Characterizing the Security Threats of Disposable Phone Numbers

  • Conference paper
Frontiers in Cyber Security (FCS 2020)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 1286)

Abstract

Many organizations require users to provide a phone number for verification when registering an account. At the same time, because of the convenience and security of SMS-based two-factor authentication, many organizations adopt this method to let users log in to their accounts. On the other hand, many web service platforms provide a large number of disposable phone numbers for receiving SMS messages. The original intention of these platforms is to provide user privacy protection services; however, little is known about the threat that this service poses to an organization's security. In this paper, we collected data from 9 high-traffic disposable phone platforms in China. These data include 4,669 phone numbers and 30 million messages. The phone numbers come from 44 countries, and most of the phone number carriers are mobile virtual network operators in China. To the best of our knowledge, this is the first paper that discloses OTA (Online Travel Agency) accounts registered with disposable phone numbers, which would leak a large amount of passenger information. Furthermore, we discovered that cybercriminals use temporary OTA accounts to carry out airline seat spinning attacks. Among the organizations we surveyed, only 47% have security mechanisms that can detect accounts registered with disposable numbers. Our findings indicate that disposable phone numbers pose potential threats to cybersecurity, and new solutions are needed to address the threat.

This work is supported by National Major Science and Technology Projects of China (Grant No. 2018YFB1800202, 2017YFB0803001, 2018YFB0804703) and National Natural Science Foundation of China (Grant No. 61571144, U1836117).

Author information

Correspondence to Zhaoxin Zhang or Ning Li.

Copyright information

© 2020 Springer Nature Singapore Pte Ltd.

About this paper

Cite this paper

Cheng, Y., Wang, H., Zhang, Z., Li, N. (2020). Characterizing the Security Threats of Disposable Phone Numbers. In: Xu, G., Liang, K., Su, C. (eds) Frontiers in Cyber Security. FCS 2020. Communications in Computer and Information Science, vol 1286. Springer, Singapore. https://doi.org/10.1007/978-981-15-9739-8_37

  • DOI: https://doi.org/10.1007/978-981-15-9739-8_37

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-15-9738-1

  • Online ISBN: 978-981-15-9739-8

  • eBook Packages: Computer Science, Computer Science (R0)
