Blog WatchGuard

Old mobile numbers can compromise unsecure MFA systems

Multi-factor authentication (MFA) adds a layer of security to logins that is essential to prevent unwanted access. This verification process uses a second device owned by the user as an additional identity element: a token is sent to (or generated on) that device to confirm that the login is genuine. The most secure MFA systems use applications to generate temporary codes, but many still rely on sending one-time passwords (OTP) by text message to mobile phones. However, this method can be ineffective and endanger the user's security. What happens when your old mobile number falls into the hands of third parties? A recent study addresses this issue, warning about the risks of reusing old mobile numbers.

Owners of a mobile phone number don't usually give it up for a new one, but this can happen when a mobile carrier offers attractive deals for new registrations. Owners can also take time to update the number they use for MFA. Carriers "recycle" old phone numbers in such cases, and they end up in the hands of new users. This isn't a problem unless the numbers are associated with MFA. Princeton University has published a study warning about the risks of reusing phone numbers in the United States, which is a common practice among carriers.

Old mobile phone numbers, a gateway for cybercriminals 

The study reveals alarming data: up to 66% of the reused numbers analyzed were still linked via MFA to their previous owners. This poses two problems for the previous owner: first, if the new owner of the mobile line wanted to, they could receive the MFA codes for the previous owner's account and use them to access it; second, the previous owner would have no way of recovering their password if they forgot it, and would not be able to log in from a new device.

To illustrate the seriousness of the issue, the study focuses on the case of the owner of a reused number who started receiving text messages reminding him of a doctor's appointment for the previous owner. Considering that MFA is also used for banking, data storage and Cloud photo services, the potential damage is obvious if such a number falls into malicious hands. Why then do carriers reuse phone numbers? It is simply a matter of availability: Spain has a mobile penetration rate of approximately 112% (CNMC data, 2019), in other words, there are eight million more lines than inhabitants. Given these figures, it is easy to understand that the numbers run out and carriers rush to reuse them.

Protect user security through MFA not associated with a phone number 

Beyond being aware of the risk of forgetting the MFA links to your old mobile number when you change phone number, it is crucial to shield corporate mobile phones so that they do not depend solely on sending a token to a phone number. The safest approach is to link the user's authentication to the mobile phone itself rather than to the phone line: in other words, to use the phone's own "DNA" (a signature unique to that device) to verify the user's authenticity, so that the token cannot be reproduced on another device.
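The toy model below is an added illustration, not code from this post or from WatchGuard; it assumes a carrier routing table (number to current handset) and a per-device secret key, and shows why an SMS one-time code follows a recycled number to its new holder while a device-bound challenge does not:

```python
import hashlib
import hmac
import secrets


class Handset:
    def __init__(self):
        self.inbox = []                             # SMS messages received by this phone
        self.device_key = secrets.token_bytes(32)   # secret that never leaves the device

class SmsOtpFactor:
    """MFA bound to a phone number: the verifier only remembers the number."""
    def __init__(self, routes):
        # routes is the carrier table: number -> handset that holds it today
        self.routes, self.numbers, self.pending = routes, {}, {}

    def enroll(self, user, number):
        self.numbers[user] = number

    def challenge(self, user):
        self.pending[user] = f"{secrets.randbelow(10**6):06d}"
        # Delivered to whoever holds the number now, not to whoever enrolled it.
        self.routes[self.numbers[user]].inbox.append(self.pending[user])

    def verify(self, user, code):
        return hmac.compare_digest(self.pending.pop(user, ""), code)

class DeviceBoundFactor:
    """MFA bound to the handset: enrollment records the device key, not the number."""
    def __init__(self):
        self.keys = {}

    def enroll(self, user, handset):
        self.keys[user] = handset.device_key

    def verify(self, user, handset, nonce):
        sign = lambda key: hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(sign(self.keys[user]), sign(handset.device_key))

def simulate_recycled_number():
    old_owner, new_holder = Handset(), Handset()
    number = "+34600000001"  # constructed sample number
    routes = {number: old_owner}
    sms, bound = SmsOtpFactor(routes), DeviceBoundFactor()
    sms.enroll("alice", number)
    bound.enroll("alice", old_owner)
    routes[number] = new_holder  # carrier recycles the number; the MFA link is never updated
    sms.challenge("alice")
    sms_passes = sms.verify("alice", new_holder.inbox[-1])
    bound_passes = bound.verify("alice", new_holder, secrets.token_bytes(16))
    return sms_passes, bound_passes  # returns (True, False)
```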

WatchGuard AuthPoint offers the security capabilities and all the elements MSPs need to ensure optimal protection of the mobile devices of the corporate customers who rely on their solutions. This tool bases MFA on the phone's own DNA, ensuring that each device has a unique, unrepeatable signature that cannot be replicated on another phone and does not depend on the phone number. It is managed directly from the Cloud, where login alerts and generated tokens are handled. WatchGuard AuthPoint ensures secure logins without the need to manage tokens, as users authenticate via the mobile app.