
I added a new phone line and someone called claiming to be the previous owner of the phone number. He requested that I forward information from a text message (he wanted me to forward 2 Factor Authentication information that would be sent to my new phone number via SMS). Naturally, I refused the request. I do not think that they are too happy with the refusal.

Are there any risks I should be aware of or precautions that I should take, given that there is some 'funny business' afoot?

CLARIFICATION: The caller does not know my name or any of my accounts. If the caller is a bad actor, then he is compromising someone else's account, because the phone number he called was recently issued to me and I do not give it out to anyone, because I use a call forwarding service. Said phone number has not been given out to anyone.

Greenonline
gatorback
  • Sometimes we're just too paranoid. It's quite possible the person isn't lying, and it WAS their phone number. It's also possible this is some form of fraud. If you were feeling nice I suppose you could offer to unlock whatever account they have for them instead of passing on the information directly. I don't really see what the harm is if you haven't set 2FA anywhere yourself, especially if you handle all resets. Then again, it's also possible it's someone ELSE'S phone number, and you'd be resetting a completely different person's account. – Steve Sether Jul 18 '19 at 17:30
  • 3
    I actually texted someone with my old phone number asking for the code once. Unfortunately, they never replied to me, so I had to create a new account. – oxr463 Jul 18 '19 at 18:37
  • Possibly relevant. https://security.stackexchange.com/questions/182567/i-gave-my-cell-number-to-a-stranger-on-the-internet-have-i-fallen-victim-to-a-s – JMac Jul 19 '19 at 00:42
  • 9
    *"Naturally, I refused the request."* -- In cases like this, it is often more appropriate to simply offer no response whatsoever. There is no guarantee that the number has been re-issued yet, or that it is to a device that can do SMS with a human... let them wonder. – trognanders Jul 19 '19 at 19:17
  • @trognanders - If it were a disconnected conversation (text, email), absolutely, no response would be best. But the OP was on a phone call with the other person. Simply hanging up when asked to forward the information wouldn't improve anything, the caller already knows he's reached someone. Moreover, if it's a truthful person at the other end, telling them you won't do it is useful and appropriate. If it's a scammer, at that point it doesn't much matter whether you say no or just hang up, they'll still try again. :-) – T.J. Crowder Jul 20 '19 at 13:09
  • @T.J.Crowder: It would be possible that the person legitimately had the phone number, and lost it for whatever reason. Some pay-as-you-go mobile services re-use numbers rather eagerly on unpaid accounts. I'm not sure how one would verify the bona fides of an individual to distinguish between an honest individual and someone who is trying to breach the account of someone who lost their phone number, but the situation is not implausible. – supercat Jul 21 '19 at 23:55
  • @supercat - My point above was that just offering no response (per trognanders) wasn't a useful option in this case. But yes, entirely plausible. But you still have to say no. Even if you're 100% sure *you* haven't registered any 2FA to the number, the person *before* you may have, and you don't know that the person you're talking to is the person who had the number before you. :-) – T.J. Crowder Jul 22 '19 at 06:36
  • @T.J.Crowder: That's why I mentioned the importance of verifying the person's bona fides. If one can determine that the holder of the problematic account also had a long-standing account elsewhere that remains active, one could contact the person who has the active account and would presumably either be the person who was seeking help, or would be interested to know that someone was trying to social-engineer their way into their account. As to how much time and effort it's worthwhile to spend helping strangers, that's a matter of personal judgment. – supercat Jul 22 '19 at 14:46

2 Answers


It's a known scam attempt. The caller probably compromised one of your accounts, and got stopped by the 2FA token sent to your phone. If you send them the token, your account is fully compromised. Or, as Nic pointed out very well, it may be the account of someone else.

What do you do?

First: don't send them any code or token. That will prevent them from compromising your account.

Second: If your provider offers any alternatives, replace SMS as 2FA on every account you have with a more secure solution, like a hardware or software TOTP token. SMS is too insecure for that.

Third: change your passwords. If you don't have a password manager keeping different accounts for each service, install and setup one now. It will take time, but takes way less time than to recover from any mischief an attacker can do with your online services. While you are changing passwords and storing them on your password manager, switch the 2FA from SMS to TOTP to have a safer 2FA.

Don't trust your brain to pick passwords. They are guessable, and a computer can try billions of combinations per second. Any password manager, no matter how primitive, is better than us at creating passwords.

atk
ThoriumBR
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/96465/discussion-on-answer-by-thoriumbr-this-used-to-be-my-phone-number). – Rory Alsop Jul 21 '19 at 21:20
  • If they were a bad actor, and they were hard core, they just would have had your number slammed to their SIM. If they have lost access to their bank, bitcoin, paypal account, there are other ways a genuine owner can go? This is why *you* need a second number for 2FA if a number is required. – mckenzm Jul 22 '19 at 00:07

This is probably an attempt to gain access to the account that sent the code. This is a common method of bypassing 2FA. It works like this: once a message is sent with the code, an attacker will text you and say that it is their old phone number and they need the code. This might be someone who actually needs the code; however, more likely it is an attacker trying to gain access to your account.

Samatha