Facebook really wants your phone number, asking you to get one as soon as you join. This is not a bad thing because it can help protect your account with two-factor authentication. On flipside, this makes it easy to disclose anyone's private phone numbers on Facebook, including celebrities and politicians. We will look at how a criminal can do this and how you can protect yourself.
Many Facebook users may not even know that their personal phone numbers are connected to their Facebook account, forgetting that they have done so. Facebook is not allowed to remove your number from your phone, but they can do what I call an "Internet-based app" by repeatedly asking you to verify and save your number each time you open Facebook.
Facebook's default privacy setting allows anyone to search your phone number once you've installed it. This is not a new problem. It has been around for a long time as a Facebook Graph search, but Facebook prefers to see the issue as a feature, as a book found by Belgian researcher Inti De Ceukelaire shows.
Indeed, some people, such as celebrities and politicians, should be more concerned about others than revealing their secret number online. However, anyone can have a cyberstalked or hacker targeted at them. Once the giant has your phone number and name, they can quickly use the open-source intelligence (OSINT) tools we have integrated into Null Byte to access other public information such as an employee, employer, spouse, relationship, or any other public information.
A criminal can use this information to further his or her civil assault by driving you directly. Think of the old "Microsoft tech support" scam, the only caller who tries to trick you into knowing your name and details about your private life. Armed with this, it is easy to make the target think that the shooter is legitimate.
How could a criminal go about finding your number? In theory, if they had more time, they would just search for all the possible numbers of 9,999,999,999 until they stumble upon yours. Obviously, this doesn't work well, so let's look at the right way to do it. In a practice article, I will use DC Mayor Muriel Bowser (2017) as a random city official. In the examples below, his number was changed to protect his real number.
Step 1: Use the Area Code
If you consider the phone number identified as one of all US 10-digit phone numbers, you can quickly see that North America's 10 billion phone numbers are the largest list you can search for. Luckily for the hacker, he can reduce this because of the North American Numbering (NANP) system that sets guidelines for phone numbers in the US.
Let's take an example: 234-235-5678. If we look at the NANP, we see that the first three numbers (234) are area code, and the system allows 2–9 as the first number and 0-9 for the second and third digits. That information exists when it removes billions of numbers from a list of hijackers.
Don't Miss: How to Hack Android Phone Remotely 2020
A criminal can quickly take advantage of this if he or she knows or can take the educated guess where you live, as easily as Google search. By doing this, a criminal could remove another 9,990 billion numbers from the list of possible speculations.
The next three numbers after the area code in our example (235) are the beginning of the middle office. Also, the system requires 2-9 in the first digit and 0-9 in both the second and third digits, but with a caveat.
In area codes where the second digit is 1, the third can also be 1. This also removes a large number of phone numbers from the hijacker list. The last four digits of the phone number is the phone number, in this case, 5678.
I took the educated guess that the DC Mayor will have a DC location code, and the criminal can look at the targeted Facebook account and find the current home city or town where he or she lives or works. Some big cities like Los Angeles will have a lot of local codes within them, but no matter how many local codes are "separated", it still greatly reduces the incoming list of available numbers.
Step 2: Find Last Numbers
Now that I know my target number is 202 - ??? - ????, I want to try to remove as many of those question marks as possible, making it easier to do Facebook search over time. Thankfully, Facebook has our back and made it the easiest step, after using the area code. To get the last two digits, we just have to go a few steps in the password reset process.
To do this, the hacker goes to the main Facebook page and clicks on "Forgot account" to begin the process.
Next, they enter the name of the target they have in mind and click the "Search" button.
The giant is then provided with a list that includes a paired face with each of the same accounts that helps them quickly identify their goal. There is our target up high!
Facebook kindly provides the culprit with the last two numbers of the target number, as well as other information about the email accounts associated with their Facebook account, such as the first and last letter, and sometimes email.
That got to the point where the criminal had to go. They do not reset the password actually, and it is not necessary for the target to never receive any kind of notification to give them a tip.
Step 3: Use External Sources
With over 218 million users, PayPal and other services can help add to the information the attacker has collected so far. In this case, if the target is a PayPal user, the hacker can get two additional digits of the phone number we want.
In the picture above, you may have noticed that the first email listed is a Gmail account starting with "M" and ending with "R."
That's funny, because my real name starts with "M," and his last name ends with "R." To the hacker, this shouts "I used my name as my email!" Suspiciously, I checked it in Gmail by typing it.
