35 million U.S. phone numbers are disconnected each year. Most get reassigned to new owners. In a new study, and I found 66% of recycled numbers we sampled were still tied to previous owners’ online accounts, possibly allowing account hijacking. recyclednumbers.cs.princeton.edu
It’s well known that number recycling is a nuisance, but we studied whether an adversary—even a relatively unskilled one—can exploit it to invade privacy and security. We present 8 attacks affecting both new and previous owners. We estimate that millions of people are affected.
Unfortunately, carriers imposed few restrictions on the adversary’s ability to browse available numbers and acquire vulnerable ones. After we disclosed the issue to them a few months ago, Verizon and T-Mobile improved their documentation but have not made the attack harder.
The good news is that you can protect yourself. If you need to give up your number, unlink it from online services first. Consider low-cost number “parking” services. Use more secure alternatives to SMS-2FA such as authenticator apps. More in our paper: recyclednumbers.cs.princeton.edu/assets/recycle
Good question. We address it extensively in our paper. For example, "people search services" like BeenVerified and Intelius return PII for the majority of recycled numbers :( twitter.com/usaidbolt/stat
But the biggest threat isn't from opportunistic adversaries but from attackers that specifically seek out recycled numbers. For example, if someone changes their number to escape a harasser, *the harasser can obtain the number* to impersonate the victim, causing even more damage.
