The Kenyan government launched the Gava Mkononi app this week.
Against this backdrop, there are genuine concerns about risks to personal data and the steps being taken to safeguard it. In this article, we review the risks associated with recycled phone numbers.
Gava Mkononi and eCitizen
The Kenyan government has prioritized mobile phones in its digital services ambition to scale up access to government services from the current 400 to 5,000 by the end of the year. To that end, it is facilitating citizens' access to low-priced mobile phones through a local manufacturer and a leading telco.
The Gava Mkononi service is an extension of the country’s eCitizen platform. The eCitizen platform uses SMS-based authentication where a single-use passcode (OTP) is sent to the subscriber's phone through a text message.
Negative effects of recycled numbers
More than ever, phone numbers are tied to people’s identities.
They are used to link online accounts (social media accounts, ride-sharing apps, mobile banking) to real-world entities. They are also used for authentication.
Phone numbers are also a finite resource. Therefore, numbers that are no longer in use are not permanently retired.
Recycling phone numbers occurs when subscribers are assigned a previously owned phone number.
An inactive line is recycled and re-issued to another person. A phone line becomes inactive for various reasons, including:
- switch to a new carrier,
- cancelled service,
- death,
- switch to another number,
- violation of service terms,
- lack of use.
The new owner of the line often ends up receiving communication meant for the previous owner.
Whereas recycling phone numbers serves commercial purposes, the practice also has inherent risks.

Personally Identifiable Information (PII) can go out the door with recycled numbers. Adversaries can exploit phone number recycling. A man was recently charged with stealing Kes.400,000 after he used a recycled line assigned to him to access money in the previous owner's bank account.
A couple of questions persist:
- Who is responsible for data breaches?
- Who is responsible for notifying service providers that the line needs to be updated?
Kevin Lee & Arvind Narayanan, researchers from the Department of Computer Science and Center for Information Technology Policy at Princeton University, conducted a study on the security and privacy risks of number recycling. They sampled 259 phone numbers available to new subscribers at two major carriers and found that:
- 171 numbers were tied to existing accounts at popular websites, potentially allowing those accounts to be hijacked.
- A majority of available numbers led to hits on search services, which provide PII on previous owners.
- 100 numbers were linked to leaked login credentials on the dark web, which could enable account hijackings that defeat SMS-based multi-factor authentication.
The full research paper can be accessed here.
Some suggested actions
The following are selected measures that can be taken to mitigate and assign risks associated with number recycling:
- users and service providers to switch to or prioritize email authentication by providers that do not recycle accounts, e.g. Gmail.
- the Communication Authority of Kenya to work with the Competition Authority of Kenya to create a recycled number database. Carriers to be mandated to report recycled numbers monthly, which would be compiled into a centralized source. Users to be facilitated, at a fee, to check for reassigned numbers against their calling lists, thereby reducing the possibility of violations by users. This service would also facilitate database updates by service providers in keeping with data compliance (accuracy) requirements.
Other measures, aligned with specific threats, are outlined in the report extract below.
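As an added illustration (not code from any regulator, carrier or the eCitizen platform), the sketch below shows how a service provider could use such a recycled number database to decide whether SMS OTP is still safe for an account. The feed layout, field names, phone numbers and dates are all constructed assumptions; no such database or format exists on this page.

```python
from datetime import date

# Constructed sample of a monthly carrier report: number -> date the line was re-issued.
RECYCLED_FEED = {
    "+254700000001": date(2023, 5, 1),
    "+254700000002": date(2022, 11, 1),
}

# Constructed account records: when each account last proved control of its number.
ACCOUNTS = [
    {"user": "alice", "phone": "+254700000001", "phone_verified_on": date(2021, 3, 14)},
    {"user": "bob", "phone": "+254700000002", "phone_verified_on": date(2023, 1, 20)},
    {"user": "carol", "phone": "0700 000 003", "phone_verified_on": date(2020, 7, 2)},
    # dave is the previous owner of the number bob now holds, stored in local format
    {"user": "dave", "phone": "0700000002", "phone_verified_on": date(2022, 6, 1)},
]


def normalize(msisdn, country_code="254"):
    """Reduce a number written in local or international form to +254XXXXXXXXX."""
    digits = "".join(ch for ch in msisdn if ch.isdigit())
    if digits.startswith("0"):
        digits = country_code + digits[1:]
    return "+" + digits


def sms_otp_allowed(account, feed):
    """Allow SMS OTP only if the number was verified after its last re-issue.

    Verification on the same day as the re-issue is ambiguous, so it is refused.
    """
    reissued = feed.get(normalize(account["phone"]))
    return reissued is None or account["phone_verified_on"] > reissued


def accounts_to_reverify(accounts, feed):
    """Return users whose number changed hands since they last verified it."""
    return [a["user"] for a in accounts if not sms_otp_allowed(a, feed)]


if __name__ == "__main__":
    print(accounts_to_reverify(ACCOUNTS, RECYCLED_FEED))
```

Accounts returned by `accounts_to_reverify` would have SMS OTP suspended until the owner re-verifies through another channel, which also keeps the stored number accurate.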

Conclusion
It takes more to be in compliance and protect your personal data.
We leave you with a report highlighting negative subscriber experiences with recycled lines.