[HN Gopher] From email to phone number, a new OSINT approach (2019)
___________________________________________________________________
From email to phone number, a new OSINT approach (2019)
Author : Luc
Score : 187 points
Date : 2023-11-16 15:20 UTC (7 hours ago)
(HTM) web link (www.martinvigo.com)
(TXT) w3m dump (www.martinvigo.com)
| hipadev23 wrote:
| Great technique for those VCs who think they can just ignore my
| emails
| xhkkffbf wrote:
| This kind of uncoordinated leaking is a deeper problem. Many
| share the last four digits of a SS#. Okay. But often the first
| five are easy to guess from the birthday and the birth state. The
| first few digits tell the state where the number was issued.
| swozey wrote:
| Hell, a lot of people have a last 4 digits that is literally just
| their mother's birth year.
| myself248 wrote:
| Last four of their SSN? That makes no sense, those digits are
| sequentially assigned at the issuing office.
| swozey wrote:
| Yes, last four. Don't ask me how I know.. Might be a "born
| on base" thing but it's no coincidence.
| evan_ wrote:
| It is a coincidence. You have a 1-in-10000 chance of
| getting any 4 digit number and they assign 5.5M a year,
| so we can expect that 550 people get their mother's year
| of birth every year. You just happened to get 1961.
|
| (Total guess but how cool would it be if I was right?)
| swozey wrote:
| I have a REALLY hard time believing that but I've never
| looked into it. Like you said, 550 people a year get it.
| I just happened to be in the 0.01%? I should be luckier,
| lol.
|
| https://www.quora.com/What-are-the-odds-that-your-
| birthday-i...
| birdman3131 wrote:
| Only for ones issued prior to 2011. While this encompasses any
| current adult it is something to keep note of.
| hotnfresh wrote:
| The core problem is that we have an utterly idiotic system in
| which knowing a nine-digit number lets you do any harm
| whatsoever.
|
| We have all the worst parts of a proper national ID system--
| tracking and data gathering by government and other large
| organizations isn't hindered a bit, and we're required to
| engage with our ad-hoc national ID system all the time for
| anything important--but none of the benefits.
|
| Tons of suffering and wasted time, for no damn reason.
| swozey wrote:
| lol
|
| > Paypal, which displays five digits including area code to
| anyone knowing the email address (but only three if the attacker
| knows the target's password), decided this is working as designed
| and will not take action.
|
| Wild.
|
| Does anyone know how scammers are getting numbers off of
| LinkedIn? Or correlating them to numbers from elsewhere? I know a
| company whose employees are constantly getting fake CEO texts.
| DalasNoin wrote:
| I just realized this is from 2019 and confirmed this literally
| still works on PayPal. SMH
| RecycledEle wrote:
| An objective observer would conclude PayPal only exists to
| cause security problems.
|
| I once called PayPal to report an "your account is suspended"
| phishing email and they angrily told me to follow the
| directions in the email.
| josephg wrote:
| My sister got married and changed her surname. PayPal has
| inexplicably also changed my surname to my sister's new
| surname.
|
| I can't for the life of me figure out why, or why they
| would do that without notifying me. At least no good
| reason. It's the strangest thing.
|
| I haven't even fixed it. I just stopped using PayPal
| because I don't trust them any more.
| jwally wrote:
| Can someone summarize this?
|
| I think the site is struggling with traffic and I'm getting
| 503'd...
| Techbrunch wrote:
| Martin Vigo's article discusses the security vulnerabilities in
| password reset options for various websites and how these can
| lead to the exposure of personal phone numbers. Vigo highlights
| that during a password reset process, websites often partially
| reveal the user's phone number. This partial display varies
| across websites; some show the last four digits, others the
| first, and so on. By initiating password resets across
| different sites, one can potentially piece together most of the
| digits of a phone number just from an email address.
| _the_inflator wrote:
| Awesome TLDR;
|
| Thx!
| jasonjayr wrote:
| ... just an email address, and publicly available information
| on the phone numbering system assignments + strategies.
| swozey wrote:
| Basically what they did was do password reset processes at a
| bunch of different services like PayPal, LastPass, eBay..
| yadda yadda. He found that they all display different portions
| of a phone number. PayPal, being the worst, shows someone
| starting the reset process 5 digits. Most showed 2 or 3 but
| different portions.
|
| So what he then did was essentially merge/correlate that data
| along with the area code and "exchange" (the part of number
| after area code) from sources like
| https://www.nationalnanpa.com/
|
| Then he has a python script that queries (not sure how, I didn't
| read the code, I'm assuming NOT through an API but who knows)
| the aforementioned services and somehow determines the
| likelihood of a number out of several hundreds being registered
| to an email or not. I kind of dozed off at the end so I can't
| explain that part very well.
|
| edit: Why am I getting downvoted? This is literally what the
| blog is. My other comment is at the top.. lol. What a waste of
| my time giving an explanation. Y'all like that low detail
| TechBrunch ChatGPT explanation more? Wild.
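The two summaries above (Techbrunch's and swozey's) describe the core of the post: each reset screen hides a phone number differently, so the revealed portions from several sites can be unioned. The following is an added example, not code from Martin Vigo's post, his tool, or any service named in the thread. It shows the union arithmetic a defender would run to assess exposure, and a single fixed masking policy a site can apply so that its own reset screen contributes as little as possible. The sample number, the site names and the mask patterns are constructed and do not describe any real service; 10-digit NANP numbers are assumed.

```python
"""Added example (not code from Martin Vigo's post, his tool, or any
service named in the thread): how partial phone-number masks from
several password-reset screens combine, and one consistent masking
policy a site can apply to limit what it contributes.

Assumptions: numbers are 10-digit NANP numbers (area code, exchange,
subscriber); the sample number and all mask patterns are constructed."""

from typing import Dict, Iterable, List, Optional

# Constructed sample number (the 555 prefix is reserved for fiction).
SAMPLE_NUMBER = "5551234567"

# Constructed reset-screen patterns: 'd' reveals a digit, '*' hides it.
# Invented to illustrate "each site shows a different portion"; they
# do not describe any named service.
SITE_PATTERNS: Dict[str, str] = {
    "site_a": "******dddd",   # last four subscriber digits
    "site_b": "dd********",   # first two digits of the area code
    "site_c": "***dd*****",   # first two digits of the exchange
}


def apply_mask(number: str, pattern: str) -> str:
    """Return the string a reset screen would show under `pattern`."""
    if len(number) != len(pattern):
        raise ValueError("number and pattern must have the same length")
    return "".join(n if p == "d" else "*" for n, p in zip(number, pattern))


def combine_displays(displays: Iterable[str]) -> str:
    """Merge masked displays of one number: a position is known as soon
    as any display reveals it. Conflicting digits mean the displays are
    not of the same number (or one source is wrong)."""
    merged: Optional[List[str]] = None
    for shown in displays:
        if merged is None:
            merged = list(shown)
            continue
        if len(shown) != len(merged):
            raise ValueError("displays must have the same length")
        for i, ch in enumerate(shown):
            if ch == "*":
                continue
            if merged[i] not in ("*", ch):
                raise ValueError(f"conflicting digit at position {i}")
            merged[i] = ch
    return "".join(merged or [])


def exposure(number: str, patterns: Dict[str, str]) -> Dict[str, object]:
    """Defender-side assessment: given the masks a set of sites use,
    how much of `number` is recoverable and how many candidates remain."""
    merged = combine_displays(apply_mask(number, p) for p in patterns.values())
    unknown = merged.count("*")
    return {
        "merged": merged,
        "unknown_digits": unknown,
        "candidates": 10 ** unknown,   # each hidden digit is one of 10
    }


# Consistent policy: reveal only the last two digits, the same on every
# channel and whether or not the requester already knows the password
# (the thread notes PayPal varies the amount shown by that condition).
POLICY_PATTERN = "********dd"


def mask_for_reset_screen(number: str) -> str:
    """Apply the site's own policy. A site cannot control what other
    sites reveal, but a small, fixed suffix adds little to the union."""
    return apply_mask(number, POLICY_PATTERN)


def policy_within_limit(pattern: str, max_revealed: int) -> bool:
    """Check a mask pattern against a reveal budget (e.g. as a CI test)."""
    return pattern.count("d") <= max_revealed


if __name__ == "__main__":
    print("union of three constructed masks:", exposure(SAMPLE_NUMBER, SITE_PATTERNS))
    print("policy output:", mask_for_reset_screen(SAMPLE_NUMBER))
    print("policy within 2-digit budget:", policy_within_limit(POLICY_PATTERN, 2))
```

With the three constructed patterns the union leaves only two digits unknown, i.e. 100 candidates, which is the "number out of several hundred" situation the summaries describe; the policy function shows the other side, a site whose screen never reveals more than a fixed two-digit suffix regardless of who is asking.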
| Luc wrote:
| https://web.archive.org/web/20231116163937/https://www.marti...
| egberts1 wrote:
| LOL! DOA!
|
| Next: Signal app, method
| fudged71 wrote:
| @dang please append (2019) to the title
| Luc wrote:
| Fair enough, I did so.
| SpaceLawnmower wrote:
| One thing I've always wondered is how security researchers feel
| justified in releasing tools like the one in this blog post to
| the public. I can almost certainly say that the number of bad or
| creepy uses for an automated email to phone number generating
| tool massively outweighs the good reasons for having one. Does he
| get a pass because he's doing this for "research" and it's a grey
| area anyways? Does he feel better because he talked to the
| companies who exposed the vulnerability and it's neutered now?
| dj_mc_merlin wrote:
| I think there's a good ethical argument for releasing the
| knowledge, not so much the tool. I think the open secret is
| that most people who go into cybersecurity do so because they
| enjoy breaking security through clever methods rather than
| actually helping others stay secure.. but security research is
| legal and hacking random targets isn't.
| viccis wrote:
| I'm in the security industry, and this is absolutely correct.
| There are definitely many who carefully release PoCs when
| appropriate (giving vendors enough time to patch, etc.), but
| a LOT of these tool releases are done mostly to show off how
| smart we are and get clout. You see this big time every
| summer, as researchers all scramble to get a Defcon tool talk
| slot with some new thing they wrote, before immediately
| abandoning it post-con.
|
| Obviously, it's not like anything can or should be done to
| change this, as it's mostly just human nature, and keeping
| the security industry capable of operating legally and in the
| open is paramount. But sometimes people just wanna brag. And
| they get big mad about it and sputter about how literally any
| possible end justifies literally any actual means if you
| point it out (see: the other person responding to the top
| level comment lol)
| pmarreck wrote:
| > I can almost certainly say that the number of bad or creepy
| uses for an automated email to phone number generating tool
| massively outweighs the good reasons for having one
|
| Meanwhile, I can almost certainly say that the number of ways
| to bury your head in the sand instead of simply facing an
| uncomfortable problem massively outweighs the good reasons for
| doing so anyway.
|
| A person who is in need of money and lacking in empathy will
| not fail to use any technique available and it is thus good to
| know the defenses of that or at least be aware of it.
|
| "Creepy" arguments (appeals to shame or disgust) are fallacies.
|
| Security researcher types are well aware of the good-actor
| motivations behind white-hat-hackerdom. Is it wrong that I can
| buy a book on lockpicking? Would I be seen by some as a bad
| parent if I taught it to my kid when he expressed curiosity
| about it?
| SpaceLawnmower wrote:
| I think knowing that this is a vulnerability is fine. The
| tool is what I take issue with.
|
| I mean creepy as in a violation of a right to privacy. I
| don't consent to you knowing my phone number or any PII I put
| into private websites.
|
| It's a lot easier to get caught lockpicking and it has some
| legitimate uses. This is more like an autopicking machine imo.
| itslennysfault wrote:
| I think the idea is to highlight the bad security practices
| that allow this in hopes that these companies patch these holes
| (in this case reduce leaked data in the password reset
| process).
|
| A GREAT example of this was when Firesheep forced Facebook (and
| countless other sites) into embracing https. Firesheep was a
| firefox plugin that anyone could run on a public wifi (e.g.
| coffee shop) and instantly start getting the passwords of
| anyone on the same network that logged in to anything over
| http. At the time Facebook was http by default. So, it made the
| news and forced Facebook to make https required basically
| overnight. Many other companies followed suit, and it's likely
| fair to say that the release of that plugin single-handedly
| accelerated https adoption by a considerable margin.
|
| I don't know that this release will be that impactful, but it's
| certainly better than having this be a technique that only
| black hats know about.
| Eisenstein wrote:
| > I don't know that this release will be that impactful
|
| It was released in 2019 and it is still going on, so
| unfortunately it wasn't.
| lainga wrote:
| The difference between 2010 (firesheep) and now is about
| $100B of regulatory capture. That $BIGCO is not this $BIGCO.
| kurikuri wrote:
| When arguing with an executive on why their company's security
| posture needs to be updated, there is nothing quite as
| effective as an off the shelf demo.
| nbk_2000 wrote:
| Similarly to how journalists feel justified in stories that
| have negative repercussions for some parties being reported
| upon. One way of assessing these decisions is answering the
| question "Is more harm done than good by releasing this
| information to the public?"
|
| From my perspective, I'm happy that Martin Vigo released this
| information (in 2019) as it helped me inform my employers (and
| now my clients) of additional threat model vectors to consider
| before deciding how to best perform password resets.
|
| Also in his defense: 1) He originally released a rather
| crippled form of the PoC; 2) It requires a Twilio account, which
| raises the barrier to entry and provides a data point for
| analysts were the tool to be used criminally.
| wolverine876 wrote:
| > Similarly to how journalists feel justified in stories that
| have negative repercussions for some parties being reported
| upon. One way of assessing these decisions is answering the
| question "Is more harm done than good by releasing this
| information to the public?"
|
| That method leads to the worst evils in the world. Many have
| concluded, or used it to justify everything from, 'it's ok to
| take these poor people's land and give it to megacorp,
| because we'll get a factory' to 'it's ok to silence these
| journalists because it's for the public good' to 'it's ok to
| kill my enemies because I think they are bad' to 'it's ok to
| commit genocide against this group because the world will be
| better off without them'.
|
| Who am I, or who are you, to decide what is good or bad, or
| how good or bad, or to weigh those things for others? Beyond
| our obvious cognitive limitations (as humans, we are too
| flawed cognitively and morally to make judgments for others)
| and lack of legitimacy (who elected us?), there is our
| obvious bias - 'good' is what is good from our perspective,
| based on our biases, subject to our ignorance of others.
|
| That's why human rights exist: It's their right and you can't
| make that decision for them; it's up to the person involved.
| If you think their land, etc. is so important, then ask them
| - it's up to them whether they want to do it. They have
| property rights, speech rights, etc. and nobody can abridge
| them, and in the limited circumstances where they can be
| abridged, there is a whole infrastructure of legitimacy
| (democracy), protection from corruption (separation of
| powers, juries, etc.), process (law, due process).
| 867-5309 wrote:
| eh?
| boznz wrote:
| The bad guys know these and a million more exploits already so
| personally I'm fine with these guys exposing the industries
| dirty laundry especially if it shames them into doing
| something. There is also no defense from the company that they
| did not know when it comes to legal action.
| saltminer wrote:
| > If it is a requirement, consider using a virtual number like
| Google Voice or even a dedicated SIM that you only use for this
| purpose and never give the number away.
|
| For the second SIM option, that requires a dual-SIM device, which
| are still fairly niche in the US.
|
| When it comes to VOIP numbers, unfortunately, many sites look up
| phone numbers and block VOIP providers, which sucks because
| Android still has no good way of sending/receiving carrier texts
| on the desktop (and before someone suggests the Google Messages
| web interface, it "forgets" my device too often for me to take it
| seriously). Occasionally, this can create a catch 22, where the
| VOIP blocking is implemented after the fact and prevents you from
| ever using the account again because the VOIP blocking was also
| implemented on the SMS 2FA.
|
| And then there's services which don't even bother to check if
| they can actually reach a number before accepting it. Harris
| Teeter pharmacies, for example, will happily accept a VOIP
| number, but their system is unable to call or text VOIP numbers,
| so you never get your prescription notices. (And I'd bet this
| applies to all Kroger brands since they share a lot of systems.)
| stephenr wrote:
| > For the second SIM option, that requires a dual-SIM device
|
| Or a device that supports an eSIM, which is every iPhone since
| 2018, for starters.
| aidenn0 wrote:
| The eSIM is going to be more expensive than a regular SIM
| since no MVNO I'm aware of in the US supports eSIMs
| sneak wrote:
| Mint.
| stephenr wrote:
| I'm also _not aware of any_ but that's less about whether
| they're actually available and almost entirely because, like
| 7.6 billion other people, I don't live in the US.
| aidenn0 wrote:
| Considering how we were talking about how dual-SIM phones
| are niche _in the US_ , I think my comment was rather
| relevant.
| stephenr wrote:
| Dual-sim phones aren't just a niche in the US either.
|
| But regardless: using your existing 5 year old iPhone
| with an eSIM that isn't "cheap" is still going to be
| cheaper than buying a new dual-sim phone.
| piperswe wrote:
| Almost all of them do now, since iPhones don't have SIM
| card slots in the US anymore.
| aidenn0 wrote:
| Thanks. Apparently my info was out-of-date; I last
| checked in early 2022.
| caturopath wrote:
| I use Visible and Mint via eSIM
| guru4consulting wrote:
| I guess dual SIM is different from having eSIM+physical SIM.
| Dual SIM typically allows both SIMs/phone-numbers to be
| active and when you receive a call, you will know which
| number is being called. With eSIM+physical SIM card, only one
| can be active at a time. The other has to be disabled. At
| least, this is what I found few years back.
| piperswe wrote:
| I know that iPhones with SIM+eSIM can have both active at
| the same time, and iPhones with just eSIM can have two
| eSIMs active.
| josephg wrote:
| Yeah I found this out the hard way when travelling
| recently. There are some great apps that let you buy
| cheap data-only eSIMs in dozens of countries. You can
| even buy an eSIM before you travel. It's crazy convenient
| and much cheaper than roaming fees.
|
| My girlfriend could keep her home phone line enabled
| while using the eSIM but I couldn't, even though we have
| the same model of phone! Turns out her home line uses a
| physical sim, but mine is set up using an eSIM and the
| iPhone 12 can only have 1 eSIM enabled at a time. You can
| do 1 physical + 1 eSIM, but not 2 esims.
|
| I couldn't get texts or calls from home without noodling
| with my phone settings each time. And FaceTime kept
| enrolling and unenrolling my number.
| darkwater wrote:
| Nope, eSIM plus physical SIM in an iPhone or in a Pixel or
| any other phone work just like 2 physical SIMs. It's been
| supported in mainstream Android for a few years now.
| Previously it was supported only on devices with 2 slots
| and each vendor had their flavor in Android.
| pnw wrote:
| eBay doesn't block Google voice numbers. The only site which
| seems to is Discord in my experience.
|
| Personally I prefer to use a non-obvious dedicated email per
| account e.g. ebpnw@mydomain.com, so the attacker has to guess
| the email as well.
| thedaly wrote:
| > Personally I prefer to use a non-obvious dedicated email
| per account e.g. ebpnw@mydomain.com, so the attacker has to
| guess the email as well.
|
| Should I stop doing my obvious, i.e. hackernews@mydomain.com,
| account emails?
| Sardtok wrote:
| If you want to increase your security, generate a random
| string for the "account" name.
|
| If you are using a password manager, then this shouldn't be
| too difficult.
|
| It can be a hassle when registering for something in
| person, though.
| pavon wrote:
| I broke down and bought a prepaid SIM and a small dumb phone
| which I use solely for 2FA. It's about the same size as old-school
| 2FA systems like crypto cards. My original motivation in
| getting it was my wife was always taking my real phone to get
| security codes for some shared accounts (on sites that don't
| have an option for linked accounts). But I also like that it
| provides small OPSEC improvements over using my real telephone
| number.
| marklar423 wrote:
| That's a great idea for a shared 2FA device
| earthscienceman wrote:
| If you're a Linux user, "KDE Connect" is actually by far the
| best desktop interface for texting and more. It's changed how
| my phone and my laptop interact and I think might be my
| favorite open source project. You can use your laptop as a
| keyboard, reply to messages from any app that sends a
| notification, and so much more. The file sending functionality
| is also far better (and faster) than anything else I've used.
| It's everything open source software should be.
| pmarreck wrote:
| Keeping a phone number secret is "security by obscurity" and
| therefore the whole point of this article is rather moot.
| realusername wrote:
| Not completely, when you have the email + the phone number, you
| can make much more sophisticated phishing attempts
| miki123211 wrote:
| There's one missing piece in that article, and it's the CNAM
| database (US only).
|
| CNAM is the database that carriers use to give you alphanumeric
| caller ID ("SMITH JOHN" instead of "+1 (555) 123-4567"). Many
| carriers don't display this data as far as I believe, but most of
| them make it available.
|
| Querying that database isn't free, but you could probably find a
| way to do it for a few hundred numbers relatively cheaply.
| People's names and emails are often similar, so you could
| probably figure out an algorithm to give you the most likely
| candidates.
|
| The data is often wrong in interesting ways (I've seen everything
| from deadnames to people's exes they still share a plan with),
| but it is still pretty useful.
| toomuchtodo wrote:
| At least in T-Mobile's customer UX, you can set this to
| whatever you want per line [1]. Have tested by changing line
| CNAM and querying with Twilio number lookup [2]. You're
| supposed to be honest wrt person's name, but it's honor system.
|
| [1]
| https://www.t-mobile.com/support/tutorials/device/app/ios/to...
|
| [2] https://www.twilio.com/code-exchange/lookup
| navigate8310 wrote:
| Why is this not tied to a person's SSN (if possible)?
| miki123211 wrote:
| Why would it be?
|
| The point of that database is to display a recognizable name
| to the people you call, so that they know it's you. A
| recognizable name isn't always the one on your birth
| certificate (particularly in the US). There are also
| businesses, who want their business name there.
| evan_ wrote:
| Is there an accessible database somewhere that would allow
| T-Mobile to get a name from an SSN (or verify that an SSN and
| a name match)?
| bbarnett wrote:
| Why would a phone company know a person's SSN?!
| Gh0stRAT wrote:
| So that they can seamlessly upsell you on upgrading to a
| new phone that you'll pay off in installments over the next
| couple years.
|
| Also, many postpaid plans (like my home ISP) require SSN
| because they are providing you service on credit. Postpaid
| cell phone plans have been the "default" in the US for a
| long time, though prepaid seems to be gaining market share.
| rsync wrote:
| "Querying that database isn't free, but you could probably find
| a way to do it for a few hundred numbers relatively cheaply."
| /usr/local/bin/curl -s -X GET \
|   "https://lookups.twilio.com/v1/PhoneNumbers/$number?Type=carrier&Type=caller-name" \
|   -u "$accountsid:$authtoken" | /usr/local/bin/jq '.'
|
| I don't even know what it costs ... maybe a penny per lookup ?
| I forget ...
|
| It also shows carrier and whether it is a mobile or landline,
| etc.
| bunabhucan wrote:
| All this hassle using different email addresses for each service
| and a Google voice number was worth it.
| dang wrote:
| Related:
|
| _Email to Phone Number Osint Tool_ -
| https://news.ycombinator.com/item?id=30476792 - Feb 2022 (2
| comments)
| shivz45 wrote:
| Oh i tried this technique just now to confirm one scammer's real
| phone number details.
|
| Paypal here again
| RecycledEle wrote:
| The author ignores number portability. Just because I currently
| live in a city and have AT&T does not mean they issued my phone
| number.
| 1nd1ansumm3r wrote:
| Fun to see this issue get talked about. Anecdote: I bought some
| car parts from a semi-scammer. Not a full-on scam but the guy
| wouldn't ship the complete order even though he had my money for
| several weeks. We had communicated on a few different platforms.
| Each platform offered up a little piece of his identity. Last
| four of this. First four of that. It was enough to piece it all
| together. I gave him a call at his place of employment which
| happened to be in the exact same industry as the parts that were
| being sold. I asked him to ship the parts and casually asked if
| his employer was involved in the sale. He perked right up and the
| next day he shipped everything I had bought and a few extras.
| dotBen wrote:
| So what you are saying is you knowingly participated in receipt
| of stolen goods - upon reasonable suspicion he didn't own the
| goods being sold, you encouraged him to send you more of them.
|
| I mean, you'll disagree with that characterization I'm sure,
| but read what you wrote again...
| wizerdrobe wrote:
| He easily could have bought parts for a better price seeing
| as he has the hook-up through his employer.
|
| Without further detail none of us can know the results.
| Calling someone a thief is a bit of a move...
| cooper_ganglia wrote:
| I read it multiple times and fail to understand this
| interpretation at all. Even in context, I don't see even a
| drop of "reasonable suspicion".
|
| Is it a possibility that the goods were stolen? I suppose,
| but that's the case with literally anything you purchase
| online. I wouldn't have even thought twice about it. I bought
| stuff, you didn't send me stuff, so now I'm upset and want
| you to send me my stuff.
| romwell wrote:
| Why assume that person was stealing anything from the
| employer, rather than simply being a shitty reseller that
| only ships when they get a good discount from working in the
| industry.
|
| A call like that can incentivize them to buy at full price
| and sell at a loss when their inventory is lacking.
| jmprspret wrote:
| Yeah? Sounds pretty badass to me
| MR4D wrote:
| They could also have been counterfeit or substandard.
|
| Not saying you're wrong (because I think you're right), but
| there are other scenarios here, so from a theft perspective,
| the OP would be not guilty.
| 1nd1ansumm3r wrote:
| Explain the knowingly part. I never suspected he did not own
| them or that they were stolen. Just knew that he took my
| money and didn't ship a complete order.
| m463 wrote:
| sounds more like he was competing against his employer
| pengaru wrote:
| It's not like it's uncommon for folks to leverage employee
| discounts as arbitrage opportunities for a side hustle. Maybe
| it violates their terms of employment since they're competing
| with their employer, but it's not stolen goods.
| 1nd1ansumm3r wrote:
| I re-read this, not to fire back but to understand how you
| arrive at your conclusion. I think you are interpreting (or
| assuming maybe), from when I asked about his employer, that I
| suspected he stole the parts from his employer. That's not the
| case at all. I just needed a pressure point.
| dools wrote:
| As an Australian I can only ever recall seeing the last 2 or 3
| digits of my mobile number. The first 2 digits of all mobile
| numbers are the same and you can't send text messages to
| landlines.
| BHSPitMonkey wrote:
| "Good morning class. A certain agitator, for privacy's sake let's
| call her Lisa S... No, that's too obvious. Let's say L. Simpson."
___________________________________________________________________
(page generated 2023-11-16 23:00 UTC)