Fun to see this issue get talked about. Anecdote: I bought some car parts from a semi-scammer. Not a full-on scam but the guy wouldn't ship the complete order even though he had my money for several weeks. We had communicated on a few different platforms. Each platform offered up a little piece of his identity. Last four of this. First four of that. It was enough to piece it all together.
I gave him a call at his place of employment which happened to be in the exact same industry as the parts that were being sold. I asked him to ship the parts and casually asked if his employer was involved in the sale. He perked right up and the next day he shipped everything I had bought and a few extras.
I re-read this, not to fire back but to understand how you arrive at your conclusion. I think you are interpreting (or assuming maybe), from when I asked about his employer, that I suspected he stole the parts from his employer. That's not the case at all. I just needed a pressure point.
From a legal standpoint blackmail requires the "receipt of money or valuable thing". Because the thing being received is an even exchange of goods already agreed to by both parties, and the threat on not receiving is not an illegal action in itself, it is not likely or plausibly blackmail.
I read it multiple times and fail to understand this interpretation at all. Even in context, I don’t see even a drop of “reasonable suspicion”.
Is it a possibility that the goods were stolen? I suppose, but that’s the case with literally anything you purchase online. I wouldn’t have even thought twice about it. I bought stuff, you didn’t send me stuff, so now I’m upset and want you to send me my stuff.
A more reasonable interpretation is that he was attempting to steal goods or time from the customer by dragging his feet on shipping; 'sorry, item is backordered' often results in the sale being lost, and salespeople are known for sometimes making promises to close deals, without regard to whether they can actually deliver.
Explain the knowingly part. I never suspected he did not own them or that they were stolen. Just knew that he took my money and didn't ship a complete order.
It's not like it's uncommon for folks to leverage employee discounts as arbitrage opportunities for a side hustle. Maybe it violates their terms of employment since they're competing with their employer, but it's not stolen goods.
Why assume that person was stealing anything from the employer, rather than simply being a shitty reseller that only ships when they get a good discount from working in the industry?
A call like that can incentivize them to buy at full price and sell at a loss when their inventory is lacking.
There's one missing piece in that article, and it's the CNAM database (US only).
CNAM is the database that carriers use to give you alphanumeric caller ID ("SMITH JOHN" instead of "+1 (555) 123-4567"). Many carriers don't display this data as far as I believe, but most of them make it available.
Querying that database isn't free, but you could probably find a way to do it for a few hundred numbers relatively cheaply. People's names and emails are often similar, so you could probably figure out an algorithm to give you the most likely candidates.
The data is often wrong in interesting ways (I've seen everything from deadnames to people's exes they still share a plan with), but it is still pretty useful.
At least in T-Mobile's customer UX, you can set this to whatever you want per line [1]. Have tested by changing line CNAM and querying with Twilio number lookup [2]. You're supposed to be honest wrt person's name, but it's honor system.
The point of that database is to display a recognizable name to the people you call, so that they know it's you. A recognizable name isn't always the one on your birth certificate (particularly in the US). There are also businesses, who want their business name there.
As a Brit expat and US resident (since 2012), T-Mobile got my SSN when I signed up for my pre-paid first mobile phone plan in 2012. Paying $50/mo was quite a shock when equivalent (or rather: far superior) service was available in the UK on a PAYG (not even pre-paid!) basis for £10/mo.
...and now I'm on a $110/mo postpaid plan because eventually you get tired of the limitations and just grin-and-bear-it.
So that they can seamlessly upsell you on upgrading to a new phone that you'll pay off in installments over the next couple years.
Also, many postpaid plans (like my home ISP) require SSN because they are providing you service on credit. Postpaid cell phone plans have been the "default" in the US for a long time, though prepaid seems to be gaining market share.
We are kind of assuming a lot when a $100 a month account obviously requires a credit check.
They require a SSN because people don't care and it makes it cheaper to offer the accounts, not because it would actually be a big problem to sell internet service without credit checks.
The credit checks, the carriers would tell you, are to try to protect them against people who sign up for service with a "free" phone on a 3 year commitment (phone paid for in part by 36 installments of credits) and then they stop paying the bill. Sure the phone will be blacklisted and remain SIM-locked, but could still be used on Wi-Fi and either way the carrier can't have it back and is therefore out their cost of the phone.
Now, as for why they still do the same credit checks when you bring your own phone, I suspect "Because F you, that's why" is the gist of it.
I use my real name as my email (as many of us do). And my phone number is publicly listed in many phonebooks. In Sweden it's standard practice for everyone to have their address and phone number searchable unless you opt out. Basically what used to be in the phone books in the 80s (which was everyone) just moved online in the 90s, so now everyone's address and phone number is publicly searchable. This can be really useful, but of course it can be used for evil as well.
But one of the really positive things about having so much "public PII" (SSNs, addresses, phone numbers, birthdays) is that people don't have to treat this information as some sort of secret. Everyone needs proper ID and eID because knowing someone's digits doesn't make it any easier to impersonate them.
If someone wants my phone number, they take my email which has first and last name, go to any of the N search sites and they find 100 people sharing my first and last name. If they know a city and approximate age (which they can easily get from a social platform) they can narrow it down to just a couple of people. Public records then show my birthday, my cars, my income, who is also registered at the address, and so on. It's not difficult doing OSINT in Sweden...
> Paypal, which displays five digits including area code to anyone knowing the email address (but only three if the attacker knows the target’s password), decided this is working as designed and will not take action.
Wild.
Does anyone know how scammers are getting numbers off of LinkedIn? Or correlating them to numbers from elsewhere? I know a company whose employees are constantly getting fake CEO texts.
Is it possible you had the "Edit your details" page open and your web-browser "helpfully" auto-filled the form with her details and you submitted the form without noticing?
It gets worse: there's a lot of web-apps out there (both SSRs and SPAs) with <form> elements for personal details which are in the DOM, but "hidden" by doing tricks like `position: absolute; left: -99999px` inside a div with `overflow: hidden` (instead of doing something like `display: none;`) - or have the form hidden by using a z-index behind some curtain/cover element - and I've seen browsers auto-fill those fields and they get POSTed and cause a data overwrite on the server without the user being aware.
It's a fun way to steal PII from people: have a random public webpage that contains a registration form with all kinds of personal details, but has HTML+CSS such that it's visually obscured from the user, while the browser thinks it's a fully visible form, and simply let the browser autofill it and submit it using JS (getting around the "user must interact with the page" filter by binding it to a big pink button that says "click here to see dancing bunnies!").
Uh, I don't think so. We don't live together and we don't share computers.
It's strange that PayPal would even consider our accounts associated in any way. I wonder if she put a support ticket in to change her name and they changed mine too because we shared the same surname? Does PayPal know we're related somehow, or did they just change another random account with our surname when they changed her name, and happened to get her brother? The more I think about it the more questions I have.
"Does anyone know how scammers are getting numbers off of LinkedIn?"
They probably have their phone number visible on their profile, or they have an email and the scammer found the number on another platform (like Facebook).
> If it is a requirement, consider using a virtual number like Google Voice or even a dedicated SIM that you only use for this purpose and never give the number away.
For the second SIM option, that requires a dual-SIM device, which are still fairly niche in the US.
When it comes to VOIP numbers, unfortunately, many sites look up phone numbers and block VOIP providers, which sucks because Android still has no good way of sending/receiving carrier texts on the desktop (and before someone suggests the Google Messages web interface, it "forgets" my device too often for me to take it seriously). Occasionally, this can create a catch 22, where the VOIP blocking is implemented after the fact and prevents you from ever using the account again because the VOIP blocking was also implemented on the SMS 2FA.
And then there's services which don't even bother to check if they can actually reach a number before accepting it. Harris Teeter pharmacies, for example, will happily accept a VOIP number, but their system is unable to call or text VOIP numbers, so you never get your prescription notices. (And I'd bet this applies to all Kroger brands since they share a lot of systems.)
If you're a Linux user, "KDE Connect" is actually by far the best desktop interface for texting and more. It's changed how my phone and my laptop interact and I think might be my favorite open source project. You can use your laptop as a keyboard, reply to messages from any app that sends a notification, and so much more. The file sending functionality is also far better (and faster) than anything else I've used. It's everything open source software should be.
A bit late but I had completely forgotten about KDE Connect. Back when I last tried it, it did not filter out spam messages (though maybe Google Messages' spam filtering operates on its own layer and thus spam classifications are not reflected back in the OS SMS store, making it impossible for KDE Connect to know about them). Regardless, I get much less SMS spam these days, so maybe that'll be a viable option once more.
I broke down and bought a prepaid SIM and a small dumb phone which I use solely for 2FA. It's about the same size as old-school 2FA systems like crypto cards. My original motivation in getting it was my wife was always taking my real phone to get security codes for some shared accounts (on sites that don't have an option for linked accounts). But I also like that it provides small OPSEC improvements over using my real telephone number.
I'm also not aware of any but that's less about whether they're actually available and almost entirely because like 7.6 billion other people, I don't live in the US.
I guess dual SIM is different from having eSIM+physical SIM. Dual SIM typically allows both SIMs/phone numbers to be active and when you receive a call, you will know which number is being called. With eSIM+physical SIM card, only one can be active at a time. The other has to be disabled. At least, this is what I found a few years back.
Nope, eSIM plus physical SIM in an iPhone or in a Pixel or any other phone works just like 2 physical SIMs. It's been supported in mainstream Android for a few years now. Previously it was supported only on devices with 2 slots and each vendor had their own flavor in Android.
Yeah I found this out the hard way when travelling recently. There are some great apps that let you buy cheap data-only eSIMs in dozens of countries. You can even buy an eSIM before you travel. It’s crazy convenient and much cheaper than roaming fees.
My girlfriend could keep her home phone line enabled while using the eSIM but I couldn’t, even though we have the same model of phone! Turns out her home line uses a physical SIM, but mine is set up using an eSIM and the iPhone 12 can only have 1 eSIM enabled at a time. You can do 1 physical + 1 eSIM, but not 2 eSIMs.
I couldn’t get texts or calls from home without noodling with my phone settings each time. And FaceTime kept enrolling and unenrolling my number.
I’m currently traveling internationally with an iPhone 12 and I can confirm the single eSIM + single physical SIM limitation. Although, in my case, I'm using a physical international SIM and a US eSIM.
I would love to turn off my US eSIM when not in use (I think it uses more power connected to two cellular networks) but that would require unenrolling my US iMessage number and I can’t do that. Definitely the most annoying part of the whole thing.
I considered using a spare iPhone to host a physical SIM with my US number because that would allow the number to stay bonded with my Apple ID and potentially forward SMS over iCloud, but I decided not to because in my experience the SMS part is too flaky to be relied on.
> but that would require unenrolling my US iMessage number
It nags you but you don't have to agree to remove the number. I routinely replace my SIM card when traveling outside the EU and my iMessage number still works for green-bubble people. I ignore/refuse the phone's occasional suggestions to "update" the number.
Good news, with the elimination of the SIM card slot, they fixed this bug and you can have two eSIMs active with no chance of ever getting a physical travel SIM to work! /s
Bleh, physical SIM swapping when travelling is such a pain. I used travel data-only eSIMs all through the US, Europe and Egypt. All set up through a single app. I didn’t need to talk to dodgy airport phone shop people a single time in 3 months on the road - which, iPhone limitations aside, I consider a massive win.
(I used the Airalo app. No association. It worked great.)
For the five minutes it takes to get a physical SIM card, I'll take the much cheaper and typically faster service I get with local carriers vs eSIM MVNOs.
Bitwarden has a setting for doing exactly this. Create a random email and a random password on the fly during a new service signup.
Also possible to create 2-3 fake Personas in app (Name, DOB, address,…) to scatter your online footprint. Fills forms with the right one at button push.
This kind of uncoordinated leaking is a deeper problem. Many share the last four digits of a SS#. Okay. But often the first five are easy to guess from the birthday and the birth state. The first few digits tell the state where the number was issued.
The core problem is that we have an utterly idiotic system in which knowing a nine-digit number lets you do any harm whatsoever.
We have all the worst parts of a proper national ID system—tracking and data gathering by government and other large organizations isn’t hindered a bit, and we’re required to engage with our ad-hoc national ID system all the time for anything important—but none of the benefits.
Tons of suffering and wasted time, for no damn reason.
Anyone alive today would be born between 1900 and 2023, right?
And their mothers, assuming they were between 13 and 50 when they gave birth, would therefore have been born between 1850 and 2010.
So that's 161 out of 9999 available last-4's (0000 is not used) that could possibly be someone's mother's birth year.
And then, of course, it has to be the right year within that space.
I am guessing this was something that happened to a few folks by chance and then was blown up by people who don't understand how many coincidences can occur across a population of millions.
It is a coincidence. You have a 1-in-10000 chance of getting any 4 digit number and they assign 5.5M a year, so we can expect that 550 people get their mother's year of birth every year. You just happened to get 1961.
(Total guess but how cool would it be if I was right?)
I have a REALLY hard time believing that but I've never looked into it. Like you said, 550 people a year get it. I just happened to be in the 0.01%? I should be luckier, lol.
I made an email randomizer that makes scrambled emails using the "+" feature. So any external service sees "gary+FqZWMK@gmail.com" and it automatically creates an unscrambled folder in my email that takes "FqZWMK" and converts it to the name of the service like "Netflix" or whatever.
What's nice is that I completely control the mapping of ids, so I can make multiple random addresses go to a "one-time" inbox that automatically sends emails to spam after a while.
One thing I've always wondered is how security researchers feel justified in releasing tools like the one in this blog post to the public. I can almost certainly say that the number of bad or creepy uses for an automated email to phone number generating tool massively outweighs the good reasons for having one. Does he get a pass because he's doing this for "research" and it's a grey area anyways? Does he feel better because he talked to the companies who exposed the vulnerability and it's neutered now?
I think the idea is to highlight the bad security practices that allow this in hopes that these companies patch these holes (in this case reduce leaked data in the password reset process).
A GREAT example of this was when Firesheep forced Facebook (and countless other sites) into embracing https. Firesheep was a Firefox plugin that anyone could run on a public wifi (e.g. coffee shop) and instantly start getting the passwords of anyone on the same network that logged in to anything over http. At the time Facebook was http by default. So, it made the news and forced Facebook to make https required basically overnight. Many other companies followed suit, and it's likely fair to say that the release of that plugin single-handedly accelerated https adoption by a considerable margin.
I don't know that this release will be that impactful, but it's certainly better than having this be a technique that only black hats know about.
Similarly to how journalists feel justified in stories that have negative repercussions for some parties being reported upon. One way of assessing these decisions is answering the question "Is more harm done than good by releasing this information to the public?"
From my perspective, I'm happy that Martin Vigo released this information (in 2019) as it helped me inform my employers (and now my clients) of additional threat model vectors to consider before deciding how to best perform password resets.
Also in his defense:
1) He originally released a rather crippled form of the PoC
2) It requires a Twilio account, which raises the barrier to entry and provides a data point for analysts were the tool to be used criminally.
> Similarly to how journalists feel justified in stories that have negative repercussions for some parties being reported upon. One way of assessing these decisions is answering the question "Is more harm done than good by releasing this information to the public?"
That method leads to the worst evils in the world. Many have concluded, or used it to justify everything from, 'it's ok to take these poor people's land and give it to megacorp, because we'll get a factory' to 'it's ok to silence these journalists because it's for the public good' to 'it's ok to kill my enemies because I think they are bad' to 'it's ok to commit genocide against this group because the world will be better off without them'.
Who am I, or who are you, to decide what is good or bad, or how good or bad, or to weigh those things for others? Beyond our obvious cognitive limitations (as humans, we are too flawed cognitively and morally to make judgments for others) and lack of legitimacy (who elected us?), there is our obvious bias - 'good' is what is good from our perspective, based on our biases, subject to our ignorance of others.
That's why human rights exist: It's their right and you can't make that decision for them; it's up to the person involved. If you think their land, etc. is so important, then ask them - it's up to them whether they want to do it. They have property rights, speech rights, etc. and nobody can abridge them, and in the limited circumstances where they can be abridged, there is a whole infrastructure of legitimacy (democracy), protection from corruption (separation of powers, juries, etc.), process (law, due process).
I cannot follow your thread from a security researcher sharing tools to put pressure on an insecure website, to a megacorporation stealing someone's land.
I think there's a good ethical argument for releasing the knowledge, not so much the tool. I think the open secret is that most people who go into cybersecurity do so because they enjoy breaking security through clever methods rather than actually helping others stay secure.. but security research is legal and hacking random targets isn't.
I'm in the security industry, and this is absolutely correct. There are definitely many who carefully release PoCs when appropriate (giving vendors enough time to patch, etc.), but a LOT of these tool releases are done mostly to show off how smart we are and get clout. You see this big time every summer, as researchers all scramble to get a Defcon tool talk slot with some new thing they wrote, before immediately abandoning it post-con.
Obviously, it's not like anything can or should be done to change this, as it's mostly just human nature, and keeping the security industry capable of operating legally and in the open is paramount. But sometimes people just wanna brag. And they get big mad about it and sputter about how literally any possible end justifies literally any actual means if you point it out (see: the other person responding to the top level comment lol)
When arguing with an executive on why their company’s security posture needs to be updated, there is nothing quite as effective as an off the shelf demo.
The bad guys know these and a million more exploits already, so personally I'm fine with these guys exposing the industry's dirty laundry, especially if it shames them into doing something. There is also no defense from the company that they did not know when it comes to legal action.
> I can almost certainly say that the number of bad or creepy uses for an automated email to phone number generating tool massively outweighs the good reasons for having one
Meanwhile, I can almost certainly say that the number of ways to bury your head in the sand instead of simply facing an uncomfortable problem massively outweighs the good reasons for doing so anyway.
A person who is in need of money and lacking in empathy will not fail to use any technique available and it is thus good to know the defenses of that or at least be aware of it.
"Creepy" arguments (appeals to shame or disgust) are fallacies.
Security researcher types are well aware of the good-actor motivations behind white-hat-hackerdom. Is it wrong that I can buy a book on lockpicking? Would I be seen by some as a bad parent if I taught it to my kid when he expressed curiosity about it?
I check GitHub's Trending page for Python projects every day or so. I was a little confused why this repo was trending today, particularly because the note at the top indicates that a lot of the services patched the exploit long ago.
It's interesting to see that this being posted here on Hacker News is presumably enough to push the GitHub repo to the trending page for Python.
As an Australian I can only ever recall seeing the last 2 or 3 digits of my mobile number. The first 2 digits of all mobile numbers are the same and you can't send text messages to landlines.
Basically what they did was do password reset processes at a bunch of different services like PayPal, LastPass, eBay.. yadda yadda. He found that they all display different portions of a phone number. PayPal, being the worst, shows someone starting the reset process 5 digits. Most showed 2 or 3, but different portions.
So what he then did was essentially merge/correlate that data along with the area code and "exchange" (the part of the number after the area code) from sources like https://www.nationalnanpa.com/
Then he has a Python script that queries (not sure how, I didn't read the code; I'm assuming NOT through an API, but who knows) the aforementioned services and somehow determines the likelihood of a number out of several hundred being registered to an email or not. I kind of dozed off at the end so I can't explain that part very well.
edit: Why am I getting downvoted? This is literally what the blog is. My other comment is at the top.. lol. What a waste of my time giving an explanation. Y'all like that low detail TechBrunch ChatGPT explanation more? Wild.
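The merging step described above can be turned into a design-time risk check for a service's own reset page: given the digit positions that several services reveal, how many of a 10-digit number's digits remain unknown once the masks are combined, and how much a single service's mask adds beyond what the others already show. This is an added example, not code from the thread or from the tool being discussed; the masks are constructed, and the NANP digit-range model is a stated simplification.

```python
"""Mask-overlap risk calculator for phone-number partial reveals (added example)."""
import math

LEN = 10  # NANP number: NPA (3) + NXX (3) + line (4)


def parse_mask(mask: str) -> dict[int, str]:
    """'XXX-XXX-1234' -> {6: '1', 7: '2', 8: '3', 9: '4'}; separators ignored."""
    slots = [c for c in mask if c.isdigit() or c == "X"]
    if len(slots) != LEN:
        raise ValueError(f"mask must contain {LEN} digit slots: {mask!r}")
    return {i: c for i, c in enumerate(slots) if c.isdigit()}


def merge_masks(masks: dict[str, str]) -> dict[int, str]:
    """Union of revealed positions across services; conflicting digits are an error."""
    known: dict[int, str] = {}
    for name, mask in masks.items():
        for pos, digit in parse_mask(mask).items():
            if known.get(pos, digit) != digit:
                raise ValueError(f"{name} disagrees with another mask at position {pos}")
            known[pos] = digit
    return known


def alphabet_sizes(known: dict[int, str]) -> list[int]:
    """Candidate digits per position. Simplified NANP model (assumption):
    the first digit of the area code and of the exchange is 2-9, all others 0-9."""
    return [1 if pos in known else (8 if pos in (0, 3) else 10) for pos in range(LEN)]


def residual_space(known: dict[int, str]) -> int:
    """Number of numbers still consistent with everything revealed."""
    return math.prod(alphabet_sizes(known))


def leak_report(masks: dict[str, str]) -> dict:
    known = merge_masks(masks)
    space = residual_space(known)
    return {
        "known_positions": sorted(known),
        "unknown_digits": LEN - len(known),
        "residual_candidates": space,
        "bits_remaining": round(math.log2(space), 2),
    }


def marginal_bits(masks: dict[str, str], service: str) -> float:
    """Information one service's mask adds on top of all the other masks combined.
    0.0 means the service reveals nothing the others do not already show."""
    others = {n: m for n, m in masks.items() if n != service}
    without = residual_space(merge_masks(others))
    with_all = residual_space(merge_masks(masks))
    return round(math.log2(without / with_all), 2)


# Constructed masks for three hypothetical services (not real policies).
SAMPLE_MASKS = {
    "service_a": "555-12X-XXXX",  # five leading digits including the area code
    "service_b": "XXX-XXX-XX34",  # last two digits
    "service_c": "XXX-XXX-X234",  # last three digits
}

if __name__ == "__main__":
    print(leak_report(SAMPLE_MASKS))
    for svc in SAMPLE_MASKS:
        print(svc, "adds", marginal_bits(SAMPLE_MASKS, svc), "bits beyond the others")
```

Combined, the three constructed masks leave only two unknown digits, while service_b adds nothing beyond service_c, which is the kind of comparison a reset-page designer can run against the masks other services already expose.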
Martin Vigo's article discusses the security vulnerabilities in password reset options for various websites and how these can lead to the exposure of personal phone numbers. Vigo highlights that during a password reset process, websites often partially reveal the user's phone number. This partial display varies across websites; some show the last four digits, others the first, and so on. By initiating password resets across different sites, one can potentially piece together most of the digits of a phone number just from an email address.
It is but it was proofread by a human with expertise in the domain, and honestly I wouldn't have done better in such a short amount of words. If someone wants to know more they better read the article which I did to make sure the generated text wasn't bullcrap :)
That doesn't change the fact that these are not "secrets" (except by accident) and that their current secrecy-by-coincidence therefore should not be relied upon.