Recycled phone numbers are more dangerous than you think – Protect yourself now

A mobile number is tied to multiple digital services today – e‑wallets, social media accounts, two‑factor authentication apps, bank accounts, UPI apps, personal data storage and more. So it goes without saying that an unauthorised change of the mobile number that you owned earlier could end up creating a nightmare of multiple digital risks. With changes in the regulation policy in India(BHARAT), it has become common that the mobile number you were once subscribed to earlier can become invalid and is recycled to someone else. But what you must not know is that the number that was once under your control might also be independently mis‑assigned and become accessible to someone without you or the telecom service provider’s (TP) awareness.

What’s causing this?

Reuse of mobile numbers by telcos and mobile network operators (MNOs): Mobile numbers are often recycled by telecom service providers when an old subscriber disconnects or lapses that number without porting it to another telecom provider. From the date of new assignment to a fresh subscriber, all one‑time passwords (OTPs), calls and messages will be directed to the person to whom the number was re‑assigned. Simultaneously, the existing number‑holder may continue to receive network operator messages, bank transaction alerts, OTPs, messages and calls related to online accounts, subscriptions and apps for a while.

Changes in the India(BHARAT)n mobile number validation regulatory guidelines by the Telecom Regulatory Authority of India(BHARAT) (TRAI) and the Department of Telecommunications (DoT): The government is constantly working towards increased security with regards to authentication of a mobile number on websites and applications. For example, the next few months could see banks and UPI apps required to ensure that the mobile number indeed belongs to the person who claims to have it and not anyone else.

The risks in a nutshell

Unauthorized access: Unauthorised use of your previous mobile number can allow the new user of that number to receive OTPs and security alerts intended for you and the unknowing user could start to abuse it in password reset, account takeover or misuse.

Data leakage: User data stored on services with SMS verification or services where the mobile number was used as an identifier such as banking alerts, financial service apps and subscription services, app sign‑up notifications can now be accessed by someone else, while you no longer have the access to that mobile number.

Identity ambiguity: Services and individuals who wish to contact you through your old number (for example, friends and family members), may now reach out to the new user of that number and this new user may get confused and may reach back or re‑transmit personal information.

Loss of critical messages: Critical SMS such as banking notifications or financial transaction messages, security notifications that you were getting in your old number will now start going to the new user.

How to keep your personal information safe?

Stop using your mobile number: If you don’t use a mobile number anymore, it is critical to change the mobile number in all relevant services as early as possible, or as soon as you realise you’re not going to use it again.

De‑link number‑based accounts: You should sign‑in to all services that you have registered your old number with and change the number or log out so that the number is no longer associated with the account.

Audit security settings: Services which you still have the old mobile number can allow you to check which devices, active sessions, and login alerts are enabled. It is advised to remove any unused, unrecognised or redundant entries.

Add alternative or multiple verification processes: A majority of services today offer users the facility to register more than one mobile number, or even a personal or business email ID. It’s strongly advised to add an email ID, alternative phone number or the authenticator app method where applicable.

Be on the lookout for alerts: If you start to receive banking or transaction messages on a mobile number you no longer use take that as a strong warning signal that someone else has assumed the mobile number and may have automatically triggered those services as well.

Inform and keep track with your telecom service provider: When you surrender or stop using a number make sure it is deactivated or correctly reassigned. Confirm with the telecom service provider, or keep a watch on the old number in question.

Alert if any unusual activity is observed: Unauthorised or unexpected email alerts of password‑reset, new device login, SMS alerts or calls which are linked to the old mobile number is a red signal that someone else might be using the number. Immediately change the password and lock the account and inform the service provider of such activity.

It’s clear that a mobile number is now the access point to everything you own and do digitally. When it changes hands or becomes misassigned, you run the risk of being locked out of your accounts or losing that access key. A lot of damage to your personal information is preventable simply by proactively changing the number or by staying alert of the common risks listed here.