A WhatsApp account hijacking shows why phone numbers are not good logins A WhatsApp account hijacking shows why phone numbers are not good logins
When Ugo moved to a new country last October, he got a new phone number. Ugo, who lives in Europe, where WhatsApp is very... A WhatsApp account hijacking shows why phone numbers are not good logins

When Ugo moved to a new country last October, he got a new phone number. Ugo, who lives in Europe, where WhatsApp is very popular, didn’t immediately register his new phone number on the app, but was able to continue to use it as normal. It was only when he told WhatsApp that he had a new phone number that the trouble began.

His profile photo changed to a picture of a young woman, and his phone was flooded with new messages from Italian-speaking strangers, including from group chats he was suddenly added to — one of which seemed to be for a family that was not his own.

Ugo, who did not want his last name revealed for privacy reasons, had unintentionally taken over the WhatsApp account of the woman who had the new phone number before he did. She was an active WhatsApp user, but she’d also, apparently, neglected to tell the app what her new phone number was. So when Ugo told his account that he had a new phone number, he assumed control of the WhatsApp account that was still tied to it, and it was merged with his.

“I don’t even know if she was able to regain access to her account at all because for days — weeks, in fact — I was still receiving her messages, even though I kept telling all these people I wasn’t the person they thought I was,” Ugo told Recode. “She was lucky I had good intentions. Her account could’ve merged with someone much less forgiving.”

Ugo isn’t the only WhatsApp user this has happened to. Phone number recycling is a problem WhatsApp is aware of and has largely left to its users to prevent or solve. But it’s also not unique to WhatsApp.

Countless apps and services rely on your phone number to identify you, and that number is not necessarily permanent. Phone numbers are also vulnerable to hackers. They were never meant to be permanent identifiers, so incidents like what happened to Ugo are widespread, ongoing problems that the industry has known about for years. There are at least two research papers about phone number recycling that lay out the potential risks, from targeted attacks by hackers or people who easily buy up recently discarded phone numbers to being cut off from your accounts entirely and a stranger getting access to your life.

Yet the burden is often on users to protect themselves from a security issue that was created for them by some of their favorite apps. Even things that those services might recommend as an added security measure — like text, SMS, or multi-factor authentication — can actually introduce more vulnerabilities.

The number problem

If we didn’t reuse phone numbers, we’d soon run out of them. An estimated 35 million phone numbers are recycled every year in the United States, according to a 2017 FCC analysis of data from the North American Numbering Plan Administrator (NANPA). And there are currently 2.74 billion assignable phone numbers in the US and its territories, NANPA told Recode, though that doesn’t mean all of those numbers have actually been assigned (about half of them haven’t, according to FCC data). So when you give up your phone number, it’s only a matter of time before it gets reassigned to someone else.

In the United States, carriers have to wait at least 45 days before they can assign it to a new user. But that minimum waiting period was only put into effect in 2020. Before that, it was up to the carriers to decide how long to wait before recycling a phone number. Some only waited a few days, according to an FCC report. In France, where Ugo got his new phone number, the minimum waiting time was recently reduced from three months to 45 days.

This makes it pretty easy for misdirected calls to happen. A few decades ago, getting phone calls on your landline that were meant for whoever had the number before you might be annoying, but you weren’t being blasted with large blocks of texts, images, and videos that were meant for someone else, nor was your phone number the key to unlocking various goods and services.

In the age of the smartphone, however, phone number recycling is a major privacy and security problem. Many of us keep huge parts of our lives in our phones and the apps on them. Some of those apps, like WhatsApp, require our phone numbers to register for accounts. Or we use our phone number as a security measure. But phone numbers were never intended to perform these functions. And, as Ugo’s story shows, there are unintended consequences when they do.

But even before the iPhone changed the mobile game, there were concerns over using phone numbers as identifiers.

“Back in 2001 when I worked at Vodafone, we saw this problem coming,” said Marc Rogers, who is now chief security officer at the cybersecurity firm Q-Net Security.

SFGate published a story in 2006 about a man who got a recycled number and was barraged with texts from various women, which both displeased his fianceé and were charged to him because, again, this was in 2006, when pay-per-text was much more common. More recently, we’ve seen plenty of stories about phone numbers changing hands, causing accounts to be taken over by strangers on platforms like Facebook and Airbnb. It’s even happened on WhatsApp before.

The problem isn’t just accidental takeovers. Mobile phones have what’s known as a SIM, or subscriber identity module. That’s usually stored on a tiny removable card, although newer iPhones have embedded them into the devices themselves. If a bad actor gets control of your SIM — this is known as SIM jacking or SIM swapping — or they’re able to reroute text messages that are meant for you, they can access the accounts your phone number unlocks.

