Fun to see this issue get talked about. Anecdote: I bought some car parts from a semi-scammer. Not a full-on scam, but the guy wouldn't ship the complete order even though he had my money for several weeks. We had communicated on a few different platforms. Each platform offered up a little piece of his identity. Last four of this. First four of that. It was enough to piece it all together.
I gave him a call at his place of employment which happened to be in the exact same industry as the parts that were being sold. I asked him to ship the parts and casually asked if his employer was involved in the sale. He perked right up and the next day he shipped everything I had bought and a few extras.
There's one missing piece in that article, and it's the CNAM database (US only).

CNAM is the database that carriers use to give you alphanumeric caller ID ("SMITH JOHN" instead of "+1 (555) 123-4567"). Many carriers don't display this data as far as I believe, but most of them make it available.

Querying that database isn't free, but you could probably find a way to do it for a few hundred numbers relatively cheaply. People's names and emails are often similar, so you could probably figure out an algorithm to give you the most likely candidates.

The data is often wrong in interesting ways (I've seen everything from deadnames to people's exes they still share a plan with), but it is still pretty useful.
I use my real name as my email (as many of us do). And my phone number is publicly listed in many phonebooks. In Sweden it's standard practice for everyone to have their address and phone number searchable unless you opt out. Basically what used to be in the phone books in the 80s (which was everyone) just moved online in the 90s, so now everyone's address and phone number is publicly searchable. This can be really useful, but of course it can be used for evil as well.

But one of the really positive things about having so much "public PII" (SSNs, addresses, phone numbers, birthdays) is that people don't have to treat this information as some sort of secret. Everyone needs proper ID and eID because knowing someone's digits doesn't make it any easier to impersonate them.

If someone wants my phone number, they take my email, which has first and last name, go to any of the N search sites, and they find 100 people sharing my first and last name. If they know a city and approximate age (which they can easily get from a social platform) they can narrow it down to just a couple of people. Public records then show my birthday, my cars, my income, who's also registered at the address, and so on. It's not difficult doing OSINT in Sweden...
lol

> Paypal, which displays five digits including area code to anyone knowing the email address (but only three if the attacker knows the target's password), decided this is working as designed and will not take action.

Wild.

Does anyone know how scammers are getting numbers off of LinkedIn? Or correlating them to numbers from elsewhere? I know a company whose employees are constantly getting fake CEO texts.
> If it is a requirement, consider using a virtual number like Google Voice or even a dedicated SIM that you only use for this purpose and never give the number away.

For the second SIM option, that requires a dual-SIM device, which are still fairly niche in the US.

When it comes to VOIP numbers, unfortunately, many sites look up phone numbers and block VOIP providers, which sucks because Android still has no good way of sending/receiving carrier texts on the desktop (and before someone suggests the Google Messages web interface, it "forgets" my device too often for me to take it seriously). Occasionally, this can create a catch-22, where the VOIP blocking is implemented after the fact and prevents you from ever using the account again because the VOIP blocking was also implemented on the SMS 2FA.

And then there are services which don't even bother to check if they can actually reach a number before accepting it. Harris Teeter pharmacies, for example, will happily accept a VOIP number, but their system is unable to call or text VOIP numbers, so you never get your prescription notices. (And I'd bet this applies to all Kroger brands since they share a lot of systems.)
"Good morning class. A certain agitator, for privacy's sake let's call her Lisa S... No, that's too obvious. Let's say L. Simpson."
This kind of uncoordinated leaking is a deeper problem. Many share the last four digits of a SS#. Okay. But often the first five are easy to guess from the birthday and the birth state. The first few digits tell the state where the number was issued.
One thing I've always wondered is how security researchers feel justified in releasing tools like the one in this blog post to the public. I can almost certainly say that the number of bad or creepy uses for an automated email to phone number generating tool massively outweighs the good reasons for having one. Does he get a pass because he's doing this for "research" and it's a grey area anyways? Does he feel better because he talked to the companies who exposed the vulnerability and it's neutered now?
I check GitHub's Trending page for Python projects every day or so. I was a little confused why this repo was trending today, particularly because the note at the top indicates that a lot of the services patched the exploit long ago.

It's interesting to see that this being posted here on Hacker News is presumably enough to push the GitHub repo to the trending page for Python.
As an Australian I can only ever recall seeing the last 2 or 3 digits of my mobile number. The first 2 digits of all mobile numbers are the same and you can't send text messages to landlines.
Related:

Email to Phone Number Osint Tool - https://news.ycombinator.com/item?id=30476792 - Feb 2022 (2 comments)