
Columnist asked researchers what they could find out from just his cell number - sneeze-slayer
https://www.nytimes.com/2019/08/15/technology/personaltech/i-shared-my-phone-number-i-learned-i-shouldnt-have.html
======
skrause
> _A hacker could try to reset my password for an online account by answering
> security questions like “What is your mother’s maiden name?” or “Which of
> the previous addresses did you live at?”_

That's why you don't answer those questions honestly. My mother's maiden name
is always a random 32 character string living in my KeePass database...

~~~
perspective1
I'm not sure that's any safer. It should protect you from the automated
prompt-response systems, where an absolute match is required. But call-center
workers see those answers in plaintext. Eventually an attacker will probably
reach one where answering, "It's a lot of random letters and numbers. I forgot
what they were but the real name is Smith!" will be enough to pass.

~~~
nesadi
So what's your solution? You have to put in _something_, and putting in the
real maiden name seems like the worse option to me. Social engineering is
going to be the weakest point no matter what you do, so I don't see how
anything you do could defend against it and why you should account for it if
there isn't anything you can do.

~~~
rgacote
I use nonsense terms which are easily readable. Mother's maiden name: Lady of
Amberly, first maid of countess Blue, inheritor of the golden bull.

~~~
close04
Putting an actual name in there is probably a lot safer than anything that
might be described by a human as "just some gibberish". Pick an uncommon name,
maybe from another country, maybe spell it in a different way, as long as it's
still recognizable as a plausible name. Most operators wouldn't fall for it if
the attacker says "just some random characters". The important part is to not
reuse the name between registrations.

Combine this with similar unique answers to other questions and the chances of
someone guessing them all become really small.

One thing I never tried is to just put something like
_Anyone_trying_to_reset_this_password_is_a_hacker_DQWIqw12E^1 &UTFD@&$_. Might
be an inconvenience if you actually need to reset yourself.

~~~
orev
If you use any kind of name you run the risk of it being guessed. Use a
passphrase generator to get something completely random and easy to say over
the phone.

~~~
RussianCow
There are thousands if not millions of possible names you could use. As long
as you don't use something very common, you should be okay.

------
dopylitty
All of the information the "hacker" found using the reporter's cell number
could have been found using just the reporter's name and rough location.

It seems strange to me that people's names, addresses, and phone numbers used
to be freely distributed in a large book to every house in town, yet now any
one of those details can be used to assume someone's "identity." It seems the
only thing stopping this from happening en masse is that nobody has tried.

~~~
jhbadger
Times change. When I was an undergrad in the 1980s (in the US) my professors
would post the results of exams on their office doors labeled by social
security number (for "privacy"). Nobody at the time saw a problem with it,
although we would today.

~~~
kobbe
As a Swede I don't really see a problem with this; the SSN is publicly available
in Sweden to anyone.

~~~
jbarberu
As a Swede living in the US, the difference is in Sweden the SSN is your
username, in the US it's become the password.

~~~
stenl
In Sweden, the password is BankId, a two-factor authentication app that
everybody has on their phones. It’s used by all government agencies, banks and
insurance companies etc. to establish identity. You literally use your SSN as
username to log in, plus a PIN, to generate a one-time passcode (which happens
behind the scenes so you don't have to type it in).

~~~
umanwizard
What if you don’t have a phone?

~~~
swebs
I know when you make an account with Nordea, they give you a page with several
hundred codes printed on it. Each time you authenticate, you have to use the
next code in the list. If you use any other code on the page, it's considered
invalid. They instruct you not to mark the page so if someone takes your code
page they do not know which one is the current code.

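The printed code sheet described above, modelled from the bank's side as an added example (not code from Nordea or from the thread): codes are stored hashed, only the code at the current position is accepted, and a used or out-of-order code is rejected. The sample sheet is constructed.

```python
import hashlib
import hmac
import secrets


def hash_code(code: str) -> str:
    # Store codes hashed so a leaked server table does not reveal the printed sheet.
    return hashlib.sha256(code.encode()).hexdigest()


class CodeSheet:
    """Server-side state for one customer's printed list of one-time codes.

    Models the scheme as described in the thread: codes are valid only in
    printed order, and the next unused code is the only one that is accepted.
    """

    def __init__(self, codes):
        self._hashes = [hash_code(c) for c in codes]
        self.position = 0   # index of the next code that will be accepted
        self.failures = 0   # wrong submissions, for lockout or alerting policy

    @property
    def exhausted(self) -> bool:
        return self.position >= len(self._hashes)

    def verify(self, submitted: str) -> bool:
        if self.exhausted:
            return False
        ok = hmac.compare_digest(self._hashes[self.position], hash_code(submitted))
        if ok:
            self.position += 1   # advance only on success; a used code never works again
        else:
            self.failures += 1
        return ok


def generate_sheet(n: int = 200, digits: int = 6):
    # Constructed sample: n random numeric codes, the way a bank would print them.
    return ["%0*d" % (digits, secrets.randbelow(10 ** digits)) for _ in range(n)]


def demo():
    sheet = CodeSheet(["483920", "117604", "905231", "660018"])  # constructed sheet
    results = [
        sheet.verify("905231"),  # out of order: rejected, position stays at 0
        sheet.verify("483920"),  # current code: accepted
        sheet.verify("483920"),  # replay of a used code: rejected
        sheet.verify("117604"),  # next code: accepted
    ]
    return results, sheet.position, sheet.failures
```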
~~~
grimjack00
But then, how does the _account holder_ know which is the current one?

~~~
swebs
In theory, by remembering the last one you used.

In practice, by just marking the damn pages.

------
tshtf
This type of phone number intelligence is essentially free. In a few seconds,
for just ten cents, one could use NextCaller (YC14) and get all of this:

[https://hackernoon.com/nextcaller-what-does-your-phone-number-say-about-you-1bc894d48c66](https://hackernoon.com/nextcaller-what-does-your-phone-number-say-about-you-1bc894d48c66)

Although I think NextCaller no longer has this Twilio integration, there are
similar services that provide these details at this price point.

~~~
rootusrootus
Does anyone offer a monitoring service for consumers? I would pay a nominal
fee to be able to dip in to the big databases like this to find out what they
think they know about me. If it's so cheap on a per-lookup basis, maybe
someone could offer a consolidated view. Pay us X dollars and we will go dip
into the top 50 databases right now and see what they say.

Of course, they probably contractually cannot do this and would get cut off
immediately if they did.

Edit: Didn't know, nextcaller is a YC company. LOL

~~~
mxuribe
On the surface, this sounds like a great idea (I certainly would pay for such
a service)...But wouldn't that create an incentive for the data brokers to
double-dip, and sell YOUR data to existing ad/marketing/scammer customers,
PLUS sell YOU your OWN data?

(I should caveat, I'm having a "pessimist day" today, so even sunshine and
rainbows aren't as pretty today as they normally are.)

~~~
rootusrootus
> PLUS sell YOU your OWN data

Yeah, sounds like credit bureaus :).

With the sheer quantity of data analysis that goes on behind the scenes and
affects citizens, I think we need a much better handle on transparency. We
already have some level [inadequate IMO] of control over the established
credit bureaus, I think that should be expanded to all data brokers that sell
personal data like this. If I can't keep it from being sold, then I should at
least be able to see what it is and make sure it's accurate.

Maybe it's time to look into how to pollute the data set instead.

~~~
mxuribe
Yep, you're right on all points!

------
ineedasername
They make such a big deal of getting this from a cell number, but none of what
they listed is very difficult from simply a name and general idea of who a
person is.

I recently found a lost wallet. The only things in it were cash and some
credit cards (and a Kohl's loyalty card). The person had a semi unique name,
only 4 in my state, and it was easy to find all of the data listed in this
article about them. Whitepages-style sites usually have age, relatives,
sometimes phone numbers and addresses, and you can put together the pieces
from different sites:

I found the wallet at a Dude Perfect Tour show with my kids, so out of the
matches I found, I assumed it was less likely to be the 67 year old. Another
came up repeatedly for crimes: Domestic Assault & Battery, and drug crimes. I
doubted this was the owner, and wasn't sure I wanted contact with anyone like
that. Anyway, that left two people. The first one I called had lost the
wallet, and I mailed it to him.

Again, all I needed was a name.

------
tunap
I have been living in the park & taking calls at the lottery hotline for 25+
years, according to all but my guv, insurance provider & LEOs. Some others may
get a PO Box, but if X doesn't fall under the umbrella of the former
mentioned, they get all the mis-info I can feed them. Sadly, today the
institutions I must rely on sell all that info to the highest bidders, anyway.

In the list of info gleaned from your phone # the writer forgot your online
purchase history, vehicle VIN & plate number and pretty much EVERY MOVE YOU
MAKE day-to-day thanks to O/L retailers, your cell provider, your TV/provider,
your DMV, your insurance provider, your city/county/state/Fed & everyone else
under the sun selling your info. Many ask for your phone # "for security
reasons" and then immediately sell it. TFA states it is better than your "full
name"... that's nothing, as I have >7 same-names in my metro alone. It is,
indeed, better than your social security #(in the States, anyway).

------
razormouse
Very ironic article on a site that requires you to log in via social media
just so you can read it.

------
lwansbrough
No mention of the ability to obtain an exact real-time location, which is made
possible by phone companies providing your real-time data to advertisers and
other third parties.

------
fromthestart
Whenever possible I use the burner app if I need to provide a number to sign
up for a service that I'm not particularly worried about losing access to,
that sends a confirmation code on login. Especially when it's something I only
need to use once, like anonymously downloading a file from a website that
requires a Google or Facebook login, for example.

------
lota-putty
The problem is the 'public records', not 'sharing phone#'.

Layers of security-levels to access records and appropriate log trails for
audit shouldn't be that difficult to set up in this day & age.

I suppose it's hard to implement in a purely capitalistic economy.

------
LinuxBender
How many here have set their LinkedIn profile to not be discovered if someone
knows your number?

------
DaniloDias
“Twilio, a communications company that works with phone carriers on combating
robocalls.”

- The New York Times

------
NoblePublius
I can’t read this article because the alleged bastion of journalistic
integrity requires its readers to be tracked.

~~~
zajio1am
Does not. You can just read it with disabled javascript.

