[HN Gopher] From email to phone number, a new OSINT approach (2019)
___________________________________________________________________
From email to phone number, a new OSINT approach (2019)
Author : Luc
Score : 296 points
Date : 2023-11-16 15:20 UTC (1 days ago)
(HTM) web link (www.martinvigo.com)
(TXT) w3m dump (www.martinvigo.com)
| hipadev23 wrote:
| Great technique for those VCs who think they can just ignore my
| emails
| xhkkffbf wrote:
| This kind of uncoordinated leaking is a deeper problem. Many
| share the last four digits of a SS#. Okay. But often the first
| five are easy to guess from the birthday and the birth state. The
| first few digits tell the state where the number was issued.
| swozey wrote:
| Hell a lot of people have a last 4 digit that is literally just
| their mothers birth year.
| myself248 wrote:
| Last four of their SSN? That makes no sense, those digits are
| sequentially assigned at the issuing office.
| swozey wrote:
| Yes, last four. Don't ask me how I know.. Might be a "born
| on base" thing but it's no coincidence.
| evan_ wrote:
| It is a coincidence. You have a 1-in-10000 chance of
| getting any 4 digit number and they assign 5.5M a year,
| so we can expect that 550 people get their mother's year
| of birth every year. You just happened to get 1961.
|
| (Total guess but how cool would it be if I was right?)
| swozey wrote:
| I have a REALLY hard time believing that but I've never
| looked into it. Like you said, 550 people a year get it.
| I just happened to be in the 0.01%? I should be luckier,
| lol.
|
| https://www.quora.com/What-are-the-odds-that-your-
| birthday-i...
| myself248 wrote:
| It's a coincidence.
|
| http://web.archive.org/web/20070203124309rn_1/www.cpsr.or
| g/p...
| nerdbert wrote:
| Anyone alive today would be born between 1900 and 2023,
| right?
|
| And their mothers, assuming they were between 13 and 50 when
| they gave birth, would therefore have been born between 1850
| and 2010.
|
| So that's 161 out of 9999 available last-4's (0000 is not
| used) that could possibly be someone's mother's birth year.
|
| And then, of course, it has to be the right year within that
| space.
|
| I am guessing this was something that happened to a few folks
| by chance and then was blown up by people who don't
| understand how many coincidences can occur across a
| population of millions.
| birdman3131 wrote:
| Only for ones issued prior to 2011. While this encompasses any
| current adult it is something to keep note of.
| hotnfresh wrote:
| The core problem is that we have an utterly idiotic system in
| which knowing a nine-digit number lets you do any harm
| whatsoever.
|
| We have all the worst parts of a proper national ID system--
| tracking and data gathering by government and other large
| organizations isn't hindered a bit, and we're required to
| engage with our ad-hoc national ID system all the time for
| anything important--but none of the benefits.
|
| Tons of suffering and wasted time, for no damn reason.
| swozey wrote:
| lol
|
| > Paypal, which displays five digits including area code to
| anyone knowing the email address (but only three if the attacker
| knows the target's password), decided this is working as designed
| and will not take action.
|
| Wild.
|
| Does anyone know how scammers are getting numbers off of
| LinkedIn? Or correlating them to numbers from elsewhere? I know a
| company whose employees are constantly getting fake CEO texts.
| DalasNoin wrote:
| I just realized this is from 2019 and confirmed this literally
| still works on PayPal. SMH
| RecycledEle wrote:
| An objective observer would conclude PayPal only exists to
| cause security problems.
|
| I once called PayPal to report an "your account is suspended"
| phishing email and they angrily told me to follow the
| directions in the email.
| josephg wrote:
| My sister got married and changed her surname. PayPal has
| inexplicably also changed my surname to my sister's new
| surname.
|
| I can't for the life of me figure out why, or why they
| would do that without notifying me. At least no good
| reason. It's the strangest thing.
|
| I haven't even fixed it. I just stopped using PayPal
| because I don't trust them any more.
| DaiPlusPlus wrote:
| Is it possible you had the "Edit your details" page open
| and your web-browser "helpfully" auto-filled the form
| with her details and you submitted the form without
| noticing?
