From what I can tell, spam calls are mostly war dialing. Some of them are actually going sequentially, my spouse's number is about 400 away from mine, and sometimes she gets the same automated call minutes after me.
Well, from what I can tell, older people are targeted at far high rate. Age seems to be a valued input to the process. I can guess a number of reasons for that.
When searching for a job is the best example. Though these are usually not hidden numbers and for me, if a mobile is calling it's either a wrong number or work related. Spam seems to always a landline.
Sure. Ever gotten a call from a delivery person with food? A doctor’s office with test results? A hair salon confirming an appointment? A teammate with an emergency at work? A taxi driver with the wallet you forgot? A distant relative that needs help? A potential customer referred by a friend?
My parents (over 70) get so many spam calls on their land line it’s comical. Last time I visited them the calls would come two or three per hour, nonstop, day and night. They would leave the phone off the hook at night so it wouldn’t disturb their sleep. It gets worse every decade. Answered a few of them and it was always the usual suspects: the IRS, Microsoft tech support, your credit card company, vacation winner, etc.
Best thing they ever did was cancel their (at least) 50 year old phone number.
So I'm curious. I live in Japan and have a Japanese number. I have a USA number via Google Fi. I get several spam calls on the USA number but zero on the Japan number.
Any idea why? It it just luck? It is scammers don't target Japan? Is it some technical difference that makes it harder/impossible/costly in Japan? Is it an enforcement issue?
A quick look at my voip carrier says calls to us are 1 cent, and calls to Japan land lines are about 2.5 cents, and Japan mobile is 10 cents. They've generally got pretty good pricing; with volume you can get better, but this is a good place to start. So call cost is going to be a lot more.
Then you've got to find voice talent. You can find English voice talent all over the globe, Japanese voice talent is harder to find and probably costs more.
STIR/SHAKEN will likely help somewhat. It should make it easier to track down accounts of callers, but we'll have to see if enforcement becomes effective, or if actionable complaints make enough of a difference. I don't think telephone companies regular record enough metadata for effective enforcement at the moment, and there isn't a reasonable way to report abuse, so most people just shrug and pick up less calls; we really need a useful reporting mechanism (dial * something after you get a spam call should work IMHO; but that's not me doing the work to correlate reports and what not)
Your phone number is a short unique identifier for you which follows you around for potentially your entire life, because the hassle of changing it is significant.
I imagine marketers find it significantly more valuable than an email address.
I'm not entirely convinced the good old days of the whitepages was actually good.
The phone companies required you to purchase your privacy for a monthly fee if you didn't want to be included in their publications.
Had these publications been privacy focused from the start and required opt-in instead of the extortion for privacy scheme; I have a feeling that these directories would not have existed in the form that they did, if at all.
We already know all possible phone numbers. I think the value would be in associating it with at least one more piece of data to correlate it with other data. At least tie it to some sort of demographics, but preferably an exact individual.
Guess what? I already have your phone number. So do the marketers. And we have everybody else’s in the world as well!
Phone numbers are a small search space. You can just iterate through it to generate all possible phone numbers.
Of course, I don’t know that your phone number belongs to you, but I have it. The same applies to this site if you enter your phone number in it. They will have your phone number… so what? They don’t know it’s your phone number, just that it‘s a phone number, which has zero value.
If you search the web for your exact phone number, there’s a very good chance your phone number is on several “who called me?” websites already. How did they get your number? They didn’t. They just list every possible phone number and hope people will add comments saying who called them from that number.
What information are you actually disclosing here, given that the number itself is worthless?
That the phone number is associated with somebody who wants to know if it’s part of the Facebook breach? What value is that information / what are the risks associated with it? Scammers wouldn’t use it because anybody who is looking this information up is probably less likely than the average person to fall for a scam even when tailored to this breach. They’d probably get a better hit rate by excluding these numbers.
How about associating it with whatever information your browser leaks / whatever tracking they can add? Use private browsing / incognito to reduce that. What value is knowing that a person with an arbitrary phone number uses Chrome vs Safari? What value is knowing that a person with a phone number from a certain area is browsing from an IP address also located in that area?
