Captive of the past: a third of used SIM cards open access to other people's accounts

The study showed how old numbers can open access to data.

A new study by Positive Technologies has shown that more than a third of the SIM cards studied provide the ability to attempt authentication in services and applications.

Almost half of the phone numbers checked by the specialists had already been used to register accounts, and more than a third of all analyzed SIM cards allowed an attempt to log in to previously created accounts that were still active.

Experts studied 38 out of 80 popular applications, excluding services without browser versions and personal accounts of mobile operators from the initial list. The applications were divided into several categories: corporate websites, online stores, pharmacies, food delivery platforms, marketplaces, and social networks. Three types of SIM cards from five major operators were used for the experiment: 30 were purchased in mobile phone stores ("white"), 50 were purchased through Telegram channels ("gray"), and another 15 were rented through specialized online services (virtual).

It turned out that 43% of SIM cards had already been used by previous owners to register accounts in services from the compiled list, and for 37% of numbers, the accounts were active. Researchers were able to confirm the possibility of access to four accounts on marketplaces, but never to bank accounts.

Only one of the five operators blocked SIM cards on detecting the researchers' activity. It was also established that two of the five operators disclose the owner's full name when someone attempts to enter the personal account. According to the results of the experiment, there was no relationship between the type of SIM card (white, gray, virtual) and the probability of successful authorization.

In total, experts confirmed the possibility of access to 57 accounts of the former owners of phone numbers. The researchers also found that if the number had not previously been used to register on social networks, then there were no accounts with this number in other services.

"Our experiment showed that attackers can use your old phone number for attacks as soon as it goes back on sale. Developers should avoid using SMS as the only factor to confirm login or change passwords. When changing the number, users should be able to securely restore access to their accounts, and the registration and password recovery forms should not display information about the presence of an account for a specific number. It is important for telecom operators to notify customers about the blocking of a number via email or an alternative number," Positive Technologies commented.

Experts recommend that users retain access to their phone numbers and, if they lose a number, link their accounts to a new one. For critical applications such as instant messengers, social media, and online banking, an alternative authorization method such as email should be used. Experts also advise avoiding SMS login wherever possible and setting up two-factor authentication with a one-time password generator. In addition, it is recommended to deny mobile applications permission to read SMS messages, never to disclose one-time passwords, and, in case of suspicious activity, to contact the support service of the application or the telecom operator.
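The two developer-side recommendations above (do not reveal whether a number has an account; do not rely on SMS alone) can be illustrated with a small account-recovery handler. The following is an added example written for this post, not code from Positive Technologies or from any of the services studied; the user records, phone numbers and IP addresses are constructed, and the assumption is that the service holds a verified email address as a recovery channel independent of the SIM. It shows a leaky handler beside a uniform one, and a server-side check for a single source requesting recovery for many different numbers.

```python
"""Recovery endpoint that does not disclose whether a phone number is registered.
Added example; the store, numbers and sources below are constructed."""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample user store keyed by E.164 number. Assumption: the service
# keeps a verified email as a recovery channel that does not depend on the SIM.
USERS = {
    "+15550000001": {"email": "alice@example.com"},
    "+15550000002": {"email": "bob@example.com"},
}

# One fixed response body for every request, registered or not.
GENERIC_RESPONSE = {
    "status": "ok",
    "message": "If this number is registered, recovery instructions were sent "
               "to the recovery contact on file.",
}


def normalize_phone(raw: str) -> str:
    """Collapse spacing/punctuation variants into one '+digits' form so that
    '+1 555 000 0001' and '+15550000001' cannot be probed as two numbers."""
    return "+" + "".join(ch for ch in raw if ch.isdigit())


@dataclass
class RecordingSender:
    """Stand-in for an email gateway; records what would have been sent."""
    sent: list = field(default_factory=list)

    def __call__(self, address: str, token: str) -> None:
        self.sent.append((address, token))


def leaky_request_recovery(raw_phone: str, store: dict) -> dict:
    """The pattern the article warns about: the response differs for registered
    and unregistered numbers, so the holder of a recycled SIM can confirm which
    services the previous owner used. Kept here only for comparison."""
    if normalize_phone(raw_phone) not in store:
        return {"status": "error", "message": "No account for this number."}
    return {"status": "ok", "message": "SMS code sent."}


def request_recovery(raw_phone: str, store: dict, send_email,
                     audit: Optional[list] = None, source: str = "unknown") -> dict:
    """Uniform recovery: same response body and the same work on both paths,
    and the token goes to the email on file rather than by SMS to a number
    that may have changed hands."""
    phone = normalize_phone(raw_phone)
    token = secrets.token_urlsafe(32)          # generated whether or not the user exists
    user = store.get(phone)
    if user is not None:
        send_email(user["email"], token)
    # Record every attempt with a hashed number, so bulk probing can be detected
    # without the audit log itself becoming a directory of registered numbers.
    if audit is not None:
        audit.append({
            "source": source,
            "phone_hash": hashlib.sha256(phone.encode()).hexdigest()[:16],
            "registered": user is not None,
        })
    return dict(GENERIC_RESPONSE)


def probing_sources(audit: list, threshold: int = 20) -> list:
    """Sources that requested recovery for at least `threshold` distinct numbers
    (a simple detection for someone sweeping a batch of numbers)."""
    seen = {}
    for entry in audit:
        seen.setdefault(entry["source"], set()).add(entry["phone_hash"])
    return sorted(src for src, hashes in seen.items() if len(hashes) >= threshold)


def demo() -> dict:
    """Runs both handlers against a registered and an unknown number, then
    simulates one source sweeping 25 constructed numbers."""
    known, unknown = "+1 555 000 0001", "+15550009999"
    sender, audit = RecordingSender(), []
    r_known = request_recovery(known, USERS, sender, audit, source="198.51.100.7")
    r_unknown = request_recovery(unknown, USERS, sender, audit, source="198.51.100.7")
    for i in range(25):
        request_recovery(f"+1555100{i:04d}", USERS, sender, audit, source="203.0.113.9")
    return {
        "leaky_differs": leaky_request_recovery(known, USERS) != leaky_request_recovery(unknown, USERS),
        "uniform": r_known == r_unknown,
        "emails_sent": len(sender.sent),
        "email_to": sender.sent[0][0] if sender.sent else None,
        "audit_entries": len(audit),
        "flagged": probing_sources(audit, threshold=20),
    }


if __name__ == "__main__":
    print(demo())
```

The point of generating the token on both paths is that a registered and an unregistered number should cost the server about the same time as well as return the same body; the email channel is used because, as the study shows, a number alone no longer proves who is holding the SIM.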