|
| It gets worse: there's a lot of web-apps out there (both
| SSRs and SPAs) with <form> elements for personal details
| which are in the DOM, but "hidden" by doing tricks like
| `position: absolute; left: -99999px` inside a div with
| `overflow: hidden` (instead of doing something like
| `display: none;`) - or have the form hidden by using a
| z-index behind some curtain/cover element - and I've seen
| browsers auto-fill those fields and they get POSTed and
| cause a data overwrite on the server without the user
| being aware.
|
| It's a fun way to steal PII from people: have a random
| public webpage that contains a registration form with all
| kinds of personal details, but has HTML+CSS such that
| it's visually obscured from the user, but the browser
| thinks it's a fully visible form, and simply yet the
| browser autofill it and submit it using JS (getting
| around the "user must interact with the page" filter by
| binding it to a big pink button that says "click here to
| see dancing bunnies!").
|
| Browser auto-fill is dangerous.
| josephg wrote:
| Uh, I don't think so. We don't live together and we don't
| share computers.
|
| Its strange that Paypal would even consider our accounts
| associated in any way. I wonder if she put a support
| ticket in to change her name and they changed mine too
| because we shared the same surname? Does paypal know
| we're related somehow, or did they just change another
| random account with our surname when they changed her
| name, and happened to get her brother? The more I think
| about it the more questions I have.
| jwally wrote:
| Can someone summarize this?
|
| I think the site is struggling with traffic and I'm getting
| 503'd...
| Techbrunch wrote:
| Martin Vigo's article discusses the security vulnerabilities in
| password reset options for various websites and how these can
| lead to the exposure of personal phone numbers. Vigo highlights
| that during a password reset process, websites often partially
| reveal the user's phone number. This partial display varies
| across websites; some show the last four digits, others the
| first, and so on. By initiating password resets across
| different sites, one can potentially piece together most of the
| digits of a phone number just from an email address.
| _the_inflator wrote:
| Awesome TLDR;
|
| Thx!
| joeframbach wrote:
| It's clearly AI generated, blatantly so.
| Techbrunch wrote:
| It is but it was proofread by a human with expertise in
| the domain, and honestly I wouldn't have done better in
| such a short amount of words. If someone wants to know
| more they better read the article which I did to make
| sure the generated text wasn't bullcrap :)
| jasonjayr wrote:
| ... just an email address, and publicly available information
| on the phone numbering system assignments + strategies.
| swozey wrote:
| Basically what they did was do password reset processes at a
| bunch of different services like PayPal, LastPass, Ebay..
| yeadda yadda. He found that they all display different portions
| of a phone number. PayPal being the worst shows someone
| starting the reset process 5 digits. Most showed 2 or 3 but
| different portions.
|
| So what he then did was essentially merge/correlate that data
| along with the area code and "exchange" (the part of number
| after area code) from sources like
| https://www.nationalnanpa.com/
|
| Then he has a python script the queries (not sure how I didn't
| read the code, I'm assuming NOT through an API but who knows)
| the aforementioned services and somehow determines the
| likelihood of a number out of several hundreds being registered
| to an email or not. I kind of dozed off at the end so I can't
| explain that part very well.
|
| edit: Why am I getting downvoted? This is literally what the
| blog is. My other comment is at the top.. lol. What a waste of
| my time giving an explanation. Ya'll like that low detail
| TechBrunch ChatGPT explanation more? Wild.
| BenjiWiebe wrote:
| Have an upvote. I preferred your summary. Thanks!
| Luc wrote:
| https://web.archive.org/web/20231116163937/https://www.marti...
| egberts1 wrote:
| LOL! DOA!
|
| Next: Signal app, method
| fudged71 wrote:
| @dang please append (2019) to the title
| Luc wrote:
| Fair enough, I did so.
| SpaceLawnmower wrote:
| One thing I've always wondered is how security researchers feel
| justified in releasing tools like the one in this blog post to
| the public. I can almost certainly say that the number of bad or
| creepy uses for an automated email to phone number generating
| tool massively outweighs the good reasons for having one. Does he
| get a pass because he's doing this for "research" and it's a grey
| area anyways? Does he feel better because he talked to the
| companies who exposed the vulnerability and it's neutered now?
