Disposable Phone Numbers: Risks and Detection

Mobile phones are an essential tool for people wanting to commit online fraud. Certain types of phone numbers, such as disposable phone numbers (or burner phone numbers), carry an intrinsically higher risk of being used by a fraudster. To protect their business and maintain the integrity of their customer base, financial organizations and fintech companies should familiarize themselves with typical red flags related to phone numbers and understand how these risk signals, combined with additional digital insights, can be used to accurately evaluate the risk associated to any user. 

The rise of disposable phone numbers

Disposable phone numbers, also known as temporary or burner numbers, have emerged as a versatile tool over the past few decades. Initially, these numbers were primarily used for personal privacy and security. The concept began gaining traction in the early 2000s with the advent of internet-based telephony and the rise of VoIP (Voice over Internet Protocol) services. As technology advanced, so did the methods for generating and managing disposable numbers, leading to sophisticated systems that provide temporary phone numbers with ease and efficiency.

Current market landscape

Today, the market for disposable phone numbers is robust and expanding. Numerous companies offer services that provide temporary numbers for a range of uses. These services are often integrated into larger platforms, offering seamless user experiences. Key players in this market include companies like Google Voice, Burner, Hushed, and TextNow. The convenience and affordability of these services have contributed to their widespread adoption, catering to both individual and corporate needs.

Legitimate uses of disposable numbers

Disposable phone numbers are invaluable for protecting personal privacy and avoiding spam in online transactions. By using a temporary number, individuals can shield their primary contact information from potential spammers, telemarketers, and data breaches. This ensures that their main phone line remains free from unwanted calls and messages, enhancing their overall privacy and security.

These numbers are also widely used in application testing and development, providing a practical solution for developers who need to simulate various user scenarios. Temporary contact numbers are beneficial for short-term needs, such as selling items on classified ads or arranging meetups, allowing users to share contact information without revealing their permanent numbers. This flexibility makes disposable numbers a convenient tool for a range of temporary communication needs.

Disposable phone numbers also offer crucial protection for journalists and whistleblowers, allowing them to communicate sensitive information anonymously. The ability to quickly dispose of these numbers after use provides an additional layer of security, safeguarding their identities and enhancing their safety in high-risk situations.

How do fraudsters exploit disposable numbers?

While disposable phone numbers offer many legitimate benefits, they also present significant risks when misused by malicious actors. Here are some ways fraudsters exploit these numbers to conduct fraudulent activities and evade detection:

Account creation fraud and its impact

Fraudsters often leverage disposable phone numbers to create multiple fake accounts across various online platforms, using synthetic or completely fabricated identities. This type of fraud is particularly damaging to businesses that rely on user data for operations, marketing, and security. By using disposable numbers fraudsters can bypass standard verification processes during the onboarding phase, to then disappear after having committed fraud. Especially in the lending and Buy Now Pay Later (BNPL) space, disposable phone numbers are used by fraudsters looking to cash in on a loan before disappearing and never making any repayment on it. 

Bypassing 2FA

Two-factor authentication (2FA) is a critical security measure for protecting user accounts, but disposable phone numbers can undermine its effectiveness. Fraudsters can use these numbers to receive authentication codes during onboarding, allowing them to either validate a newly created account or, in certain cases, gain unauthorized access to accounts where the disposable number was added as a secondary verification method by fraudsters. This exploitation weakens the security provided by 2FA, making it easier for malicious actors to infiltrate systems and steal sensitive information.

Burner numbers and smishing

Some criminals use inexpensive and disposable phones to execute their smishing schemes. Smishing, a form of social engineering, involves sending fraudulent text messages to deceive individuals into downloading malware, sharing sensitive information, or transferring money to cybercriminals. The term "smishing" combines "SMS" (short message service) and "phishing."

Abuse of public SMS gateways

According to a recent study, the SMS, commonly used for account verification, has become a hotspot for fraudulent activities within the disposable phone number ecosystem. Researchers from Universidad Carlos III de Madrid, IMDEA Software, and IMDEA Networks have discovered significant abuse of Public SMS Gateways (PSGs). These specialized applications offer free disposable phone numbers without requiring registration or account creation, making them a popular tool for fraudsters.

How disposable number services operate

Disposable phone number services operate through a combination of number allocation systems and routing mechanisms. These services generate temporary numbers from a pool of available numbers, often segmented by geographical regions or service providers. Once a number is allocated, it can be used for a limited period or until a specified usage threshold is met. Calls and messages directed to the disposable number are typically forwarded to the user's primary phone number, ensuring seamless communication without exposing personal details.

