Many Facebook users may not even realize that their private phone number is connected to their Facebook account, having forgotten that they did so. Facebook isn't allowed to simply extract your number from your phone, but they can do what I refer to as the "app equivalent of cyberbullying" by repeatedly asking you to confirm and save your number each time you launch Facebook.
The default privacy setting on Facebook allows anyone to search for you by your phone number once you add it. This is not a new issue. It has been around as long as the Facebook Graph search, but Facebook chooses to see this issue as a feature, as a letter received by Belgian researcher Inti De Ceukelaire shows.
Certainly, some people, such as celebrities and politicians, should be more concerned than others about revealing their private number online. However, anyone could potentially have a cyberstalker or hacker target them. Once a hacker has a phone number and your name, they can quickly use open-source intelligence (OSINT) tools that we've covered on Null Byte to grab further public data like occupation, employer, spouse, relationship status, and any other public info.
A hacker could use the information to further social-engineering attacks by calling you directly. Think of the classic "Microsoft tech support" scam, only the caller trying to trick you knows your name and intimate details of your personal life. Armed with these, it's easy to make the target think the caller is legitimate.
How would a hacker actually go about finding your number? In theory, if they had a lot of time, they could just search all 9,999,999,999 potential numbers until they stumbled upon yours. Clearly, this isn't very efficient, so let's see the right way of doing it. For a practice subject, I'll be using DC Mayor Muriel Bowser (2017) as a random city official. In the examples below, her number was changed to protect her real number.
Step 1: Use the Area Code
If you think of a target's phone number as one of all the possible 10-digit US phone numbers, you can quickly see that 10 billion North American phone numbers is far too large a list to effectively search through. Luckily for the hacker, he can cut this down thanks to the North American Numbering Plan (NANP), which lays out the guidelines for phone numbers in the US.

Let's take an example: 234-235-5678. Looking at the NANP, we can see that the first three numbers (234) are the area code, and the plan allows for 2–9 as the first digit and 0–9 for the second and third digits. That information right there eliminates one billion possible numbers from the hacker's list.
The hacker can also quickly take advantage of this if they know or can take an educated guess at where you live, as it's as easy as a Google search. By doing this, the hacker can remove a further 9.99 billion numbers from the list of potential guesses.
In area codes where the second digit is 1, the third can't also be 1. This yet again removes a large number of phone numbers from the hacker's list. The last four digits of the phone number are the line number, in this case, 5678.
I took the educated guess that the Mayor of DC would have a DC area code, and a hacker could also look up the target's Facebook account and likely find a hometown or the current city the target lives in or works from. Some larger cities like Los Angeles will have multiple area codes within them, but no matter how many "split" area codes there are, it still greatly reduces the hacker's list of possible numbers.
Step 2: Get the Last Numbers
Now that I know my target's number is 202-???-????, I want to try and remove as many of those question marks as possible, making it easier to do a Facebook search later on. Thankfully, Facebook has our back and has made this probably the second easiest step, after using the area code. In order to get the last two numbers, we just have to go a few steps into the password reset process.

To do this, the hacker goes to the main Facebook page and clicks "Forgot account" to start the process.
Step 3: Use Outside Sources
With over 218 million users, PayPal and other services can help add to the information the attacker has collected so far. In this case, if the target is a PayPal user, the hacker can get two additional digits of the phone number we're looking for.

In the picture above, you may have noticed that the first email listed is a Gmail account that starts with "M" and ends with "R."
That's funny, since my target's first name starts with an "M," and her last name ends with an "R." To a hacker, this screams "I used my name as my email!" Suspecting this was the case, I checked it on Gmail by typing it in.
Step 4: Brute-Force It the Smart Way
At this point, a hacker could just start throwing numbers into the Facebook search bar, but that still wouldn't be that efficient. So what does a lazy hacker do? They take advantage of a Facebook feature that allows you to conduct a bracket search.

Facebook allows you to upload lists of contacts in CSV format, and then tells you if they are on Facebook so you can add them as friends. By constructing my own contact list of potential numbers, I can quickly rule out large chunks of wrong numbers.
In this case, I know the number has to be in the range from 202-000-6969 to 202-999-6969. By cutting that in half and creating a list of numbers from 202-000-6969 to 202-500-6969, I can effectively rule out half of my list, as the target will only be in one of the two half lists created. Then, I can upload the list and instantly determine if they are on it or not.
To create this list, I went to Google Contacts and clicked "Export" to get a sample CSV file to work from.
In the Excel formula below, I start by taking the lowest value phone number, in this case, 2020006969, then I add 10,000 to it in order to increase the fifth place digit by 1. This formula will repeat as many times as needed, but we shouldn't do it more than 1,000 times because there are only a thousand numbers in our list to guess. If the target hadn't had a PayPal account to help us derive the third and fourth place digits, then we would be adding 100 to increase the third digit instead.

=(ROW()*10000)+2020006969

From there, it is simple to sign into a Facebook account and go to the Friend Finder feature. Click on the Gmail logo and then "Find Friends."
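The bracket-search step above is what a platform's abuse team would want to catch. The following is an added example, not code from the original post or from Facebook: a defender-side heuristic over constructed contact-import records that flags an upload whose numbers look enumerated (hundreds of entries sharing one line number, evenly spaced within one area code) rather than a real address book. The size and concentration thresholds are assumptions chosen for illustration.

```python
from collections import Counter
from dataclasses import dataclass
import random


@dataclass
class ContactImport:
    account: str
    numbers: list[str]  # 10-digit NANP numbers as digit strings


def is_evenly_spaced(values: list[int]) -> bool:
    """True when the sorted values form an arithmetic run (e.g. step 10000)."""
    s = sorted(values)
    if len(s) < 2:
        return False
    step = s[1] - s[0]
    return step > 0 and all(b - a == step for a, b in zip(s, s[1:]))


def suffix_concentration(numbers: list[str], suffix_len: int = 4) -> float:
    """Fraction of numbers that share the most common trailing digits."""
    counts = Counter(n[-suffix_len:] for n in numbers)
    return counts.most_common(1)[0][1] / len(numbers)


def score_import(imp: ContactImport, min_size: int = 50,
                 concentration: float = 0.9) -> dict:
    """Flag an upload whose numbers look enumerated rather than real contacts.
    Thresholds are assumed values for this example, not a platform's policy."""
    nums = [n for n in imp.numbers if n.isdigit() and len(n) == 10]
    if len(nums) < min_size:
        return {"account": imp.account, "flagged": False, "reason": "small upload"}
    reasons = []
    if suffix_concentration(nums) >= concentration:
        reasons.append("shared line number")
    if len({n[:3] for n in nums}) == 1 and is_evenly_spaced([int(n) for n in nums]):
        reasons.append("evenly spaced run in one area code")
    return {"account": imp.account, "flagged": bool(reasons),
            "reason": ", ".join(reasons) or "ok"}


# Constructed sample inputs: a bracket list covering half of the 202-???-6969
# range (the post's scenario) and a plausible address book of mixed numbers.
BRACKET = ContactImport("acct-A", [str(2020006969 + i * 10000) for i in range(500)])
_rng = random.Random(7)
ADDRESS_BOOK = ContactImport("acct-B", [
    f"{_rng.choice([202, 301, 703])}{_rng.randint(2000000, 9999999)}" for _ in range(120)])
```

Running `score_import` on both records flags only `acct-A`, with both reasons; a real address book rarely has more than a handful of numbers sharing a line number.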
Step 5: Test the Last Few Numbers
Once the hacker has it down to a handful of numbers, they can go to the Facebook search bar and type them in one by one. To do so, just type the number into the search bar with no hyphens. If the requests are going too fast, or if they search for too many, Facebook starts to rate-limit them with a CAPTCHA.
Step 6: Protect Yourself
The simplest way to protect yourself is to never connect your phone to Facebook. If you still want to use two-factor authentication, Facebook allows you to use a USB U2F device without having to rely on your phone.

If you absolutely must have your phone connected, navigate to Facebook Settings, select "Privacy," then "Who can look you up using the phone number you provided?" Set this option to "Friends." Unfortunately, Facebook doesn't let you set this to "Only me."
While this still will not provide absolute protection, it will make the hacker's life much more difficult.