| dj_mc_merlin wrote:
| I think there's a good ethical argument for releasing the
| knowledge, not so much the tool. I think the open secret is
| that most people who go into cybersecurity do so because they
| enjoy breaking security through clever methods rather than
| actually helping others stay secure.. but security research is
| legal and hacking random targets isn't.
| viccis wrote:
| I'm in the security industry, and this is absolutely correct.
| There are definitely many who carefully release PoCs when
| appropriate (giving vendors enough time to patch, etc.), but
| a LOT of these tool releases are done mostly to show off how
| smart we are and get clout. You see this big time every
| summer, as researchers all scramble to get a Defcon tool talk
| slot with some new thing they wrote, before immediately
| abandoning it post-con.
|
| Obviously, it's not like anything can or should be done to
| change this, as it's mostly just human nature, and keeping
| the security industry capable of operating legally and in the
| open is paramount. But sometimes people just wanna brag. And
| they get big mad about it and sputter about how literally any
| possible end justifies literally any actual means if you
| point it out (see: the other person responding to the top
| level comment lol)
| pmarreck wrote:
| > I can almost certainly say that the number of bad or creepy
| uses for an automated email to phone number generating tool
| massively outweighs the good reasons for having one
|
| Meanwhile, I can almost certainly say that the number of ways
| to bury your head in the sand instead of simply facing an
| uncomfortable problem massively outweighs the good reasons for
| doing so anyway.
|
| A person who is in need of money and lacking in empathy will
| not fail to use any technique available and it is thus good to
| know the defenses of that or at least be aware of it.
|
| "Creepy" arguments (appeals to shame or disgust) are fallacies.
|
| Security researcher types are well aware of the good-actor
| motivations behind white-hat-hackerdom. Is it wrong that I can
| buy a book on lockpicking? Would I be seen by some as a bad
| parent if I taught it to my kid when he expressed curiosity
| about it?
| SpaceLawnmower wrote:
| I think knowing that this is a vulnerability is fine. The
| tool is what I take issue with.
|
| I mean creepy as in a violation of a right to privacy. I
| don't consent to you knowing my phone number or any PII I put
| into private websites.
|
| It's a lot easier to get caught lockpicking and it has some
| legitimate uses. This is like more like an autopicking
| machine imo.
| itslennysfault wrote:
| I think the idea is to highlight the bad security practices
| that allow this in hopes that these companies patch these holes
| (in this case reduce leaked data in the password reset
| process).
|
| A GREAT example of this was when Firesheep forced Facebook (and
| countless other sites) into embracing https. Firesheep was a
| firefox plugin that anyone could run on a public wifi (e.g.
| coffee shop) and instantly start getting the passwords of
| anyone on the same network that logged in to anything over
| http. At the time Facebook was http by default. So, it made the
| news and forced Facebook to make https required basically
| overnight. Many other companies followed suit, and it's likely
| fair to say that the release of that plugin single-handedly
| accelerated https adoption by a considerable margin.
|
| I don't know that this release will be that impactful, but its
| certainly better than having this be a technique that only
| black hats know about.
| Eisenstein wrote:
| > I don't know that this release will be that impactful
|
| It was released in 2019 and it is still going on, so
| unfortunately it wasn't.
| lainga wrote:
| The difference between 2010 (firesheep) and now is about
| $100B of regulatory capture. That $BIGCO is not this $BIGCO.
| kurikuri wrote:
| When arguing with an executive on why their company's security
| posture needs to be updated, there is nothing quite as
| effective as an off the shelf demo.
| nbk_2000 wrote:
| Similarly to how Journalists feel justified in stories that
| have negative repercussions for some parties being reported
| upon. One way of assessing these decisions is answering the
| question "Is more harm done than good by releasing information
| this to the public?"
|
| From my perspective, I'm happy that Martin Vigo released this
| information (in 2019) as it helped me inform my employers (and
| now my clients) to additional threat model vectors to consider
| before deciding how to best perform password resets.