All of the comments people have made about privacy here seem to be useless “oh my god, now they have your phone number!” panic that doesn’t seem to realise that a phone number in isolation is worthless. It’s possible that there are potential privacy problems here, but as far as I’ve seen, nobody has actually mentioned any.
Eh, so what? I've had the same gmail email address for around 17 years now and I get like 50 spam emails a day that are successfully filtered by their spam protection.
I have to prune my email inbox like a garden. I'm constantly unsubscribing from stuff. It's just the reality of the way how the internet and email works, unfortunately.
If you're on the "facebooked" list your number is already disclosed and correlated to you and your email address - inputting it onto a website to see if it's one of the compromised will have absolutely no effect.
I received 10 spam calls in 3 hours yesterday from "Chase Bank" about verifying a purchase in Ohio. All came from my area code and matched the same 3 digits of my phone number. I sometimes receive spam calls but never more than one or two in an afternoon. I was wondering what changed recently or how I got onto a new list.
Now I realize, two days ago I used this website.
Has anyone else had a similar experience? I am not assigning blame here but pointing out a coincidence. It would be great to hear if others going through the same thing.
The two sites seem to have different sources, however - HIBP claims neither my email nor my phone number were involved in the FB leak, while the "Facebooked" site correctly identified that my number was tied to my name and other pieces of information.
Well, it’s sending a sha256 for your phone number, how is this not good enough? How you would expect to check the number in the database without hashing or passing it clear?
So, the main point of this article to avoid that site, is that they could google SHA256 for a known simple number, namely "11111111111" and boom!, this way the site programmer would reverse back to know your number?
If that's the case I suggest he would google Bitcoin's SHA256 numbers too. Heck, at ~55k USD per bitcoin, he would become, literally, multimillionaire overnight. What a buffoon! And it hit HN top as well, pfff.
> this way the site programmer would reverse back to know your number?
Author here, and yes that is what I claim. This is actually crypto 101 stuff!
1.) Pre computing SHA256 of a small set of numbers (1111111111 - 9999999999) takes only a couple minutes on your average laptop. That is how people find the preimage (password) of leaked password hashes! More sophisticated techniques use rainbow tables etc.
2.) The preimages of Bitcoins, github commits and file hashes have much more entropy to be able to brute force them. Hence, I will not be able to (with todays computing power) find a pre-image of Bitcoin's SHA256 etc. and sadly not become a millionaire overnight :(
3.) Not related to this but hashing functions do get 'weaker' over time as computing power increases. We don't use MD5 anymore for a reason. SHA1 has attacks now (https://shattered.io/). This is why git to move to SHA256 (https://lwn.net/Articles/811068/). n number of years from now, there will be collision attacks on SHA256 as well, at which point we'll have to move to a better, stronger hash!
I'm more annoyed with the security community making it so hard to get access to the raw leak. There's a weird elitist attitude of "only we can handle the data" even though every black and white hat in the world already grabbed it.
56 comments
[ 3.0 ms ] story [ 125 ms ] threadBut it's the same as spam... getting one victim out of a hundred thousand is probably enough to make it pay off.
Just about all the others get to go to voicemail and I’ll read the vm messages at my leisure as my phone transcribes them for me.
Best thing they ever did was cancel their (at least) 50 year old phone number.
Any idea why? It it just luck? It is scammers don't target Japan? Is it some technical difference that makes it harder/impossible/costly in Japan? Is it an enforcement issue?
Also what happened / is happening with https://en.wikipedia.org/wiki/STIR/SHAKEN ? Will it solve the issue?
Then you've got to find voice talent. You can find English voice talent all over the globe, Japanese voice talent is harder to find and probably costs more.
STIR/SHAKEN will likely help somewhat. It should make it easier to track down accounts of callers, but we'll have to see if enforcement becomes effective, or if actionable complaints make enough of a difference. I don't think telephone companies regular record enough metadata for effective enforcement at the moment, and there isn't a reasonable way to report abuse, so most people just shrug and pick up less calls; we really need a useful reporting mechanism (dial * something after you get a spam call should work IMHO; but that's not me doing the work to correlate reports and what not)
I imagine marketers find it significantly more valuable than an email address.
what happened to the good old days of the white page phone books.
