People change their phone numbers much more often than when everyone had landlines. These days, phone numbers can be changed as easily as upgrading to the newest smartphone model and are no longer tied to a specific place. For example, people can have cell numbers in a completely different state.
Something else that has changed is the number of sensitive accounts and other connections that a mobile phone number has. From the moment a person gets a new cell number, it begins building digital footprints.
If you haven’t been keeping track of all those footprints, it can mean a security risk when you drop that mobile number and the carrier recycles it.
Many people use their mobile number for password resets for platforms like Microsoft 365, iTunes, and others. If an old mobile number is still tied to any of those accounts for password resets after you’ve turned it back over to the carrier, your accounts could be hacked by the person who gets that number next.
Think that most people wouldn’t be so nefarious? You’d be surprised how many criminals out there look up available mobile numbers on carrier websites and then do a Google search on them to see what accounts come up. If the hacker sees enough interesting accounts tied to an available mobile number, they’ll snatch it up.
University Study Shows Recycled Mobile Numbers Can Be Risky
A study done by Princeton University on the risks of recycling a mobile phone number found that out of 259 available numbers, 66% of them were still connected to accounts held with popular websites like Amazon and PayPal, enabling impersonation attacks.
All the new owner of the mobile number would need to do is search on the number to see which sites it was attached to. This type of search could also bring up the former owner’s email address, which would make it even easier for the hacker to try password resets to see which ones were SMS-based.
What Can Happen If Your Old Mobile Number Is Still Connected to Your Accounts?
When you stop and think about all the accounts your mobile number is attached to, the risk of changing that number and allowing it to be recycled becomes clearer. The chance one of your cloud accounts will be hijacked is high if you haven’t updated your contact information.
Some of the many types of text messages that come to our phones from various accounts include:
- Shipping and delivery notices
- Banking alerts
- Deposit notices
- Multi-factor authentication codes
- Medical appointment reminders
- Prescription refills
- And more
What can happen when your old mobile number is leveraged by an online thief?
PII Indexing
PII (Personally Identifiable Information) is easy to find if you have a mobile number to search with. There will be social media accounts that bring up profiles, work-related internet search hits, and more. Scammers gather all this information to create a full PII profile on a person. The more pieces they can put together, the more valuable the full PII package is.
The thief can then either sell the PII on the Dark Web or use it themselves for identity theft.
Social Phishing
If your mobile number is tied to a social media account, then a hacker could potentially take over your account and pose as you. They could then send social phishing messages to any of your contacts attempting to get money or information of value to them.
Account Hijacking Through Password Reset
Many accounts use a mobile number for a password reset. If a hacker has your old number, one of the first things they will try is to gain access to any of your accounts that they can by using password recovery.
If your password recovery link is going to your old mobile number, you might not even realize someone has changed your password and locked you out of your own account.
The university study found that for 39% of the available numbers researched, a popular account could be hijacked via password recovery.
Account Breach Through MFA
Multi-factor authentication is one of the best ways to prevent cloud account hijacking, but it doesn’t help you if the number the code comes to is no longer in your control.
If you haven’t changed your number for a site set up to send an MFA code by SMS, it would be fairly easy for a criminal to breach your account and log in as you.
It’s vital to change your number for all sites and accounts that have that number in your profile before you decide to hand it back over to the mobile carrier.
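One way to carry out that check before releasing a number, shown as an added example that is not from the original article: a short Python script that scans an account inventory for the retiring number in any common format and lists what to update first. The CSV columns, the sample rows and the 555-01xx numbers are constructed for illustration, and US country code 1 is assumed for 10-digit numbers.

```python
import csv
import io
import re

# Lower value = fix first. SMS reset and MFA codes allow account takeover;
# notifications (delivery, banking, medical) leak personal information.
PRIORITY = {"password_reset": 0, "sms_mfa": 0, "notifications": 1}

# Constructed sample inventory; the column names are assumptions for this example.
INVENTORY = """service,phone_on_file,phone_use
Pharmacy,704.555.0134,notifications
Microsoft 365,(704) 555-0134,password_reset
Bank,+1 704-555-0134,sms_mfa
Social,+1 (980) 555-0199,sms_mfa
Shop,,none
"""

def normalize(number, default_cc="1"):
    """Reduce a number to digits with country code so different formats compare equal."""
    digits = re.sub(r"\D", "", number or "")
    if len(digits) == 10:  # national format: prepend the assumed country code
        digits = default_cc + digits
    return digits

def audit(csv_text, retiring_number):
    """Return (service, phone_use) pairs still tied to the retiring number, riskiest first."""
    target = normalize(retiring_number)
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if target and normalize(row["phone_on_file"]) == target:
            hits.append((row["service"], row["phone_use"]))
    # Unknown uses sort last; sorted() is stable, so ties keep inventory order.
    return sorted(hits, key=lambda h: PRIORITY.get(h[1], 2))

if __name__ == "__main__":
    for service, use in audit(INVENTORY, "704-555-0134"):
        print(f"update before release: {service} ({use})")
```

Matching on normalized digits matters because sites store the same number in different formats, so a plain text search of an inventory can miss entries.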
Get Help with Mobile Security for Your Small Business
Companies that have several mobile numbers are often at higher risk because there’s a better chance a number will get recycled. Rocky Knoll Technologies can work with your Charlotte area business to review and update your mobile security to keep your business from suffering a breach.
Contact us today to schedule a free consultation. Call 704.594.7292 or reach us online.