Recycled cell numbers putting digital privacy at risk
Sensitive information from previous subscribers ending up in hands of strangers
Published:Sunday | October 29, 2023 | 12:10 AMMark Titus - Sunday Gleaner Writer
To access this article in full please login or register today
A senior crime-fighter is among a number of Jamaicans who have had their SIM cards repossessed and reassigned by telecommunications providers. However, in his case, sensitive information from informants has now ended up in the hands of a stranger....
A senior crime-fighter is among a number of Jamaicans who have had their SIM cards repossessed and reassigned by telecommunications providers. However, in his case, sensitive information from informants has now ended up in the hands of a stranger.
The businessman who was given the repossessed number told The Sunday Gleaner that he was desirous of having a private number to communicate with close relatives and friends, but little did he know that he would be in for a shock.
“I inserted the SIM [card] in my phone and followed the steps to configure it, and everything was going as expected – until a barrage of text messages started coming immediately after I completed the setup,” he recalled. “I was surprised because I had not shared my new number with anyone.”
The situation took a more sinister turn when he downloaded WhatsApp, the social media messenger service offered by Meta. He was quickly bombarded with more messages, including details on the description of criminals and their whereabouts and other information regarding wanted men.
Among the WhatsApp messages seen by The Sunday Gleaner was what appeared to be sensitive data from a government agency on an individual on the police’s radar.
The cop’s brother, who later called the number, was also surprised that a stranger answered the call.
When contacted by The Sunday Gleaner, the senior cop expressed gratitude for the information, but he declined to explain why the SIM was repossessed.
A subscriber identity module – or SIM – is a tiny card with an inserted chip which, when placed in a smartphone, allows the user to make calls, and contains sensitive information added by the owner, just like a computer.
120 OR 150 DAYS TO TOP-UP
Jamaica’s two main telecoms providers, FLOW and Digicel, allow some 120 and 150 days of inactivity, respectively, before repossessing assigned numbers. The length of time is also dependent on the existing demand for numbers.
Elon Parkinson, head of communications and corporate affairs at Digicel, explained to The Sunday Gleaner that the time given for each customer to top up their service is dependent on the value of the last amount added. But closed user group, or CUG, accounts, managed by Digicel Business, are given longer airtime.
“For example, a $108 top-up voucher gives a customer 21 days of active airtime, during which they are able to make and receive calls or use [funds] towards the purchase of a Prime Bundle plan,” Parkinson said. “Once the credit has expired, and the customer has not completed another direct top-up within 120 days, the number will expire due to inactivity.”
FLOW said that the customer gets to a no-credit state by using up all their credit or if the amount has expired. If credit is not added within 150 days, the number enters a “cooling” period of at least 30 days, following which it is eligible to be recycled and reassigned.
“During the extended period, customers can still receive calls,” FLOW told The Sunday Gleaner. “Once the customer tops up while in the ‘no credit’ state, the customer will return to an ‘active’ state.”
According to the companies, all management, recycling, and reassignment are done impartially and are only determined based on the customer’s top-up and usage habits. They say that several methods are also used to notify customers of the need to top up.
Weighing in on the senior cop’s predicament, former Police Commissioner Rear Admiral Hardley Lewin was not impressed with his decision to receive sensitive information on a private number.
“‘Should he be using his private phone in that manner?’ and ‘Does the JCF (Jamaica Constabulary Force) provide you with a service phone?’ are some of the questions to be asked,” the former army man opined.
“Security practitioners have to be a bit more diligent as to how they receive their communication and by what means. If this is a service phone, they [telecoms firms] would know that it is signed off by the police.
“I know when I was there most police officers had a service phone,” he told The Sunday Gleaner.
CURRENT HOLDERS ANNOYED
On social media platform X, formerly known as Twitter, several Jamaicans have detailed horror stories of either losing their numbers unexpectedly or ending up with a number where the majority of calls and messages are for previous holders.
Apart from messages from friends, relatives, associates and customers from previous holders, they bemoan getting notifications that friends who have been dead for years just joined a social media platform, credit and debit card transaction notifications, messages about electricity usage from the Jamaica Public Service Company, and a range of other messages.
Some have even found humour in daring bill collectors to seize goods or take them to court after receiving threatening calls or messages about loans or hire-purchase agreements in arrears by the previous holder of the number.
But others have not found the constant annoyance funny.
“Man tek a loan and nah pay it back... stop use him phone number... now digicel recycle that number give mi when mi buy a new SIM... loan place nuh stop text and tell mi i need to pay up,” one X user posted in May.
Internationally, there have been numerous reports of people using repossessed numbers to hijack online accounts of previous users by using SMS authentication or impersonating them in scams. Reports of stalking and have also emerged.
EXCEPTIONS TO THE RULE
Security expert Dr Jason McKay believes that the telecoms should not take such a hard stance against all users, but that there should be some exceptions to the rule.
“I think there should be some category of persons that hold certain jobs that are not affected by this practice,” McKay told The Sunday Gleaner. “This would mean that their number is for life and there is a one-time fee at the [start or] end of the contract.”
Addressing the issue of phone number reassignment, telecommunications engineer at the Office of Utilities Regulation, Gordon Swaby, in a column published in The Sunday Gleaner last week, said the practice of reassigning numbers is to prevent the premature exhaustion of area codes.
“The demand for numbering resources is expected to increase as they are also being utilised for machine-to-machine communications and between Internet of Things devices,” he said. “First, phone numbers are a public resource, not owned by telecoms providers or customers, and so there is no guarantee of a lifetime assignment.”
“The resources cannot be sold, brokered, bartered, or leased by the providers for a fee or other consideration, except in a manner consistent with the OUR’s direction,” added Swaby.
BE MORE MINDFUL OF SECURITY RISK
Yet cybercrimes expert Godphey Sterling is not convinced that the telecoms firms have done enough to inform their subscribers of the consequences if they fail to top up, but he is cautioning the public about their methods of saving information.
“Legally, they are not even required to tell you that they are taking back the number once the time is passed and there is no top-up. What the companies are doing might be unethical, but not illegal,” Sterling told The Sunday Gleaner.
He added, “One should be careful where your [contact] numbers are saved. For some carriers, it sometimes default to be saved on the SIM card as opposed to the phone, which means that once that SIM gets into another device, it will allow for access to those numbers and the difficulty is that most persons don’t pay attention about these things.”
The failure of consumers to practise the use of multi-factor authentication has also amplified the problem that he likens to the SIM swap scam, which has led to customers being defrauded of millions of dollars globally.
Locally, only two notable SIM swap cases were investigated by the Financial Investigations Division between January 2021 and June 2022, affecting 27 customers who lost a total of J$61 million and US$133,000 from their bank accounts.
But with the ingenuity of fraudsters, Sterling, who heads the Jamaica Cyber Incident Response Team, is appealing for greater responsibility from both telecoms operators and their subscribers.
“The challenge we face is that there needs to be a bit more corporate responsibility on the part of the service providers in terms of either pointing out these areas of the fine print or finding more ways to notify consumers of the given timelines to top up,” he asserted.