|
| Also in his defense: 1) He originally released a rather
| crippled form of the PoC 2) It requires a Twilio account, which
| raises the barrier to entry and provides a data point for
| analysts were the tool to be used criminally.
| wolverine876 wrote:
| > Similarly to how Journalists feel justified in stories that
| have negative repercussions for some parties being reported
| upon. One way of assessing these decisions is answering the
| question "Is more harm done than good by releasing
| information this to the public?"
|
| That method leads to the worst evils in the world. Many have
| concluded, or used it to justify everything from, 'it's ok to
| take these poor people's land and give it to megacorp,
| because we'll get a factory' to 'it's ok to silence these
| journalists because it's for the public good' to 'it's ok to
| kill my enemies because I think they are bad' to 'it's ok to
| commit genocide against this group because the world will be
| better off without them'.
|
| Who am I, or who are you, to decide what is good or bad, or
| how good or bad, or to weigh those things for others? Beyond
| our obvious cognitive limitations (as humans, we are too
| flawed cognitively and morally to make judgments for others)
| and lack of legitimacy (who elected us?), there is our
| obvious bias - 'good' is what is good from our perspective,
| based on our biases, subject to our ignorance of others.
|
| That's why human rights exist: It's their right and you can't
| make that decision for them; it's up to the person involved.
| If you think their land, etc. is so important, then ask them
| - it's up to them whether they want to do it. They have
| property rights, speech rights, etc. and nobody can abridge
| them, and in the limited circumstances where they can be
| abridged, there is a whole infrastructure of legitimacy
| (democracy), protection from corruption (separation of
| powers, juries, etc.), process (law, due process).
| 867-5309 wrote:
| eh?
| nerdbert wrote:
| I cannot follow your thread from a security researcher
| sharing tools to put pressure on an insecure website, to a
| megacorporation stealing someone's land.
| wolverine876 wrote:
| I'm talking generally about this reasoning, whether used
| by security researchers or governments condemning land
| for megacorps (or anyone else):
|
| >>> One way of assessing these decisions is answering the
| question "Is more harm done than good by releasing
| information this to the public?"
| boznz wrote:
| The bad guys know these and a million more exploits already so
| personally I'm fine with these guys exposing the industries
| dirty laundry especially if it shames them into doing
| something. There is also no defense from the company that they
| did not know when it comes to legal action.
| 0xDEAFBEAD wrote:
| I agree, should've done responsible disclosure
| saltminer wrote:
| > If it is a requirement, consider using a virtual number like
| Google Voice or even a dedicated SIM that you only use for this
| purpose and never give the number away.
|
| For the second SIM option, that requires a dual-SIM device, which
| are still fairly niche in the US.
|
| When it comes to VOIP numbers, unfortunately, many sites look up
| phone numbers and block VOIP providers, which sucks because
| Android still has no good way of sending/receiving carrier texts
| on the desktop (and before someone suggests the Google Messages
| web interface, it "forgets" my device too often for me to take it
| seriously). Occasionally, this can create a catch 22, where the
| VOIP blocking is implemented after the fact and prevents you from
| ever using the account again because the VOIP blocking was also
| implemented on the SMS 2FA.
|
| And then there's services which don't even bother to check if
| they can actually reach a number before accepting it. Harris
| Teeter pharmacies, for example, will happily accept a VOIP
| number, but their system is unable to call or text VOIP numbers,
| so you never get your prescription notices. (And I'd bet this
| applies to all Kroger brands since they share a lot of systems.)
| stephenr wrote:
| > For the second SIM option, that requires a dual-SIM device
|
| Or a device that supports an eSIM, which is every iPhone since
| 2018, for starters.
| aidenn0 wrote:
| The eSIM is going to be more expensive than a regular SIM
| since no MVNO I'm aware of in the US supports eSIMs
| sneak wrote:
| Mint.
| stephenr wrote:
| I'm also _not aware of any_ but that 's less about whether
| they're actually available and almost entirely because like
| 7.6 billion other people, I don't live in the US.
