The dangers of recycling phone numbers
I recently purchased a new SIM card from a local telecom company in Suriname. I was assigned a ‘new’ phone number with this SIM card. After inserting the SIM card into a phone, I installed WhatsApp and tried to activate a WhatsApp account with the ‘new’ phone number. To my surprise, another person’s profile picture and status text appeared in ‘my’ WhatsApp account after activation. It turned out that I had unintentionally taken over someone else’s WhatsApp account.
Shortly after that, I received a message on WhatsApp from someone with a foreign phone number, that would later turn out to be the previous owner of the ‘new’ number that was assigned to me. Without knowing who this person was, I asked if anything was wrong. I received an answer after two days. I can imagine the panic that this person must have felt, considering that their number, which was apparently still in use, was suddenly taken over by someone else. At that point, you don’t know who it is and what’s going on. For example, it could have been a hacker with malicious intent.
After two days, the person told me that, until recently, the phone number I was using belonged to them. I explained that I had gotten the number from the telecom company when I bought a new SIM card, and that they had most likely recycled the number because there had been no top-up on that number for a while. The person explained that they were abroad due to study and had not been able to top-up. I suggested returning the number; for example, I could give the SIM card to family in Suriname. However, the person did not think this was necessary and insisted that I could keep it. I suspect that in the meantime they had already taken steps to limit possible negative consequences.
It is appalling to me that telecom companies are so careless with recycling phone numbers. In today’s context, this is particularly dangerous and poses significant privacy and (cyber) security risks for the affected users as well as their contacts. I use the plural ‘companies’ on purpose here because I’ve seen this problem at both major telecom companies currently operating in Suriname.
Hacking phones
The actual risk of recycled phone numbers is not limited to telecom companies. The security concerns extend to third-party applications such as banks, retail stores, social media and service providers that use the linked SMS services as part of their authentication process and consider phone numbers as the unique identity of their users. SMS authentication is a method that involves sending a One Time Password (OTP) to the user’s phone via a text message or phone call. One of the major banks in Suriname also switched to this system recently.
Researchers at Princeton University did a study in 2021 (“Security and Privacy Risks of Number Recycling at Mobile Carriers in the United States”) on the security and privacy risks of recycling phone numbers by telecom companies. They concluded that former and future owners of recycled numbers are vulnerable to various attacks, such as denial of service, phishing and account takeover (social media, e-mail, e-commerce, banking, etc.) via password resets, among other methods. They also strongly discouraged the use of SMS authentication.
It’s easy to imagine what can happen when your phone number gets into the hands of another person these days. In the above case, I was able to access the previous owner’s WhatsApp account within minutes, instantly seeing their profile picture and status message. Although I didn’t look any further, I could probably also have gained access to all the social media accounts that were registered with that number with little effort, and eventually perhaps even backups and other data stored with various service providers such as Microsoft and Google.
We are spammed almost daily (even as I write this) with text message advertisements and sometimes phone calls from telecom companies. Is it too much to ask to spam phone numbers for months as well with warnings that the number will be recycled if not topped up soon? Or what about repeated (automatic or otherwise) calls by customer service to those numbers to inform them (in various languages) that this will happen before they are recycled? Perhaps the person in the above case could then have asked family members to top up the number.
Lastly, a pro-tip: avoid using WhatsApp for communication; instead, use Signal Private Messenger. I personally have not been using WhatsApp since 2019 because it is spyware like all other Meta/Facebook apps. In this case, I temporarily installed it for a specific purpose on a different number than the one I use daily. Signal is significantly better in terms of privacy and security and would not allow personal data to be used in an account takeover, like in the above case.
Comments
There’s one response. Follow any responses to this post through its comments RSS feed. You can leave a response, or trackback from your own site.