For one reason or another, you will likely change your mobile phone number at some point in your life. But be aware of a new tactic online criminals are using to steal your identity.
Many apps and websites now allow users to reset their passwords via SMS (text) message to their mobile phone. So, if you no longer have control of an old mobile number, you could lose control over a lot more.
Attackers are leveraging recycled numbers to gain access to accounts
When you relinquish your number to your service provider, it goes into a pool of recycled numbers. These numbers are then available to other customers, and attackers have started claiming them to gain access to active online accounts. Recently, the computer science department of Princeton University sampled 259 recycled phone numbers. Of the 259 numbers sampled, 171 were connected to active accounts on popular websites, meaning the previous owners of those numbers were at risk of falling victim to fraud.
How do attackers find these numbers?
The Princeton University study accessed the numbers by browsing available prepaid account numbers. They tested numbers with T-Mobile and Verizon; AT&T did not allow number browsing. The Princeton team found no limits on how many times the recycled number pools could be searched. This means that attackers could automate their search process, making it even easier for them to find vulnerable numbers.
How to protect yourself
There are different courses of action you can take to protect yourself in this situation.
1. Update your account information – Before you deactivate your current number, remove it from the websites you use. If you’ve already changed your number, you can still protect yourself. Make a list of all the websites on which your phone number is used to automatically recover your account password. Then, go through the list and update your phone number in each account. Some may require a phone call to customer service.
2. Park or port your old number – Services like Google Voice allow you to port your number to them for a one-time fee. Once ported, you can continue to receive texts and calls to that number.
3. Don’t recover passwords with your phone – Many websites request that you add a phone number as a password recovery mechanism. Consider removing your phone number as the primary recovery option on these sites. Most sites will let you recover passwords through email, which is more secure in this scenario.
It is tempting to use text messages for account authentication. But if you change your number, you might give attackers the opportunity they’re looking for.