The vulnerability of our data. What hackers can do with just a mobile number

What risks can access to customer data pose? Speaking to CNN Portugal, three experts explain how access to a mobile phone number can open the door to a body of personal information that should be non-transferable.

Let’s start this article with a hypothetical scenario. Attackers were able to access a carrier’s SIM card management system and its customer data was exposed. Name, address, billing details. Everything has fallen into the hands of the hackers responsible for the attack, who can now do what they want with it: sell it, destroy it or… obtain all the information possible. But what information is it possible to extract from a simple mobile number? A lot.

“Why is the phone a unique key that is very relevant? Because it is usually the device used to authenticate homebanking, MBway, Continente. When you put the phone number in the internet search, on the other side we will discover these accounts,” explains Bruno Castro, CEO of cybersecurity company Visionware, to CNN Portugal.

And that is not all. Using OSINT (Open Source Intelligence) techniques, that is, legally and without resorting to hackers, anyone with access to information such as a mobile number, e-mail address and name can discover further information. And the more data you have (such as taxpayer number, IBAN, address), the more you can discover.

“We asked the internet, basically: ‘Tell me, with this NIF, with this name, with this email, with this phone, what can we find on the internet?’ And the answer is ‘we found that you had a profile on Hi5, have an account on Facebook, on Twitter, lived here, had another address in the past.’ And that’s called profiling. The more information we have, like the phone number, which is a unique key, with this information we will get a lot of other information… and so on.”

Once the information is collected, it is time to “set up the profile of the person.” And then new problems begin.

Phishing, Spear Phishing and Scams

Can you count the number of phishing emails or messages you have received in the past year? Ten, fifty, a hundred? Have you lost count (on the CTT site alone there are more than 35 alerts)? Did you know that some are aimed directly at you, thanks to a profile built from information collected online?

“After setting up the person’s profile, we may target phishing attacks, spear phishing attacks or SMS scams. And this is very valuable for many criminals. There is phishing for organizations and others for individuals in particular. With this information, we are able to redirect very well-tuned content to people so that they fall into fraud”, explains the cybersecurity expert.

Rui Duro, head of Checkpoint Software Portugal, also recalls that “when it comes to hackers, you never really know”, especially if they have access “to data considered sensitive by the RGPD” (the General Data Protection Regulation).

“They’re very creative. We all get phishing text messages every day. And what they do is they randomly generate text messages to numbers sequentially and people get them.”

If people receive them and delete them, there will be no major problems. The problem is that when people click on the links these messages carry, they give away even more access to more sensitive information, which can cause even bigger problems.

Identity theft? It happens

By giving access to more data about you, your profile will become more and more complete. The same can happen when someone manages to access and steal this data from an operator (which does not seem to have been the case in the Vodafone cyberattack, although there is still no certainty to date).

When we talk about data theft, it can have several levels: “It can be data theft, i.e. simply the phone number; we can go to data theft, i.e. addresses and people and personal data of people; we can go to a more confidential level, the type of access that is done through telephone calls, SMS, access to the Internet (links)”.

But the biggest problem isn’t the theft, it’s what is done with the data after it is stolen, who it is sold to (“Many times it’s not the person stealing it who uses it; it is the person who sells it to other forums, like criminals who will use this data to attack the victims, to attack again”, recalls Bruno Castro) and what is achieved with it.

“Typically, personal data that is stolen, in this case phone numbers and personal data, has many possible attack vectors. They know the address, they know the phone number. If they know the type of use they make of calls or the online shopping they do, they can do a set of people profiling and then approach them directly with a lot of credibility with the recipient of the contact. They can steal your identity, get a telephone number, an address, the type of contact you establish by telephone, what type of use you make of the data card; with this information from your profile as a person, as an individual, you can set up a set of fraud operations specifically for you”.

“The biggest risk is knowing where people have been”

In turn, Ricardo Negrão, a specialist in the field of cyber risk, said, in an interview with CNN Portugal, that “the greatest risk that exists is not keeping people’s number, address and telephone number”.

“The biggest risk is, essentially, knowing where people have been with their cellphones in the past six months.” That is, if they have access to customer information, attackers can take this data, find out, for example, the Prime Minister’s number [if he is a customer of this operator] and detect what should not be common knowledge.

“They can pick it up and say, ‘I know this is our Prime Minister’s number and I want to know where he has been for the last six months.’ And they know in detail where he has been for the last six months, geographically”. everyone” he clarifies, explaining that it is not necessary that geolocation services be activated for this.

“As long as I have a mobile network, I know where I am. In certain places with an accuracy of less than 30 meters”. But why does an operator have this information? And, more importantly, why does it keep it for six months?

“Operators are required to keep this information for six months for legal reasons in the event of a crime. The judicial police may have access to this data to create evidence and facts as evidence of a crime.”

Therefore, for the cyber risk specialist, “the risk of data theft from an operator is that this information is stolen”. “It’s not stealing the company’s bill. It’s unpleasant, but it’s not the biggest problem.”

Georeferencing, how does it work?

But is it really so easy to work out where a person has been just by accessing information from mobile network antennas? Rui Duro says no.

“I don’t believe the server logs indicated the exact location there. They must have the number of a BTS, which are the mobile antennas, which then have the cells where the cell phones connect. Probably what is in the log is a time, a cell phone number and a BTS. And that would require hackers to have access to the BTS’s location number to triangulate. Eventually, it would be possible.”

Log servers, BTS, logs. How does this translate into language you can understand? The specialist explains: “Each time a mobile phone accesses, there is a set of support servers which help to know where the mobile phones are, which register the mobile phones, which validate for example if the mobile phone has a balance or not, in order to allow communication on the network”.

That is, every time you make a call, your cell phone connects to one of the nearest antennas, which in turn has a location code, takes an x-ray of your customer profile and records that call, whether you are outside or inside the house. And then there can also be problems with the network itself if it gets compromised.

Lock the door as much as possible

If you have subscribed to a TV + net + voice (or no voice) service and you have a box at home, be aware that the operator can access the equipment remotely. This means that if the network is compromised, so can the attacker. In other words, from the moment there is an intrusion into the central core of the operator (which in the case of Vodafone interrupted the services), if there is access to the “IP television management systems – and even home or work IP networks – then, effectively, there will be remote access to all home networks.”

Therefore, there is also the possibility of “having access to home networks and home appliances”: phones, computers, TVs, tablets, which are inside home networks.

This does not mean, however, that there is access to documents, but rather to systems that are not effectively secured (computers without passwords, for example), and that the home network itself can be monitored.

“As long as you have access to my home network, you can monitor my network’s access to the Internet – whether you access home banking, whether you access professional websites, employer networks. This vehicle, after having been compromised, is in the hands of those who want to hear what is going on,” explains Bruno Castro.

And speaking of eavesdropping, be aware that unprotected devices with IP cameras that are online on the home network are also accessible to those who shouldn’t have access and that, most of the time, users don’t realize they have been the target of an attack.

“If done well, monitoring is invisible. At home, they are passive, they will only listen to what is happening on the network. It is invisible to the home client,” warns the specialist, noting that, where possible, users should use “defense mechanisms” such as firewalls and anti-virus software.
