[HN Gopher] From email to phone number, a new OSINT approach (2019)
___________________________________________________________________
From email to phone number, a new OSINT approach (2019)
Author : Luc
Score  : 187 points
Date   : 2023-11-16 15:20 UTC (7 hours ago)
(HTM) web link (www.martinvigo.com)
(TXT) w3m dump (www.martinvigo.com)
| hipadev23 wrote:
| Great technique for those VCs who think they can just ignore my
| emails
| xhkkffbf wrote:
| This kind of uncoordinated leaking is a deeper problem. Many
| share the last four digits of a SS#. Okay. But often the first
| five are easy to guess from the birthday and the birth state. The
| first few digits tell the state where the number was issued.
| swozey wrote:
| Hell, a lot of people have last 4 digits that are literally just
| their mother's birth year.
| myself248 wrote:
| Last four of their SSN? That makes no sense, those digits are
| sequentially assigned at the issuing office.
| swozey wrote:
| Yes, last four. Don't ask me how I know.. Might be a "born
| on base" thing but it's no coincidence.
| evan_ wrote:
| It is a coincidence. You have a 1-in-10000 chance of
| getting any 4 digit number and they assign 5.5M a year,
| so we can expect that 550 people get their mother's year
| of birth every year. You just happened to get 1961.
|
| (Total guess but how cool would it be if I was right?)
| swozey wrote:
| I have a REALLY hard time believing that but I've never
| looked into it. Like you said, 550 people a year get it.
| I just happened to be in the 0.01%? I should be luckier,
| lol.
|
| https://www.quora.com/What-are-the-odds-that-your-
| birthday-i...
| birdman3131 wrote:
| Only for ones issued prior to 2011. While this encompasses any
| current adult it is something to keep note of.
| hotnfresh wrote:
| The core problem is that we have an utterly idiotic system in
| which knowing a nine-digit number lets you do any harm
| whatsoever.
|
| We have all the worst parts of a proper national ID system--
| tracking and data gathering by government and other large
| organizations isn't hindered a bit, and we're required to
| engage with our ad-hoc national ID system all the time for
| anything important--but none of the benefits.
|
| Tons of suffering and wasted time, for no damn reason.
| swozey wrote:
| lol
|
| > Paypal, which displays five digits including area code to
| anyone knowing the email address (but only three if the attacker
| knows the target's password), decided this is working as designed
| and will not take action.
|
| Wild.
|
| Does anyone know how scammers are getting numbers off of
| LinkedIn? Or correlating them to numbers from elsewhere? I know a
| company whose employees are constantly getting fake CEO texts.
| DalasNoin wrote:
| I just realized this is from 2019 and confirmed this literally
| still works on PayPal. SMH
| RecycledEle wrote:
| An objective observer would conclude PayPal only exists to
| cause security problems.
|
| I once called PayPal to report a "your account is suspended"
| phishing email and they angrily told me to follow the
| directions in the email.
| josephg wrote:
| My sister got married and changed her surname. PayPal has
| inexplicably also changed my surname to my sister's new
| surname.
|
| I can't for the life of me figure out why, or why they
| would do that without notifying me. At least no good
| reason. It's the strangest thing.
|
| I haven't even fixed it. I just stopped using PayPal
| because I don't trust them any more.
| jwally wrote:
| Can someone summarize this?
|
| I think the site is struggling with traffic and I'm getting
| 503'd...
| Techbrunch wrote:
| Martin Vigo's article discusses the security vulnerabilities in
| password reset options for various websites and how these can
| lead to the exposure of personal phone numbers.
| Vigo highlights that during a password reset process, websites often partially
| reveal the user's phone number. This partial display varies
| across websites; some show the last four digits, others the
| first, and so on. By initiating password resets across
| different sites, one can potentially piece together most of the
| digits of a phone number just from an email address.
| _the_inflator wrote:
| Awesome TLDR;
|
| Thx!
| jasonjayr wrote:
| ... just an email address, and publicly available information
| on the phone numbering system assignments + strategies.
| swozey wrote:
| Basically what they did was do password reset processes at a
| bunch of different services like PayPal, LastPass, Ebay..
| yadda yadda. He found that they all display different portions
| of a phone number. PayPal being the worst shows someone
| starting the reset process 5 digits. Most showed 2 or 3 but
| different portions.
|
| So what he then did was essentially merge/correlate that data
| along with the area code and "exchange" (the part of number
| after area code) from sources like
| https://www.nationalnanpa.com/
|
| Then he has a python script that queries (not sure how, I didn't
| read the code, I'm assuming NOT through an API but who knows)
| the aforementioned services and somehow determines the
| likelihood of a number out of several hundreds being registered
| to an email or not. I kind of dozed off at the end so I can't
| explain that part very well.
|
| edit: Why am I getting downvoted? This is literally what the
| blog is. My other comment is at the top.. lol. What a waste of
| my time giving an explanation. Y'all like that low detail
| TechBrunch ChatGPT explanation more? Wild.
| Luc wrote:
| https://web.archive.org/web/20231116163937/https://www.marti...
| egberts1 wrote:
| LOL! DOA!
|
| Next: Signal app, method
| fudged71 wrote:
| @dang please append (2019) to the title
| Luc wrote:
| Fair enough, I did so.
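The leakage the two summaries above describe is easiest to reason about as a set-union problem: each site's reset screen hides most of the number, but the union of several screens hides far less. The Python below is an added example, not code from Martin Vigo's article or his tool and not from any commenter; the site names and mask patterns are constructed for illustration, and the NANPA area-code/exchange narrowing that Vigo's tool applies is deliberately left out. It gives a defender a way to audit a set of masking policies, to see which pair of sites combines worst, and it shows the consistent short-tail masking that keeps the union no larger than any single site's reveal.

```python
"""Audit of how partial phone-number reveals on password-reset screens combine.

Added example; not Martin Vigo's code. Site names and mask patterns below are
constructed for illustration.
"""
from __future__ import annotations

from itertools import combinations

PHONE_LEN = 10  # NANP number: 3-digit area code + 3-digit exchange + 4-digit line

# Mask pattern: 'X' at a digit position the reset screen shows, '*' where it hides.
# Constructed patterns, loosely modelled on the mix of "five leading digits",
# "last three", "middle digits" and "last two" that the thread describes.
CONSTRUCTED_POLICIES = {
    "site_a": "XXXXX*****",  # area code plus two digits of the exchange
    "site_b": "*******XXX",  # last three digits
    "site_c": "***XX*****",  # two digits of the exchange
    "site_d": "********XX",  # last two digits only
}


def revealed_positions(mask: str) -> frozenset[int]:
    """Indexes of the digits a mask exposes; rejects malformed masks."""
    if len(mask) != PHONE_LEN or set(mask) - {"X", "*"}:
        raise ValueError(f"bad mask pattern: {mask!r}")
    return frozenset(i for i, ch in enumerate(mask) if ch == "X")


def combined_mask(policies: dict[str, str]) -> str:
    """Union of every policy's reveals, rendered as one mask pattern."""
    shown: set[int] = set()
    for mask in policies.values():
        shown |= revealed_positions(mask)
    return "".join("X" if i in shown else "*" for i in range(PHONE_LEN))


def candidates(mask: str) -> int:
    """Numbers consistent with a mask when nothing else is known about the target.

    Vigo's tool narrows this further with NANPA area-code/exchange data; that
    refinement is deliberately not modelled here."""
    return 10 ** (PHONE_LEN - len(revealed_positions(mask)))


def audit(policies: dict[str, str]) -> dict:
    """Summary a defender can use to see which policy combination hurts most."""
    union = combined_mask(policies)
    # The pair of sites whose masks, taken together, expose the most digits
    # (None when fewer than two policies were given).
    worst_pair = max(
        combinations(sorted(policies), 2),
        key=lambda pair: len(
            revealed_positions(combined_mask({p: policies[p] for p in pair}))
        ),
        default=None,
    )
    return {
        "per_site_candidates": {name: candidates(m) for name, m in policies.items()},
        "combined_mask": union,
        "combined_candidates": candidates(union),
        "worst_pair": worst_pair,
    }


def mask_for_display(phone: str, keep_last: int = 2) -> str:
    """A consistent reset-screen mask: show only the last `keep_last` digits.

    Showing the same short tail everywhere means the union across sites
    reveals no more than any one site does."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    if len(digits) != PHONE_LEN:
        raise ValueError("expected a 10-digit NANP number")
    return "*" * (PHONE_LEN - keep_last) + digits[-keep_last:]


if __name__ == "__main__":
    report = audit(CONSTRUCTED_POLICIES)
    for name, n in report["per_site_candidates"].items():
        print(f"{name}: {n:>12,} candidates on its own")
    print(f"combined mask {report['combined_mask']}: "
          f"{report['combined_candidates']:,} candidates")
    print(f"worst pair: {report['worst_pair']}")
    print("consistent display:", mask_for_display("(555) 123-4567"))
```

With the constructed policies, no single site leaves fewer than 100,000 candidates, but the union of all four leaves 100, and the worst pair is the five-leading-digit site together with the last-three site. The candidate count is a plain power of ten on purpose: once the area code and exchange are cross-checked against public numbering data, as the article does, the real figure is smaller still, so this audit is an optimistic bound, not a worst case.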
| SpaceLawnmower wrote:
| One thing I've always wondered is how security researchers feel
| justified in releasing tools like the one in this blog post to
| the public. I can almost certainly say that the number of bad or
| creepy uses for an automated email to phone number generating
| tool massively outweighs the good reasons for having one. Does he
| get a pass because he's doing this for "research" and it's a grey
| area anyways? Does he feel better because he talked to the
| companies who exposed the vulnerability and it's neutered now?
| dj_mc_merlin wrote:
| I think there's a good ethical argument for releasing the
| knowledge, not so much the tool. I think the open secret is
| that most people who go into cybersecurity do so because they
| enjoy breaking security through clever methods rather than
| actually helping others stay secure.. but security research is
| legal and hacking random targets isn't.
| viccis wrote:
| I'm in the security industry, and this is absolutely correct.
| There are definitely many who carefully release PoCs when
| appropriate (giving vendors enough time to patch, etc.), but
| a LOT of these tool releases are done mostly to show off how
| smart we are and get clout. You see this big time every
| summer, as researchers all scramble to get a Defcon tool talk
| slot with some new thing they wrote, before immediately
| abandoning it post-con.
|
| Obviously, it's not like anything can or should be done to
| change this, as it's mostly just human nature, and keeping
| the security industry capable of operating legally and in the
| open is paramount. But sometimes people just wanna brag.
| And they get big mad about it and sputter about how literally any
| possible end justifies literally any actual means if you
| point it out (see: the other person responding to the top
| level comment lol)
| pmarreck wrote:
| > I can almost certainly say that the number of bad or creepy
| uses for an automated email to phone number generating tool
| massively outweighs the good reasons for having one
|
| Meanwhile, I can almost certainly say that the number of ways
| to bury your head in the sand instead of simply facing an
| uncomfortable problem massively outweighs the good reasons for
| doing so anyway.
|
| A person who is in need of money and lacking in empathy will
| not fail to use any technique available and it is thus good to
| know the defenses of that or at least be aware of it.
|
| "Creepy" arguments (appeals to shame or disgust) are fallacies.
|
| Security researcher types are well aware of the good-actor
| motivations behind white-hat-hackerdom. Is it wrong that I can
| buy a book on lockpicking? Would I be seen by some as a bad
| parent if I taught it to my kid when he expressed curiosity
| about it?
| SpaceLawnmower wrote:
| I think knowing that this is a vulnerability is fine. The
| tool is what I take issue with.
|
| I mean creepy as in a violation of a right to privacy. I
| don't consent to you knowing my phone number or any PII I put
| into private websites.
|
| It's a lot easier to get caught lockpicking and it has some
| legitimate uses. This is more like an autopicking
| machine imo.
| itslennysfault wrote:
| I think the idea is to highlight the bad security practices
| that allow this in hopes that these companies patch these holes
| (in this case reduce leaked data in the password reset
| process).
|
| A GREAT example of this was when Firesheep forced Facebook (and
| countless other sites) into embracing https. Firesheep was a
| firefox plugin that anyone could run on a public wifi (e.g.
| coffee shop) and instantly start getting the passwords of
| anyone on the same network that logged in to anything over
| http. At the time Facebook was http by default. So, it made the
| news and forced Facebook to make https required basically
| overnight. Many other companies followed suit, and it's likely
| fair to say that the release of that plugin single-handedly
| accelerated https adoption by a considerable margin.
|
| I don't know that this release will be that impactful, but it's
| certainly better than having this be a technique that only
| black hats know about.
| Eisenstein wrote:
| > I don't know that this release will be that impactful
|
| It was released in 2019 and it is still going on, so
| unfortunately it wasn't.
| lainga wrote:
| The difference between 2010 (firesheep) and now is about
| $100B of regulatory capture. That $BIGCO is not this $BIGCO.
| kurikuri wrote:
| When arguing with an executive on why their company's security
| posture needs to be updated, there is nothing quite as
| effective as an off the shelf demo.
| nbk_2000 wrote:
| Similarly to how Journalists feel justified in stories that
| have negative repercussions for some parties being reported
| upon. One way of assessing these decisions is answering the
| question "Is more harm done than good by releasing this
| information to the public?"
|
| From my perspective, I'm happy that Martin Vigo released this
| information (in 2019) as it helped me inform my employers (and
| now my clients) to additional threat model vectors to consider
| before deciding how to best perform password resets.
|
| Also in his defense: 1) He originally released a rather
| crippled form of the PoC 2) It requires a Twilio account, which
| raises the barrier to entry and provides a data point for
| analysts were the tool to be used criminally.
| wolverine876 wrote:
| > Similarly to how Journalists feel justified in stories that
| have negative repercussions for some parties being reported
| upon.
| One way of assessing these decisions is answering the
| question "Is more harm done than good by releasing this
| information to the public?"
|
| That method leads to the worst evils in the world. Many have
| concluded, or used it to justify everything from, 'it's ok to
| take these poor people's land and give it to megacorp,
| because we'll get a factory' to 'it's ok to silence these
| journalists because it's for the public good' to 'it's ok to
| kill my enemies because I think they are bad' to 'it's ok to
| commit genocide against this group because the world will be
| better off without them'.
|
| Who am I, or who are you, to decide what is good or bad, or
| how good or bad, or to weigh those things for others? Beyond
| our obvious cognitive limitations (as humans, we are too
| flawed cognitively and morally to make judgments for others)
| and lack of legitimacy (who elected us?), there is our
| obvious bias - 'good' is what is good from our perspective,
| based on our biases, subject to our ignorance of others.
|
| That's why human rights exist: It's their right and you can't
| make that decision for them; it's up to the person involved.
| If you think their land, etc. is so important, then ask them
| - it's up to them whether they want to do it. They have
| property rights, speech rights, etc. and nobody can abridge
| them, and in the limited circumstances where they can be
| abridged, there is a whole infrastructure of legitimacy
| (democracy), protection from corruption (separation of
| powers, juries, etc.), process (law, due process).
| 867-5309 wrote:
| eh?
| boznz wrote:
| The bad guys know these and a million more exploits already so
| personally I'm fine with these guys exposing the industry's
| dirty laundry especially if it shames them into doing
| something. There is also no defense from the company that they
| did not know when it comes to legal action.
| saltminer wrote:
| > If it is a requirement, consider using a virtual number like
| Google Voice or even a dedicated SIM that you only use for this
| purpose and never give the number away.
|
| For the second SIM option, that requires a dual-SIM device, which
| is still fairly niche in the US.
|
| When it comes to VOIP numbers, unfortunately, many sites look up
| phone numbers and block VOIP providers, which sucks because
| Android still has no good way of sending/receiving carrier texts
| on the desktop (and before someone suggests the Google Messages
| web interface, it "forgets" my device too often for me to take it
| seriously). Occasionally, this can create a catch-22, where the
| VOIP blocking is implemented after the fact and prevents you from
| ever using the account again because the VOIP blocking was also
| implemented on the SMS 2FA.
|
| And then there are services which don't even bother to check if
| they can actually reach a number before accepting it. Harris
| Teeter pharmacies, for example, will happily accept a VOIP
| number, but their system is unable to call or text VOIP numbers,
| so you never get your prescription notices. (And I'd bet this
| applies to all Kroger brands since they share a lot of systems.)
| stephenr wrote:
| > For the second SIM option, that requires a dual-SIM device
|
| Or a device that supports an eSIM, which is every iPhone since
| 2018, for starters.
| aidenn0 wrote:
| The eSIM is going to be more expensive than a regular SIM
| since no MVNO I'm aware of in the US supports eSIMs
| sneak wrote:
| Mint.
| stephenr wrote:
| I'm also _not aware of any_ but that's less about whether
| they're actually available and almost entirely because like
| 7.6 billion other people, I don't live in the US.
| aidenn0 wrote:
| Considering how we were talking about how dual-SIM phones
| are niche _in the US_, I think my comment was rather
| relevant.
| stephenr wrote:
| Dual-SIM phones aren't just a niche in the US either.
|
| But regardless: using your existing 5 year old iPhone
| with an eSIM that isn't "cheap" is still going to be
| cheaper than buying a new dual-SIM phone.
| piperswe wrote:
| Almost all of them do now, since iPhones don't have SIM
| card slots in the US anymore.
| aidenn0 wrote:
| Thanks. Apparently my info was out-of-date; I last
| checked in early 2022.
| caturopath wrote:
| I use Visible and Mint via eSIM
| guru4consulting wrote:
| I guess dual SIM is different from having eSIM+physical SIM.
| Dual SIM typically allows both SIMs/phone-numbers to be
| active and when you receive a call, you will know which
| number is being called. With eSIM+physical SIM card, only one
| can be active at a time. The other has to be disabled. At
| least, this is what I found a few years back.
| piperswe wrote:
| I know that iPhones with SIM+eSIM can have both active at
| the same time, and iPhones with just eSIM can have two
| eSIMs active.
| josephg wrote:
| Yeah I found this out the hard way when travelling
| recently. There are some great apps that let you buy
| cheap data-only eSIMs in dozens of countries. You can
| even buy an eSIM before you travel. It's crazy convenient
| and much cheaper than roaming fees.
|
| My girlfriend could keep her home phone line enabled
| while using the eSIM but I couldn't, even though we have
| the same model of phone! Turns out her home line uses a
| physical SIM, but mine is set up using an eSIM and the
| iPhone 12 can only have 1 eSIM enabled at a time. You can
| do 1 physical + 1 eSIM, but not 2 eSIMs.
|
| I couldn't get texts or calls from home without noodling
| with my phone settings each time. And FaceTime kept
| enrolling and unenrolling my number.
| darkwater wrote:
| Nope, eSIM plus physical SIM in an iPhone or in a Pixel or
| any other phone work just like 2 physical SIMs. It's been
| supported in mainstream Android for a few years now.
| Previously it was supported only on devices with 2 slots
| and each vendor had their flavor in Android.
| pnw wrote:
| eBay doesn't block Google Voice numbers. The only site which
| seems to is Discord in my experience.
|
| Personally I prefer to use a non-obvious dedicated email per
| account e.g. ebpnw@mydomain.com, so the attacker has to guess
| the email as well.
| thedaly wrote:
| > Personally I prefer to use a non-obvious dedicated email
| per account e.g. ebpnw@mydomain.com, so the attacker has to
| guess the email as well.
|
| Should I stop doing my obvious, i.e. hackernews@mydomain.com,
| account emails?
| Sardtok wrote:
| If you want to increase your security, generate a random
| string for the "account" name.
|
| If you are using a password manager, then this shouldn't be
| too difficult.
|
| It can be a hassle when registering for something in
| person, though.
| pavon wrote:
| I broke down and bought a prepaid SIM and a small dumb phone
| which I use solely for 2FA. It's about the same size as old-school
| 2FA systems like crypto cards. My original motivation in
| getting it was my wife was always taking my real phone to get
| security codes for some shared accounts (on sites that don't
| have an option for linked accounts). But I also like that it
| provides small OPSEC improvements over using my real telephone
| number.
| marklar423 wrote:
| That's a great idea for a shared 2FA device
| earthscienceman wrote:
| If you're a Linux user, "KDE Connect" is actually by far the
| best desktop interface for texting and more. It's changed how
| my phone and my laptop interact and I think might be my
| favorite open source project. You can use your laptop as a
| keyboard, reply to messages from any app that sends a
| notification, and so much more. The file sending functionality
| is also far better (and faster) than anything else I've used.
| It's everything open source software should be.
| pmarreck wrote:
| Keeping a phone number secret is "security by obscurity" and
| therefore the whole point of this article is rather moot.
| realusername wrote:
| Not completely, when you have the email + the phone number, you
| can make much more sophisticated phishing attempts
| miki123211 wrote:
| There's one missing piece in that article, and it's the CNAM
| database (US only).
|
| CNAM is the database that carriers use to give you alphanumeric
| caller ID ("SMITH JOHN" instead of "+1 (555) 123-4567"). Many
| carriers don't display this data as far as I believe, but most of
| them make it available.
|
| Querying that database isn't free, but you could probably find a
| way to do it for a few hundred numbers relatively cheaply.
| People's names and emails are often similar, so you could
| probably figure out an algorithm to give you the most likely
| candidates.
|
| The data is often wrong in interesting ways (I've seen everything
| from deadnames to people's exes they still share a plan with),
| but it is still pretty useful.
| toomuchtodo wrote:
| At least in T-Mobile's customer UX, you can set this to
| whatever you want per line [1]. Have tested by changing line
| CNAM and querying with Twilio number lookup [2]. You're
| supposed to be honest wrt person's name, but it's honor system.
|
| [1]
| https://www.t-mobile.com/support/tutorials/device/app/ios/to...
|
| [2] https://www.twilio.com/code-exchange/lookup
| navigate8310 wrote:
| Why is this not tied to a person's SSN (if possible)?
| miki123211 wrote:
| Why would it be?
|
| The point of that database is to display a recognizable name
| to the people you call, so that they know it's you. A
| recognizable name isn't always the one on your birth
| certificate (particularly in the US). There are also
| businesses, who want their business name there.
| evan_ wrote:
| Is there an accessible database somewhere that would allow
| T-Mobile to get a name from an SSN (or verify that an SSN and
| a name match)?
| bbarnett wrote:
| Why would a phone company know a person's SSN?!
| Gh0stRAT wrote:
| So that they can seamlessly upsell you on upgrading to a
| new phone that you'll pay off in installments over the next
| couple years.
|
| Also, many postpaid plans (like my home ISP) require SSN
| because they are providing you service on credit. Postpaid
| cell phone plans have been the "default" in the US for a
| long time, though prepaid seems to be gaining market share.
| rsync wrote:
| "Querying that database isn't free, but you could probably find
| a way to do it for a few hundred numbers relatively cheaply."
|
| /usr/local/bin/curl -s -X GET "https://lookups.twilio.com/v1/PhoneNumbers/$number?Type=carrier&Type=caller-name" -u $accountsid:$authtoken | /usr/local/bin/jq '.'
|
| I don't even know what it costs ... maybe a penny per lookup ?
| I forget ...
|
| It also shows carrier and whether it is a mobile or landline,
| etc.
| bunabhucan wrote:
| All this hassle using different email addresses for each service
| and a Google Voice number was worth it.
| dang wrote:
| Related:
|
| _Email to Phone Number Osint Tool_ -
| https://news.ycombinator.com/item?id=30476792 - Feb 2022 (2
| comments)
| shivz45 wrote:
| Oh I tried this technique just now to confirm one scammer's real
| phone number details.
|
| Paypal here again
| RecycledEle wrote:
| The author ignores number portability. Just because I currently
| live in a city and have AT&T does not mean they issued my phone
| number.
| 1nd1ansumm3r wrote:
| Fun to see this issue get talked about. Anecdote: I bought some
| car parts from a semi-scammer. Not a full-on scam but the guy
| wouldn't ship the complete order even though he had my money for
| several weeks. We had communicated on a few different platforms.
| Each platform offered up a little piece of his identity. Last
| four of this. First four of that. It was enough to piece it all
| together.
| I gave him a call at his place of employment which
| happened to be in the exact same industry as the parts that were
| being sold. I asked him to ship the parts and casually asked if
| his employer was involved in the sale. He perked right up and the
| next day he shipped everything I had bought and a few extras.
| dotBen wrote:
| So what you are saying is you knowingly participated in receipt
| of stolen goods - upon reasonable suspicion he didn't own the
| goods being sold, you encouraged him to send you more of them.
|
| I mean, you'll disagree with that characterization I'm sure,
| but read what you wrote again...
| wizerdrobe wrote:
| He easily could have bought parts for a better price seeing
| as he has the hook-up through his employer.
|
| Without further detail none of us can know the results.
| Calling someone a thief is a bit of a move...
| cooper_ganglia wrote:
| I read it multiple times and fail to understand this
| interpretation at all. Even in context, I don't see even a
| drop of "reasonable suspicion".
|
| Is it a possibility that the goods were stolen? I suppose,
| but that's the case with literally anything you purchase
| online. I wouldn't have even thought twice about it. I bought
| stuff, you didn't send me stuff, so now I'm upset and want
| you to send me my stuff.
| romwell wrote:
| Why assume that person was stealing anything from the
| employer, rather than simply being a shitty reseller that
| only ships when they get a good discount from working in the
| industry.
|
| A call like that can incentivize them to buy at full price
| and sell at a loss when their inventory is lacking.
| jmprspret wrote:
| Yeah? Sounds pretty badass to me
| MR4D wrote:
| They could also have been counterfeit or substandard.
|
| Not saying you're wrong (because I think you're right), but
| there are other scenarios here, so from a theft perspective,
| the OP would be not guilty.
| 1nd1ansumm3r wrote:
| Explain the knowingly part.
| I never suspected he did not own
| them or that they were stolen. Just knew that he took my
| money and didn't ship a complete order.
| m463 wrote:
| sounds more like he was competing against his employer
| pengaru wrote:
| It's not like it's uncommon for folks to leverage employee
| discounts as arbitrage opportunities for a side hustle. Maybe
| it violates their terms of employment since they're competing
| with their employer, but it's not stolen goods.
| 1nd1ansumm3r wrote:
| I re-read this, not to fire back but to understand how you
| arrive at your conclusion. I think you are interpreting (or
| assuming maybe), from when I asked about his employer, that I
| suspected he stole the parts from his employer. That's not the
| case at all. I just needed a pressure point.
| dools wrote:
| As an Australian I can only ever recall seeing the last 2 or 3
| digits of my mobile number. The first 2 digits of all mobile
| numbers are the same and you can't send text messages to
| landlines.
| BHSPitMonkey wrote:
| "Good morning class. A certain agitator, for privacy's sake let's
| call her Lisa S... No, that's too obvious. Let's say L. Simpson."
___________________________________________________________________
(page generated 2023-11-16 23:00 UTC)