By Paul Wagenseil
Recycled phone numbers open up previous owners to attack
If you've ever changed your mobile phone number, especially in the past few years, then you may have created a huge security and privacy risk for yourself.
That's because your old phone number creates a gateway for hackers, crooks and stalkers to take over your Google, Facebook, Amazon or Yahoo accounts, break into your online bank accounts and even stalk or blackmail you, Princeton researchers detailed in a new academic paper and related website.
This happens because many websites let you log in with a phone number instead of a user name, then let you reset the password by sending a text to the phone number.
In other cases, banks or other financial services send two-factor-authentication (2FA) codes to the mobile number, letting crooks who've obtained your email address and password from data breaches get into the account.
All told, this is yet more evidence that the use of mobile phone numbers for account and identity verification is creating a slow-motion privacy and security catastrophe.
How to prevent your old phone number from hacking you
To guard against this, the Princeton researchers, Kevin Lee and Arvind Narayanan, advise persons changing their numbers to not release the old numbers to the carriers, but to use a "number parking" service that will hold the number for you at a reasonable cost.
They also advise that anyone changing their number realize they have only 45 days before the old number is put back into circulation, during which time they need to unlink the old number from all their online accounts. (This story was earlier reported by Vice Motherboard.)
Only so many numbers to go around
Lee and Narayanan explained in their research paper and website that, of the three major U.S. carriers, Verizon and T-Mobile both let you go online to choose a new mobile number and present you with a list of available possibilities. (AT&T does not.)
"In the United States," they wrote in their research paper, "when a subscriber gives up their 10-digit phone number, it eventually gets reassigned to someone else."
The "aging" period during which a previously used number must sit unused is 45 days, as mandated by the FCC. After that, it is made available for reuse, and if it's one controlled by Verizon or T-Mobile, it will be listed on their websites.
At any given time, Lee and Narayanan figured, about 1 million recycled numbers are up for grabs, and "we estimate that an available number gets taken after 1.2 months."
Looking at the Verizon and T-Mobile websites, the researchers found it easy to distinguish between "new" numbers that had never been used and "recycled" numbers that had been.
New numbers were presented in a consecutive sequence that could look like this:
- (212) 555-1234
- (212) 555-1236
- (212) 555-1243
- (212) 555-1249
- (212) 555-1253
- (212) 555-1260
Previously used numbers would present their last four digits randomly:
- (212) 555-1234
- (212) 555-9249
- (212) 555-2096
- (212) 555-5884
- (212) 555-3587
- (212) 555-5841
(Area codes are tied to the prospective customer's location, and the middle three digits are exchange prefixes that are assigned to carriers in blocks.)
Lee and Narayanan looked at 259 available numbers from Verizon and T-Mobile, established that 215 had been previously used, and then tried to see what they could do with them.
Pandora's phone number
The researchers found that 171 of the recycled numbers, or 83%, were tied to at least one existing account with Amazon, AOL, Facebook, Google, PayPal or Yahoo. Each of those services lets you log in using your mobile phone number instead of your email address or username.
Worse, Amazon, AOL, PayPal and Yahoo also let you reset the password for an account by sending a verification text containing a one-time passcode (OTP) to the associated mobile number — a situation that Lee and Narayanan called "doubly insecure."
In other words, Lee and Narayanan could have hijacked the accounts of 171 different people simply by using their old phone numbers.
"Accounts with this doubly insecure configuration... are at immediate risk of takeover," they wrote in their paper.
Facebook and Google were better about this, as "SMS [account] recovery is allowed only if SMS 2FA is not enabled."
Otherwise, you'd have to present a separate form of verification before getting that account-reset OTP, or have the OTP sent to a backup email account. (It's dangerous to use SMS text messages in two-factor authentication — other 2FA methods are much better.)
Pre-screening vulnerable numbers
Lee and Narayanan didn't even need to "claim" these numbers from T-Mobile or Verizon to do this. They just had to see the available numbers on the carriers' websites. That would let systematic attackers pre-screen available numbers for linked accounts.
"The attacker can then obtain these numbers and reset the password on the accounts, and receive and correctly enter the OTP sent via SMS upon login," they wrote.
It gets worse, though. Lee and Narayanan plugged their recycled phone numbers into two "people search" websites, BeenVerified and Intelius, to gather information about the numbers' previous owners.
Again, 171 of those numbers yielded results — full names, email addresses, locations, street addresses, workplace information and social media accounts. An attacker would get a good head start on stealing those persons' identities, all from just having their old phone numbers.
Defeating two-factor authentication
Lee and Narayanan also plugged the phone numbers into HaveIBeenPwned, an online database that lets you check whether your email addresses, passwords and phone numbers have been exposed in data breaches, data leaks and phishing attacks.
They found that 100 of the 259 numbers "were linked to leaked login credentials on the web, which could enable account hijackings that defeat SMS multi-factor authentication."
In other words, those numbers were associated with username-password combinations that had already been compromised and were available somewhere online.
With the login credentials plus the phone number, an attacker could log into accounts that were protected by SMS-based 2FA, then get the verification text with the one-time-password — and completely take over the old number holder's email, bank or other online account.
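The two failure modes described above (a phone number that is both the login identifier and the SMS reset channel, and a leaked password guarded only by SMS 2FA) are both configuration problems on the service's side. The following is an added example, not code from the Princeton researchers or from any of the named services, showing how a service could audit its own accounts for those configurations and apply the Facebook/Google-style rule quoted in the text, that SMS recovery is allowed only when SMS is not also the second factor. The `Account` fields, the `password_breached` flag and the "re-verify the number after the 45-day aging window" check are assumptions made for the example; the 45-day figure is the FCC aging period the article cites.

```python
"""Audit of phone-number-based recovery configurations (illustrative example).

Not the Princeton researchers' code and not any named service's implementation.
The Account fields and the "re-verify after the aging window" rule are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Dict, List, Optional

FCC_AGING_DAYS = 45  # released numbers may be reassigned after this period (from the article)


class Recovery(Enum):
    SMS_OTP = "sms_otp"                        # reset code texted to the number
    BACKUP_EMAIL = "backup_email"              # reset code sent to backup email
    SECOND_FACTOR_REQUIRED = "second_factor"   # extra verification before any OTP
    DENIED = "denied"                          # no safe recovery channel available


@dataclass
class Account:
    username: str
    phone_login: bool                 # phone number accepted in place of a username
    sms_reset: bool                   # service texts a password-reset OTP to the number
    sms_2fa: bool                     # SMS is the login second factor
    backup_email: Optional[str]
    phone_verified_on: date           # last proof of control of the number (assumed field)
    password_breached: bool = False   # password seen in a breach feed (assumed field)


def is_doubly_insecure(acct: Account) -> bool:
    """The paper's 'doubly insecure' case: number is both identifier and reset channel."""
    return acct.phone_login and acct.sms_reset


def phone_possibly_recycled(acct: Account, today: date) -> bool:
    """Assumed rule: a number not re-verified within the aging window may have a new owner."""
    return (today - acct.phone_verified_on).days > FCC_AGING_DAYS


def recovery_decision(acct: Account, today: date) -> Recovery:
    """Decide how a password reset may proceed for this account."""
    fallback = Recovery.BACKUP_EMAIL if acct.backup_email else Recovery.SECOND_FACTOR_REQUIRED
    if acct.sms_2fa:
        # SMS already serves as the second factor; it must not also be the recovery channel.
        return fallback
    if not acct.sms_reset:
        return Recovery.BACKUP_EMAIL if acct.backup_email else Recovery.DENIED
    if phone_possibly_recycled(acct, today):
        # Never text an OTP to a number whose current holder is unknown.
        return fallback
    return Recovery.SMS_OTP


def findings(acct: Account, today: date) -> List[str]:
    """Risk findings for one account, phrased in the terms the article uses."""
    out: List[str] = []
    if is_doubly_insecure(acct):
        out.append("doubly insecure: phone login + SMS password reset")
    if acct.password_breached and acct.sms_2fa:
        out.append("breached password with SMS-only 2FA")
    if phone_possibly_recycled(acct, today):
        out.append("phone unverified beyond 45-day aging window")
    return out


def audit(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    return {a.username: findings(a, today) for a in accounts}


# Constructed sample accounts for the demo; none correspond to real users.
TODAY = date(2021, 5, 10)
SAMPLE = [
    Account("alice", True, True, False, None, date(2021, 5, 1)),
    Account("bob", True, False, True, "bob-backup@example.com", date(2020, 9, 1), password_breached=True),
    Account("carol", False, False, False, "carol@example.com", date(2021, 4, 20)),
]

if __name__ == "__main__":
    report = audit(SAMPLE, TODAY)
    for acct in SAMPLE:
        print(acct.username, recovery_decision(acct, TODAY).value, report[acct.username])
```

The decision function refuses to use SMS as the recovery channel whenever SMS is already the second factor, and, under the assumed re-verification rule, also when the number has not been confirmed since the aging window elapsed; in both cases it falls back to a backup email or to a separate verification step, which is the behaviour the article credits Facebook and Google with.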
Stalkers, spammers and blackmailers
Lee and Narayanan outlined possibly more dire scenarios, some of which are pretty horrifying to imagine. A person being stalked or harassed could change their number to escape their tormentor, only to have the stalker claim the old number once it became available after the required 45-day "aging" period.
Phishers and spammers could write down available numbers, then text-spam the new number owners after the numbers are claimed. Crafty crooks could temporarily hold numbers, sign up for Google, Facebook or Amazon, then release the numbers — and demand money from the next number owners who find they can't properly set up accounts on those services.
Fortunately, this research, which was presented to T-Mobile and Verizon in advance, is already yielding some results.
Both carriers added reminders to their number-change pages to remind subscribers that they had 45 days to unlink their old numbers from online accounts. Verizon also altered its number-change pages so that you couldn't keep looking at available numbers endlessly.
Still, this all serves as a reminder that phone numbers should not be used as login credentials, as account verification or as proof of identity — period.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.