Opening the Door to Hackers

At the DEF CON security conference earlier this month, researcher Martin Vigo demonstrated a technique using open-source intelligence (OSINT) to compile a target’s phone number through public sources and password reset functions.

If you forget the password for an online account, it is standard practice to request a password reset via either your email address or your phone number. In the latter case, the service usually shows you a masked version of the number it has on file, revealing only some of its digits.

This is a deliberate partial disclosure of PII, and which digits are revealed varies between online service providers. For example, eBay shows the first three and last two digits, PayPal shows the first and last four digits, and LastPass shows the last four digits.

An attacker can submit password recovery requests to several different providers for the same target and combine the masks, obtaining up to seven of the 10 digits with relative ease.

Vigo says that it is possible to “reduce the possibilities of guessing your phone number from one billion possibilities to one thousand” through this technique.
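The aggregation step described above, as an added example that is not code from the article or from Vigo's talk: each provider's reset page reveals a different subset of digits, so merging the masks yields a combined mask, and the remaining unknown positions give the size of the guessing space. The masks below are constructed for illustration around the fictional number 415-555-0134, using the disclosure patterns the article attributes to eBay, PayPal and LastPass. The NANP pruning rule (first digit of the area code and of the exchange must be 2-9) is a real numbering-plan constraint but is an added refinement, not something the article describes.

```python
"""Merge partial phone-number masks leaked by password-reset pages.

Added example, not the article's or Vigo's code. Masks are constructed
around the fictional number 415-555-0134; 'X' marks a hidden digit.
"""
import itertools
from typing import Dict, Iterable, List, Optional

Mask = List[Optional[str]]  # 10 slots: known digit or None

# Constructed sample masks following the disclosure patterns the
# article describes (assumption: PayPal reveals first digit + last four).
SAMPLE_MASKS: Dict[str, str] = {
    "ebay":     "415-XXX-XX34",   # first three + last two
    "paypal":   "4XX-XXX-0134",   # first one + last four
    "lastpass": "XXX-XXX-0134",   # last four
}

# NANP structure: area code and exchange both start with a digit 2-9.
NANP_RESTRICTED_POSITIONS = (0, 3)
NANP_LEADING_DIGITS = "23456789"


def parse_mask(mask: str) -> Mask:
    """Turn '415-XXX-XX34' into a 10-slot list; separators are ignored."""
    slots: Mask = []
    for ch in mask:
        if ch.isdigit():
            slots.append(ch)
        elif ch in "Xx*•":
            slots.append(None)
    if len(slots) != 10:
        raise ValueError(f"expected 10 digit positions, got {len(slots)}: {mask!r}")
    return slots


def merge_masks(masks: Dict[str, str]) -> Mask:
    """Union the known digits of several masks, failing on any disagreement.

    A conflict means the providers hold different numbers for the target
    (or a mask was mis-transcribed), which is worth surfacing rather than
    silently picking one.
    """
    merged: Mask = [None] * 10
    for provider, mask in masks.items():
        for i, digit in enumerate(parse_mask(mask)):
            if digit is None:
                continue
            if merged[i] is None:
                merged[i] = digit
            elif merged[i] != digit:
                raise ValueError(
                    f"conflict at position {i + 1}: {provider} shows {digit}, "
                    f"an earlier mask shows {merged[i]}"
                )
    return merged


def render(merged: Mask) -> str:
    """Pretty-print the merged mask as NXX-NXX-XXXX with '?' for unknowns."""
    s = "".join(d if d is not None else "?" for d in merged)
    return f"{s[:3]}-{s[3:6]}-{s[6:]}"


def _choices(merged: Mask, nanp: bool) -> List[str]:
    """Per-position candidate digit sets, applying NANP pruning if asked."""
    out = []
    for i, digit in enumerate(merged):
        if digit is not None:
            out.append(digit)
        elif nanp and i in NANP_RESTRICTED_POSITIONS:
            out.append(NANP_LEADING_DIGITS)
        else:
            out.append("0123456789")
    return out


def candidate_count(merged: Mask, nanp: bool = True) -> int:
    """Size of the remaining guessing space for the merged mask."""
    total = 1
    for choices in _choices(merged, nanp):
        total *= len(choices)
    return total


def enumerate_candidates(merged: Mask, nanp: bool = True) -> Iterable[str]:
    """Yield every 10-digit number consistent with the merged mask."""
    for combo in itertools.product(*_choices(merged, nanp)):
        yield "".join(combo)


if __name__ == "__main__":
    merged = merge_masks(SAMPLE_MASKS)
    print("combined mask:", render(merged))
    print("candidates (no pruning):", candidate_count(merged, nanp=False))
    print("candidates (NANP pruning):", candidate_count(merged))
```

With the three constructed masks the combined mask is 415-???-0134: seven digits known, 1,000 candidates left from a blind search of all ten-digit strings, and 800 once the exchange's first digit is restricted to 2-9. The conflict check in `merge_masks` matters in practice, since a target may have registered different numbers with different providers.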

A phone number recovered this way and tied to a known email account can then be used for SIM swapping, user tracking, caller ID spoofing, and social engineering attacks.

Original Article source: Charlie Osborne | The Daily Swig