Russians can gain access to the accounts of previous phone number owners when switching mobile phone numbers.
Heads up! Security matters shouldn't be an afterthought, especially when it comes to your SIM card and unique phone number.
Kicking off our concerns about privacy, let's talk about an experience that has left family members of ours scratching their heads – the co-opted phone number. Purchasing a SIM card from a popular telco brand, we followed the standard operating procedure by registering on messengers like Telegram. Upon registration, instead of opening a fresh, clean account, we stumbled upon someone else's – meet Khamedullo, a guest from the south, complete with a curious-looking avatar that never fails to warm our hearts.
So, as you might have guessed, the number you thought you were buying wasn't exactly brand new. Telegram requests your phone number, and suddenly it's not yours, but that of the previous SIM card holder. Interestingly, this situation is far from unique; other users have voiced similar concerns. The burning question: If I switch my SIM card, will the new owner still have access to my messages?
Unraveling the Mystery:
Is the telecom operator at fault for poorly cleaning the SIM card, or are messenger services to blame for this security hole? According to Dmitry Galov, head of Kaspersky GReAT in Russia, SIM card reissuance is handled by operators. Old numbers are recycled primarily because the number pool isn't infinite. A number may have cycled through various owners before our family happened upon it. Operators do have internal rules dictating a number's "resting" period after its owner has abandoned it. However, this duration can vary between operators (Opting for MegaTel, perhaps?). The core idea is that during this inactivity phase, the user should either link their accounts to a new phone number or be automatically blocked by the service due to inactivity.
As for services, Igor Bederov, general director of the company "Internet-Search", sheds light on the vulnerability. He explains that SMS authorization involves no second factor. So when we recover access instead of registering anew, the confirmation code arrives on our newly acquired number, which the service still recognizes as the old owner's. This lack of a second authentication factor potentially exposes the previous owner's data, conversations, and personal accounts to unauthorized access.
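The mechanism described above, modeled from the service's side as an added example (not code from the article or from any messenger): an SMS-only login hands a recycled number's account to its new holder, while a second factor or an inactivity block stops that. The `login` function, the 180-day limit, and the sample numbers and names are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

INACTIVITY_LIMIT = timedelta(days=180)  # assumed policy value, not from the article

def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

@dataclass
class Account:
    owner: str
    last_seen: datetime
    salt: bytes = b""
    pw_hash: Optional[bytes] = None  # None: the SMS code is the only factor

def login(accounts, phone, sms_ok, now, password="", hardened=True):
    """Outcome for whoever currently holds `phone` and passes the SMS check."""
    if not sms_ok:
        return "denied"
    acct = accounts.get(phone)
    if acct is None:
        return "new_account"
    if not hardened:
        return "logged_in_as:" + acct.owner  # holding the number equals identity
    if acct.pw_hash is not None:  # second factor set: the SMS code is not enough
        ok = hmac.compare_digest(hash_pw(password, acct.salt), acct.pw_hash)
        return "logged_in_as:" + acct.owner if ok else "second_factor_required"
    if now - acct.last_seen > INACTIVITY_LIMIT:
        del accounts[phone]  # stale SMS-only account: detach it from the number
        return "new_account"
    return "logged_in_as:" + acct.owner  # residual risk: no 2FA, fast recycling

def demo():
    now = datetime(2024, 6, 1)
    old = now - timedelta(days=400)
    salt = b"constructed-salt"  # fixed only to keep the sample reproducible
    accounts = {  # constructed sample data: two recycled numbers
        "+70000000001": Account("prev-owner-a", old),
        "+70000000002": Account("prev-owner-b", old, salt, hash_pw("old secret", salt)),
    }
    return [
        login(accounts, "+70000000001", True, now, hardened=False),
        login(accounts, "+70000000001", True, now),
        login(accounts, "+70000000002", True, now),
        login(accounts, "+70000000002", True, now, password="old secret"),
    ]

if __name__ == "__main__":
    print(demo())
```

The last branch of `login` is the case neither control covers: an SMS-only account whose number changed hands before the inactivity limit expired.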
Rumors and Reality:
Are there spooky rumors floating around regarding scammers intentionally purchasing used numbers to extract confidential information for blackmail or hacking financial apps? Theoretically, attackers can buy SIM cards and use them to attempt accessing other people's accounts through their phone numbers. However, the occurrences of such activities are rare, thanks to tightening operator controls. Overall, the risks might be overstated.
Services that Alarm:
From Telegram and WhatsApp to Gosuslugi and countless financial services, many vital services rely on phone numbers for authentication. Neglecting two-factor authentication in such services could lead to potential compromise of sensitive data. Some companies require users to take photos or selfies for account verification, especially in car-sharing services. However, unsuspecting organizations are often careless about the security measures they employ.
The Path to Safety:
In light of this situation, it's crucial to take proactive measures. Enabling two-factor authentication is key. This option is available on popular platforms like social networks and messengers in Russia (time to say goodbye to those passwords?).
Dmitry Galov suggests that before giving up a number, users should understand the services reliant on it and contact the service's support or update the settings accordingly. Many applications periodically verify phone numbers, sending notifications to check if the number is still the user's. Important services allow number changes, simplifying the process. After linking accounts to a new number, access from the old one becomes impossible.
Remembering to inform friends, colleagues, and close contacts about your number change is also important (bottom line: keep your squad informed).
A Lawyer's Take:
Given that all SIM cards are now linked through Gosuslugi, Igor Bederov reminds us of potential legal hurdles. Unscrupulous users could face criminal liability for transferring personal accounts to third parties if they were used in illicit activities. If a new user purchases a SIM card with data from the previous owner and subsequently uses those accounts for illegal activities – such as spreading malware or operating fraudulent scams – both the account owner and the new user could be held accountable.
Troubleshooting a Shady SIM Card:
If you've managed to purchase a SIM card associated with someone else's data, refrain from logging in. Contact the technical support of the service in question (such as Telegram or VK) and ask them to unlink the other person's account from your number. Provide proof of your ownership of the SIM card via Gosuslugi or the operator, and then follow their instructions to claim a new account. Engage with your operator to obtain a new number if the current one is causing trouble.
Last Call:
In the end, experts suggest a broader implementation of full two-factor authentication, moving away from SMS-based authentication altogether due to its security vulnerabilities. Methods like authenticator apps, push notifications, fingerprint recognition, and hardware tokens can offer improved protection for user identification.
- When purchasing a SIM card, it's essential to consider cybersecurity measures, especially considering technology advancements and the potential vulnerabilities in messenger services, such as Telegram.
- As debate persists on the security of phone numbers in technology, the importance of enabling two-factor authentication cannot be overstated, especially for services like social networks, messengers, and financial applications.