| aidenn0 wrote:
| Considering how we were talking about how dual-SIM phones
| are niche _in the US_ , I think my comment was rather
| relevant.
| stephenr wrote:
| Dual-sim phones aren't just a niche in the US either.
|
| But regardless: using your existing 5 year old iPhone
| with an eSIM that isn't "cheap" is still going to be
| cheaper than buying a new dual-sim phone.
| piperswe wrote:
| Almost all of them do now, since iPhones don't have SIM
| card slots in the US anymore.
| aidenn0 wrote:
| Thanks. Apparently my info was out-of-date; I last
| checked in early 2022.
| caturopath wrote:
| I use Visible and Mint via eSIM
| guru4consulting wrote:
| I guess dual SIM is different from having eSIM+physical SIM.
| Dual SIM typically allows both SIMs/phone-numbers to be
| active and when you receive a call, you will know which
| number is being called. With eSIM+physical SIM card, only one
| can be active at a time. The other has to be disabled. At
| least, this is what I found few years back.
| piperswe wrote:
| I know that iPhones with SIM+eSIM can have both active at
| the same time, and iPhones with just eSIM can have two
| eSIMs active.
| josephg wrote:
| Yeah I found this out the hard way when travelling
| recently. There are some great apps that let you buy
| cheap data-only eSIMs in dozens of countries. You can
| even buy an eSIM before you travel. It's crazy convenient
| and much cheaper than roaming fees.
|
| My girlfriend could keep her home phone line enabled
| while using the eSIM but I couldn't, even though we have
| the same model of phone! Turns out her home line uses a
| physical sim, but mine is set up using an eSIM and the
| iPhone 12 can only have 1 eSIM enabled at a time. You can
| do 1 physical + 1 eSIM, but not 2 esims.
|
| I couldn't get texts or calls from home without noodling
| with my phone settings each time. And FaceTime kept
| enrolling and unenrolling my number.
| lstamour wrote:
| Good news, with the elimination of the SIM card slot,
| they fixed this bug and you can have two eSIMs active
| with no chance of ever getting a physical travel sim to
| work! /s
| josephg wrote:
| Bleh physical sim swapping when travelling is such a
| pain. I used travel data only esims all through the US,
| Europe and Egypt. All set up through a single app. I
| didn't need to talk to dodgy airport phone shop people a
| single time in 3 months on the road - which, iPhone
| limitations aside, I consider a massive win.
|
| (I used the Airalo app. No association. It worked great.)
| nerdbert wrote:
| For the five minutes it takes to get a physical SIM card,
| I'll take the much cheaper and typically faster service I
| get with local carriers vs eSIM MVNOs.
| traceroute66 wrote:
| > iPhone 12 can only have 1 eSIM enabled at a time. You
| can do 1 physical + 1 eSIM, but not 2 esims.
|
| IIRC this is a limitation that only applies to iPhone
| <=12.
|
| I am pretty sure that newer iPhone models all support
| dual-active eSIM, irrespective of whether or not you have
| a physical SIM slot model or not.
| dblitt wrote:
| I'm currently traveling internationally with an iPhone 12
| and I can confirm the single eSIM + single physical SIM
| limitation. Although, in my case, I'm using a physical
| international SIM and a US eSIM.
|
| I would love to turn off my US eSIM when not in use (I
| think it uses more power connected to two cellular
| networks) but that would require unenrolling my US
| iMessage number and I can't do that. Definitely the most
| annoying part of the whole thing.
|
| I considered using a spare iPhone to host a physical SIM
| with my US number because that would allow the number to
| stay bonded with my Apple ID and potentially forward SMS
| over iCloud, but I decided not to because in my
| experience the SMS part is too flaky to be relied on.
| nerdbert wrote:
| > but that would require unenrolling my US iMessage
| number
|
| It nags you but you don't have to agree to remove the
| number. I routinely replace my SIM card when traveling
| outside the EU and my iMessage number still works for
| green-bubble people. I ignore/refuse the phone's
| occasional suggestions to "update" the number.
