Εχουμε συνηθίσει να μοιραζόμαστε προσωπικές πληροφορίες, όπως τον αριθμό του τηλεφώνου μας, χωρίς δεύτερη σκέψη. Αξίζει, όμως, η πρακτική αυτή τους κινδύνους που εγκυμονεί; Ο αριθμός τηλεφώνου μας μάς ταυτοποιεί περισσότερο από το πλήρες ονοματεπώνυμό μας.

Πρόσφατα ζήτησα από την εταιρεία διαδικτυακής ασφάλειας Fyde να χρησιμοποιήσει τον αριθμό μου για να αναδείξει τους πιθανούς κινδύνους που εγκυμονεί η αποκάλυψή του. Ο Εμρέ Τεζίσκι, ερευνητής θεμάτων ασφαλείας στη Fyde, ανέλαβε το καθήκον με χαρά. Εισήγαγε τον αριθμό μου στο αρχείο δημοσίων εγγράφων και εύκολα δημιούργησε έναν πλήρη φάκελο για το πρόσωπό μου, όπου περιλαμβάνονταν στοιχεία όπως το όνομά μου, η ημερομηνία γέννησης, η διεύθυνση, οι φόροι ακίνητης περιουσίας που καταβάλλω, αλλά και τα ονόματα των μελών της οικογενείας μου. Θεωρητικά, αν ήταν κακόβουλος ο ερευνητής, θα μπορούσε να χρησιμοποιήσει τα στοιχεία που συγκέντρωσε για να απαντήσει στις ερωτήσεις ασφαλείας και να μπει στους διαδικτυακούς λογαριασμούς μου.

Οι ερευνητές χρειάστηκαν μία ώρα με τον αριθμό του κινητού μου για να αποκαλύψουν ολόκληρη τη ζωή μου. Απλώς τον εισήγαγαν στις Λευκές Σελίδες Premium (του τηλεφωνικού καταλόγου), μια διαδικτυακή βάση δεδομένων που χρεώνει 5 δολάρια για να παράσχει πρόσβαση σε όλα τα δημόσια αρχεία. Στη συνέχεια, έκαναν ενδελεχή αναζήτηση στο Διαδίκτυο και ακολούθησαν το μονοπάτι των δεδομένων, προκειμένου να ανακαλύψουν ακόμα περισσότερες πληροφορίες. Μέσα σε αυτή την ώρα ανακάλυψαν τη διεύθυνση του σπιτιού μου, την έκτασή του, την αξία του και τους φόρους που πληρώνω για αυτό. Επίσης, διευθύνσεις όπου κατοικούσα κατά την περασμένη δεκαετία, το πλήρες όνομα των γονέων μου, της αδελφής μου και της θείας μου. Τους παλιούς τηλεφωνικούς μου αριθμούς, όπως και αυτόν του σταθερού στο πατρικό μου, αλλά και πληροφορίες για τα περιουσιακά στοιχεία που κάποτε κατείχα, συν το λευκό ποινικό μητρώο μου.

Ενας χάκερ θα μπορούσε να αλλάξει τον κωδικό πρόσβασης των λογαριασμών μου απαντώντας στις ερωτήσεις ασφαλείας, όπως «ποιο είναι το πατρικό όνομα της μητέρας σας;» και «σε ποια διεύθυνση κατοικούσατε;». Θα μπορούσε να χρησιμοποιήσει τις προσωπικές πληροφορίες που συνδέονται με τον αριθμό του κινητού προκειμένου να αποκτήσει μια νέα κάρτα Sim, κλειδώνοντάς με εκτός κινητού. Έχοντας τον έλεγχο του κινητού, θα μπορούσε να εισβάλει στους λογαριασμούς μου, εφόσον είχαν μηχανισμούς αποστολής κωδικών ασφαλείας με γραπτό μήνυμα, όταν θα έμπαινα σε κάποιον διαδικτυακό λογαριασμό. Ενας απατεώνας, χρησιμοποιώντας το ελεγχόμενο από αυτόν αριθμό του κινητού μου, θα μπορούσε να παραπλανήσει μέλη της οικογένειάς μου, ώστε να του αποκαλύψουν κωδικούς πρόσβασης ή να στείλουν χρήματα. Και βέβαια, έχοντας γνώση του τηλεφωνικού αριθμού μου, θα μπορούσε να καλέσει τον τηλεφωνητή και να παραβιάσει τις δικλίδες ασφαλείας, ακούγοντας τα μηνύματά μου.

Σε κάποιες περιπτώσεις βεβαίως είναι θεμιτό να αποκαλύπτετε τον τηλεφωνικό σας αριθμό, όπως για παράδειγμα στις συναλλαγές σας με τις τράπεζες. Σε ποιες εταιρείες, όμως, θα πρέπει να τον εμπιστευθείτε; Δυστυχώς, δεν υπάρχει σαφής απάντηση στο ερώτημα. Μια λύση θα ήταν να αποκτήσετε και έναν δεύτερο αριθμό, τον οποίο θα χρησιμοποιείτε με άτομα και εταιρείες που δεν εμπιστεύεστε. Τέλος, αν έχετε κάρτες που γράφουν τον αριθμό του κινητού σας, σκίστε τες και φτιάξτε άλλες, που να περιέχουν μόνο το τηλέφωνο του γραφείου σας.



I Shared My Phone Number. I Learned I Shouldn’t Have.

Our personal tech columnist asked security researchers what they could find out about him from just his cellphone number. Quite a lot, it turns out.

For most of our lives, we have been conditioned to share a piece of personal information without a moment’s hesitation: our phone number.

We punch in our digits at the grocery store to get a member discount or at the pharmacy to pick up medication. When we sign up to use apps and websites, they often ask for our phone number to verify our identity.

