As industry leaders and cybersecurity experts call on people everywhere to take steps to improve their online security, newer, more user-friendly account verification techniques, such as phone verification and two-factor authentication (2FA), are increasing in adoption.
These features enable websites and mobile apps to verify a unique identity for each legitimate end-user through their valid phone number. Through this phone number, provided by the end-user, businesses can prevent fraud and protect account access through 2FA—where the device tied to that number serves as the second factor. Phone numbers are now often considered the trust anchor for end-user accounts. In some cases, a user’s valid phone number is their user name.
But what happens when the very phone numbers that are used to verify and keep end-users secure are given up, recycled and assigned to a new person?
What is phone number deactivation?
Phone number deactivation is an industry term that refers to the event when a user disconnects their phone number completely. This could be because they moved to a new city, want to prevent specific people from reaching them, or just feel like changing things up. Whatever the reason may be, they are no longer reachable at this phone number.
What is phone number recycling?
Phone number recycling is the industry term for the event when that deactivated/disconnected number gets reassigned to someone else. Typically, it takes at least 90 days for this reassignment to take place, but it can be faster in high-demand area codes (212, 310, etc.).
Why is number recycling a problem?
According to the FCC, approximately 35 million phone numbers are recycled every year, or about 100k every single day. Benchmarked against the 361 million U.S. phone numbers, approximately 10% – or 1 out of 10 – phone numbers change hands every year.
To understand the security risks of phone number recycling, researchers from the Department of Computer Science and Center for Information Policy at Princeton University analyzed a sample of 259 reassigned phone numbers. The researchers discovered that two-thirds – or 66% – maintained active connections to accounts owned by the previous owners.
Recycled phone numbers create significant security and privacy risks.
In the most basic scenario, the new owner of a phone number is now tied to the account that the former owner linked to that same number—providing access to someone else’s account. Alternatively, this can also lead to:
- The true user being locked out
- Account notification failure
- Security code failure
- Password resets and other messages and alerts not reaching the end-user
What are some solutions?
The good news is there are ways for companies to stay on top of this dilemma and protect their users. The difficulty in keeping up with recycled numbers is the sheer amount of data, which can prove overwhelming for most companies. This is where Telesign comes in.
As a registered mobile operator, and thanks to our numerous telco partnerships, Telesign is able to provide our customers with valuable data attributes across the number lifecycle for virtually any number in the world, to help deliver assurance and prevent fraudulent activity.
One of our products, PhoneID, provides a variety of phone-based risk indicators that companies can integrate into their systems to better assess the risk of a user based on their phone number.
One such indicator is Number Deactivation, which helps customers determine when a phone number has been truly deactivated, based on carriers’ phone number data and our proprietary analysis. This empowers companies to update account details and avoid accidentally leaking user data before a number is moved over to a new user.
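One way an application could act on a deactivation signal before sending codes or password resets to a number on file, as an added example (not Telesign code and not the PhoneID API). The `PhoneBinding` fields, the `last_deactivation` input, the one-year `max_age` policy and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PhoneBinding:
    account_id: str
    e164: str                # phone number on file
    last_verified: datetime  # last time the user proved possession (e.g. an OTP)


def sms_trust(binding: PhoneBinding, last_deactivation: Optional[datetime],
              now: datetime, max_age: timedelta = timedelta(days=365)) -> str:
    """Decide whether the number on file may still receive codes and resets.

    last_deactivation is the most recent disconnect date reported by a
    number-intelligence source, or None if no deactivation is on record.
    """
    if last_deactivation is not None and last_deactivation >= binding.last_verified:
        # Disconnected after the user last proved possession: whoever holds
        # the number now may be a different person. Stop SMS codes and
        # resets, unbind the number, and require another factor.
        return "unbind"
    if now - binding.last_verified > max_age:
        # No deactivation on record, but the proof of possession is old
        # (max_age is an assumed policy): reconfirm in a signed-in session.
        return "reverify"
    return "trusted"


def plan(bindings: List[PhoneBinding], deactivations: Dict[str, datetime],
         now: datetime) -> Dict[str, str]:
    """Map each account to the action for its bound number."""
    return {b.account_id: sms_trust(b, deactivations.get(b.e164), now)
            for b in bindings}


# Constructed sample data (fictional numbers and dates).
UTC = timezone.utc
NOW = datetime(2024, 6, 1, tzinfo=UTC)
BINDINGS = [
    PhoneBinding("alice", "+15555550101", datetime(2023, 9, 1, tzinfo=UTC)),
    PhoneBinding("bob", "+15555550102", datetime(2024, 3, 1, tzinfo=UTC)),
    PhoneBinding("carol", "+15555550103", datetime(2022, 1, 15, tzinfo=UTC)),
    PhoneBinding("dave", "+15555550104", datetime(2024, 5, 1, tzinfo=UTC)),
]
DEACTIVATIONS = {
    "+15555550101": datetime(2024, 1, 10, tzinfo=UTC),  # after alice verified
    "+15555550104": datetime(2023, 2, 1, tzinfo=UTC),   # before dave verified
}
```

The comparison against `last_verified` is what keeps a legitimate new holder (dave in the sample) from being locked out: a deactivation that predates their own verification belongs to the previous owner.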
With experts estimating we won’t reach “number exhaustion” for 10-digit phone numbers until roughly 2040, the dilemma around recycled phone numbers will persist. It is up to end-users to stay vigilant with their own data and online security, and up to companies to take steps to help protect their users however they can.
Telesign is here to help, so speak with us today to see how we can best protect you and your users.