WhatsApp Account Takeover Shows Why Phone Numbers Are Not Proper Logins

When he moved to a new country last October, he got a new phone number. Ugo, who lives in Europe, where WhatsApp is very popular, didn’t immediately register his new phone number with the app, but was able to continue using it as normal. It was only when I told WhatsApp that I had a new phone number.

His profile picture changed to that of a young woman, and his phone was flooded with new messages from Italian-speaking strangers, including from a group chat he had suddenly been added to. I was. .

Hugo, who does not want to reveal his last name for privacy reasons, inadvertently hijacked the WhatsApp account of a woman who had a new phone number before him. It seems that I neglected to tell the app. So when Ugo told him he had a new phone number on his account, he took over control of his WhatsApp account that was still associated with it and it merged with his account.

“I don’t even know if she was able to regain access to her account because for days and weeks I was still getting her messages. ‘I thought it was,’ Hugo told Record. “She was lucky because I had good intentions. Her account could have been merged with someone less tolerant.”

Ugo isn’t the only WhatsApp user for whom this has happened. Phone number recycling is a problem his WhatsApp is aware of and it is up to the user to prevent or solve it. But it’s not just WhatsApp.

Countless apps and services use phone numbers to identify you, but those numbers aren’t always permanent. Phone numbers are also vulnerable to hackers. Because they were never meant to be persistent identifiers, incidents like the one with Ugo are a pervasive and ongoing problem that the industry has been aware of for years. There are at least two research papers on phone number recycling, from targeted attacks by hackers and from people who easily buy out recently abandoned phone numbers, allowing strangers to access your life completely disconnected from your account. Potential risk is indicated until .

However, users often bear the burden of protecting themselves from the security issues created by their favorite apps. Even the things these services recommend as extra security measures, such as text, SMS, and multi-factor authentication, can actually introduce more vulnerabilities.

number problem

If you don’t reuse phone numbers, you’ll quickly run out of them. An estimated 35 million phone numbers are recycled in the United States each year, according to a 2017 FCC analysis of data from the North American Numbering Plan Administrator (NANPA). Also, there are currently 2.74 billion assignable phone numbers in the United States and its territories, NANPA told his Recode, but not all of these numbers have actually been assigned. (About half of them are yet to be allocated, according to FCC data). So it’s only a matter of time before you give up your phone number and it’s reassigned to someone else.

In the US, carriers must wait at least 45 days before being able to assign new users. However, that minimum waiting period did not come into effect until 2020. Prior to that, it was up to carriers to decide how long to wait before recycling phone numbers. Some waited only a few days, according to the FCC’s report. In France, where Ugo got a new phone number, the minimum waiting time was recently reduced from his three months to his 45 days.

This makes calling the wrong destination very easy. Decades ago, it might have been annoying to get a phone call to your landline if you knew the phone number, but you’re not going to be bombarded with text, images and videos. was. Your phone number was the key to unlocking various goods and services.

However, in the age of smartphones, recycling phone numbers is a major privacy and security issue. Most of us store most of our lives on our phones and their apps. Some apps, such as WhatsApp, require a phone number to register an account. Or use your phone number as a security measure. However, phone numbers are not intended to perform these functions. And, as Hugo’s story shows, doing so has unintended consequences.

But even before the iPhone changed the mobile game, there were concerns about using phone numbers as identifiers.

“I saw this issue happen in 2001 when I was working at Vodafone,” said Marc Rogers, now chief security officer at cybersecurity firm Q-Net Security.

In 2006, SFGate published a story about a man who obtained a reused number and was barraged with texts from various women. This made the fiancée uncomfortable and charged him. more common. Lately, we’ve seen a lot of stories on platforms like Facebook and his Airbnb about phone numbers changing ownership that have caused strangers to take over their accounts. It happened before with WhatsApp too.

Accidental hijacking isn’t the only problem. Mobile phones have something called a SIM or subscriber ID module. It’s usually stored on a small removable card, but on newer iPhones it’s embedded in the device itself. If a malicious person hijacks your girlfriend’s SIM (this is known as SIMjacking or SIM swapping), or is able to reroute text messages to you, they can access your phone number. You can access accounts unlocked with .

