Lessons from Snapchat: Using phone numbers for IMs will always be risky

While the Snapchat data breach came as bad news for users, what many may not have realised is that the really scary part was that mobile numbers of users were breached.

Ivor Soans January 04, 2014 12:00:39 IST
While the Snapchat data breach came as bad news for users, what many may not have realised is that the really scary part was that mobile numbers of users were breached. That also means that if a far more popular mobile IM service like WhatsApp is ever hit by a similar breach, there could be hell to pay, as WhatsApp's foundation is built on using mobile numbers for identification and contact discovery.

At Snapchat, the data that was breached and leaked was user names and phone numbers. If, for instance, user names and e-mail addresses had been breached, it might not have been as dangerous, because users often use aliases for their e-mail addresses; narrowing down an e-mail address to a specific individual is not a very easy task.

However, in the case of phone numbers, the danger is far greater, since narrowing a number down to an individual user is far easier. Identity theft is a serious challenge for law enforcement worldwide today, as organised crime sees the tremendous opportunities to profit from it. This is not restricted to the West; such multinational criminal gangs also operate in India. As this news report of a gang busted in New Delhi reveals, Nigerians in the gang hacked bank accounts by phishing with the help of proxy servers based in the US, while their Indian counterparts arranged or opened bank accounts using forged documents. On top of that, another team from the gang scanned the targets' social networks, including Facebook and LinkedIn profiles, for extracting personal details and for forging fake ID cards. They would report the loss of a SIM to the mobile service provider and get a new card issued using the fake ID, then wipe out bank accounts without the victim being aware, as his mobile service would also be deactivated or on another SIM.

The Snapchat logo is seen in this file photo. AFP

Stephen Wilson, a digital identity expert and Founder and Principal of Lockstep Consulting, explains in his blog on the Snapchat breach that such cybercriminals patiently acquire multiple data sets over many months, sometimes years, and then gradually piece together detailed personal profiles. These data sets could include your user name, e-mail address, real name, etc.

Piecing together or re-identification is enabled by linking diverse data sets. As Wilson explains, "E-mail addresses and phone numbers are superbly valuable indices for correlating an individual's various records. Your e-mail address is common across most of your social media registrations. And your phone number allows your real name and street address to be looked up from reverse White Pages. So the Snapchat breach could be used to join aliases or e-mail addresses to real names and addresses via the phone numbers. For a social engineering attack on a call centre -- or even to open a new bank account -- an identity thief can go an awful long way with real name, street address, e-mail address and phone number." Wilson goes on to say that he believes that phone numbers are most valuable to the highly organised ID thief, for they can be used to index names in public directories, and to link different data sets, in ways that social security numbers or credit card numbers cannot.

Does that sound scary? It should. Because when you call up your mobile service provider or your bank's call centre, often all you need to provide are your birth date and your address. That also explains how the gang busted in New Delhi went about wiping out bank accounts and making a mockery of the Reserve Bank of India's SMS alerts recommendation by ensuring that even the victim's cellphone SIM has been deactivated or a new SIM issued based on a fake ID they had forged. There are more cases of a similar kind emerging in India.

If you think Wilson's concerns are only relevant to the West where technology usage is far deeper, you couldn't be more wrong. With projects like Aadhaar, the Indian government now has deep digital databases of Indian citizens and as a report in The Times of India today reveals, the situation is perhaps scarier in India than in other parts of the world. While the government may be focused on keeping Aadhaar data safe and may have failed even in that, the report reveals that various government agencies have put vast amounts of information on individuals online, that literally anyone could access quite easily. So, you could get lots of details from websites of energy companies supplying LPG for household use, from government-run telecom providers like MTNL, the Election Commission, etc. For a cybercriminal, some of these Indian websites would be a rich hunting ground.

Re-identification based on linking multiple data sets is not a new concern, as Dr Latanya Sweeney's research has proved. Dr Sweeney is Professor of Government and Technology in Residence at Harvard University and the Director of the Data Privacy Lab at Harvard. Her first contribution involved linking de-identified patient-specific medical data to a population register (a voter list, for instance) to re-identify patients by name. She then showed that 87 percent of the US population can be uniquely identified by date of birth, gender and ZIP code. Her site Aboutmyinfo.org tells people living in the US how unique their demographics may be, and therefore how easy it is to identify them from these values. For instance, I tried using my birth date, gender and a ZIP code in Sunnyvale, California, and to my shock no one else from among the nearly 46000 people living in that area shared my birth date.
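The uniqueness Sweeney measured can be checked on a data set before it is published. The following is an added illustration, not part of the original article: it counts how many records are unique on date of birth, gender and ZIP code, then repeats the count after coarsening those fields. The records are constructed and the function names are assumptions of this example.

```python
from collections import Counter

# Constructed sample records (not real people): (date_of_birth, gender, zip)
RECORDS = [
    ("1975-03-14", "F", "94086"),
    ("1975-03-14", "F", "94086"),
    ("1975-08-02", "M", "94086"),
    ("1975-11-30", "M", "94087"),
    ("1982-01-09", "F", "94087"),
    ("1982-06-21", "F", "94085"),
    ("1982-06-25", "M", "94085"),
    ("1982-12-01", "M", "94089"),
]

def exact(rec):
    """Quasi-identifier exactly as stored: full birth date, gender, 5-digit ZIP."""
    return rec

def generalized(rec):
    """Coarsened quasi-identifier: birth year only, gender, 3-digit ZIP prefix."""
    dob, gender, zip_code = rec
    return (dob[:4], gender, zip_code[:3] + "**")

def k_anonymity_report(records, key_fn):
    """Group records by quasi-identifier and report how identifying it is.

    k is the size of the smallest group; k == 1 means at least one person is
    singled out by these fields alone. unique_fraction is the share of
    records that sit alone in their group.
    """
    groups = Counter(key_fn(r) for r in records)
    k = min(groups.values())
    unique = sum(1 for r in records if groups[key_fn(r)] == 1)
    return {"k": k, "unique_fraction": unique / len(records)}

def records_below_k(records, key_fn, k):
    """Records a publisher would have to suppress or coarsen to reach k."""
    groups = Counter(key_fn(r) for r in records)
    return [r for r in records if groups[key_fn(r)] < k]

if __name__ == "__main__":
    print("exact:      ", k_anonymity_report(RECORDS, exact))
    print("generalized:", k_anonymity_report(RECORDS, generalized))
    print("still below k=2:", records_below_k(RECORDS, generalized, 2))
```
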

Should users then ditch mobile instant messengers like WhatsApp and Snapchat which leverage mobile numbers? That's no easy task, because on the flip side, using mobile numbers also makes discovery of friends far simpler. Perhaps the answer lies in what Snapchat is now planning: an option where users can opt out of the Find Friends feature that uses mobile numbers. But for platforms like WhatsApp, which only use mobile numbers, the danger continues to exist. And it could only be a matter of time before the ease-of-use argument touted by WhatsApp proponents over secure mobile instant messengers like BlackBerry Messenger (BBM) comes to bite them on their backsides.