This column will encourage a new exercise. Before you hand over your number, ask yourself: Is it worth the risk?

This question is crucial now that our primary phone numbers have shifted from landlines to mobile devices, our most intimate tools, which often live with us around the clock. Our mobile phone numbers have become permanently attached to us because we rarely change them, porting them from job to job and place to place.








At the same time, the string of digits has increasingly become connected to apps and online services that are hooked into our personal lives. And it can lead to information from our offline worlds, including where we live and more. 

In fact, your phone number may have now become an even stronger identifier than your full name. I recently found this out firsthand when I asked Fyde, a mobile security firm in Palo Alto, Calif., to use my digits to demonstrate the potential risks of sharing a phone number.

Emre Tezisci, a security researcher at Fyde with a background in telecommunications, took on the task with gusto. He and I had never met or talked. He quickly plugged my cellphone number into a public records directory. Soon, he had a full dossier on me — including my name and birth date, my address, the property taxes I pay and the names of members of my family.

From there, it could have easily gotten worse. Mr. Tezisci could have used that information to try to answer security questions to break into my online accounts. Or he could have targeted my family and me with sophisticated phishing attacks. He and the other researchers at Fyde opted not to do so, since such attacks are illegal.

“If you want to give out your number, you are taking additional risk that you might not be aware of,” said Sinan Eren, chief executive of Fyde. “Because of collisions in names due to the massive number of people online today, a phone number is a stronger identifier.”




There is no simple solution to this. In some situations, giving your digits to institutions like your bank provides an extra layer of security. But in most cases, the potential dangers and annoyances of handing out your number outweigh the benefits, as you will read below.
It took only an hour for my cellphone number to expose my life.

All that Mr. Tezisci, the researcher, had to do was plug my number into White Pages Premium, an online database that charges $5 a month for access to public records. He then did a thorough web search and followed a data trail — linking my name and address to information in other online background-checking tools and public records — to track down more details.
In an hour, this is what came up:
  • My current home address, its square footage, the cost of the property and the taxes I pay on it.
  • My past addresses from the last decade.
  • The full names of my mother, father, sister and aunt.
  • My past phone numbers, including the landline for my parents’ home.
  • Information about a property I previously owned, including its square footage and the mortgage taken out on it.
  • My lack of a criminal record.
While Fyde declined to hack into my accounts using the obtained information and my number, the company warned that there was plenty an attacker could do:
  • A hacker could try to reset my password for an online account by answering security questions like “What is your mother’s maiden name?” or “Which of the previous addresses did you live at?”
  • An attacker could use the personal information linked to my phone number to trick a customer service representative for my phone carrier into porting my number onto a new SIM card, thus hijacking my digits — a practice called SIM swapping.
  • A hijacker with control of my phone number could then break into my accounts if I had mechanisms in place to receive a security code in a text message when logging in to an online account.
  • A scammer could also use my hijacked phone number to trick members of my family into sharing their passwords or sending money.
  • A scammer could also target my phone number with phishing texts and robocalls.
  • An intruder could use knowledge of my phone number to call my voice mail inbox and try to crack the personal identification number to listen to my messages.
Marketers could also take advantage:
  • An ad tech agency could add my number to a detailed profile about me, linked to other information about my identity and web-browsing activities.
  • If I signed up for an internet service with my phone number, a brand that bought my digits from an ad firm could upload them into an ad tech tool to correlate the number with my online profile and serve targeted ads.
  • A shady marketing agency could add my number to a database to blast me with spam calls and text-messaged promotions.
There are some situations when sharing your phone number is reasonable.

When you enter your user name and password to get into your online banking account, the bank may call or text you with a temporary code that you must enter before you can log in. This is a security mechanism known as two-factor verification. In this situation, your phone number is a useful extra factor to prove you are who you say you are.

“A phone number is a better identifier than just your name, but sometimes you want that,” said Simon Thorpe, director of product for Twilio, a communications company that works with phone carriers on combating robocalls.

But which companies should you trust with your phone number? Here’s where things get tricky.
Plenty of tech companies let you use your phone number to protect your accounts from unauthorized access. But even some legitimate brands like Facebook have been scrutinized for improper use of phone numbers.

Last year, a study by the tech blog Gizmodo found that after a Facebook user set up two-step verification with his phone number, advertisers that uploaded his digits into Facebook’s database could match them to his Facebook profile and serve targeted ads. Separately, some people complained this year that the social network allowed them to look up a person’s Facebook profile just by typing a phone number into its search bar.

The company has removed the ability to find people’s profiles by entering their phone number, said Rochelle Nadhiri, a Facebook spokeswoman. She added that when a user set up two-step verification with a phone number, the company would not use the information to serve targeted ads.




But when large companies like Facebook abuse your digits, whom do you trust?
Unfortunately, there is no neat solution. It all involves work.

That includes first asking yourself whether the benefits of giving out your phone number outweigh the potential risks. 

You might also want to set up a second phone number to cloak your personal digits altogether. You could share this second phone number with people and brands you don’t entirely trust. Apps like Google Voice and Burner let you create a different number that you can use for calls and texts.
As for two-factor authentication, most tech companies offer other verification options. They include apps that generate temporary security codes or a physical security key that can be plugged in. Generally, those are safer to use than a phone number.

Here’s a bonus piece of advice. If you have business cards with your personal number printed on them, shred them and order new ones with just your office line. 

Eventually, I spoke to Mr. Tezisci about his experience tracking me. He said he was surprised by how easily a person could be targeted with a single set of numbers.

“I only spent an hour, and I was able to see all your addresses and all phone numbers,” he told me. “I think that’s scary, isn’t it? And I selected the legal options. If I were a scammer, I would have gone for your relatives.”

0 σχόλια:

Δημοσίευση σχολίου

top