Lack of standardization in handling private info allows hackers to fill in the blanks

Failure to mask users’ personally identifiable information (PII) properly by multiple websites might give cybercrooks the means to connect phone number and email address records.

A lack of standardization in approaches to password reset functions by many of the biggest names on the web has created a security chasm which can be exploited by criminal hackers to obtain the full telephone numbers of targeted individuals.

At the DEF CON security conference earlier this month, researcher Martin Vigo demonstrated a technique using open source intelligence (OSINT) to compile a target’s phone number through public sources and password reset functions.

If you forget a password for an online account, it is standard practice to request a password reset through either your email address or phone number. In the latter case, you are usually presented with a partial selection of digits from your phone number.

This results in a partial and intentional disclosure of PII that varies between online service providers. For example, eBay offers the first three and last two digits, PayPal shows the first and last four digits, and LastPass leaks the last four digits.

An attacker is able to submit multiple password recovery requests to different providers in order to obtain up to seven out of 10 digits with relative ease.

Vigo says that it is possible to “reduce the possibilities of guessing your phone number from one billion possibilities to one thousand” through this technique.
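The arithmetic behind these figures can be checked by a service auditing its own reset page. The sketch below is an added example, not code from the article or from Vigo's tool. It assumes a 10-digit number and reads PayPal's mask as the first digit plus the last four; the function names and policy table are constructed for illustration.

```python
NUMBER_LENGTH = 10  # assumption: 10-digit national number, positions 0..9

def mask_positions(first, last, length=NUMBER_LENGTH):
    """Digit positions shown by a 'first N, last M digits' mask."""
    return set(range(first)) | set(range(length - last, length))

# Constructed policy table built from the masks quoted in the article.
# Assumption: PayPal's "first and last four" = first digit + last four.
POLICIES = {
    "eBay": mask_positions(3, 2),
    "PayPal": mask_positions(1, 4),
    "LastPass": mask_positions(0, 4),
}

def aggregate_exposure(policies, length=NUMBER_LENGTH):
    """Union of positions revealed across providers and the space left."""
    revealed = set().union(*policies.values())
    hidden = sorted(set(range(length)) - revealed)
    return {
        "revealed": sorted(revealed),
        "hidden": hidden,
        "candidates": 10 ** len(hidden),
    }

def marginal_leak(policies, name, proposed):
    """Positions a provider's mask adds beyond what the others already show.

    A non-empty result means this reset page contributes digits that no
    other listed service reveals, so its mask widens the total exposure.
    """
    others = [pos for key, pos in policies.items() if key != name]
    return sorted(set(proposed) - set().union(*others))

def common_convention(policies, first, last):
    """Exposure if every provider adopted the same 'first/last' mask."""
    same = {name: mask_positions(first, last) for name in policies}
    return aggregate_exposure(same)

if __name__ == "__main__":
    print(aggregate_exposure(POLICIES))
    print("eBay adds positions:", marginal_leak(POLICIES, "eBay", POLICIES["eBay"]))
    print(common_convention(POLICIES, 0, 4))
```

With one shared mask, querying more providers reveals nothing new, which is the case for agreeing on a common practice rather than each site choosing its own digits.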

Filling in the blanks

When it comes to US subscribers, the PII made available by vendors includes parts of the subscriber number and area code (NPA), but there will be three missing digits that relate to a Central Office Code, otherwise known as an exchange number.

This data can be gained through public datasets provided by the North American Numbering Plan Administrator (NANPA) and the National Pooling Administration.

Even if a US-based target only owns a few online accounts, such as an eBay and PayPal account, these public repositories can be used to fill in the gaps.

Some countries, including Iceland and Estonia, register handsets using only seven-digit numbers. In these cases, obtaining a full phone number could be possible with only an email address and password recovery requests sent to several vendors.

The leak of a phone number and connected email account can lead to SIM-swapping, user tracking, caller ID spoofing, and social engineering attacks.

It’s also possible to manually conduct attacks via Namechk, data repositories and Burp Suite brute-forcing.

However, Vigo has taken all of the labor out of the process with the release of the free ‘email2phonenumber’ tool, which performs the OSINT technique automatically.

The researcher is also working on an online service that will be able to automate the generation of lists of possible phone numbers in multiple countries.

PII pinch points

Speaking to The Daily Swig, Vigo said that while forcing through an industry standard might be deemed “overkill” to mitigate partial personal information leaks, at the very least, industry players should agree on best practices.

“Ideally we don’t leak anything to unauthorized users, such as those who simply know your email address,” Vigo says. “I don’t see why it is necessary and it poses a risk that opens you up to other threats.”

One proposal brought forward by the security researcher is the use of labels. For example, a user could label an email address based on ‘work’ or ‘personal’, and therefore when a password reset is requested, the label acts as a memory trigger in place of an extract of digits from the telephone number.

“My research shows how it is possible to recover the entire phone number by collecting digits from different sites,” Vigo added. “This is a problem across the industry that we cannot look at individually.”

