breach involvement on Have I Been Pwned? (HIBP), an online service that lets users check whether their credentials and other identifying information have been compromised in data breaches.

In total, we found 100 phone numbers with associated email addresses that had been involved in a password breach and had linked profiles on at least one of the six websites.
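The hijacking above works because the account still accepts a password that is already in a breach dump, so the only remaining barrier is an SMS code sent to a recycled number. A service can remove the first half of that chain by refusing known-breached passwords at registration, password change and login. The following code, added here as an illustration and not code from the paper or from HIBP, implements the k-anonymity range lookup that HIBP's Pwned Passwords API uses: the client sends only the first five hex characters of the SHA-1 of the candidate password and matches the returned suffixes locally, so the full hash never leaves the client. The server here is a local stand-in built from a constructed list of "breached" passwords and counts; the real endpoint is `https://api.pwnedpasswords.com/range/<prefix>`.

```python
"""Refuse passwords already exposed in breaches via a k-anonymity range lookup.

Added illustration, not from the paper or from HIBP. Only the 5-character
SHA-1 prefix is sent; the service returns every "SUFFIX:COUNT" line in that
range and the client matches the remaining 35 characters itself.
"""
import hashlib
from collections import defaultdict

# Constructed corpus standing in for a breach dump (the real service holds
# hundreds of millions of hashes); counts are made up for the example.
_CONSTRUCTED_BREACHED = {
    "password": 9_000_000,
    "qwerty123": 400_000,
    "letmein": 120_000,
    "Summer2019!": 3_100,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, as the Pwned Passwords range API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _build_range_index(corpus):
    """Group breached hashes by 5-character prefix -> ['SUFFIX:COUNT', ...]."""
    index = defaultdict(list)
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index[h[:5]].append(f"{h[5:]}:{count}")
    return index


_RANGE_INDEX = _build_range_index(_CONSTRUCTED_BREACHED)


def fake_range_endpoint(prefix: str) -> str:
    """Local stand-in for GET /range/<prefix>: one 'SUFFIX:COUNT' line per
    breached hash whose SHA-1 starts with the prefix (empty if none)."""
    if len(prefix) != 5:
        raise ValueError("range prefix must be exactly 5 hex characters")
    return "\n".join(_RANGE_INDEX.get(prefix.upper(), []))


def breach_count(password: str, range_lookup=fake_range_endpoint) -> int:
    """How many times the password appears in the breach corpus (0 = not found).
    Swap range_lookup for an HTTP client to query the real API."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            # The real API's optional padding entries carry a count of 0,
            # so a 0 here means "not actually breached".
            return int(count)
    return 0


def password_acceptable(password: str) -> bool:
    """Policy hook for registration / password change / login: reject breached passwords."""
    return breach_count(password) == 0


if __name__ == "__main__":
    for pw in ("password", "Summer2019!", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw)} times, acceptable={password_acceptable(pw)}")
```

Run at login as well as at registration, this check also catches passwords that were clean when set but appeared in a later dump, which is exactly the situation of the previous owners in this study. Rejecting the password forces a reset through a channel the service controls rather than leaving the SMS code as the sole barrier.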

This available number returned the previous owner's email address.
The linked email address has been involved in six breaches, all of which compromised passwords.