Look Up Unknown Phone Numbers Using Facebook Reset Password (bytexd.com)
243 points by punkspider on Jan 3, 2021 | hide | past | favorite | 136 comments


Before gathering up the mob and handing out the torches and pitchforks, you should probably establish what the facts actually are. I don't think the author of this post has really done that.

The way these systems should work, and appear to work in Facebook's case, is that the amount of information revealed depends on risk analysis.

For example, I just tried recovery from an IP I've used Facebook from, and from a fresh IP from a low reputation hosting provider located in a country unrelated to the account. The first case reveals the user's name, but that's pretty reasonable since the request has a decent amount of affinity for the account. The risky looking recovery does not reveal the name.

Both logins show the first letter of the local part of the email address, which is basically no information leakage at all. (Though honestly, if you show just one letter even for non-risky recovery attempts, why bother? It can't possibly be of any significant help to the users.)

I can't tell whether the profile picture changes based on the risk analysis outcome or not, since I don't have a test account with one.

(It's still possible that this is a bad implementation; e.g. if it were to be revealing my username for any recovery attempt from the correct country, that'd be unreasonable since it's trivial to figure out the country from the phone number. But even so one should still establish what the relevant parameters are, so that we can figure out whether the behavior is reasonable.)


It actually says right there on the screenshot "You can see your name and profile picture because you're using a computer network you've logged in on before." So this is only working because the author has used this computer (or one on the same subnet) to log in to his FB account before (private browsing mode does not obscure the IP address). It will not work in the general case.


Are large organization subnets sufficiently masked that this would not work? For example, a university network.


If not, you could possibly use the domain Facebook displays for the recovery email (for example x@cornell.edu) to direct you to the network you need to retry from.


Facebook does not reveal even a single letter of the recovery email's domain.


The author is a bit late to the party - this used to be a thing. IIRC you could just enter the phone in fb search and it would spit out the name + fb link even for private profiles.

Someone I knew scanned down a whole country's numbers in a couple of months (there was some rate limiting and that's about it) - and that guy just did it for fun. I'm sure there were plenty of shady companies doing the same thing.

After a while FB started cracking down on this. They even admitted they knew about it for years. Can't find a link but IIRC that was 4-5 years ago.


You're right. I just looked up the time frame: in 2017, I did the same thing. It was widely known about and FB took way too long to fix it.


> if you show just one letter even for non-risky recovery attempts, why bother? It can't possibly be of any significant help to the users.

It's of much help to me.

I use different email addresses for different services, and any help the service can give me to ensure I'm giving it the right email I use on it is helpful.


> if you show just one letter even for non-risky recovery attempts, why bother? It can't possibly be of any significant help to the users.

It can be, if you have just a handful of email accounts. Also if you don't recognize the first letter you know you definitely have messed up something.


> (Though honestly, if you show just one letter even for non-risky recovery attempts, why bother? It can't possibly be of any significant help to the users.)

Why? I use multiple email addresses and on these occasions seeing that single letter (at beginning or end) helps me know which account to check for recovery steps. This is significant to me.


Y'all know we used to publish everybody's phone number in a book along with their address and then distribute copies to every household, right?

We did it for many decades and it was fine. Every pay phone, which was a phone anyone with a couple coins could make anonymous calls from, had this giant book right there for your reference. Everyone knows this, right?

If you didn't know someone's number you could look it up and call them. They wouldn't have caller ID so you'd identify yourself and then you could talk to them.

This was 99.99% of the time not a problem.

We need to stop freaking out about a "security vulnerability" that does 1/50th of a system that everyone used mostly without incident for decades.

Besides, none of this information is actually private now, it's all still for sale. These companies freak out about this stuff because your data is their product, it's not supposed to be free.


I'm sure not everyone knows this, because there are people on this site who have not grown up with phone books.

The article talks about a reverse phone book: according to the author, given a phone number, you are able to look up name (and profile picture). To my understanding there were no reverse-lookup phone books like that back in the day.


In the good old days (sixties, presumably also earlier) police forces in at least some countries had phone books sorted both by address and by number.

(Source - flea market find, a Norwegian book on the state of the art in criminology, published c. 1965)

Edit: Oh, I just remembered that locally, the athletic union published a phone book with all subscribers in the municipality listed by number.

This was c.1990 - after call ID was an option if you bought a decoder (or was an ISDN subscriber), before Internet phone directories were a thing.


Here is an example on ebay of a book that has an index by phone number and even an index by street address.

https://www.ebay.com/itm/Vintage-Phonebook-1987-LAS-CRUCES-N...


Well given the phone book was a list of names, addresses, _and numbers_ you could, in fact, do reverse lookups.


The point is it was ordered by name, not by number. So you can't jump to an arbitrary number.


There was, you could buy a disc that contained the book and do a search.


In some countries you could call a number to do it.


While this is factually correct, what you are missing is the point that most people have mobile phones these days, and their phone numbers are tied to a ton of other accounts and services. These include second factor auths (using text or voice calls) for other websites, bank accounts, social security ids (I'm not talking about the US), insurance policies - the list goes on. You would not want your number to be available to the general public - because that makes you vulnerable to social engineering attacks.


Here in Finland many if not most mobile phone numbers are in the phone book. Well, no physical book has been printed for years, but you can call directory enquiries or look them up online. Even reverse look-ups are possible. (Only an ever shrinking minority of households still owns a landline.)

How exactly would that subvert 2FA via SMS? Except for calling and asking "please read the SMS you just received for me". While that will work with some people, I am not worried in my case.


It subverts 2FA and SMS because of SIM hijacking. If a bad actor has your mobile number and you use that for 2FA, they can socially engineer (or bribe) a rep from your mobile company to assign your number to a new SIM/phone.

This is a common attack these days.

https://www.theverge.com/2019/5/11/18564381/community-hackin...


To elaborate how easy this is:

I did this recently on my own number after losing the SIM card. I just called up the phone company and convinced the customer service agent to assign the number to a new SIM card I had just bought from the petrol station near my house.

I provided no authentication for this and they had no way to prove I was the owner of the account.

Took all of 5 minutes to pull off.


The phone book was always opt-in in Germany, and reverse lookup was declared illegal after some time too. They suggested it when you signed the contract, but it was a clause you could easily not accept, at no extra cost.


Part of the issue is the meaning of privacy now. Decades were spent fighting for the right to not receive, or to receive targeted phone calls.

We're now (at least my cohort) in a world where no one, ever answers the phone. Either you're in my phone book, or I'm never answering the phone. It's rather liberating.


That's not really a privacy issue, though. That's a marketing issue. That is, we let marketers destroy phones as a medium of communication. The answer to that isn't to legislate hiding your phone number. The answer to that should be to legislate this type of marketing away.

Advertising is cancer, and I'm constantly surprised by the ends to which people go to justify its continued existence.


Legislating away cold-call marketing is already done; it hasn't stopped it from happening, since it's almost impossible to trace the culprit.


US until very recently wasn't even trying. EU is, and our phones are quite usable. Things could be improved - I wish there was a way to get rid of the few marketers that find their ways to skirt the regulatory boundary. It doesn't seem impossible to achieve.


That's only because calling is the new fax. Would you ignore an SMS from an unknown number? Let's say the content was "Hey, how've you been? It's been a while!"


Actually yes. I ignore all SMSes. WhatsApp is the go-to communication method in Israel. SMS is only for government services and companies I've ordered from in the past.

I get zero advertising now that I moved. It's liberating.


Relying on Facebook for communication. Horrifying.


Yes they get ignored because that's the entry point for scammers building lists of active numbers. Same as one should mute but not disconnect spam voice calls as that gives them info about your presence.


I’ve heard this “active number” and “active email” thing for a while, but isn’t the fact that the message wasn’t “returned” undeliverable a sign already? If I send an email to a GMail account that doesn’t exist, Google will reply that the account doesn’t exist. It’s the same with calling (every carrier) and texting (at least with AT&T; I just tested it)


At most I might send back a "Who is this?", but yes, I'd probably ignore it if it wasn't signed by a familiar name.


One key difference is that, at least in the UK, you could opt out


You could opt out in the US too, required paying a monthly unlisted number fee


And also in the UK when someone tried to issue a reverse look-up CD they were sued by whatever BT was called at the time.


Even from Facebook you could opt out. I am mostly sure you can create an account without a phone number.


It might depend on your IP and other factors. I tried to make a new one about a year ago and could not do it without phone verification.

Maybe they'll let you sign up without a phone number via Tor or something though.

It's not just Facebook that requires phone verification now, I can't even make a Google or Yahoo Japan account without it. At least on these services you can "reuse" previously used numbers by unlinking them, at least a few times. But services like Discord let you verify with each number once and only once as far as I know.

On the one hand I get that there's room for abuse by spammers, but on the other hand, I really wish I could freely sign up to services.


I have an old Facebook account without a phone number linked to it. Every time I log on they badger me to link a phone number. Recently the field is pre-filled with a phone number I use that I never explicitly gave them...

If it is possible to make a new account without a number I am assuming it is not made easy.


Is that “pre filled” number your browser’s auto fill by chance?


I would be very surprised if it weren't browser prefilled. Although scummy things like that are not unusual when it comes to facebook, maybe they took it from instagram or whatsapp.


Attitudes have changed. A friend recently posted a newspaper clipping from nearly 40 years ago when he won some sort of "attractive baby" competition in Guildford, UK. The paper included his name and full address. Can you imagine that now and the "BUT WHAT ABOUT THE PEDOS!" response it would elicit!


I get it that the right to privacy has not been such a priority in the past, especially outside Europe, but there's nothing wrong in trying to strengthen it.

What was maybe fine a couple decades ago is no longer fine in a world where anyone from any jurisdiction in the world can abuse your privacy for fun and profit.


30 years ago things were far more ripe for fraud and abuse. Things couldn't be verified in the slightest.

In the 1800s a famous fraudster invented an entirely fictitious country and then sold fraudulent land grants and bonds for it - really, https://en.wikipedia.org/wiki/Gregor_MacGregor

There's a reason why the most famous confidence tricks have names that go back hundreds of years (eg, spanish prisoner) and there's fun named people like Soapy Smith that mastered things like mock auctions https://en.wikipedia.org/wiki/Soapy_Smith or "Kid Dropper" named after his love of the "drop swindle" scam: https://en.wikipedia.org/wiki/Nathan_Kaplan

Charles Ponzi did his stuff 100 years ago and he just lifted it from earlier con artists like Adele Spitzeder https://en.wikipedia.org/wiki/Adele_Spitzeder

The idea that we need to "lockdown" things because we live in unprecedented times relies on someone not really reading any history. Things are relatively pretty safe these days.


The fact that these risks existed a century ago is a poor argument for suggesting they shouldn't be taken seriously in the present.

We live in an era where things can be done instantly online with sufficient information. A sophisticated conman from the 1800s can now execute fraud in seconds instead of plotting for weeks, and they can do so in an automated fashion. The risk isn't anywhere near the same.

A white pages phone book hooked up to a pay phone is bound to the region in which it is distributed. A bug on a website that links a phone number to a full name is exposed on a global scale. Not to mention, a landline number is not anything like a mobile phone number, which is a unique identifier to tons of PII.


Right but if I presented this problem to you without using the word "phone" I'm pretty sure the answer would be "throttle and rate limit" and ban for abuse, not kill off the feature.

These lists are still available for purchase and thus they are still available. I'm not a criminal so I don't know what websites to go to but I'd be shocked if a file with a name like "US-ATT-SUBSCRIBERS-2020-12.sql.gz" doesn't exist.

As an example, my friends pool together as a "family plan" and we get a discount. I frequently get texts and calls from people asking for the person who pays the account. I don't use their name in anything I sign up for and they don't use my number. We don't even live at the same address - the phone bill is literally the only paper trail that connects us.

Therefore, the only way this mistake is possible is if these marketers bought the subscriber list or found a copy online somewhere.


>Y'all know we used to publish everybody's phone number in a book along with their address and then distribute copies to every household, right?

And we didn't use to tie second-factor authentication into SMS messages to your phone number.


We didn't use to have two-factor authentication at all for most things though.


You're not supposed to do that today, either.


There was also opt-out, even decades ago. You could tell the phone company that you wanted an unlisted number, and you would be excluded from the phone book.


You can do that with Facebook, too. In fact, Facebook does not know and has never known my phone number.

Or rather, I'm sure it does know because my friends have me in their contact lists and shared that with Facebook, but it's not tied to my account in any UI way. I didn't have to opt out because I never even opted in.


Did you have one of those books that was organized by number, instead of name? I didn't.


Ok, but you could opt out of the phone book. You know about unlisted numbers, right?


Could I easily look up a name for a given phone number with this book?

Or did I have to go through the whole book to find a match?


Of course. It was called the greypages. https://en.wikipedia.org/wiki/Reverse_telephone_directory

In old movies you sometimes see people ask the operator to do a reverse search as well so I assume it wasn't a big deal.


> Y'all know we used to publish everybody's phone number in a book along with their address and then distribute copies to every household, right?

By user choice. You had to register your phone number and address to be in that book.

It was immediately obvious to everyone what was going on: everybody received the same complete book of information and knew how that was published, with at least a system of opting-out (it was always opt-in, from what I remember).


No, it was opt out. You had to pay not to be listed.


That depends on when and where.

Like I said, phone books were evident to everyone because they saw the consequence. That's not a good comparison here.


A number of years ago I trialled a reverse look-up using this method (for both mobile numbers and email) as a grey hat project for a data aggregator I contracted to validate existing email / phone pairings (bad email and numbers gets you banned quickly by dispatch partners).

It worked because the returned "is this you" image at the time returned a filename that was a base64 encoding of the users ID for the graph interface, which at the time pulled back a surprising amount of info if you query the key directly (obtaining the key generally required you to be a friend-of-friend or closer).

I got hit rates of about 70% for a sample of ~100,000 email/mobile pairs (that were already suspected to be valid).

Sounds like the trick to get the key has been resolved (I was too early in my career to feel comfortable disclosing my research) but I am surprised a similar vector exists almost a decade on - especially after the whole Cambridge Analytica fiasco.


I have a shell script named 'lookup' that lets me know (through twilio) the location, mobile carrier, and registered name of a phone number.

I wrote it to quickly identify mobile vs. non-mobile numbers that I might text - also from the command line.

I won't paste the entire script here (mostly authentication and argument parsing) but the meat of it is:

  /usr/local/bin/curl -X GET "https://lookups.twilio.com/v1/PhoneNumbers/$number?Type=carrier&Type=caller-name" -u "$accountsid:$authtoken"

I use this several times weekly.

EDIT: by "location" I mean their mobile country code - not their actual location which, of course, you cannot get without (ab)using SS7 which is beyond the scope of twilio ...


In countries which have number portability this may not always be right. For example my phone number returns Vodafone, which was the carrier it was originally assigned to 15 years ago, but I've been on other networks for over a decade.


When Finland got number portability some 15 years ago it also got a free look-up service to see the real operator of every number. This was required for price transparency. Calling within your own network can be cheaper than to a competitor and you should be able to know so before making the call.

Not sure how other countries have handled that. The US had a different approach: the callee pays for the mobile part.

Have not looked into the issue for a decade...


What does a few lookups a week cost you? Just a few cents per?


According to https://www.twilio.com/lookup 1.5 cents per lookup, would be 1 cent without the carrier information.


Thanks. I've wanted to do this. Didn't know if there was some account overhead or other fees.


Where do they get the names from?


CallerID information. There are a bunch of lookup services available for it: https://www.voip-info.org/cnam/


I once caught a thief who stole my Nokia MS Windows phone using this feature. Apparently they didn't reset the phone at the start, but put their SIM in, and some of their SMS started syncing to my other phone before it occurred to them to reset. One of the messages was a Facebook password reset helper message, which had the clear phone number and a link to a page which had instructions on how to reset the password. Clicking on that link also set a cookie IIRC on my laptop, and Facebook started showing their DP as one of the options to log in (it would still ask for their password so I was not able to log in to their account). Their DP URL had their user ID embedded in it, which was enough to find their profile. Turns out they were friends with another person who was in my college (and where my phone was stolen from). We caught that person, involved the university administration, and made him give us the phone back. It was a whole scandal for a while. The university expelled that person later on. (Going to the police was not really an option since this was in India; I wanted to resolve the matter on my own if possible even though I had the phone number.)


When I still had a social life, Facebook was returning the account simply by searching the phone number or email.

So useful.

I also loved the first release of graph search (not the dumbed down version they released shortly after) which was letting you specify very specific queries. I managed to find a girl I met on a train (whose number I stupidly didn't ask) just with her first name, university and knowing something she liked.

Later on, trying to replace graph search, I had to write some hacky scripts to scrape data across a network of friends (likes, groups, friends, who interacted with you on your public profile + recursively scrape data from friends of friends) to find people.


Those will work (maybe), but their usefulness is limited, as just about every bad call I get is spoofed.

I have a canned response txt that I send when declining the call.

I often get “message failed to send,” but I sometimes get a confused text from someone, telling me they didn’t call.


TFA is terribly irresponsible advice due to how many calls are spoofed. I don't need someone tracking me down and raining hellfire down on me over a spoofed number that happened to be mine.


I do this all the time: Don't recognize number, add to contacts, check Whatsapp picture. Doing this I found out an old aunt I hadn't talked to in a long time was pocket calling me recently :)


Tried this with my friend's phone number. Facebook didn't show her picture or name. Just the first letter of the email.


I don't post my real phone number on Facebook, and I don't know why anyone would.


If anyone with you as a contact uses Facebook then Facebook probably knows it anyway


They probably know it in some database, but won't let you log in with it. So this password recovery thing won't work on dheera.


Most people I know don't have me as a phone contact either, typically just e-mail and Facebook or WeChat, but not phone.

I don't use phone calls much, and I block all unscheduled calls anyway.


How about parents / siblings / spouse / significant other? Nobody has you as a contact? None of them have installed Facebook / Messenger / Instagram / Whatsapp? Do you use any app / website on your phone that uses Facebook for ads? Is there anyone else in your home who shares your IP and uses Facebook?

Feel free to believe what you want, but I don't think you have the privacy you think you do.


I once tracked down a Craigslist scammer by looking up their phone number (it was a groove number) within google voice. It showed his name, google profile, and photo. Their name helped me find their Facebook and Instagram. Long story short, I got my money back.

Iirc: Google used to enable allowing people to look you up by your phone number (it was something along the lines of: help your friends find your account). This used to be on by default, it doesn’t seem to be anymore.

Try looking up your friend’s google voice numbers in google voice and see if they have the option enabled.


groove == gvoice


So called "Identity Graph" or "Identity Resolution" providers integrate with thousands of CRM systems and harvest the customer data in bulk, then sell the combined profiles back to the companies integrating them. Get an API access, provide one piece, like a phone number, and they resolve it to names, home addresses, email addresses, social media usernames and so on.

I mean i don't like facebook, but this topic is small fish


This doesn't seem like something which is of concern but on a tangential note, I wanted to check how you guys maintain your phone number privacy. Consider the cases:

- I absolutely hate giving phone number to new ecommerce sites as it is just a database that will eventually get leaked. The only one I can trust here is Amazon probably.

- Phone number on packages. A person can read your name, address and phone number from a package which seems like a lot of info. Address is required but phone number shouldn't be as you can very well redirect the call using custom pins.

- Talking to new people on dating apps. I don't use IG, so phone number is something I have to exchange. Now I would never give my number to an anon on internet but on dating apps I have to for my own benefit.

Do you guys maintain burner phone numbers for these cases?


I maintain dual sims in my iphone. For dates this means that my "burner number" also has blue text messages, revealing to them it is an iphone and that other features are available like facetime and airdrop in the future.

I also maintain google voice numbers to set up additional accounts on places and more easily filter spam.

Right now, my one device has three numbers on it. (2x sim, 1x google voice).


I need to upgrade my Pixel 2 to a dual sim phone too. I think this seems like the easiest way. Not sure how WhatsApp etc support dual sim though.


WhatsApp is the only one that makes it inconvenient. Perhaps Signal is one identity too, and therefore less convenient.

But you can always at the very least set up the accounts, using your browser on a PC.

You just won't get chat notifications for multiple numbers on one device.

Telegram app lets you have 3 accounts logged in, the only similarity being that setting up a Telegram account requires phone number authentication. But the similarity ends because a Telegram account on your device doesn't need to be linked with a phone number accessible from your device.


I think the problem of going outside prevalent apps like Text/iMessage/WhatsApp is that not everyone will have the less prevalent ones.

Few people have Telegram, Signal seems like a very niche tech/journalist thing.


That's just informative for you.

I'm not really focusing on the dating use case and have already solved that for myself, and for you, and I'm not sure why you are overthinking it aside from your upcoming expense of buying a new phone and an additional cellular plan. The practicality is already there.


You can install WhatsApp and WhatsApp Business, with a number on each. WhatsApp business has some extra functions for businesses, but is otherwise the same.


It does show you are texting with a business account which might just seem weird to the other person. If they didn't find not having IG shady before, I am sure they will now.


You’re overthinking this.

I’m aware of people that immediately ask for social media, and rationalize it with trying to disprove infidelity or an assurance they won't get murdered. I can tell you that most people I’ve dated over the past two years did not ask for that. At this point I think there is a level of maturity involved in not asking questions you don't really want the answer to, as they too would prefer not to lead with their social media.

It's pretty much the same as introducing a date to your friends. You don't typically lead with that. YMMV.


The IG thing was just in response to the WhatsApp thing. But you are right, no point overthinking and complicating it. I will upgrade to a dual sim phone and use the other sim for new stranger communication.

Though I think a lot of people do want to see IG, just to get an idea about your life, friends etc. Like a way to know about you without prodding too much. I anyway don't use IG anymore so I just say I don't have it, and as you said they seem to be fine with it.


update, I just made a google voice number for my newer sim.

the google voice app lets you switch between any logged in google account seamlessly.

2x sim, 2x google voice. yay new accounts I can sign up to, again


> I maintain dual sims in my iphone

That's a very good idea, thanks for this.


For commerce I use an SMS to email gateway and automatically file those emails into a separate mailbox.

It started attracting spam after about a year. I found that I never need to be alerted about anything via SMS though.

The only time I use it is when I know I should have just received a message, which is at the top of the inbox above all this week’s spam.

I’m quite aware that I’m side stepping a lot of two factor policies by doing this. (My phone mail client can read all my email accounts.) One has to be careful not to do anything silly and I’m glad GitHub steered away from SMS 2FAC.


password reset flows are generally a privacy leak

if you use email as some kind of account key, you can generally find out whether that email has signed up (if not the username)

automatic password reset and email verification are good for businesses and users in a lot of ways so this is a tradeoff

if FB is showing the specific account linked to an SMS that's IMO negligent but shrug, they employ more lawyers than I do and they've never been investigated by the FTC for privacy issues


Can't you just say that a password reset email has been sent? That is what we did when I worked in banking as a way to prevent this.

Whether or not you have an account, the system says a reset email has been sent.


Yes this is the correct answer. I've seen some systems respond with "if there's an account registered to this email address you will receive a password reset email" whether or not the address is registered


In most cases you can find out whether an account with a specific email address exists by trying to sign up with it, though.


Fair. We didn't have that issue because you don't sign up for bank accounts online.


But then you confuse legitimate users that don't remember what email they signed up with.


Why not actually always send an email to that address? If the email isn't registered, change the message to suggest that perhaps they signed up with a different email, or they'd like to sign up instead?


I’ve seen this obfuscated by some systems by always just throwing the user a message saying the reset email has been sent so that there’s no indication whether or not the email is associated with an account or not.

Of course, that doesn’t help someone who can’t remember if they’d signed up or not but it’s probably the safer way to go in general.


There's typically a system that forbids you from adding an additional account with the same email though.


yup, need to do it in the signup case as well but it solves the problem


In most cases attackers can use the signup flow to see if an email is registered so as long as it isn’t less protected (with a captcha etc) it isn’t any more of a privacy leak in that regard.
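The two threads above make the same design point twice: a password reset endpoint (and, as the later replies note, the signup endpoint) must not answer differently depending on whether an address is registered, and it should be throttled so that the remaining signal cannot be collected in bulk. The following is an added example, not code from the article or from any of the commenters: a toy account service with the leaky reset handler next to an enumeration-resistant reset handler and signup handler. The class name `AccountService`, the in-memory user store, the `outbox` list that stands in for an email sender, and the `max_requests` throttle are all constructed for this example.

```python
import hashlib
import secrets
import time
from collections import defaultdict

# The response text is the same whether or not the address is registered.
GENERIC_RESET_MSG = ("If there is an account registered to this email address, "
                     "you will receive a password reset email.")
GENERIC_SIGNUP_MSG = "Check your email to continue."


class AccountService:
    """Toy account service (constructed for this example).

    `users` maps email -> password hash; `outbox` collects the messages that a
    real deployment would send by email, so everything runs offline.
    """

    def __init__(self, users, max_requests=3, window_seconds=3600):
        self.users = {self._norm(e): pw for e, pw in users.items()}
        self.outbox = []            # messages that would have been emailed
        self.reset_tokens = {}      # sha256(token) -> email; only the hash is stored
        self.max_requests = max_requests
        self.window = window_seconds
        self._requests = defaultdict(list)  # email -> timestamps of recent requests

    @staticmethod
    def _norm(email):
        return email.strip().lower()

    def _over_limit(self, email):
        """Per-address sliding-window throttle; records the request if allowed."""
        now = time.monotonic()
        recent = [t for t in self._requests[email] if now - t < self.window]
        self._requests[email] = recent
        if len(recent) >= self.max_requests:
            return True
        recent.append(now)
        return False

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    # Leaky version: the response itself tells the caller whether the account exists.
    def leaky_request_reset(self, email):
        email = self._norm(email)
        if email not in self.users:
            return "No account found for that email address."
        token = secrets.token_urlsafe(32)
        self.reset_tokens[self._digest(token)] = email
        self.outbox.append({"to": email, "kind": "reset", "token": token})
        return "A password reset email has been sent."

    # Hardened version: identical response, token generated on every path so the
    # amount of work does not depend on account existence, and a per-address throttle.
    def safe_request_reset(self, email):
        email = self._norm(email)
        token = secrets.token_urlsafe(32)
        digest = self._digest(token)
        if not self._over_limit(email) and email in self.users:
            self.reset_tokens[digest] = email
            self.outbox.append({"to": email, "kind": "reset", "token": token})
        return GENERIC_RESET_MSG

    # Hardened signup: an already-registered address gets a "you already have an
    # account" message by email, a new address gets a verification link; the HTTP
    # response is the same either way, closing the enumeration path via signup.
    def safe_signup(self, email):
        email = self._norm(email)
        token = secrets.token_urlsafe(32)
        if self._over_limit(email):
            return GENERIC_SIGNUP_MSG
        if email in self.users:
            self.outbox.append({"to": email, "kind": "already-registered"})
        else:
            self.outbox.append({"to": email, "kind": "verify", "token": token})
        return GENERIC_SIGNUP_MSG

    def redeem_reset_token(self, token, new_password_hash):
        """Single-use redemption: the token is removed whether or not it matched."""
        email = self.reset_tokens.pop(self._digest(token), None)
        if email is None:
            return False
        self.users[email] = new_password_hash
        return True
```

In a real deployment the throttle would live in a shared store rather than in process memory, the token would carry an expiry, and the email sender would be asynchronous so that send latency cannot be measured from the HTTP response; the structure of the two handlers stays the same.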



oh yeah other than the one time. but if they had done anything really bad there would have been some kind of 5 billion dollar for the deceptive disclosure and settings and some kind of toothless compliance council involving the board of directors


It's hard for me to understand what you're saying. I can't tell whether you're saying the FTC has investigated facebook a ton and that means facebook is bad, or that the FTC hasn't investigated facebook enough and that means the FTC is bad.


Sometimes people will change their Facebook name to be more anonymous; however, their Facebook URL still has their full name in it.


It's funny to see, but I guess it works against non-tech-savvy people.

Not sure if that's still the case, but Facebook used to leak one's maiden name via URL for people who changed their surname after getting married.


Is this a security problem? Depends on who you ask - but I'm willing to bet it would fall into the "accepted risk" category for the Facebook security team if they had to evaluate this.

The reality is that phone number lookup services are available all over the web which provide even more information (first+last name, address, zip code, social media profile links, etc etc etc) for free (https://www.bestfreephonelookup.com/phone-number/ as an example) - these services get their info from data aggregators and usually - your carrier! I don't see how Facebook exposing (in _limited_, very specific circumstances) the first name of a person's phone number is a security issue.

All the people in this thread screaming GDPR violation don't understand that if someone decides to stop using Facebook and delete their account, this method to lookup someone will not work. Sidenote: If you're really paranoid about having your phone number expose your real name when you're using any type of service online, just sign up for a Google Voice (voice.google.com) account and link it to your cell phone - I use this whenever I sign up for anything online and it saves me a ton of spam and scam calls.

EDIT: Facebook removed the ability to use the in-app search box in Facebook to find people based on just a phone number, this has been removed for at least 2 years.


Or you could just do a search on Facebook?!

I don't know if it still works, but some time ago I used that to find the real name of someone just using their phone number. However, that person wasn't really trying to keep their identity secret.


Or just use this?

https://www.unknownphone.com/

In the UK...


I think the WhatsApp profile doesn't work until the other party messages you or gives you a reply.


It depends on their settings. I usually can see photo and name as soon as I add them. For my own number however people can’t see either piece of information until I add the number to my contacts.


It depends on the user's privacy settings. You can set who can see the profile photo: everyone, your contacts or no one.

But I don't know what is the default setting.


Nobody ever got fired for buying IBM.


This is a GDPR violation. I hope the author already complained to the authorities. (Since a German phone number is used in the example, I assume that the author is from Germany.)


I don't understand why this was downvoted. It is a GDPR violation. That's a fact.


Because it’s not. The author of the post is mistaken. Doesn’t stop people from claiming “big bad Facebook caught yet again” though.

If you try to search someone’s phone number, Facebook will only indicate that there’s an account with that number with steps to recover (reset) your password. Nothing else.

Go ahead. Find some random number in your contact book and search it. If there’s an account, you’ll see the email is almost completely masked out and that there’s no name given. If it didn’t work, try another number.

Facebook does show you the name if you’ve previously logged into that account on that computer.

Basically, there’s no GDPR violation because there’s no PII to get. A phone number by itself is not PII as it is not “personally identifiable information”; you can’t link it back to the person.


But you see the profile picture.


I will not test this, as I don't want to give valid phone numbers to Facebook.

If what you are saying is true, then OK. I was making my statement under the assumption that Facebook would indeed show profile picture and name, which then would be a violation of GDPR confidentiality and consent principles.


This was great in my single days to look up random numbers you'd taken down in your phone after a night of drinking


This is a gross violation of user privacy, but if you file a bug with FB they will say "won't fix"; it is working as intended.


Have they said that? They've previously removed the ability to search for users by phone number, so they recognise the problem.

I can see why someone would have unthinkingly added the profile picture to the recovery screen, but since the downside of resetting the wrong account is so low (an SMS that can be ignored by the rightful user), it seems easily fixable.


A guy called Brian had his personal contact information (including phone number) plastered all over Facebook's promotional pages.

https://gimletmedia.com/shows/reply-all/76hdrj

I don't think Facebook ever actually apologised for doing this.


Facebook profile stuff is public info anyway, I don't really see the privacy issue here.


Phone numbers that are meant for account recovery and/or two-factor security only are most definitely not public info.


This method isn't a way of finding out phone numbers from Facebook accounts, so I don't see what you mean here


Phone number meant to be private shouldn’t be associated with any other info whatsoever.


What's the rationale behind this? Outside of prank calling, I don't see the benefit of having a private phone number.

When I hit someone's voice mail I can get their name, so it's not like most people consider it to be private.


>I don't see what the benefit of having a private phone number.

What's the benefit of having a public phone number? You get more advertisements and spam. With a private phone number only people you've given the number to will call you. You can limit who can bother you.


I don't think this is really true, because spammers call numbers at random (or perhaps, in sequence). They are not working through the published phone book.


Then you probably shouldn't be announcing it in your caller ID when you call random people.


Probably not, but does a person making one mistake abdicate their right to privacy?


You can also use one of the spam-blocking spyware apps.

https://www.truecaller.com/



