Forgotten phone numbers, lingering in customers’ profiles, are a potent weapon for fraudsters, turning a cornerstone of digital security — multifactor authentication — into a direct liability for financial institutions.
Account takeover, or ATO, fraud presents a multibillion-dollar threat, but an often overlooked form of attack is gaining traction: the exploitation of recycled phone numbers. After a federally mandated period of 45 to 90 days, a number disconnected by one person can be reassigned to anyone else.
According to Federal Communications Commission, or FCC, data from 2013 to 2016, carriers recycled approximately 35 million phone numbers in the U.S. each year. More
Not all of this churn is from individual consumers. Some is from businesses opening and closing, sometimes thousands of numbers at a time, for services such as alarm systems, remote monitoring and e-fax. These numbers are not associated with bank accounts.
However, for banks and credit unions that rely on phone numbers to verify customer identity, when an individual changes their phone number or drops it entirely, it creates a security loophole.
The problem directly undermines the security of sending one-time passcodes via SMS or automated voice messages. When financial institutions operate on the assumption that the phone number on file belongs to their customer, but the number is recycled, the institution may unknowingly send authentication codes and sensitive alerts directly to a fraudster.
This vulnerability is not theoretical. The National Institute of Standards and Technology, or NIST, explicitly advised government entities against using phone numbers for authentication, per
A proven threat
Princeton researchers Kevin Lee and Arvind Narayanan sampled 259 recycled numbers and found that “171 were tied to existing accounts at popular websites, potentially allowing those accounts to be hijacked,” they wrote.
The study confirmed that a motivated attacker can easily obtain these numbers and intercept sensitive communications. During a one-week monitoring period of recycled numbers they acquired, the researchers found that nearly 10% received security-sensitive messages intended for previous owners, including one-time passwords and mobile banking texts.
The researchers found that the online portals that carriers offer to register new phone numbers often have few or no limits on how many times a user can search for available numbers, making it easy for an attacker to write a simple script to query the carrier’s interface and filter for numbers that are likely recycled.
The Princeton researchers noted that new numbers are often assigned in consecutive blocks, like newly printed money. Recycled numbers, however, appear as random, nonsequential phone numbers within an area code. This makes it possible to determine whether a phone number is likely recycled.
These methods are a contributor to the larger crisis of ATO fraud, which cost U.S. adults an estimated $23 billion in 2023,
While recycled numbers represent only a fraction of these cases, they provide a direct and often undetectable path for criminals to seize control of an account.
When a fraudster gains control of a recovery phone number, they can reset passwords, change contact details and, eventually, drain funds, all while the legitimate customer remains unaware.
Closing the loophole: New verification methods
For banks that continue to use phone numbers as a form of identity verification, companies including Prove and Telesign provide real-time phone number intelligence services, which can help a bank verify the ownership and tenure of a phone number.
These services can be especially useful when making real-time risk assessments, such as when a high-risk transaction is requested.
These systems can also alert institutions if a number was recently ported or reassigned, a critical red flag indicating that an SMS authentication code might not be trustworthy.
By analyzing signals directly from the mobile network, these services help institutions determine the risk that changes on an account are the work of a fraudster who has just acquired a recycled number.
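The decision these services support is a simple one to state: if the carrier reports that the number on file was reassigned or ported after the customer registered it, an SMS passcode may now be landing with a stranger. The following is an added illustration of that policy check in Python; it is not code from this article, from Prove or from Telesign. The NumberIntel fields (last reassignment date, last port date, tenure in days) and the 90-day tenure floor for high-risk actions are assumptions standing in for whatever a real lookup returns and whatever threshold an institution sets.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


@dataclass
class NumberIntel:
    """Signals a phone-intelligence lookup could return for a number on file.

    Hypothetical shape for illustration, not any vendor's response format.
    Dates are ISO strings (YYYY-MM-DD), as a JSON API would deliver them.
    """
    last_reassigned: Optional[str] = None  # carrier handed the number to a new subscriber
    last_ported: Optional[str] = None      # number moved to another carrier
    tenure_days: Optional[int] = None      # how long the current subscriber has held it


@dataclass
class ChannelDecision:
    allow_sms_otp: bool
    reasons: List[str] = field(default_factory=list)


# Assumed policy threshold: for high-risk actions, require the current subscriber
# to have held the number at least this long before trusting it for OTP delivery.
MIN_TENURE_DAYS_HIGH_RISK = 90


def assess_sms_channel(number_added_on: str, intel: NumberIntel, high_risk: bool,
                       min_tenure_days: int = MIN_TENURE_DAYS_HIGH_RISK) -> ChannelDecision:
    """Decide whether an SMS one-time passcode may be sent to the number on file.

    number_added_on is the ISO date the customer registered this number with the
    institution. The rule that matters most for recycled numbers: any reassignment
    or port dated after that day means the number may no longer be the customer's.
    """
    added = date.fromisoformat(number_added_on)
    reasons: List[str] = []
    for label, when in (("reassigned", intel.last_reassigned), ("ported", intel.last_ported)):
        if when is not None and date.fromisoformat(when) > added:
            reasons.append(f"number {label} on {when}, after it was added to the profile on {number_added_on}")
    if high_risk:
        if intel.tenure_days is None:
            # No tenure signal at all: fail closed for anything high-risk.
            reasons.append("no tenure signal available for a high-risk action")
        elif intel.tenure_days < min_tenure_days:
            reasons.append(f"tenure of {intel.tenure_days} days is below the "
                           f"{min_tenure_days}-day minimum for a high-risk action")
    return ChannelDecision(allow_sms_otp=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed scenario: number added in 2021, carrier reports a reassignment in 2023.
    lookup = NumberIntel(last_reassigned="2023-06-15", tenure_days=40)
    decision = assess_sms_channel("2021-03-01", lookup, high_risk=True)
    print("send SMS OTP:", decision.allow_sms_otp)
    for reason in decision.reasons:
        print(" -", reason)
```

When the check fails, the institution's fallback should be a channel the new holder of the number cannot reach (an authenticator app, a call-back to a verified alternative, or in-branch verification), not a retry over the same SMS path.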
How institutions can advise customers
While institutions can adopt new technologies, customer education remains a critical line of defense.
Financial institutions can empower their customers by advising them to conduct an audit of sorts to find and remove old, unused phone numbers from their online accounts.
Key steps for customers include:
- Audit major hub accounts: Start by checking the security and recovery settings on all primary email accounts and social media profiles. These are often used to access other services.
- Search password managers: Customers who use a password manager can search it for any instance of an old phone number.
- Comb through email history: Search email archives for the old number, or for phrases like “verify your number” or “new account,” to uncover forgotten services where the number might be stored.
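The catch in both the password-manager and the email search is that the same number gets stored in many spellings, so a plain text search for "555-123-4567" misses "(555) 123-4567" and "+1 555 123 4567". The script below, an added example that is not part of the article, normalizes every US-format number it finds in a CSV export and reports the entries that still hold the old one. The export columns and the rows are constructed for the example, not taken from any real product or account.

```python
import csv
import io
import re
from typing import List, Optional

# Matches US numbers written the common ways ((555) 123-4567, 555.123.4567,
# +1 555 123 4567, 15551234567) and refuses digits that sit inside a longer
# digit run, so an order or reference number is not mistaken for a phone number.
PHONE_PATTERN = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"
)


def normalize_us_number(raw: str) -> Optional[str]:
    """Reduce a US number in any common format to its 10 digits; None if it is not one."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]  # drop the country code
    return digits if len(digits) == 10 else None


def find_old_number(export_csv: str, old_number: str) -> List[str]:
    """Return the 'name' of every export row that stores old_number in any field."""
    target = normalize_us_number(old_number)
    if target is None:
        raise ValueError(f"not a US phone number: {old_number!r}")
    hits: List[str] = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        haystack = " ".join(str(v or "") for v in row.values())
        if any(normalize_us_number(m.group()) == target
               for m in PHONE_PATTERN.finditer(haystack)):
            hits.append(row["name"])
    return hits


# Constructed sample export (not real accounts); the columns mimic a generic
# password-manager CSV. Only the first two rows carry the old number.
SAMPLE_EXPORT = """name,username,url,notes
Old Bank,jdoe,https://bank.example,"2FA via (555) 123-4567"
Social,jdoe,https://social.example,recovery +1 555 123 4567
Shopping,jdoe,https://shop.example,phone 555.987.6543
Forum,jdoe,https://forum.example,order 5551234567890
"""

if __name__ == "__main__":
    for name in find_old_number(SAMPLE_EXPORT, "555-123-4567"):
        print("still lists the old number:", name)
```

The same PHONE_PATTERN scan can be run over an exported mailbox to cover the email step; the normalization is what makes the hits reliable regardless of how each service formatted the number.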
By proactively encouraging this digital hygiene, banks and credit unions can help customers close a dangerous security gap that fraudsters are all too willing to exploit.