Preventing Account Takeover on Recycled Phone Numbers for App Owners and Enterprises


Around 66% of recycled numbers still had connections to the online accounts of their previous users while 9% of the recycled numbers still received the private messages and sensitive calls intended for their previous owners.

If you’re a mobile app developer, chances are you’ve already had to deal with security issues caused by recycled phone numbers. If you’re one of the lucky ones who haven’t yet, and don’t really know how it happens, it starts with people leaving or losing their phone numbers, for a variety of reasons.

When they switch to a new carrier, cancel service because they move or give up a work phone, or switch to a more “desirable” number, they leave their current phone number behind. When they miss payments, violate service terms, or simply don’t use the phone number for a while, they lose it.

After a while, mobile network operators will recycle this number.

Phone Number Recycling As a Telecom Industry Regulated Practice

When customers leave or lose phone numbers and a certain time passes, mobile network operators give that number to a new subscriber, a practice known as MSISDN Recycle (the MSISDN, Mobile Station International Subscriber Directory Number, is the subscriber’s phone number).

The premise is simple: phone numbers are finite, while the number of subscribers increases every day. To prevent “number exhaustion”, telecoms recycle old phone numbers and assign them to new customers, most typically after an aging period of around three months, although the exact period varies by carrier and regulator.

However, it’s important to note that this recycling process causes severe security and privacy issues.

Recycled Phone Number Security Issues

At least eight fraud use cases exist that you could encounter with recycled phone numbers, so let me briefly describe each.

To start with, we have Personally Identifiable Information (PII) Indexing, where attackers browse the lists of available phone numbers that carriers expose when a customer picks a new number, then look up the previous owners’ PII on people-search services. This enables the attacker to impersonate the previous owner, run phishing attacks, or commit other fraud.

Similarly, in Account Hijacking Without Password Reset, the attacker buys leaked or breached credentials for the previous owner from one of the cybercriminal marketplaces. If they’re lucky, they can log in to the online account even if SMS 2FA is active, because the one-time code is now delivered to the recycled number they control.

For classic Phishing attacks, the attacker monitors the available numbers and waits until someone takes one of them. Then the attacker tries to phish the new subscriber through SMS (e.g., “Welcome to your new service. Click here to enable high-speed data for your account”). It is easy to fool victims with a welcome offer. While previous owners are safe from these attacks, new subscribers are likely to fall into the trap.

In the Persuasive Takeover strategy, the attacker monitors available numbers, waits until they’re owned by someone, and then poses as the carrier, telling the user that “This phone number is part of an ongoing investigation and needs to be reclaimed. Please change this number”. When the subscriber releases the number, the attacker buys it after the aging period, which lets them pass SMS authentication on the previous owner’s online accounts and hijack them.

When a user forgets to unlink their old phone number from online accounts, fraudsters can find such numbers, buy them once they’re recycled, and Hijack the Account via Recovery by simply resetting the password through SMS authentication or SMS password recovery.

For Targeted Takeover, the attacker keeps note of the “I’ve changed my number” messages and notifications that friends, colleagues, partners, and clients share. Knowing the old number will be released, they wait until it becomes available after the aging period and take ownership of it. This allows them to pass SMS authentication and hijack the victim’s online accounts in order to impersonate them, commit fraud, steal personal information, and anything else they wish.

Users who buy recycled phone numbers can also be victims of Spam attacks. In this case, the attacker intentionally buys a phone number, subscribes it to many services such as newsletters, marketing campaigns, and robocalls, and then surrenders the number for recycling. The next owner is flooded with unwanted messages and calls.

Similarly, we have Denial of Service. The attacker buys phone numbers and registers them with all the popular online services that require a unique phone number per account, then releases the numbers for recycling. When another subscriber buys one of these numbers and tries to register with the same online service, the service refuses because the number is already registered. The attacker can then contact the new owner and demand a ransom to release the number.

So, how can you prevent this? Allow me to introduce you to the IPification Phone Number Recycle API!

Using IPification Phone Number Recycle API to Prevent Account Takeover Fraud

We’ve designed a simple mobile network-based Phone Number Recycle API to prevent account takeover when number recycling happens, to go along with our one-click mobile authentication solution or even be implemented on its own.

The Phone Number Recycle API takes as input the phone number and the date on which your platform last activated or verified that number (for example, the last successful OTP). From that date onwards it can tell whether the number has been recycled.

If recycling has happened after the date provided in the input, the API returns “true”; if recycling has NOT happened after that date, it returns “false”. A “true” result means the number may now belong to someone else, so it should not be trusted as an SMS authentication or recovery factor until the account re-verifies it.

Quite simple, extremely effective.
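As an added example (not IPification’s code, and not a client for the real API, whose request and response format the page does not show), the block below models the true/false semantics described above with a constructed, local table of carrier activation events, and shows the app-side decisions the answer enables: gating SMS 2FA and SMS password recovery on it, and, going one step beyond the page, dropping a stale number binding so a recycled number cannot be used against the old account or, in the Denial of Service case above, block a legitimate new sign-up. All numbers, dates and account names are made up.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

UTC = timezone.utc

# Constructed carrier-side activation history (stands in for the mobile network
# operator behind the recycle API; not real subscriber records). Each entry lists
# the timestamps at which the MSISDN was assigned to a subscriber.
ACTIVATIONS: Dict[str, List[datetime]] = {
    # assigned 2021-03-01, later released and recycled to a new subscriber 2023-08-15
    "+15551230001": [datetime(2021, 3, 1, tzinfo=UTC), datetime(2023, 8, 15, tzinfo=UTC)],
    # assigned once, never recycled
    "+15551230002": [datetime(2020, 6, 1, tzinfo=UTC)],
}

RecycleCheck = Callable[[str, datetime], Optional[bool]]


def recycled_since(msisdn: str, last_verified: datetime) -> Optional[bool]:
    """Local model of the recycle check: True if the number was (re)activated for
    a subscriber after `last_verified`, False if not, None if the operator has no
    record for the number. The app must never treat None as "safe"."""
    events = ACTIVATIONS.get(msisdn)
    if events is None:
        return None
    return any(activated > last_verified for activated in events)


@dataclass
class Account:
    user_id: str
    msisdn: Optional[str]
    phone_verified_at: Optional[datetime]  # last successful OTP or link on this platform


class PhoneFactorPolicy:
    """App-side policy: consult the recycle check before trusting the phone as an
    SMS 2FA or password-recovery factor, and before refusing a sign-up because
    the number is "already registered"."""

    def __init__(self, check: RecycleCheck, accounts_by_msisdn: Dict[str, Account]):
        self.check = check
        self.by_msisdn = accounts_by_msisdn

    def _verdict(self, acct: Account) -> Optional[bool]:
        if acct.msisdn is None or acct.phone_verified_at is None:
            return None  # nothing to trust yet
        return self.check(acct.msisdn, acct.phone_verified_at)

    def allow_sms_factor(self, acct: Account) -> bool:
        """Send an OTP / recovery SMS only when the number provably has not
        changed hands since this platform last verified it."""
        return self._verdict(acct) is False

    def on_sms_factor_success(self, acct: Account, now: datetime) -> None:
        """Refresh the verification date only after the user completes the OTP,
        so the next recycle query covers just the period since that proof."""
        acct.phone_verified_at = now

    def unlink_if_stale(self, acct: Account) -> bool:
        """Drop a number the account can no longer prove it owns, so whoever
        bought it after recycling cannot use it for login or recovery."""
        if acct.msisdn is not None and self._verdict(acct) is not False:
            self.by_msisdn.pop(acct.msisdn, None)
            acct.msisdn, acct.phone_verified_at = None, None
            return True
        return False

    def can_register_number(self, msisdn: str) -> bool:
        """Sign-up with a number already bound to another account is allowed
        only if that binding is stale; the stale binding is removed first."""
        holder = self.by_msisdn.get(msisdn)
        return True if holder is None else self.unlink_if_stale(holder)


def demo() -> dict:
    """Walk through the cases on realistic (constructed) input."""
    alice = Account("alice", "+15551230001", datetime(2022, 1, 10, tzinfo=UTC))
    bob = Account("bob", "+15551230002", datetime(2022, 1, 10, tzinfo=UTC))
    policy = PhoneFactorPolicy(recycled_since, {alice.msisdn: alice, bob.msisdn: bob})
    return {
        "alice_sms_allowed": policy.allow_sms_factor(alice),  # False: recycled after 2022-01-10
        "bob_sms_allowed": policy.allow_sms_factor(bob),      # True: never recycled
        "newcomer_gets_alice_number": policy.can_register_number("+15551230001"),  # True
        "alice_msisdn_after_unlink": alice.msisdn,            # None
        "newcomer_gets_bob_number": policy.can_register_number("+15551230002"),    # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design choices matter here. An unknown result is treated like a recycled number, because the failure mode of guessing wrong is exactly the account takeover the check is meant to prevent. And the stored verification date moves forward only when the user actually completes an OTP, not when the check merely comes back “false”, so the date always reflects a proof of possession rather than a lookup.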

With phone number recycling, the attack surface is simply too large to ignore. And with cyberattacks ever increasing, it’s imperative for companies to ensure they’re doing everything to keep their users’ accounts secure, their data private, and their user experience stellar.

It’s a huge competitive advantage that helps further the user trust, the brand image, and with that, accelerated user growth.

Would you like to know more? Let’s talk, schedule a call!
