Show HN: Doxx Me – See how doxxable your phone number is (app.efani.com)
I built this tool that checks publicly available data against your phone number. I was surprised how one my numbers (which I text and sign up for services with) has a lot of information attached to it including my full name, all previous addresses, relatives, emails, and more.
219 comments
[ 3.0 ms ] story [ 175 ms ] threadHere are how results are displayed if someone doesn't want to search their number:
====
The following data is publicly associated with your phone number Carrier (MOBILE)
Associated Names No Associated EmailsNo Associated Birthdays
No Associated Locations
No Extra Sensitive Info
No Associated Institutions
No Associated Businesses
No Associated Phone Numbers
No Associated Social Media
No Associated People
No Associated Marketing Info
No Known Data Breaches
====
"Associated Names" is the city and province i reside in, and the carrier is more or less accurate. Both things i wouldn't expect to be able to keep secret without extreme effort.
1. https://www.ssa.gov/employer/stateweb.htm
This is just your phone number. The thing you give out to people you just met. What the secure app signal requires for signup. And what spammers seem to always be able to find.
I can even find direct links to voter registries in some states I've lived.
I am not allowed to vote. Yet, this tool was able to pull a lot of info regardless.
Also, reading the privacy policy, it looks lacking. I'm not a lawyer, but https://www.nolo.com/legal-encyclopedia/what-to-include-in-y... clearly states that if your service sends text messages, you should make a statement about retaining that data indefinitely.
After reviewing the privacy policy, and seeing who else is involved in the company, no thanks. Seems very non professional.
Radio Shack had one. Judge threw it out in bankruptcy court.
Others have a clause "we can change this whenever yadda yadda".
Basically if you think that's going to stop them, I have a bridge to sell ya.
It also found the names and dates of birth of our extended families.
For #1 - That's what Efani Secure Mobile does. For #2 - we've listed few services but you can also email all the data brokers and they'll delete the info. You can also hire firms which do this by charging a subscription
Please consider using our affiliate link as we are providing this tool for free.
My Data Removal is cheaper so might be more worth it
I built the tool - https://www.efani.com/leadership
[1]: https://www.efani.com/about-us
[2]: https://www.efani.com/leadership
We're a MVNO that guarantees protection against SIM Swap . We've additional protections but not able to offer it to public yet.
Not from a marketing standpoint, but from a procedural level, how is this guaranteed?
Are you able to go into detail about this without giving up proprietary/secret sauce? Asking as a former pbx engineer at a couple of CLECs who is intimately familiar with the LNP process.
So to answer the original question on how we can guarantee while other carriers are not. There are two common attacks to compromise your account.
Sim Swap & Port out
In Sim Swap, any employee person can replace the SIM Card without permission by changing the number on the dashboard. Every primary carrier SIM card is available online, so criminals buy 100s of them and then rent logins to change this information. These logins are available for as little as 10k from the dark web.
The port-out attack is when criminal changes your carrier, which requires your account #, Zip Code & PIN in a few cases. Other information can be fake, so it isn't required. Port out must be completed within hours, and carriers have automated the process.
So how does Efani guarantee against it? I've been a victim of SIM Swap and have dealt with hundreds of incidents. No one is perfect, but we're just better at dealing with such attacks.
We authenticate clients using multiple ways and treat every request as fraud. It isn't an automated process & even within the company, it's taken very seriously and has to be approved by multiple resources. Our authentication methods include notary public and video authentication, and clients can also request a unique authentication process. We employ US Citizens who're security cleared and don't outsource support or operations. A lot of our staff isn't public due to security reasons. They are well paid compared to regular CS staff and are well-trained against these attacks. Our SIM cards are not publicly available, eliminating the risk of anyone obtaining them. Information on the account is pseudonymized, so if a client has compromised himself, we're able to stop the impersonation. Cool-off period - In case of high risk, we put a 14-day cool-off period to any request to ensure the client isn't compromised
We follow a few other methods in addition to the above and constantly. We've been able to stop all the attacks so far and are confident in our ability to deliver on the promise; Efani Secure Mobile is also securing clients with $5M Insurance. If you ever get compromised, you'll receive an apology, so we went beyond to ensure peace of mind.