| darkwater wrote:
| Nope, eSIM plus physical SIM in an iPhone or in a Pixel or
| any other phone work just like 2 physical SIMs. It's been
| supported in mainstream Android for a few years now.
| Previously it was supported only on devices with 2 slots
| and each vendor had their flavor in Android.
| pnw wrote:
| eBay doesn't block Google voice numbers. The only site which
| seems to is Discord in my experience.
|
| Personally I prefer to use a non-obvious dedicated email per
| account e.g. ebpnw@mydomain.com, so the attacker has to guess
| the email as well.
| thedaly wrote:
| > Personally I prefer to use a non-obvious dedicated email
| per account e.g. ebpnw@mydomain.com, so the attacker has to
| guess the email as well.
|
| Should I stop doing my obvious, ie hackernews@mydomain.com,
| account emails?
| Sardtok wrote:
| If you want to increase your security, generate a random
| string for the "account" name.
|
| If you are using a password manager, then this shouldn't be
| too difficult.
|
| It can be a hassle when registering for something in
| person, though.
| freetanga wrote:
| Bitwarden has a setting for doing exactly this. Create a
| random email and a random password on the fly during a
| new service signup
|
| Also possible to create 2-3 fake Personas in app (Name,
| DOB, address,...) to scatter your online footprint. Fills
| forms with the right one at button push.
| pavon wrote:
| I broke down and bought a prepaid SIM and a small dumb phone
| which I use solely for 2FA. Its about the size as old-school
| 2FA systems like crypto cards. My original motivation in
| getting it was my wife was always taking my real phone to get
| security codes for some shared accounts (on sites that don't
| have an option for linked accounts). But I also like that it
| provides small OPSEC improvements over using my real telephone
| number.
| marklar423 wrote:
| That's a great idea for a shared 2FA device
| earthscienceman wrote:
| If you're a Linux user, "KDE Connect" is actually by far the
| best desktop interface for texting and more. It's changed how
| my phone and my laptop interact and I think might be my
| favorite open source project. You can use your laptop as a
| keyboard, reply to messages from any app that sends a
| notification, and so much more. The file sending functionality
| is also far better (and faster) than anything else I've used.
| It's everything open source software should be.
| WirelessGigabit wrote:
| Google voice numbers can be detected, even you have one ported
| from say AT&T. Twillio's API marks it as Google Voice.
|
| And for dual SIM phones:
|
| > An iPhone XS, iPhone XS Max, iPhone XR,
|
| Source: https://support.apple.com/en-us/HT209044
|
| That's 6 generations of iPhone that have dual SIM, in which
| there is at least 1 eSIM.
| jimmaswell wrote:
| Windows phone link is pretty nice for sending and receiving
| texts through your phone on a desktop.
| pmarreck wrote:
| Keeping a phone number secret is "security by obscurity" and
| therefore the whole point of this article is rather moot.
| realusername wrote:
| Not completely, when you have the email + the phone number, you
| can make much more sophisticated phishing attempts
| miki123211 wrote:
| There's one missing piece in that article, and it's the CNAM
| database (US only).
|
| CNAM is the database that carriers use to give you alphanumeric
| caller ID ("SMITH JOHN" instead of "+1 (555) 123-4567"). Many
| carriers don't display this data as far as I believe, but most of
| them make it available.
|
| Querying that database isn't free, but you could probably find a
| way to do it for a few hundred numbers relatively cheaply.
| People's names and emails are often similar, so you could
| probably figure out an algorithm to give you the most likely
| candidates.
|
| The data is often wrong in interesting ways (I've seen everything
| from deadnames to people's exes they still share a plan with),
| but it is still pretty useful.
| toomuchtodo wrote:
| At least in T-Mobile's customer UX, you can set this to
| whatever you want per line [1]. Have tested by changing line
| CNAM and querying with Twilio number lookup [2]. You're
| supposed to be honest wrt person's name, but it's honor system.
|
| [1]
| https://www.t-mobile.com/support/tutorials/device/app/ios/to...
|
| [2] https://www.twilio.com/code-exchange/lookup
| navigate8310 wrote:
| Why is this not tied to a person's SSN (if possible)?
