35 million phone numbers are disconnected in the U.S. every year. Standard industry practice is to reassign those numbers to other subscribers. But this leads to many types of security and privacy risks, which our study analyzes rigorously.
171 of the 259 available numbers we sampled led to hits on people search services, which provide personally identifiable information (PII) on previous owners.
The adversary can leverage people search services—which aggregate information on the web about individuals—to gather PII on previous owners and associates. Once they obtain the previous owner's number, they can perform impersonation attacks to commit fraud or amass even more PII on previous owners.
For the 259 numbers we analyzed, 171 produced a hit at either BeenVerified or Intelius.
171 of 259 numbers we sampled were vulnerable to account hijackings at six popular websites: Amazon, AOL, Facebook, Google, Paypal, and Yahoo.
An attacker can cycle through the available numbers shown on online number change interfaces and check if any of them are associated with online accounts of previous owners. If so, the attacker can then obtain these numbers and reset the password on the accounts, and receive and correctly enter the OTP sent via SMS upon login.
Of the 259 numbers in our sample, 171 had a linked account on at least one of the six websites.
100 of the 259 numbers were linked to leaked login credentials on the web, which could enable account hijackings that defeat SMS multi-factor authentication.
An attacker can use people search services to look up previous owners' email address(es), then check if the email addresses have been involved in data breaches. If the breaches involve passwords, the attacker can obtain the password on cybercriminal marketplaces and break into SMS 2FA-enabled accounts without having to reset the password. For the email addresses found on people search services, we checked for involved data breaches on Have I Been Pwned? (HIBP)—an online service that allows users to check whether their credentials and other identifying information have been compromised in data breaches.
In total, we found 100 phone numbers with associated email addresses that had been involved in a password breach and had linked profiles on at least one of the six websites.
Along with the three low-cost reverse lookup attacks, we present five additional number recycling exploits that can target both previous and future owners.
|Targeted takeover. Attacker learns that an acquaintance's contact has changed (e.g., stalker calls and gets a cancelled number intercept message, friend changes their number and tells everyone). They keep track of the aging period, and obtain the number once it becomes available.||Hijack online accounts; impersonate/stalk previous owner; read new messages intended forthe previous owner||Previous owners, especially intimate partner violence (IPV) survivors changing their numbers to escape abusers|
|Phishing. Attacker logs available numbers but does not obtain them. Later, they keep checking whether the numbers are still available. Once a number is assigned to a new subscriber, they can phish the subscriber through SMS (e.g., "Welcome to your new service. Click here to enable high-speed data for your account"). Subscribers are more likely to fall for phishing attacks when the message sounds believable.||Hijack victims' online phone account; potentially hijack victim's phone number||Subscribers who have been assigned a new number, whether fresh or recycled|
|Persuasive takeover. Attacker logs available numbers but does not obtain them. After the number is assigned, they can spoof a carrier message (e.g., "Your number is part of an ongoing investigation on the previous owner and needs to be reclaimed. Please change your number online") and obtain the number for himself after the aging period.||Hijack linked online accounts; impersonate victim; read new messages intended for the victim||Subscribers who have been assigned a new number, whether fresh or recycled|
|Spam. Attacker obtains a number, intentionally sign up for various alerts, newsletters, campaigns, and robocalls, and then release the number for recycling||Victim harassed with unwanted texts and calls; account calling balance depleted||Subscribers who have been assigned a recycled number|
|Denial of service. Attacker obtains a number, signs up for an online service that requires a phone number, and releases the number. When a victim obtains the number and tries to sign up for the same service, they will be denied due to an existing account. The attacker can contact the victim through SMS and demand payment to free up the number on the platform.||Denial of service; victim needs to pay ransom to use platform||Subscribers who have been assigned a recycled number and are new users of online services that require a unique phone number|
At both carriers, available numbers are fully visible and grouped by NPA-NXX (their first six digits, which are usually unique to each carrier). We developed a strategy to focus on recycled numbers: if no two available numbers are within 10 of each other, then all the numbers in the NPA-NXX are likely recycled. Otherwise, the NPA-NXX is possibly fresh, and its numbers possibly unused (never previously assigned). The adversary can use this strategy to focus their attention on NPA-NXX blocks that contain primarily recycled numbers, while ignoring blocks that contain primarily fresh numbers.
We used the reverse phone lookup tools at BeenVerified and Intelius to validate our strategy. We did so by randomly sampling 159 and 100 numbers from Verizon's and T-Mobile's possibly unused groups respectively and looking for people search hits. We found that 53/159 and 44/100 of the sampled possibly unused numbers returned hits, compared to 96/159 and 75/100 of the sampled likely recycled numbers.