Please let me know if further clarification is required.
Have you had a user get swapped, yes or no?
Guarantee is a word that has weight to it, I'm not seeing anything substantiating a guarantee other than the claim. I'm trying to understand the spirit of its use in this context by asking this.
The real service being sold here is the idea that in exchange for a premium, a company will train employees correctly and enforce strong security policies. which would be skipped by a normal telco because they want as much profit as possible off the top of your 30$ a month.
I mean, layers could be as simple as:
1. Does last name match?
2. Does first name match?
3. Does middle name match?
4. Does name suffix match?
5. Does country match?
6. Does state match?
7. Does city match?
8. Does street match?
9. Does house number match?
10. Does apartment number match?
11. Does phone number match?
I don't mean to make too fine of a point from it; the combination of missing pages and slightly "off" formatting (mixed capitalization of the company name, other company logos embedded without rounding or blending) sets off my phishing alarm.
When I was SIM Swapped 4-times, I only got a courtesy call saying Sorry for the inconvenience caused.
I thought having $5M Insurance on top of guarantee will be better
I think this is cool, but also think it's important to be clear what's being offered.
About insurance, it's limited to Sim Swap/Port outs
It's like We guarantee it and you get upto $5M
It looks like this is targeted towards crypto whale hopefuls who, for whatever reason, store sizeable value in a hot wallet/CEX that's controllable using a phone number/SMS 2FA. The price point of $99/mo supports this hypothesis.
Honestly, not a bad idea. These people clearly have more money than sense.
Plus it's not $99/month on top of your plan but it replaces your current phone plan + gives $5M Insurance policy too. Our other plans are even higher but the security they provide isn't required by 99.9% of the population so we don't even mention them on the site
Not sure if I'd be compelled to send my information to any service that is literally called "Doxx Me" either.... :)
Do you've any suggestions ?
Between that and a crypto bro founder / CEO this seems more like a pretext to harvest mobile numbers.
It looks legit to me, and a good business idea.
- Your Crypto Bro
(My phone number is public, but it doesn't show up in any of these public DBs. I have no idea why.)
* Confirms that a number is a live subscriber;
* If there are N possible identities tied to the number, it strongly suggests that the most recent one is the "current" one;
* Links my phone number to a browser session, which provides further information.
Edit: It also fundamentally turns a passive source of information (a DB of phone numbers, of unknown quality) into an active one (people are actively confirming that some of these numbers are real and currently subscribed).
We are a cybersecurity company and our entire leadership team has a decent online presence. You can just look any of us up.
Edit: Whoops meant to reply to the comment below
More details at https://www.efani.com/company
The "doxx me score" gauge is cheesy, and I have a negative reaction toward seeing those from disreputable banner ads around the internet.
It's not clear to me how the service you are selling (SIM swapping protection) and the privacy report are related.
Do you want to clarify what data you are recording as part of offering this service?
> We only retain collected information for as long as necessary to provide you with your requested service. What data we store, we’ll protect within commercially acceptable means to prevent loss and theft, as well as unauthorized access, disclosure, copying, use or modification.
What services are you getting the information from?
Some of it was from family members who were apparently conflated with me, and some of it didn't ring any bells at all.
It had all of my recent addresses, and many more that I had never heard of, including cities I've only visited once or twice and two countries I've never been to in my life.
One phone number had 4 SSN's associated with it, and while the site doesn't show you the actual digits of the SSN, it does say the state it was issued in. All 4 were from different states, and none were from the state I was actually born in.
