Security and Privacy Risks of Number Recycling at Mobile Carriers in the United States

Kevin Lee; Arvind Narayanan

doi:10.1109/eCrime54498.2021.9738792

Security and Privacy Risks of Number Recycling at Mobile Carriers in the United States

Kevin Lee, Arvind Narayanan

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

8 Scopus citations

Abstract

We examined the security and privacy risks of phone number recycling in the United States. We sampled 259 phone numbers available to new subscribers at two major carriers, and found that 171 of them were tied to existing accounts at popular websites, potentially allowing those accounts to be hijacked. Additionally, a majority of available numbers led to hits on people search services, which provide personally identifiable information on previous owners. Furthermore, a significant fraction (100 of 259) of the numbers were linked to leaked login credentials on the web, which could enable account hijackings that defeat SMS-based multi-factor authentication. We also found design weaknesses in carriers' online interfaces and number recycling policies that could facilitate attacks involving number recycling. We close by recommending steps carriers, websites, and subscribers can take to reduce risk.

Original language	English (US)
Title of host publication	Proceedings of the 2021 APWG Symposium on Electronic Crime Research, eCrime 2021
Publisher	IEEE Computer Society
ISBN (Electronic)	9781665480291
DOIs	https://doi.org/10.1109/eCrime54498.2021.9738792
State	Published - 2021
Event	2021 APWG Symposium on Electronic Crime Research, eCrime 2021 - Virtual, Online, United States Duration: Dec 1 2021 → Dec 3 2021

Publication series

Name	eCrime Researchers Summit, eCrime
Volume	2021-December
ISSN (Print)	2159-1237
ISSN (Electronic)	2159-1245

Conference

Conference	2021 APWG Symposium on Electronic Crime Research, eCrime 2021
Country/Territory	United States
City	Virtual, Online
Period	12/1/21 → 12/3/21

All Science Journal Classification (ASJC) codes

Computer Networks and Communications
Computer Science Applications
Information Systems
Information Systems and Management

Access to Document

10.1109/eCrime54498.2021.9738792

Cite this

@inproceedings{6129c1a9654b4bf59e8b93b8d43b7fcb,

title = "Security and Privacy Risks of Number Recycling at Mobile Carriers in the United States",

abstract = "We examined the security and privacy risks of phone number recycling in the United States. We sampled 259 phone numbers available to new subscribers at two major carriers, and found that 171 of them were tied to existing accounts at popular websites, potentially allowing those accounts to be hijacked. Additionally, a majority of available numbers led to hits on people search services, which provide personally identifiable information on previous owners. Furthermore, a significant fraction (100 of 259) of the numbers were linked to leaked login credentials on the web, which could enable account hijackings that defeat SMS-based multi-factor authentication. We also found design weaknesses in carriers' online interfaces and number recycling policies that could facilitate attacks involving number recycling. We close by recommending steps carriers, websites, and subscribers can take to reduce risk.",

author = "Kevin Lee and Arvind Narayanan",

note = "Publisher Copyright: {\textcopyright} 2021 IEEE.; 2021 APWG Symposium on Electronic Crime Research, eCrime 2021 ; Conference date: 01-12-2021 Through 03-12-2021",

year = "2021",

doi = "10.1109/eCrime54498.2021.9738792",

language = "English (US)",

series = "eCrime Researchers Summit, eCrime",

publisher = "IEEE Computer Society",

booktitle = "Proceedings of the 2021 APWG Symposium on Electronic Crime Research, eCrime 2021",

address = "United States",

}

Lee, K & Narayanan, A 2021, Security and Privacy Risks of Number Recycling at Mobile Carriers in the United States. in Proceedings of the 2021 APWG Symposium on Electronic Crime Research, eCrime 2021. eCrime Researchers Summit, eCrime, vol. 2021-December, IEEE Computer Society, 2021 APWG Symposium on Electronic Crime Research, eCrime 2021, Virtual, Online, United States, 12/1/21. https://doi.org/10.1109/eCrime54498.2021.9738792

Security and Privacy Risks of Number Recycling at Mobile Carriers in the United States. / Lee, Kevin; Narayanan, Arvind.
Proceedings of the 2021 APWG Symposium on Electronic Crime Research, eCrime 2021. IEEE Computer Society, 2021. (eCrime Researchers Summit, eCrime; Vol. 2021-December).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Security and Privacy Risks of Number Recycling at Mobile Carriers in the United States

AU - Lee, Kevin

AU - Narayanan, Arvind

PY - 2021

Y1 - 2021

N2 - We examined the security and privacy risks of phone number recycling in the United States. We sampled 259 phone numbers available to new subscribers at two major carriers, and found that 171 of them were tied to existing accounts at popular websites, potentially allowing those accounts to be hijacked. Additionally, a majority of available numbers led to hits on people search services, which provide personally identifiable information on previous owners. Furthermore, a significant fraction (100 of 259) of the numbers were linked to leaked login credentials on the web, which could enable account hijackings that defeat SMS-based multi-factor authentication. We also found design weaknesses in carriers' online interfaces and number recycling policies that could facilitate attacks involving number recycling. We close by recommending steps carriers, websites, and subscribers can take to reduce risk.

AB - We examined the security and privacy risks of phone number recycling in the United States. We sampled 259 phone numbers available to new subscribers at two major carriers, and found that 171 of them were tied to existing accounts at popular websites, potentially allowing those accounts to be hijacked. Additionally, a majority of available numbers led to hits on people search services, which provide personally identifiable information on previous owners. Furthermore, a significant fraction (100 of 259) of the numbers were linked to leaked login credentials on the web, which could enable account hijackings that defeat SMS-based multi-factor authentication. We also found design weaknesses in carriers' online interfaces and number recycling policies that could facilitate attacks involving number recycling. We close by recommending steps carriers, websites, and subscribers can take to reduce risk.

UR - http://www.scopus.com/inward/record.url?scp=85128075372&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85128075372&partnerID=8YFLogxK

U2 - 10.1109/eCrime54498.2021.9738792

DO - 10.1109/eCrime54498.2021.9738792

M3 - Conference contribution

AN - SCOPUS:85128075372

T3 - eCrime Researchers Summit, eCrime

BT - Proceedings of the 2021 APWG Symposium on Electronic Crime Research, eCrime 2021

PB - IEEE Computer Society

T2 - 2021 APWG Symposium on Electronic Crime Research, eCrime 2021

Y2 - 1 December 2021 through 3 December 2021

ER -

Security and Privacy Risks of Number Recycling at Mobile Carriers in the United States

Abstract

Publication series

Conference

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this