“The entire SIM swap ecosystem has sprung up around the vulnerability of SMS,” Rogers said.

In a study about security risks due to recycled phone numbers, Princeton computer science professor Arvind Narayanan and researcher Kevin Lee found that most of the available phone numbers at T-Mobile and Verizon were still attached to accounts on various websites, indicating that the people who had those numbers previously hadn’t yet told those services their numbers had changed. Of the 200 recycled numbers Lee and Narayanan bought for the study, they were able to obtain sensitive data (defined as anything with personally identifiable information or multi-factor authentication passcodes) that was meant for the number’s previous owner on nearly 10 percent of them. And that was after just one week.

It’s not just phone numbers that we’ve turned into problematic identifiers. There are also Social Security numbers, which started out as a way to track workers’ earnings even if they changed jobs, addresses, and names, but have evolved into national identifiers, used by the IRS, financial institutions, and even health providers. Anyone whose identity has been stolen can tell you that this Social Security number system isn’t perfect. Email addresses serve a similar unintended purpose, which causes privacy problems if you happen to have an email address that is constantly mistaken for someone else’s.

The industry could do more, but it probably won’t

WhatsApp says it takes several steps to prevent scenarios like Ugo’s, such as removing account data from accounts that have been inactive for at least 45 days and are then activated on a different mobile device.

“If for some reason you no longer want to use WhatsApp tied to a particular phone number, then the best thing to do is transfer it to a new phone number or delete the account within the app,” WhatsApp told Recode. “In all cases, we strongly encourage people to use two-step verification for added security.”

Those solutions leave most of the work to users, some of whom aren’t aware of their responsibilities. Enabling two-step or multi-factor authentication by default, which companies like Google and Amazon have done on some of their services, would stop these hijackings. WhatsApp could also ask users to verify their phone numbers occasionally, which would prod people like the previous owner of Ugo’s new number to transfer her account before it was hijacked.

There are other things the industry — apps, carriers, phone operating system developers — can do. But they usually don’t unless they’re legally required to or something truly egregious happens. In the meantime, many of them like to demand phone numbers from users even in cases where it’s not necessary that they have them. And they’re not always very responsible with those numbers, either.

“We knew it was a problem 20 years ago, but almost nothing has happened to reduce the risk for consumers. It’s probably about time for policymakers to step in and start putting pressure on the telecommunications companies to look at ways this can be resolved technically,” Rogers said.

In the end, businesses will always have their best interests at heart, and those aren’t always yours. You have to protect yourself.

What you can do

You may be thinking that this doesn’t apply to you if you aren’t planning on changing your number. But that change may not be planned. A hit song might come out with your phone number as its chorus. Or the president could give it out during a campaign rally. Or you might reveal it on Twitter to make a point about AI chatbots that you didn’t think through. There are more serious reasons why you might have to change your phone number. Or you might die, in which case you won’t care about privacy and security issues anymore, but the people you leave behind might. Even if you keep your phone number forever, you’re not immune to some of these privacy issues.

“Even if you’re not planning on changing your number anytime soon, you may interact with friends or family members who have, and unknowingly end up sending sensitive information to new owners of those recycled numbers,” Lee, the Princeton researcher, said.

The best way to solve the problem is never to let it become one. That is, don’t attach your phone number to your accounts wherever possible. In some cases, like signing up for a WhatsApp account, you don’t have a choice. But you can at least minimize your exposure.

“People change their numbers for all sorts of reasons, and it’s practically impossible to update one’s number in every system and contact list out there,” Narayanan said.

You’ll also want to enable two-factor authentication everywhere you can, but don’t use your phone number as that second factor. Not only is it useless if you no longer have access to that phone number, but it’s also just not a good way to protect your account in general, considering how vulnerable phone numbers can be. Use an authenticator app or hardware key instead. Those can’t be SIM jacked, and they’re independent of your phone number.

There are some apps and services that you have to attach your phone number to or that only offer text authentication. You can try to avoid using them, but that’s not always possible. You can keep your old number from going back into circulation by using a phone number parking service, as Lee and Narayanan suggest in their study. Some are just a few dollars a month. It doesn’t even have to be forever; you may just want to do this for a year or two to give yourself more time to identify and switch your accounts over to the new number, and for your contacts to realize your number has changed.

Considering all the things that could go wrong when your phone number is given to someone else, however, the marginal cost might be worth it. Otherwise, you’re entrusting what could be very sensitive information to carriers, apps, websites, and whoever gets your phone number next. At that point, you can only hope that they take good care of it.

Source link