Our goal with the tool is show vulnerabilities around our numbers and how easy are they becoming alternative to SSN yet easy to be hacked
One thing your site could do but doesn't is tell me WHERE it got that information, like exactly where. Why just say "publicly available data?" I want to know precisely where you got all this on me, with annotations. Without that information, this is just a scary page that encourages me to sign up for nebulous services.
Their source must be cheap enough to do stuff like this so it probably rules out DataAxle, Elsevier and Oracle.
They thought I had 'hacked in'. My landlady at the time worked as a secretary at the FBI and misunderstood or did not know the data could be purchased legally through a third party, after I told her what I was doing at a dinner at their house which they invited me to.
I was extremely hung over when they came, I was 25, and did not at all believe they were agents I slammed the door on them (one of them had converse sneakers with their suits though). They slowly convinced me they were in fact legit, I showed them all the paperwork, and shut the site down due to caution. Gave me a good story to tell, ~2005.
Of course. We're not not allowed to know who sold our personal data to shady 3rd parties due to "privacy laws". Hilarious.
We'll have to acquire different set of licenses if we ever have to step into these industries.
Had this guy who decided to use my Gmail address for stuff and I ended up finding his phone number online to text him that is wasn’t his email address. After the failed attempt send him a yard gnome after I reset his Walmart password and was thwarted by the security code on the back of credit cards. I still think he would have been a good gnome owner.
I tried two phone numbers: my primary cell phone number gets a great 800+ score but reveals an accurate address history of 9 years.
The second one gets a poor score (415), but none of the data is accurate. Have fun: https://gist.github.com/piscisaureus/03d5ebeeb3e77922a858464....
For 2 people who claim its for safety and security, sure as hell seems like a HN fishing expedition.
2. We are a cybersecurity company. We don't want to show people how to hack others.
3. It would lend to the common belief that there is one source of data that you can simply delete or opt out of. There are hundreds of companies, databases, and sources with this information copied.
There is nothing stopping you from doing the same.
And they have their own grandiose "nobody can fool us and have your SIM swapped here" (YET).
If I received $1 for everything I've read or heard "UnHacKaBlE", I could retire immediately.
Have you considered our cybersecurity company might have made this tool and provided it for free because it is good helpful to our target customers and might even help some customers find us?
Because that is what this is. Not data harvesting. We make money on our phone plan.
Simply put, your security is NOT impenetrable. And I would heartily and easily say that your security is not up to NatSec minimums. And hell, they can't even keep their tools and data from leaking out.
You know, EternalBlue and goodies? Or how about the OMB hack. still sour about that one.
> Have you considered our cybersecurity company might have made this tool and provided it for free because it is good helpful to our target customers and might even help some customers find us?
Or you're harvesting legit HN users. Companies don't do stuff for free. There's always a reason. ALWAYS. And market research of real humans intersecting with HN is a very lucrative datasource.
Don't believe me? Please try to follow this book and check back if our tool is still finding the info in 6 months.
Feel free to check out https://haveibeenpwned.com/, I think you would like that more
Is this just the ToS of whatever data brokers you're using?
What are you trying to say here? They have the data they have regardless of whether you choose to try the service.
> If you want to build goodwill, supply the methodology to enable the people who want to do this themselves.
This sets up a false dilemma, i.e. there are other ways to build goodwill.
With that said, I suspect the data behind this is not data that the average individual would have much success in acquiring.
The subtle hostility seems unnecessary.
The alternative is that they've grabbed a full set of all data for all numbers, in advance, right?
Only data set that'll be of help if we give a bad score and it actually get hacked ( which we really don't want )
This is the best we could think of, but please let us know what would be a better approach
Having Googled my phone number many times, Doxx Me is returning similar results that a bunch of paywalled “people search” websites show as a free preview.
I don’t personally think it matters what Doxx Me does since this data is out there being used without my permission all of the time, and they certainly didn’t collect it.
We're just queries dozens of paid sources and crowdsourcing the data and displaying what we believe is accurate as it may have appeared multiple times
What do you think should be our approach given this is the situation