Types of disposable numbers

Temporary numbers: these numbers are generated for short-term use, often lasting only a few minutes to a few days. They are ideal for quick tasks such as account verification or temporary communication needs.

Burner phones: burner phones are low-cost mobile phones with preloaded minutes, intended for short-term use and then discarded. They offer higher anonymity since they are not tied to a permanent account or identity.

Virtual numbers: virtual numbers are cloud-based and can be used across multiple devices. They provide greater flexibility and are often integrated with various online services and apps for enhanced functionality.

Integration with smartphone apps and web services

Disposable phone numbers are commonly integrated with smartphone apps and web services to provide users with a seamless experience. These integrations allow users to manage their disposable numbers directly from their mobile devices, making it easy to send and receive messages, make calls, and set up call forwarding. Popular apps like Burner and Hushed offer user-friendly interfaces that simplify the process of obtaining and using temporary numbers.

Service providers implement various security measures to protect users and prevent misuse of disposable phone numbers. These measures include encryption of messages and calls, stringent verification processes for users, and monitoring systems to detect and block suspicious activities. Despite these efforts, the inherent anonymity and temporary nature of disposable numbers can still pose significant security challenges, necessitating continuous improvements and innovations in security protocols.

Shortfalls of current security measures

Despite the various security measures implemented by service providers, disposable phone numbers continue to present significant challenges. Traditional security measures, such as encryption and basic user verification, while essential, are often insufficient in fully addressing the risks associated with disposable numbers. The anonymity and temporary nature of these numbers make it difficult to track and prevent fraudulent activities effectively.

One major shortfall is the reliance on static verification methods like SMS-based two-factor authentication (2FA). While 2FA adds an extra layer of security, it can be easily bypassed using disposable numbers. Fraudsters exploit this vulnerability by using temporary numbers to receive verification codes, allowing unauthorized access to accounts and sensitive information.

Another challenge lies in the limited scope of current security protocols. Many systems focus primarily on the surface-level attributes of phone numbers, such as their origin and validity, without delving deeper into the behavioral patterns associated with their usage. This approach leaves gaps that can be exploited by sophisticated fraudsters who use disposable numbers as part of more complex schemes.

Disposable phone detection with Trustfull

Trustfull's Digital Risk Intelligence Platform offers real-time analysis of any users' digital footprint, combining hundreds of signals on users' phone, email and IP address to calculate a risk score on a scale from 0 to 100. Among the many digital signals processed by Trustfull, there is also the identification of disposable phone numbers. Based on our experience processing millions of sign-up attempts and transactions, disposable phone numbers present a higher correlation with fraudulent accounts than standard phone numbers. Through custom risk models, risk and compliance teams can fine-tune the impact of any digital signal, including the presence of a disposable phone number, on the overall risk score assigned to users by the system.

Trust and risk phone signals

Disposable phone detection is only one benefit that is unlocked by Trusftull's digital scoring models. Other phone signals that provide key fraud prevention insights are listed below:

Risk Phone Signals

• Disposable phone: flagged and certified to be part of the black market for disposable numbers
• Carrier = virtual MNO: number is valid but registered with a virtual operator (usually no KYC)
• No app connected: no messaging or any other app associated with a phone number is highly unusual.
• Too many apps: an unusually high number of connected accounts seems suspicious

Trust Phone Signals

• Carrier = tier 1 carrier: number is registered with a carrier where ID is required for the purchase
• Porting history = true: number was ported between carriers, which involves paperwork and KYC.
• Number was detected in a data breach: can imply a genuine number and implicitly show how long is it in use.
• High information coherence: no discrepancies found among social, messaging, and profile data

From disposable phone detection to stronger fraud protection

Disposable phone numbers, while providing numerous benefits for privacy and short-term communication needs, also pose significant risks as they can be easily exploited by fraudsters. The challenge for businesses and security professionals is to effectively differentiate between legitimate and malicious use of these numbers.  

Trustfull’s Digital Risk Intelligence Platform employs advanced ML algorithms to analyze various digital signals, offering comprehensive protection by integrating disposable phone detection with other security measures such as email address analytics, IP address analysis, device detection, and browser fingerprinting.  

While the Trustfull platform can identify disposable phone numbers and assess their associated risks, teams can achieve more accurate fraud detection results by combining as many digital signals as possible. This approach can stop fraud during digital onboarding and ensure the integrity of user accounts.