| miki123211 wrote:
| Why would it be?
|
| The point of that database is to display a recognizable name
| to the people you call, so that they know it's you. A
| recognizable name isn't always the one on your birth
| certificate (particularly in the US). There are also
| businesses, who want their business name there.
| evan_ wrote:
| Is there an accessible database somewhere that would allow
| T-Mobile to get a name from an SSN (or verify that an SSN and
| a name match)?
| bbarnett wrote:
| Why would a phone company know a person's SSN?!
| Gh0stRAT wrote:
| So that they can seamlessly upsell you on upgrading to a
| new phone that you'll pay off in installments over the next
| couple years.
|
| Also, many postpaid plans (like my home ISP) require SSN
| because they are providing you service on credit. Postpaid
| cell paone plans have been the "default" in the US for a
| long time, though prepaid seems to be gaining market share.
| maxerickson wrote:
| We are kind of assuming a lot when a $100 a month account
| obviously requires a credit check.
|
| They require a SSN because people don't care and it makes
| it cheaper to offer the accounts, not because it would
| actually be a big problem to sell internet service
| without credit checks.
| xp84 wrote:
| The credit checks, the carriers would tell you, are to
| try to protect them against people who sign up for
| service with a "free" phone on a 3 year commitment (phone
| paid for in part by 36 installments of credits) and then
| they stop paying the bill. Sure the phone will be
| blacklisted and remain SIM-locked, but could still be
| used on Wi-Fi and either way the carrier can't have it
| back and is therefore out their cost of the phone.
|
| Now, as for why they still do the same credit checks when
| you bring your own phone, I suspect "Because F you,
| that's why" is the gist of it.
| DaiPlusPlus wrote:
| > Why would a phone company know a person's SSN?!
|
| As Brit-expat+US-resident (since 2012) T-Mobile got my SSN
| when I signed-up for my pre-paid first mobile phone plan in
| 2012. Paying $50/mo was quite a shock when equivalent (or
| rather: far superior) service was available in the UK on a
| PAYG (not even pre-paid!) basis for PS10/mo.
|
| ...and now I'm on a $110/mo postpaid plan because
| eventually you get tired of the limitations and just grin-
| and-bear-it.
| nerdbert wrote:
| When visiting the USA I have often bought prepaid
| T-Mobile SIM cards for cash without showing any ID.
| pyinstallwoes wrote:
| That's pretty normal in the USA.
| hobofan wrote:
| Because regulators want to tie phone numbers to identities.
| It helps curb illegal activity, but of course also makes
| surveillance a lot easier.
| rsync wrote:
| "Querying that database isn't free, but you could probably find
| a way to do it for a few hundred numbers relatively cheaply."
| /usr/local/bin/curl -s -X GET "https://lookups.twilio.com/v1/Ph
| oneNumbers/$number?Type=carrier&Type=caller-name" -u
| $accountsid:$authtoken | /usr/local/bin/jq '.'
|
| I don't even know what it costs ... maybe a penny per lookup ?
| I forget ...
|
| It also shows carrier and whether it is a mobile or landline,
| etc.
| DaiPlusPlus wrote:
| > I don't even know what it costs ... maybe a penny per
| lookup ? I forget ...
|
| $0.01/lookup: https://www.twilio.com/en-us/trusted-
| activation/pricing/look...
| bunabhucan wrote:
| All this hassle using different email addresses for each service
| and a Google voice number was worth it.
| hackideiomat wrote:
| if anyone does not do this yet and wants an easy solution:
| Firefox Relay
| GaryNumanVevo wrote:
| I made an email randomizer that makes scrambled emails using
| the "+" feature. So any external service sees
| "gary+FqZWMK@gmail.com" and it automatically creates an
| unscrambled folder in my email that takes "FqZWMK" and converts
| it to the name of the service like "Netflix" or whatever.
|
| What's nice is that I completely control the mapping of ids, so
| if I can make multiple random addresses go to a "one-time"
| inbox that automatically sends emails to spam after a while.