The phone companies required you to purchase your privacy for a monthly fee if you didn't want to be included in their publications. Had these publications been privacy focused from the start and required opt-in instead of the extortion for privacy scheme; I have a feeling that these directories would not have existed in the form that they did, if at all.
Phone numbers are a small search space. You can just iterate through it to generate all possible phone numbers.
Of course, I don’t know that your phone number belongs to you, but I have it. The same applies to this site if you enter your phone number in it. They will have your phone number… so what? They don’t know it’s your phone number, just that it‘s a phone number, which has zero value.
If you search the web for your exact phone number, there’s a very good chance your phone number is on several “who called me?” websites already. How did they get your number? They didn’t. They just list every possible phone number and hope people will add comments saying who called them from that number.
What information are you actually disclosing here, given that the number itself is worthless?
That the phone number is associated with somebody who wants to know if it’s part of the Facebook breach? What value is that information / what are the risks associated with it? Scammers wouldn’t use it because anybody who is looking this information up is probably less likely than the average person to fall for a scam even when tailored to this breach. They’d probably get a better hit rate by excluding these numbers.
How about associating it with whatever information your browser leaks / whatever tracking they can add? Use private browsing / incognito to reduce that. What value is knowing that a person with an arbitrary phone number uses Chrome vs Safari? What value is knowing that a person with a phone number from a certain area is browsing from an IP address also located in that area?
All of the comments people have made about privacy here seem to be useless “oh my god, now they have your phone number!” panic that doesn’t seem to realise that a phone number in isolation is worthless. It’s possible that there are potential privacy problems here, but as far as I’ve seen, nobody has actually mentioned any.
I have to prune my email inbox like a garden. I'm constantly unsubscribing from stuff. It's just the reality of the way how the internet and email works, unfortunately.
While I'd trust HIBP more it isn't doing anything significantly different with the lookup process, is it?
"There's no k-anonymity implementation for phone numbers at this point in time." https://www.troyhunt.com/the-facebook-phone-numbers-are-now-...
Putting a number sends it directly in the GET request: https://haveibeenpwned.com/unifiedsearch/%2B1%20123%20456%20...
Edit: as does looking up an email. It's password lookups that use local hashing/k-anonymity: https://haveibeenpwned.com/Privacy
Now I realize, two days ago I used this website.
Has anyone else had a similar experience? I am not assigning blame here but pointing out a coincidence. It would be great to hear if others going through the same thing.
https://www.thenewseachday.com/private-facebook-phone-number...
An even safer way: Look at your phone log. If you haven’t received 25 spam calls in the past week, your number probably isn’t in the list.
For example, HIBP does not send your password (or its complete hash) to the backend in order to find if it has been previously exposed. They use this method: https://blog.cloudflare.com/validating-leaked-passwords-with...
I'm not saying this article is crap -- just that if it is, you probably just happened to see it before the white blood cells kicked in.
If that's the case I suggest he would google Bitcoin's SHA256 numbers too. Heck, at ~55k USD per bitcoin, he would become, literally, multimillionaire overnight. What a buffoon! And it hit HN top as well, pfff.
Author here, and yes that is what I claim. This is actually crypto 101 stuff!
1.) Pre computing SHA256 of a small set of numbers (1111111111 - 9999999999) takes only a couple minutes on your average laptop. That is how people find the preimage (password) of leaked password hashes! More sophisticated techniques use rainbow tables etc.
2.) The preimages of Bitcoins, github commits and file hashes have much more entropy to be able to brute force them. Hence, I will not be able to (with todays computing power) find a pre-image of Bitcoin's SHA256 etc. and sadly not become a millionaire overnight :(
3.) Not related to this but hashing functions do get 'weaker' over time as computing power increases. We don't use MD5 anymore for a reason. SHA1 has attacks now (https://shattered.io/). This is why git to move to SHA256 (https://lwn.net/Articles/811068/). n number of years from now, there will be collision attacks on SHA256 as well, at which point we'll have to move to a better, stronger hash!