Cyber security expert Asela Waidyalankara has warned of the possible risk posed by the recycling of mobile numbers in Sri Lanka.
He pointed out that many online services allow customers to reset their passwords by clicking a link sent via SMS and this unfortunately widespread practice has turned mobile numbers into de facto identity documents.
Many people willingly abandon a mobile number without considering the potential fallout to their digital identities when that number invariably gets reassigned to another person.
Research shows how fraudsters can abuse Telecommunications providers to identify available, recycled mobile numbers that allow password resets at a range of email providers and financial services online, Waidyalankara said.
Citing a research by the Computer Science Department at Princeton University, he said researchers had sampled 259 phone numbers at two major carriers, and found 171 of them were tied to existing accounts at popular websites, potentially allowing those accounts to be hijacked.
The Princeton team has a number of recommendations for T-Mobile and Verizon, noting that both carriers allow unlimited inquiries on their prepaid customer platforms online — meaning there is nothing to stop attackers from automating this type of number reconnaissance.
Waidyalankara said it is recommended that Telcos teach their support employees to remind customers about the risks of relinquishing a mobile number without first disconnecting it from other identities and sites online.
It’s viral for people to use something other than text messages for two-factor authentication on their email accounts when stronger authentication options are available, such as Google Authenticator, he explained.
The full Princeton study can be accessed here:
https://recyclednumbers.cs.princeton.edu/assets/recycled-numbers-latest.pdf
(NewsWire)