“The whole SIM swap ecosystem has sprung up over the SMS vulnerability,” said Rogers.

In a study on the security risks from recycled phone numbers, Princeton University computer science professor Arvind Narayanan and researcher Kevin Lee found that most of the phone numbers available at T-Mobile and Verizon are still in accounts on various websites. found to be associated. Those numbers had not previously notified those services that they had changed numbers. Of the 200 recycled numbers that Lee and Narayanan purchased for their research, about 10% contained sensitive data (personally identifiable information or multi-factor authentication passcodes) intended for the number’s previous owner. ) was obtained. And that was just a week later.

Phone numbers aren’t the only problematic identifiers. I also have a social security number. It started as a way to track workers’ earnings even if they changed jobs, addresses or names, but has evolved into a national identification number used by the IRS, financial institutions and even health care providers. We did. Anyone whose ID was stolen can tell that this Social Security Number system is not perfect. Email addresses serve a similar unintended purpose. This creates a privacy issue if you have an e-mail address that is constantly mistaken for someone else’s e-mail address.

The industry could do more, but it probably won’t

WhatsApp says it is taking several steps to prevent scenarios like Ugo’s, including deleting account data from accounts that have been inactive for at least 45 days and activating them on another mobile device.

“If for some reason you don’t want to use WhatsApp associated with a particular phone number, the best thing to do is transfer it to a new number or delete your account within the app,” WhatsApp told Recode. I’m here. “In all cases, he highly recommends using two-factor authentication for added security.”

These solutions leave most of the work to the user, and some users are unaware of their responsibilities. Enabling his two-step or multi-factor authentication by default, which companies like Google and Amazon do for some of their services, can stop these hijacks. WhatsApp may also ask users to verify their phone number from time to time. This will encourage people like the previous owners of Ugo’s new number to give her account over before it is hijacked.

There is more that the industry can do, such as developers of apps, carriers, and phone operating systems. But I usually don’t unless I’m legally required to do so or something really bad has happened. In the meantime, many of them prefer to ask users for their phone numbers, even if they don’t have to have them. .

“We’ve known this to be a problem for 20 years, but little has been done to mitigate consumer risk. It’s time to start putting pressure on telecom companies to look at ways,” said Rogers.

Ultimately, business always has their best interests at heart, but that may not always be in your best interests. you have to protect yourself.

what you can do

If you don’t plan on changing your number, you may be thinking that this isn’t the case for you. However, that change may not have been planned. A hit song might come out with your phone number as the chorus. Alternatively, the president can distribute it during campaign rallies.or maybe you published on twitter Point out AI chatbots you didn’t know about considerThere are more serious reasons why you should change your phone number. Or you may die. In that case, you no longer care about privacy or security issues, but the people you leave behind might. I can not do it.

“Even if you don’t plan to change your number right away, contact friends and family who have changed your number,” Lee, a researcher at Princeton University, said. You may end up sending it to the new owner.”

The best way to solve the problem is to never have one. In other words, avoid attaching phone numbers to accounts whenever possible. Sometimes you have no choice, like signing up for a WhatsApp account. But at least you can minimize your exposure.

“People change their numbers for all sorts of reasons. It’s virtually impossible to update their number in every system and contact list,” said Narayanan.

You should also enable two-factor authentication whenever possible, but don’t use your phone number as a second factor. Not only is it useless if you lose access to that phone number, but it’s generally not a good way to secure your account given how vulnerable phone numbers can be. Please use the key. They cannot be SIM jacked and are unrelated to phone numbers.

There are some apps and services that require you to attach your phone number or that only offer text authentication. You can avoid using them, but it’s not always possible. As suggested by Lee and Narayanan’s study, using phone number parking services can prevent old numbers from going into circulation. Some are only a few dollars a month. It doesn’t even have to be forever. We recommend doing this for a year or two to allow time for the account to be identified and switched to the new number, and for your contacts to be aware that the number has changed.

However, the marginal cost might be worth it, given all the things that could go wrong if your phone number were passed on to someone else. You leave a lot of information to carriers, apps, websites, and whoever gets your phone number next. At that point, I can only hope they take care of it.