I'm working on an application where users are identified by their phone numbers. One user account can have one phone number, but one phone number can be added from multiple accounts. For each phone_number I'm giving a 10 free message allowance. I'm implementing a feature to allow users to change their phone number on their User Page, but this brings two challenges:
Security: If a user changes their phone number, they should "inherit" the message count of the new phone number if it was previously used (i.e., a user can continue using their remaining messages when they change their phone number). However, this opens up a loophole where a user can create multiple accounts with new phone numbers to get more messages and then switch these new accounts to their original phone number to aggregate the message counts.
Privacy: When a user tries to change their phone number to a new one, they should not be able to see the message count of the new number if it's already in use by another user. This is to prevent users from snooping on others' message counts.
How can I design the phone number change process to ensure both security (preventing abuse of the message count system) and privacy (preventing disclosure of others' message counts)?
1. Attempted Solution: I tried to associate the message count with the account and not with the phone number. This way, even if a user changes their phone number, they still see the total number of messages associated with their account.
Problem: This approach is susceptible to exploitation. A user can create a new account with a new phone number, get the initial allocation of messages, and then change the new account's phone number to their original phone number. This way, they can effectively transfer messages from the new account to their original account, thereby getting more messages than they should.
2. Expected Result: I wanted to prevent users from seeing the message count of a phone number that is already in use when they attempt to change their phone number.
Problem: However, if I show them the message count after they change their phone number, this might indirectly reveal whether the new phone number was previously used or not, which is a privacy concern.
3. Attempted Solution: I also tried to use phone verification; however, this is not viable in my case because users might buy the service for their relatives, so the account owner and the owner of the phone number might be different. I thought that since only the owner of the phone number can actually message from that number, there are no side effects of adding it to your account.
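As an added illustration of the trade-off the question describes (example code, not the asker's own), the model below keys the allowance to the normalized phone number and never to the account, so re-pointing a throwaway account at an existing number moves only the pointer and cannot merge counts; the `Store` class, its method names and the phone numbers are constructed for the demo.

```python
"""Added illustration (not the asker's code): allowance keyed to the phone number, not the account."""
from dataclasses import dataclass, field
import re

FREE_ALLOWANCE = 10  # from the question: 10 free messages per phone number

def normalize(phone: str) -> str:
    """Strip formatting so '+1 (555) 010-0001' and '15550100001' share one allowance."""
    digits = re.sub(r"\D", "", phone)
    if not digits:
        raise ValueError("phone number has no digits")
    return digits

@dataclass
class Store:
    remaining: dict[str, int] = field(default_factory=dict)  # phone -> remaining messages
    accounts: dict[str, str] = field(default_factory=dict)   # account -> current phone

    def _ensure(self, phone: str) -> str:
        phone = normalize(phone)
        self.remaining.setdefault(phone, FREE_ALLOWANCE)  # allocated once per number, ever
        return phone

    def register(self, account: str, phone: str) -> None:
        self.accounts[account] = self._ensure(phone)

    def change_number(self, account: str, new_phone: str) -> None:
        # Only the pointer moves: no count is read, copied or added here, so a
        # throwaway account's unused allowance stays behind with its old number.
        self.accounts[account] = self._ensure(new_phone)

    def send(self, account: str) -> bool:
        phone = self.accounts[account]
        if self.remaining[phone] <= 0:
            return False
        self.remaining[phone] -= 1  # one counter shared by every account on this number
        return True

    def remaining_for(self, account: str) -> int:
        return self.remaining[self.accounts[account]]

def aggregation_attempt() -> tuple[int, int]:
    """Constructed scenario from the question; returns (A's view, B's view) after B switches."""
    s = Store()
    s.register("A", "+1 555 010 0001")
    s.register("B", "+1 555 010 0002")   # B's own number gets its own 10
    s.change_number("B", "15550100001")  # re-point B at A's number
    s.send("B")                          # drawn from the shared counter, not a merged pool
    return s.remaining_for("A"), s.remaining_for("B")
```

Both accounts see 9 afterwards, not 19: the second number's 10 never followed account B. The remaining-count view an account gets after a change is exactly the "inheritance" the question describes, so this model does not by itself remove the privacy concern in point 2.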