Two-factor authentication (2FA) is supposed to increase security. The extra step is meant to stop an attacker who has obtained one credential, typically the password, from getting into the account, because a second factor they most likely do not hold is still required. However, researchers have found that SMS-based 2FA can itself become a security risk when phone numbers are recycled.
Recycled Phone Numbers Expose 2FA Accounts
Whether it’s because they relocate or switch carriers, people change their phone numbers from time to time. But the supply of unused phone numbers is finite, so discarded numbers are recycled and handed to new subscribers. You may have discovered this yourself after picking up a new number and being bothered by a rash of calls for the person who previously held it.
The nuisance can go beyond stray calls. If the previous owner used the number for SMS 2FA or as the recovery contact for password resets, the accounts tied to it are exposed: login codes and reset messages now arrive on the new owner’s handset. Where a site lets a password be reset by text message, the second factor and the recovery channel are the same phone number, so instead of needing two factors for access, all that is needed is control of the number.
Princeton University researchers documented the risk in a study of 2FA and recycled phone numbers. Out of more than 250 phone numbers the researchers sampled, 17 were connected to accounts at popular websites. The sampled numbers were ones offered as available to new subscribers at two major carriers.
“Additionally, a majority of available numbers led to hits on people search services, which provide personally identifiable information on previous owners. Furthermore, a significant fraction (100 of 259) of the numbers were linked to leaked login credentials on the Web, which could enable account hijackings that defeat SMS-based multi-factor authentication,” detailed the researchers in their study.
“We also found design weaknesses in carriers’ online interfaces and number recycling policies that could facilitate attacks involving number recycling.”
The new owners of the phone numbers receive security- and privacy-sensitive calls and messages meant for the previous owner, including authentication passcodes. The Princeton researchers believe the new owners could become incentivized to exploit the accounts these numbers are still connected to.
Limiting the Security Risk
What can you do, when changing your phone number, to limit the risk to accounts that were at one point protected by 2FA tied to the old number? Tracking down every such account before the old number goes live for someone else would be a nightmare.
The Princeton researchers suggest that you “park” your old number when switching to a new one, keeping it under your control with a parking service, a mobile virtual network operator (MVNO), or a VoIP provider. That buys you the time you need to update the 2FA settings on your old accounts to the new number before the old one can be reassigned.
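The following is an added example, not code from the article or from the Princeton study, that models the two points above: how SMS 2FA plus SMS-based password reset collapses to "whoever holds the number" once a carrier recycles it, and why parking the old number (or updating the account's phone number first) closes the hole. The carrier, website, user names and phone numbers are all constructed for the illustration; the toy carrier simply delivers every text to whoever currently holds the number.

```python
import hashlib
import secrets

# Constructed example: a toy carrier and a toy website, not any real service.


def _hash(password):
    return hashlib.sha256(password.encode()).hexdigest()


class Carrier:
    """Toy carrier. An SMS goes to whoever holds the number *right now*."""

    def __init__(self):
        self.holder = {}  # phone number -> subscriber name
        self.inbox = {}   # subscriber name -> list of received texts

    def assign(self, number, subscriber):
        self.holder[number] = subscriber

    def send(self, number, text):
        subscriber = self.holder.get(number)
        if subscriber is not None:
            self.inbox.setdefault(subscriber, []).append(text)

    def read(self, subscriber):
        return self.inbox.pop(subscriber, [])


class Website:
    """Password + SMS one-time code at login; SMS code for password reset."""

    def __init__(self, carrier):
        self.carrier = carrier
        self.users = {}  # username -> {"pw": hash, "phone": number}
        self.codes = {}  # (username, purpose) -> single-use code

    def register(self, username, password, phone):
        self.users[username] = {"pw": _hash(password), "phone": phone}

    def change_phone(self, username, new_phone):
        self.users[username]["phone"] = new_phone

    def _send_code(self, username, purpose):
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[(username, purpose)] = code
        self.carrier.send(self.users[username]["phone"], f"{purpose}:{code}")

    def _check_code(self, username, purpose, code):
        return self.codes.pop((username, purpose), None) == code

    def login(self, username, password):
        user = self.users.get(username)
        if user is None or user["pw"] != _hash(password):
            return False
        self._send_code(username, "login")  # first factor passed, send second
        return True

    def login_otp(self, username, code):
        return self._check_code(username, "login", code)

    def request_reset(self, username):
        if username in self.users:
            self._send_code(username, "reset")

    def finish_reset(self, username, code, new_password):
        if not self._check_code(username, "reset", code):
            return False
        self.users[username]["pw"] = _hash(new_password)
        return True


def code_from_inbox(texts, purpose):
    for text in texts:
        kind, _, code = text.partition(":")
        if kind == purpose:
            return code
    return None


def hijack(site, carrier, attacker, victim):
    """Takeover attempt using nothing but SMS received by the attacker.
    Returns True if the attacker ends up fully logged in as the victim."""
    site.request_reset(victim)
    reset_code = code_from_inbox(carrier.read(attacker), "reset")
    if reset_code is None or not site.finish_reset(victim, reset_code, "new-pw"):
        return False
    if not site.login(victim, "new-pw"):
        return False
    otp = code_from_inbox(carrier.read(attacker), "login")  # the "second" factor
    return otp is not None and site.login_otp(victim, otp)


def recycled_number_scenario(park_old_number=False, update_2fa_first=False):
    """alice moves to a new number; mallory is handed the old one."""
    carrier = Carrier()
    site = Website(carrier)
    old, new = "+15555550100", "+15555550199"  # constructed numbers
    carrier.assign(old, "alice")
    site.register("alice", "correct horse", old)
    carrier.assign(new, "alice")
    if update_2fa_first:
        site.change_phone("alice", new)  # account no longer points at old number
    if not park_old_number:
        carrier.assign(old, "mallory")   # carrier recycles the discarded number
    return hijack(site, carrier, "mallory", "alice")
```

Running `recycled_number_scenario()` returns True: mallory never learns a password or a code, yet the reset text and the login code both land in her inbox because the site's only notion of "the user" is the phone number it has on file. With `park_old_number=True` the old number still routes to alice, so the attack fails, and with `update_2fa_first=True` the codes go to the new number and it fails as well. The design flaw to look for in a real system is the same one the toy site has: a recovery path and a second factor that both reduce to the same SMS channel.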