As industry leaders and cybersecurity experts call on people everywhere to take steps to improve their online security, newer, more user-friendly account verification techniques, such as phone verification and two-factor authentication (2FA), are increasing in adoption. These features enable websites and mobile apps to verify a unique identity for each legitimate end-user through their valid phone number. Through this phone number, provided by the end-user, businesses can prevent fraud and protect account access through 2FA – where the device tied to that number serves as the “second factor.” Phone numbers are now often considered the “trust anchor” for end-user accounts. In some cases, a user's valid phone number is their user name. But what happens when the very phone numbers that are used to verify and keep end-users secure are given up, recycled and assigned to a new person?
Phone number deactivation is an industry term that refers to the event when a user disconnects their phone number completely. This could be because they moved to a new city, want to prevent specific people from reaching them, or just feel like changing things up. Whatever the reason may be, they are no longer reachable at this phone number.
Phone number recycling is the industry term that refers to the event when that deactivated/disconnected number gets reassigned to someone else. Typically, it takes at least 90 days for this reassignment to take place but it can be faster in high-demand area codes (212, 310, etc.).
Recent news has risen that shows what can happen when phone–based 2FA and recycled phone numbers collide. Even though this a rare occurrence (a study by the FCC found that in the US only 4.93% of users recycle their phone number each year), if users are not diligent in updating their account information and companies are not aware of numbers being recycled, it can lead to increased risks for the integrity of the account. In the most basic scenario, the new owner of a phone number is now tied to the account that the former owner linked to that same number—providing access to someone else's account. Alternatively, this can also lead to the true user being locked out and account notifications, security codes, password resets and other messages and alerts are not reaching the end-user.
The good news is there are ways for companies to stay on top of this dilemma and help protect their users. The tricky nature of keeping up with recycled numbers is the sheer amount of data, which can prove overwhelming for most companies. This is where TeleSign comes in. As a registered mobile operator, and thanks to our numerous telco partnerships, TeleSign is able to provide our customers with valuable data attributes across the number lifecycle for virtually any number in the world, to help deliver assurance and prevent fraudulent activity. One of our products, TeleSign PhoneID, provides a variety of phone-based risk indicators that companies can integrate into their systems to better asses the risk of a user based on their phone number. One such indicator is Number Deactivation, which helps customers determine when a phone number has been truly deactivated-- based on carriers' phone number data and our proprietary analysis. This empowers companies to update account details and avoid accidentally leaking user data before a number is moved over to a new user. With experts estimating we won't reach “number exhaustion” for 10-digit phone numbers until roughly 2040, the dilemma around recycled phone numbers will continue to persist. It is up to end-users to stay vigilant with their own data and online security and companies to take steps to help protect their users however they can. TeleSign is here to help, so reach out to our sales team today to see how we can best protect you and your users."