Google welcomes it, but that doesn't mean it's a target email. The hacker can look at it by doing the same trick to reset the password they took with Facebook.
Yes, this account just happens to have a number ending in 69. I don't think so. Now that I have an email to work with, I can jump to PayPal on the new tab, and again, use the same password reset trick.
Meanwhile, when I get to the password reset screen, I get not only the four-digit line number, but also the first digit of the area code as well!
This allows me to logically make sure I'm on the right track with the area code, and confirm my previous job of getting the last few numbers. Does this mean I have the number 202 - ??? - 6969 to date. In other words, my list has gone from 10 billion selections to about a thousand in just a few minutes of work.
Step 4: Brute-Force It the Smart Way
At this point, the giant may just start throwing numbers at the Facebook search bar, but that won't work anymore. So what does a lazy criminal do? They are using a Facebook feature that lets you run a search in brackets.
Don't Miss: Turn Your Android Phone into Hacking Device
Facebook lets you upload a list of contacts in CSV format, and then tells you if it's on Facebook to add them as friends. By creating my contact list of potential numbers, I can quickly remove the piles of incorrect numbers.
In this case, I know that the number should be in the range from 202-000-6969 to 202-999-6969. By cutting that in half and building a list of numbers from 202-000-6969 to 202-500-6969, I can successfully extract half of my list, as the target will be only one list created. After that, I can upload a list and quickly decide whether they are on it or not.
To make this list, I went to Google Contacts and clicked on "Export" to get a sample of the CSV file to work on.
Facebook prefers to accept the list in Google CSV format, so I kept it from Google contacts.
From there, the hijacker can open a file in Google Spreadsheets or Excel and change the formula of the phone number column to another that will match the numbers that need to be checked, as shown in the following example.
In the advanced formula below, I start by taking the most expensive phone number, in this case, 2020006969, and then add 10,000 to it to increase the number five by 1. This formula will repeat as many times as possible, but we should not do it more than 1,000 times because there are only 1,000 numbers on our list to guess. If the target did not have a PayPal account to help us find the third and fourth place digits, then we would have added 100 to increase the third digit instead.
"= (LINE () * 10000) + 2020006969"
From there, it’s easy to sign in to a Facebook account and go to the Friend Finder feature. Click on the Gmail logo and "Find Friends."
Next, scroll to the bottom of the page and upload your CSV file containing the phone numbers you wish to try.
After it is uploaded, Facebook introduces the criminal list of friends "to add to the list. They will then be looking for their target within that list. My target does not appear to be here, so I know they are not in this section of our digital collection.
Next, instead of testing the next 500, I divided the next 500 in half and checked one of those halves. This is because I already knew that the goal would be on the second list because they were not in the first round. The criminal can continue to search in this way until the target appears in the list of phone numbers.
From there, the giant can explore the numbers of small and small numbers until he has a handful of them. I stood there with a value of almost 30 numbers. Obviously, this will take a long time if the hacker has little information about the other digits of the phone number to start with, as he will have a large number set for search. Facebook will measure the hacker's limit for five attempts a day but they can get this by signing in to another account.
Step 5: Check the last few numbers
When that judge already has a few numbers, they can go to the Facebook search bar and type them one by one. To do so, simply type a number into the search bar without hyphens. If requests go too fast, or if they want too many, Facebook begins to rate it with CAPTCHA.
However, that is not much of a defense when a criminal has 30 numbers to be tested.
All in all, it took me about 30 minutes to an hour to find out the target's number, and these same steps can be applied to anyone whose phone is connected to Facebook.
Step 6: Protect yourself
The easiest way to protect yourself is to never connect your phone to Facebook. If you still want to use two-factor authentication, Facebook allows you to use a USB U2F device without having to rely on your phone.
If your phone needs to be connected, navigate to Facebook settings, select "Privacy," and "Who can monitor you using the phone number you provided?" Set this option to "Friends." Unfortunately, Facebook does not allow you to set this "Only Me."
On mobile, you'll touch the three-line menu icon, select "Account Settings" (iOS users will have to select "Settings" first), and then tap "Privacy." You will see the same "Who to Watch" question when you can change your preferences to "Friends" only.
While this still does not provide complete protection, it will make the giant's life very difficult.
Thanks for reading! If you have any questions, you can leave a comment here
0 Comments