The Security Risks of Phone Number Recycling and How to Safeguard Yourself

Phone numbers are a limited resource, and telecommunications companies often reassign inactive numbers. This practice poses significant security risks. When a number is recycled, the new holder can receive recovery and verification messages meant for the previous owner, leading to potential impersonation or account compromises. In this article, we will delve into the dangers associated with number recycling and outline essential steps you can take to safeguard your personal information.

Understanding the Risks of Number Recycling

Numerous online services require your phone number for purposes such as account verification and recovery, while certain applications like WhatsApp rely exclusively on your phone number for functionality. If you deactivate or change a number without properly unlinking it from various accounts, the telecommunications provider may recycle it, handing it to a new user. This new user could gain access to accounts that are still associated with the old number.

To combat these security issues, many carriers enforce a “cooling-off”period, during which the number is not assigned to anyone else. This period usually lasts between 45 to 90 days, allowing the previous owner to unlink their accounts from the old number. However, it’s important to note that some services, including WhatsApp, will automatically delete user accounts after 120 days of inactivity. Many other services do not use this indicator for identifying recycled numbers, leaving former owners at risk.

Once a number has been recycled, the new owner may impersonate the prior user, hack into accounts through SMS recovery options, and access sensitive information. Cybercriminals actively search for recycled numbers, comparing them against leaked databases or examining consecutive number blocks, which makes them prime targets for exploitation.

To protect yourself from the perils of recycled numbers, proactive measures are essential, especially when deactivating a phone number.

Disassociate Your Accounts from the Old Number

It is crucial to unlink your phone number from all your accounts that utilize it for recovery or two-factor authentication (2FA).The challenge lies in identifying all accounts linked to that number. Here are some strategies to simplify the process:

Utilize your email: Since most accounts are tied to your email address, log in and perform a search using your number within quotes, such as “09991234567”.This can help you locate emails from services associated with your number.

Searching in Gmail with search bar in focus

Review your password manager: If you use a password manager, go through the saved entries to identify linked accounts.
Check third-party logins: For accounts associated with Google or Facebook, visit their respective connected apps pages to view linked services.

Properly Manage Your Messaging Accounts

For messaging applications such as WhatsApp, Signal, and Telegram, which rely on a dedicated number, ensure you follow the official procedures for deleting your account or changing your number. By doing so, you help prevent the transfer of your data and minimize the risk of impersonation.

For instance, in WhatsApp, you can navigate to Settings → Account to find options for both Change Number and Delete Account.

Remove Yourself from Promotional Communications

Promotional messages can reveal sensitive details about the previous owner’s activities, including personal information. To safeguard this information, review your text messages and unsubscribe from promotional offers by responding with STOP or UNSUBSCRIBE. Most promotional messages also contain an Unsubscribe link or instructions for opting out.

In addition to unsubscribing, consider searching for your information on data broker sites and removing it. The new user may discover your details through these platforms.

Inform Key Contacts About the Change

Even after a number has been recycled, it remains stored in the contacts of individuals who previously communicated with you. This can lead to confusion, as they may attempt to reach out to the new owner. It is advisable to send a message to key contacts, especially those in professional settings, informing them of your number change.

Keep Your Number Active

If you prefer not to go through the disassociation process, consider taking steps to prevent your number from being deactivated beforehand. For users on prepaid plans, regularly topping up and using your number (through calls, texts, or data) can help maintain its active status. Postpaid users simply need to ensure their bills are consistently paid to keep the number alive.

Opt for Alternatives to Phone Number-Based Recovery

Number recycling heightens the risk of account takeovers. The best preventative measure is to avoid linking your phone number to accounts whenever possible. While some services, like messaging apps and banks, necessitate a phone number, many others do not require it.

For account recovery, using an email address is sufficient. You may also set up a secondary email as a backup method for recovery. Additionally, utilizing passkeys can enhance security compared to traditional passwords, reducing reliance on potentially vulnerable recovery options. Furthermore, passkeys are more resistant to phishing attacks than standard 2FA methods.

When it comes to two-factor authentication, SMS verification is recognized as less secure, with organizations like Google moving toward phasing it out. Consider switching to more reliable methods, such as TOTP or push notifications, which do not depend on a phone number.

Conclusion

Your deactivated phone number can become a liability, particularly if you have not properly dissociated your accounts from it. If you’re transitioning to a new number, ensure that all old accounts are unlinked before deactivating the number to mitigate potential risks.

Source & Images