PONT Data&Privacy

Privacy risks in mobile number reuse

People today are increasingly connected to their mobile devices. These devices, in turn, are usually linked to mobile numbers (e.g., the 06 numbers in the Netherlands) for telephony (making "old-fashioned" phone calls and exchanging text messages). On top of this, many of the most popular mobile apps rely (in part) on mobile numbers to identify individual users and to forward messages to them. This means that people are linked to their mobile numbers more than ever, and thus these numbers are in practice considered unique identifiers of these individuals.

6 December 2019

author: Mortaza S. Bargh

1. The role and importance of mobile numbers

Mobile numbers also play an important role as a means of authentication for individual users.[1] Online services used, for example, for online banking, social networking and emailing, sometimes use text messages (and thus rely on mobile numbers) to send One Time Passwords (OTPs) to users when they want to log into their accounts or reset their passwords. In other words, mobile numbers are increasingly being used to identify and authenticate people.

Mobile numbers can continue to perform this dual role of authenticating and identifying individual users only as long as the links between individuals and their devices, and those between devices and mobile numbers, remain intact. The first link can break when, for example, people lose their devices; the second breaks when, for example, a mobile phone subscription is terminated. These broken links can cause privacy and security problems. This contribution discusses some of the privacy and security risks that can arise from mobile number reuse.

2. The need for mobile number reuse

The number of possible mobile numbers is not infinite.[2] Therefore, mobile numbers that have been deactivated and reclaimed for one reason or another are often offered again to new customers by telecom providers. The policy for reuse of these deactivated numbers can vary greatly from country to country or even from telecom provider to provider.[3] Providers normally place the recovered numbers in a state of quarantine (also known as a "cooling off period") for a period of time (e.g., three months).

3. What can go wrong

While mobile number reuse offers a solution to the chronic shortage of numbers, it exposes both the new and the previous owners of these numbers to security and privacy risks. The following is a (non-exhaustive) list of potential risks.[4]

3.1. For the new owner

The new owner of a reused mobile number could receive calls from people who have the previous owner in their contact list and do not know that the number no longer belongs to the previous owner. There are stories on the Internet about new owners of mobile numbers who are regularly called (or even harassed) by these contacts,[5] which is a clear violation of these new owners' privacy: an unwanted intrusion into their private lives.

Nowadays, messaging apps (such as WhatsApp and Telegram) also use mobile numbers to (partially) identify their users and to forward messages to these users. It is therefore wise to find out in advance to what extent these apps rely on mobile numbers for message forwarding. If message forwarding depends entirely on mobile numbers, then the problem mentioned above (that the new owners of mobile numbers are harassed by the contacts of the previous owners) also applies to these apps. Another privacy risk with these messaging apps is that the new owner's profile picture may be shared with (and thus may be visible to) the previous owner's contacts.

3.2. For the previous owner

The impact of the privacy and security risks is greater for previous owners than for new owners. As mentioned above, mobile numbers are sometimes used by various online services as a means of authentication for individual users. For example, as the second step of Two-factor Authentication (2FA), these services may send an OTP (a confirmation code) via text message to users who want to access these services, or who want to reset their password (if they have forgotten it, for example). If the new owner of a mobile number is an intruder who knows the previous owner (or who knows how to find information about the previous owner through online search engines or social media, for example), this intruder can cause great harm to the previous owner. For example, the intruder may go to the website of an online service that the victim (the previous owner) uses, click on the link for forgotten passwords, answer a few questions about the victim, receive the OTP via text message to reset the victim's account for this online service, enter a new password for the account, and thereby take over the victim's account. After such a takeover, victims often have no access to their account at all. Depending on the type of online service, the victim is then at risk of financial losses (in banking applications, for example), invasions of their privacy (on social media, for example) and impediments to using important services (limited or no access to mail and messaging apps, for example).

With a messaging app, it is wise to find out in advance whether or not the previous owner's contact list will be passed on to the new owner of the mobile number. If this list does get passed on, the intruder (the new owner) can call these contacts of the victim and cause reputational damage to the victim, or even scam these contacts by asking them for help or favors on behalf of the victim.

4. What can we do

The privacy and security risks mentioned above are best addressed by a combination of different methods. For example, the previous owners of reused mobile numbers can take care to notify both their personal contacts and any online services that may use the number as part of a 2FA process that the number has been deactivated. Online service providers, in turn, should regularly ask their customers whether these mobile numbers are still actively used and have not been deactivated. The use of text messages for OTPs is unsafe in any case and should therefore be replaced by other methods that do not rely entirely on mobile numbers.
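As an added illustration (not part of the original contribution), the following hypothetical Python policy shows how an online service could act on the recommendations above: withhold an SMS OTP when the stored number has not been re-confirmed by the user within a typical quarantine period, run a periodic "is this number still yours?" sweep, and honour a deactivation notice from the previous owner. The 90-day interval, the account records and the numbers are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: re-confirmation interval equal to the ~three-month quarantine
# period telecom providers apply before reissuing a number.
QUARANTINE = timedelta(days=90)

@dataclass
class Account:
    user: str
    number: str
    last_verified: datetime    # last time the user confirmed the number is theirs
    deactivated: bool = False  # user told the service the number was given up

def otp_decision(acct: Account, now: datetime, max_age: timedelta = QUARANTINE) -> str:
    """Handle a password-reset request that would send an SMS OTP.
    'block': owner reported the number deactivated, never text it.
    'reverify': not confirmed within max_age, prove ownership via another
    factor (e-mail link, authenticator app) before any SMS goes out.
    'send': confirmed recently enough, SMS OTP may be sent."""
    if acct.deactivated:
        return "block"
    if now - acct.last_verified > max_age:
        return "reverify"
    return "send"

def due_for_reverification(accounts, now, max_age=QUARANTINE):
    """Periodic sweep: users to ask 'is this number still yours?'."""
    return [a.user for a in accounts
            if not a.deactivated and now - a.last_verified > max_age]

def mark_deactivated(accounts, number):
    """Apply a notice from the previous owner that the number was given up."""
    hits = [a for a in accounts if a.number == number]
    for a in hits:
        a.deactivated = True
    return len(hits)

# Constructed sample data (fictitious users and numbers).
NOW = datetime(2019, 12, 6)
SAMPLE = [
    Account("alice", "+31600000001", datetime(2019, 11, 20)),
    Account("bob",   "+31600000002", datetime(2019, 6, 1)),
    Account("carol", "+31600000003", datetime(2019, 10, 1), deactivated=True),
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(a.user, otp_decision(a, NOW))   # alice send, bob reverify, carol block
```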

5. Disclaimer

The views and opinions expressed in this contribution do not necessarily reflect the official policy or position of the author's employers.

[1] See, for example, https://www.wired.com/story/phone-numbers-indentification-authentication/, https://krebsonsecurity.com/2019/03/why-phone-numbers-stink-as-identity-proof/

[2] See https://www.acm.nl/nl/publicaties/acm-gaat-ongebruikte-06-nummers-terughalen. Currently, the Consumer & Market Authority (ACM) is responsible for assigning mobile numbers to telecom providers. If a provider has not found customers for some of the assigned numbers within a year, the ACM reclaims these unused numbers.

[3] https://labs.detectify.com/2018/05/24/recycled-phone-numbers/

[4] The risks of mobile number reuse are in some ways similar to the risks of so-called SIM-swapping fraud, where an intruder intentionally takes someone's mobile number and transfers it to another mobile device. See, for example, https://securelist.com/large-scale-sim-swap-fraud/90353/, https://www.wired.com/story/sim-swap-attack-defend-phone/, https://www.rtlnieuws.nl/tech/artikel/4827171/esim-sim-swapping-06-nummer-overnemen-hacken

[5] See, for example, https://www.abc.net.au/news/2017-09-30/political-staffer-phone-numbers-recycled-for-public-citizens/9002498, https://www.quora.com/Do-old-cell-phone-numbers-get-retired-or-reused