| dang wrote:
| Related:
|
| _Email to Phone Number Osint Tool_ -
| https://news.ycombinator.com/item?id=30476792 - Feb 2022 (2
| comments)
| shivz45 wrote:
| Oh i tried this technique just now to confirm one scammer's real
| phone number details.
|
| Paypal here again
| RecycledEle wrote:
| The author ignores number portability. Just because I currently
| live in a city and have AT&T does not mean they issued my phone
| number.
| 1nd1ansumm3r wrote:
| Fun to see this issue get talked about. Ancedote- I bought some
| car parts from a semi-scammer. Not a full-on scam but the guy
| wouldn't ship the complete order even though he had my money for
| several weeks. We had communicated on a few different platforms.
| Each platform offered up a little piece of his identity. Last
| four of this. First four of that. It was enough to piece it all
| together. I gave him a call at his place of employment which
| happened to be in the exact same industry as the parts that were
| being sold. I asked him to ship the parts and casually asked if
| his employer was involved in the sale. He perked right up and the
| next day he shipped everything I had bought and a few extras.
| 1nd1ansumm3r wrote:
| I re-read this, not to fire back but to understand how you
| arrive at your conclusion. I think you are interpreting (or
| assuming maybe), from when I asked about his employer, that I
| suspected he stole the parts from his employer. That's not the
| case at all. I just needed a pressure point.
| ahoka wrote:
| Didn't you basically blackmail the guy?
| dylan604 wrote:
| your point?
| ikekkdcjkfke wrote:
| Pressure and coercion is part and parcel of existing
| mavamaarten wrote:
| Pressuring to follow up on a made deal does not really
| count as blackmail imo.
| Lord-Jobo wrote:
| From a legal standpoint blackmail requires the "receipt of
| money or valuable thing". Because the thing being received
| is an even exchange of goods already agreed to by both
| parties, and the threat on not receiving is not an illegal
| action in itself, it is not likely or plausibly blackmail.
|
| -not a lawyer, just work with too many of them
| dools wrote:
| As an Australian I can only ever recall seeing the last 2 or 3
| digits of my mobile number. The first 2 digits of all mobile
| numbers are the same and you can't send text messages to
| landlines.
| BHSPitMonkey wrote:
| "Good morning class. A certain agitator, for privacy's sake let's
| call her Lisa S... No, that's too obvious. Let's say L. Simpson."
| sp0rk wrote:
| I check GitHub's Trending page for Python projects every day or
| so. I was a little confused why this repo was trending today,
| particularly because the note at the top indicates that a lot of
| the services patched the exploit long ago.
|
| It's interesting to see that this being posted here on Hacker
| News is presumably enough to push the GitHub repo to the trending
| page for Python.
| Uptrenda wrote:
| I noticed that some websites also reveal different parts of the
| credit card. Really hope that this attack also doesn't work
| there. Lmao...
| hackideiomat wrote:
| The amazon thing bugs me, as someone with a custom domain :D I
| literally get 1 or 2 * in my name and the rest is public
| knowledge due to this
| alkonaut wrote:
| I use my real name as my email (as many of us do). And my phone
| number is publicly listed in many phonebooks. In Sweden it's
| standard practice for everyone to have their address and phone
| number searchable unless you opt out. Basically what used to be
| in the phone books in the 80s (which was everyone) just moved
| online in the 90s so now everyone's adress and phone number is
| publicly searchable. This can be really useful, but of course it
| can be used for evil as well.
|
| But one of the really positive things about having so much
| "public PII" (SSNs, Addresses, phone numbers, birth days) is that
| people don't have to treat this information as some sort of
| secret. Everyone needs proper ID and eID because knowing someones
| digits doesn't make it any easier to impersonate them.
|
| If someone wants my phone number, they take my email which has
| first- and last name, go to any of the N search sites and they
| find 100 people sharing my first and last name. If they know a
| city and approximate age (Which they can easily get from a social
| platform) they can narrow it down to just a couple of people.
| Public records then shows my birthdays, my cars, my income, who's
| also registered on the address, and so on. It's not difficult
| doing OSINT in Sweden...
___________________________________________________________________
(page generated 2023-11-17 23:02 UTC)