There is great concern about the potential for people to leak private information on social networks. There are many anecdotal examples of this, but few quantitative studies. This research explores the sharing of mobile numbers on online social networks (OSNs), in particular via public posts. In this work, we study the characteristics and risks of mobile number sharing behaviour on OSNs, via either profiles or public posts, and focus on Indian mobile numbers. We collected 76,347 unique mobile numbers posted by 85,905 users on Twitter and Facebook and analyzed 2,997 numbers prefixed with +91. We observed that most users shared their own mobile numbers to spread urgent information and to market products, IT facilities and escort business. Fewer female users shared mobile numbers on OSNs. Users utilized other social networking platforms and third-party applications such as Twitterfeed and TweetDeck to post mobile numbers on multiple OSNs. Contrary to users' perception that numbers spread quickly on OSNs, we observed that, except in emergencies, most numbers did not diffuse deep.
To assess the risks associated with mobile numbers exposed on OSNs, we used the numbers to gain sensitive information about their owners (e.g. name, Voter ID) by collating publicly available data from OSNs, Truecaller and the open government data repository OCEAN. On using the numbers on WhatsApp, we obtained a myriad of sensitive details (relationship status, BBM pins, travel plans) about the mobile number owners. We communicated the observed risks to the owners by calling them on their mobile numbers. Few users were surprised to know about the online presence of their number, while few users intentionally posted it online for business purposes [http://precog.iiitd.edu.in/Publications_files/cosn039s-jain.pdf]. We observed that 38.3% of users who were unaware of the online presence of their number had posted the number themselves on the social network. With these observations, we highlight that there is a need to monitor leakage of mobile numbers via profiles and public posts. To the best of our knowledge, this is the first exploratory study to critically investigate the exposure of Indian mobile numbers on OSNs.
Full report: http://arxiv.org/abs/1312.3441
Call Me MayBe: Understanding Nature and Risks of Sharing Mobile Numbers on Online Social Networks
1. Call Me MayBe: Understanding Nature and Risks of Sharing Mobile Numbers on Online Social Networks
Prachi Jain
M.Tech. Thesis Defense
14th November 2013
Committee:
Dr. Ponnurangam Kumaraguru, IIIT-Delhi (Chair)
Dr. Alessandra Sala, Alcatel Lucent (Bell Labs), Dublin
Dr. Amarjeet Singh, IIIT-Delhi
2. Problem Statement
Characterize mobile number sharing behavior on Online Social Networks.
Examine risk of collation of mobile number’s owner data from multiple online public data sources.
Propose a systematic approach for risk communication.
3. Achievements
Paper: Call Me MayBe: Understanding Nature and Risks of Sharing Mobile Numbers on Online Social Networks, Conference on Online Social Networks (COSN) 2013
Poster: Flash of Two Worlds, Security and Privacy Symposium (SPS) 2013
7. Research Motivation
46% of Internet users post original (self created) content on internet.
User Generated Content (UGC) has high similarity with offline interactions of user.
Concerns on (un)intentional mention of sensitive information on OSN profile.
Mobile phone number is an example of identifiable information with which a real-world entity can be associated uniquely, in most cases.
8. How many of you have posted mobile numbers on Online Social Networks?
How many of you have seen mobile numbers being posted on Online Social Networks?
14. Characterize mobile number sharing behavior on Online Social Networks
Focus on Indian Mobile Numbers
“India has the fastest growing telecom market in the world.”
Focus on two most popular social networks – Facebook & Twitter
18. Personally Identifiable Information (PII)
An attribute that itself or in combination of other attributes can connect an online user account with a real world entity.
Email address (Balduzzi et al, 2010)
Phone numbers (Magno et al, 2012; Jain et al, 2013)
19. Indian Mobile Number format
10 digit number, start with 7 / 8 / 9
Country code: +91 (Example: +91 9123456789)
Trunk Code: 0 (Example: 0 9123456789)
No standard way of sharing mobile numbers on OSN!
+91- 9123456789
91.91.23.456.789
+91- 91-2345-6789
(91)23.456.789
0 9123456789
(91234)56789
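The format rules on this slide, turned into a pre-publication check that finds Indian mobile numbers in draft text however they are punctuated (an added example, not code from the thesis). The category names follow the ones used in this deck's data collection; reading "void" as "no prefix" and counting a bare 91 prefix as category +91 are assumptions, as are all function names.

```python
import re

# Loose candidate: optional "+", then digits mixed with the separators seen on the
# slide (space, "-", ".", parentheses); bounded so it cannot swallow a whole post.
CANDIDATE = re.compile(r"(?<![\w+])\+?\(?\d[\d\s().-]{8,18}\d(?!\w)")

def classify(raw):
    """Return (category, 10-digit national number), or None if not a plausible Indian mobile."""
    digits = re.sub(r"\D", "", raw)
    if raw.startswith("+") or len(digits) == 12:
        if not digits.startswith("91"):
            return None
        category, national = "+91", digits[2:]      # country code, with or without "+"
    elif len(digits) == 11 and digits.startswith("0"):
        category, national = "0", digits[1:]        # trunk code
    else:
        category, national = "void", digits         # assumed meaning: no prefix
    if len(national) == 10 and national[0] in "789":  # rule stated on the slide
        return category, national
    return None

def find_numbers(text):
    """Scan free text and return one record per detected number."""
    hits = []
    for match in CANDIDATE.finditer(text):
        result = classify(match.group())
        if result:
            category, national = result
            hits.append({
                "category": category,
                "normalized": "+91" + national,
                "masked": "+91" + national[:2] + "xxxx" + national[-4:],  # safe to log
            })
    return hits

# Constructed sample posts, built from the slide's own example number.
SAMPLE_POSTS = [
    "Urgent: blood donors needed, call +91- 9123456789 now.",
    "New stock arrived! Contact 91.91.23.456.789 or (91234)56789",
    "Ring me on 0 9123456789.",
    "Order 2013-11-14 shipped, tracking id 1384387200.",  # date and id, not mobiles
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print([(h["category"], h["masked"]) for h in find_numbers(post)], "<-", post)
```

Because every variant normalizes to the same key, the same number posted in different styles on different networks can be recognised as one exposure.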
21. Literature review
Identity information disclosure on OSNs.
Consequences of identity information disclosure on OSNs.
Communicating the risk of identity information disclosure.
22. 1. Identity information disclosure on OSNs
Zheleva et al, 2009: Group membership
Balduzzi et al, 2010: Email address
Burger et al, 2011: Gender
Dey et al, 2012: Age
Magno et al, 2012; Chen et al, 2012; Jain et al, 2013: Phone numbers
No quantitative study on mobile numbers sharing behavior on OSN.
23. 1. Identity information disclosure on OSNs
Chen et al, 2012
Observed 2% Facebook users (in their dataset) share their mobile number as a profile attribute.
Magno et al, 2012
Observed users share their mobile number as profile attribute on Google+
Single Indian males share most mobile numbers
We dive deeper to understand characteristics of exposed mobile numbers on Facebook and Twitter posts and user descriptions.
24. 2. Consequences of identity information disclosure on OSNs
Jagatic et al, 2007: Social phishing
Chen et al, 2012; Mao et al, 2011: Linkage attack, Privacy attack
Krishnamurthy et al, 2012
Auxiliary information collected from online sources might help in connecting an online profile with an offline entity.
We explore if Indian mobile numbers leaked from OSNs can be used to gain a wider profile by linking it with e-government data and Truecaller.
25. 2. Consequences of identity information disclosure on OSNs
Schrittwieser et al, 2012
Mobile numbers can be used to exploit smart phone messaging services.
Address book resolution
Impersonation, SMS spam, Phone number enumeration attack, Status message forgery attack
Cheng et al, 2013
Address book resolution
Randomly picked mobile numbers used to integrate accounts on WeChat and MiTalk.
Aggregate information about users in China.
26. 2. Consequences of identity information disclosure on OSNs
We link exposed Indian mobile numbers on Facebook and Twitter profile with their WhatsApp profiles.
We study comprehensiveness of additional information obtained.
27. 3. Communicating the risk of identity information disclosure
Krishnamurthy et al, 2012
Privacy leaks could be prevented by alerting the users about information sharing vulnerabilities.
We communicate the risk to a set of users by calling them with the help of an IVR system.
We also study their reactions.
30. System architecture
[Figure: system architecture diagram. Stage labels: Data collection, Data validation.]
Facebook: Facebook Graph API; Keyword Selection; Public users / posts with mobile numbers; Regex patterns; Category +91, Category 0, Category void
Twitter: Twitter Stream API; Keyword selection; Public Bio/Tweets with mobile numbers; Regex patterns; Category +91, Category 0, Category void
Mobile number validation; Indian Mobile Number Database
Other labels in the figure: call, ring, contact
32. Data statistics
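Twitter: 12th October 2012 – 20th October 2013
Facebook: 16th November 2012 – 20th April 2013
Category +91: Mobile Numbers: Twitter 885, Facebook 2,191; User profiles: Twitter 2,663, Facebook 1,074
Category 0: Mobile Numbers: Twitter 14,909, Facebook 8,873; User profiles: Twitter 17,913, Facebook 9,028
Category void: Mobile Numbers: Twitter 25,566, Facebook 25,294; User profiles: Twitter 31,149, Facebook 25,406
Total: Mobile Numbers: Twitter 41,360, Facebook 36,358; User profiles: Twitter 49,817, Facebook 36,588
Percentage labels in the table: Category +91 100%, Category 0 85%, Category void 85%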
35. Ownership analysis: Methodology
[Figure: flowchart for deciding who posted a number. Inputs: Post; Bio / Name. Checks, with Y / N branches: Has 1st person pronoun; Frequent action words; Has 2nd / 3rd person pronoun; Phrasal search. Outcomes: Owner posted the number; Non-owner posted the number.]
36. Ownership Analysis: Results
Social Network, Mechanism: Mobile Numbers; Total
Twitter, Owner: Bio 155, Tweet 136; Total 291/885 (33%)
Twitter, Non-owner: Tweet 18; Total 18/885 (0.02%)
Facebook, Owner: Post 468, Name 17; Total 485/2191 (22%)
Facebook, Non-owner: Message 25; Total 25/2191 (0.01%)
Users share their own mobile numbers on OSNs!
38. Source analysis: Results
Which applications are used to share mobile numbers on Twitter?
Which applications are used to share mobile numbers on Facebook?
32% numbers on Twitter were pushed from Facebook
[Figure: two pie charts of posting applications. Applications labelled: Facebook mobile, Facebook for iPhones, Photos, Facebook, Twitterfeed, Google, LinkedIn, TweetDeck, Facebook for Android, HootSuite. Percentage labels as extracted: 5%, 1%, 11%, 32%, 12%, 8%, 26%, 26%, 14%, 50%, 15%.]
Users posted same mobile numbers on multiple OSNs!
40. Topographical analysis: Methodology
Indian Mobile number: XXXX - NNNNNN
XXXX: Network operator, Telecom Zone/Circle
NNNNNN: Subscriber number
Telecom circles: Metro (High density); A Circle (Largest population coverage); B Circle; C Circle (Smallest population coverage)
(Source: http://www.trai.gov.in)
41. Topographical analysis: Results
Telecom Circle: Category, # of Mobile Numbers
Delhi: Metropolitan, 582
Mumbai: Metropolitan, 312
Karnataka: “A” Circle, 233
Punjab: “B” Circle, 226
Rajasthan: “B” Circle, 171
Andhra Pradesh: “A” Circle, 164
Kerala: “B” Circle, 158
Maharashtra: “A” Circle, 140
Gujarat: “A” Circle, 135
Tamil Nadu: “A” Circle, 102
Users of metropolitan cities in India actively posted mobile numbers on OSNs!
45. Context Analysis: Results
[Figure: Twitter Tag Cloud and Facebook Tag Cloud]
Emergency, marketing, escort and entertainment business are major context on OSNs!
47. Risk of Collation: Experiment 1
Methodology
Mobile Number
Store in Phone Address Book
Install and open WhatsApp
Status, Last Seen time
Penetration rate: $p_{rate} = \frac{user_{exposed}}{user_{total}} = \frac{1{,}071}{3{,}076} = 34.8\%$
49. Risk of Collation: Experiment 2
OCEAN: Open Government Data Repository
Details: User 1; User 2
Mobile Number: +9198xxxx5485; +9199xxxx2708
Full Name: xxxxxx Jeswani; x Gambhir
Age: 53; 23
Gender: Male; Male
Father’s Name: x x Jeswani; xx Gambhir
Address: ***, Mig Flats, *-block, xxxxx Vihar Phase-I, Delhi; ***, xxxx Bagh, Delhi
ID: Driving License: DL/04/xxx/222668; Voter ID: NLNxxx5696
Shared by Owner?: Yes; No
8 Users Identified Uniquely
52. Result: Callee Decision Tree
[Figure: callee decision tree for the IVR call. Node labels: Call the Number; Call not picked; Call picked; Listen message; Disconnect the Call; Listen Options; FORM 1; Didn’t know; Posted purposefully; Leave Feedback. Branch values as extracted: 0.35 (867), 0.65 (1625), 0.61 (988), 0.39 (637), 0.48 (479), 0.52 (509), 0.21 (107), 0.20 (102), 0.59 (300), 0.23 (47), 0.77 (60), 1.0 (47).]
53. Feedback
“Thank you for information, I have deleted, I will not post my number online.”
“I want to know how to remove my number and I don't know, I haven't put my number purposely but if it is there, where exactly it is there I would also like to know that. Please get in touch with me asap. Thank you!”
“It is a very nice process that you are doing and making people aware about online frauds and telephone number frauds but your system is basically calling business houses”
54. Understanding user’s response: Ownership analysis
Ownership analysis on posts from users who said that they did not know that their number can be leaked (IVR option 1)
38.3% (41/107) of mobile numbers were posted publicly by their owners.
Inability of users to manage their privacy settings.
OR
Inadvertent disclosure of personal information (mobile number)
56. Interview questions
Interviewed 8 people whom we uniquely identified.
To validate the information we had about them.
Inquire if they posted mobile number on OSN.
If yes, then why?
If no, then we informed them about the profile revealing their number, and asked if they knew the person.
Will they remove the number, and why?
Feedback?
57. Interview results
Outcome: # of callee
True positive (Valid information): 5/8
False positive: 1/8
Denied to get interviewed: 1/8
Did not pick: 1/8
58. Interview Response
Suspected if we got the information via offline sources.
Called their service provider to confirm what bad we can do with this information about them.
59. Interview Response
Posted mobile number to be in touch with friends and relatives.
Expressed concerns of getting calls from unwanted people.
Posted mobile number to promote a small scale business.
Inquired and suggested some countermeasures.
61. Take Aways
Users share their own mobile numbers on OSNs.
Users post same mobile numbers on multiple OSNs.
Females are conservative while sharing mobile numbers on OSNs.
A publicly shared mobile number can expose sensitive details (age, ID, family details and full address) of its owner, from multiple sources.
We should communicate the risks of sharing mobile numbers online to their owners.
Few users were unaware of the online presence of their number.
62. Future work
Build generic technological, people- and process-oriented solutions to forewarn users and raise awareness of the risks of exposing mobile numbers on OSNs.
64. Publications and poster
Prachi Jain, Paridhi Jain, Ponnurangam Kumaraguru. Call Me MayBe: Understanding Nature and Risks of Sharing Mobile Numbers on Online Social Networks. ACM Conference on Online Social Networks (COSN) 2013
Prachi Jain, Ponnurangam Kumaraguru. Flash of Two Worlds. Security and Privacy Symposium (SPS) 2013
65. References
1. Paul 2010, Broken promises of privacy: Responding to the surprising failure of anonymization. UCLA Law Review, 57:1701, 2010.
2. Prachi Jain, Paridhi Jain, and Ponnurangam Kumaraguru. Call me maybe: understanding the nature and risks of sharing mobile numbers on online social networks. In Proceedings of the first ACM conference on Online social networks, pages 101-106. ACM, 2013.
3. Gabriel Magno, Giovanni Comarela, Diego Saez-Trumper, Meeyoung Cha, and Virgilio Almeida. New kid on the block: Exploring the google+ social graph. In Proceedings of the 2012 ACM conference on Internet measurement conference, pages 159-170. ACM, 2012.
4. Latanya Sweeney. k-anonymity: A model for protecting privacy. International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems, 10(05):557-570, 2002.
5. Marco Balduzzi, Christian Platzer, Thorsten Holz, Engin Kirda, Davide Balzarotti, and Christopher Kruegel. Abusing social networks for automated user profiling. In Recent Advances in Intrusion Detection, pages 422-441. Springer, 2010.
66. References
6. Ratan Dey, Cong Tang, Keith Ross, and Nitesh Saxena. Estimating age privacy leakage in online social networks. In INFOCOM, 2012 Proceedings IEEE, pages 2836-2840. IEEE, 2012.
7. John D Burger, John Henderson, George Kim, and Guido Zarrella. Discriminating gender on twitter. In Proceedings of the Conference on Empirical Methods in Natural Language Processing, pages 1301-1309. Association for Computational Linguistics, 2011.
8. Tom N Jagatic, Nathaniel A Johnson, Markus Jakobsson, and Filippo Menczer. Social phishing. Communications of the ACM, 50(10):94-100, 2007.
9. Terence Chen, Mohamed Ali Kaafar, Arik Friedman, and Roksana Boreli. Is more always merrier?: a deep dive into online social footprints. In Proceedings of the 2012 ACM workshop on Workshop on online social networks, pages 67-72. ACM, 2012.
10. Huina Mao, Xin Shuai, and Apu Kapadia. Loose tweets: an analysis of privacy leaks on twitter. In Proceedings of the 10th annual ACM workshop on Privacy in the electronic society, pages 1-12. ACM, 2011.
67. References
11. Sebastian Schrittwieser, Peter Fruhwirt, Peter Kieseberg, Manuel Leithner, Martin Mulazzani, Markus Huber, and Edgar Weippl. Guess who's texting you? evaluating the security of smartphone messaging applications. In Proceedings of the 19th Annual Symposium on Network and Distributed System Security, 2012.
12. Yao Cheng, Lingyun Ying, Sibei Jiao, Purui Su, and Dengguo Feng. Bind your phone number with caution: automated user profiling through address book matching on smartphone. In Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security, pages 335-340. ACM, 2013.
13. Balachander Krishnamurthy. Privacy and online social networks: Can colorless green ideas sleep furiously? IEEE Security & Privacy, 11(3):14-20, 2013.
14. Zeynep Tufekci. Can you see me now? audience and disclosure regulation in online social network sites. Bulletin of Science, Technology & Society, 28(1):20-36, 2008.