09/17/2020
Accidental Airbnb account takeover linked to recycled phone numbers
SC Magazine
It’s a flaw that can result in account takeover, credit card theft and privacy leaks, and yet it has gone unaddressed for years on certain websites and online apps.
The scenario works like this: A mobile device owner attempts to register an account on a website or web app, using a phone number that was recently assigned to him by a telecom carrier. But that phone number previously belonged to a different phone owner who at one time also signed up for the same web service. Instead of creating a new account, the new device owner is logged into the account of the phone number’s original owner.
“It’s probably one of the oldest vulnerabilities with regards to mobile phone numbers… and identity,” said Marc Rogers, executive director of cybersecurity at Okta.
It’s almost as if the new device owner has pulled off a SIM swap scam – only there was no intent of deception. Nobody tricked the wireless carrier into reassigning a victim’s phone number to another device. It just happened by chance.