Massive leak of Facebook users' phone numbers and the risk of SIM swapping scams!


Facebook just made the headlines for the wrong reason again! This time, over 419 million records of Facebook users were found online in a database with no password protection. Each record contains a unique Facebook ID and a corresponding mobile number. According to TechCrunch, there are 133 million records from the US, 18 million from the UK and another 50 million from Vietnam! According to Engadget, Facebook responded to them and said that the dataset contains quite a number of duplicate entries, so the actual number of affected users should be about half of 419 million.


Still, to put things into proper perspective: the population of the USA is slightly under 330 million, so 133 million records represent over 40% of the population! The UK's population is about 67.5 million, which means about 26% of the population is affected. But the worst hit seems to be Vietnam: with a population of about 97 million and 50 million records leaked, over half of Vietnam's population is affected! Even if we account for the duplicated records and halve those numbers, the figures are still staggering.


SIM Swapping Scam

You may think that exposing your phone number is no big deal. You might want to think again. Exposing your phone number alone may not do much harm. However, in this case, the database also contains the victims' Facebook ID, gender and country. All of these combined with a little social engineering may lead to a successful SIM swapping scam.


Here is a summary of how a SIM swapping scam works. Credits to Fraud.org:

The “SIM swap” scam is a two-step process. First, identity thieves gather the information they need to convince your wireless provider that they are you. This information can include your name, Social Security Number, street address, and the name of your wireless provider. This information can be gathered from a legitimate-looking phishing email. Other fraudsters have also employed a phone scam where they call and impersonate your mobile provider and ask you a series of questions to coax you into revealing the needed data....

After the identity thieves obtain your information, they create a falsified document such as a driver's license and head to your wireless provider’s retail store. Once there, the thieves will claim that they lost “their” phone or damaged “their” SIM card and that it needs to be replaced. After answering a few questions and providing the falsified documents, the fraudsters will be allowed to pick out a new phone (or phones) and your actual phone will stop working immediately...

Once your number is taken over, there is a multitude of things the fraudster can do. The most direct way to make use of your number is to charge purchases (e.g. for a new phone) to your account. If they have somehow also compromised your passwords and you are using your phone as a second authentication factor, then they will have compromised your account completely. Some sites use a mobile OTP as a means to reset your password, so taking over your phone number also means taking control of those accounts. The recent hack on Jack Dorsey's (Twitter's CEO) Twitter account was also likely due to SIM swapping. In addition, the SIM swapping technique has been used to compromise multiple high-value Instagram accounts and to steal cryptocurrencies.

Such scams are especially effective in countries that do not impose strong process controls on acquiring or replacing SIM cards, for example developing countries like Vietnam. Vietnam is like my second home and this phone number leak got me worried for the people there. The Vietnamese are avid users of Facebook. Many of them use Facebook for the fun and convenience. Sadly, not many are aware of the potential risks around personal data leaks and privacy issues. If you are Vietnamese and reading this post, do help to spread the word!



Protect Yourselves

There are a few ways to mitigate SIM swapping scams. First, the most effective way is to set a PIN for your SIM. Many service providers allow a PIN to be set on your SIM card, and in order to replace it, you will need that PIN. A 4-digit PIN may not be the strongest defence, but it is still quite an effective one to deter fraudsters who just want to try their luck indiscriminately. Unfortunately, not many people are aware that they can set a PIN for their SIM card. I won't attempt to teach you how to set the PIN, as different phones have different ways to do it; you will have to Google the steps for your phone.

Next, be aware of social engineering attempts. A seemingly innocent call from a stranger posing as someone from the telecom company and asking for your information might be a social engineering attempt. Always make it a point not to divulge personal information to unsolicited callers or emails before ascertaining the identity of the other party.

Finally, use a stronger second authentication factor and avoid using your phone number as the second factor. Things like Google Authenticator and separate hardware tokens are better alternatives to just a phone number. A phone number was never meant to be a secure means of identifying someone. Somehow or other, phone numbers have become a way to identify an individual even though they were not designed to be. Hence, whenever possible, use a stronger second factor authentication method.

The world is a dangerous place. So, do stay safe and vigilant! Do not fall victim to such scams and let your hard-earned money/investments go down the drain.


The "Raise to 50" Initiative

Under 50 SP and finding it hard to do much on this platform? I might just be able to raise your SP to 50. Check this post to find out more!


This article is created on the Steem blockchain. Check this series of posts to learn more about writing on an immutable and censorship-resistant content platform:



21 comments

Hi @culgin!

Your post was upvoted by @steem-ua, a new Steem dApp, using UserAuthority for algorithmic post curation!
Your UA account score is currently 4.040 which ranks you at #3866 across all Steem accounts.
Your rank has improved 37 places in the last three days (old rank 3903).

In our last Algorithmic Curation Round, consisting of 124 contributions, your post is ranked at #21.

Evaluation of your UA score:
  • Some people are already following you, keep going!
  • The readers appreciate your great work!
  • Try to work on user engagement: the more people that interact with you via the comments, the higher your UA score!

Feel free to join our @steem-ua Discord server


Hello my dear @culgin, thanks for sharing this information.

Once again Facebook in the eye of the hurricane, I wonder if this will not negatively affect your project with the cryptocurrency. If cryptocurrencies are based on people's trust, then Libra will be born surrounded by distrust.

Do you think this affects the project?


I doubt there will be much of an impact on the Libra project because of this. In fact, this leak is not directly Facebook's fault. Well, technically it's a fault, which they have corrected.


Hi @culgin

The problem is already created. I think Facebook can't come and say the following:

I quote:

Facebook responded to them and said that the dataset contains quite a number of duplicated data. Hence, the actual affected users should be about half of 419 million.

Be it a single user or two, or failing that 419 million, that mistake was already made. How much more information will be compromised from all the millions of users who have an account on FB and do not know what they do with our data?

As you summarize the way scams are made, I tell you in Venezuela they already apply them, and the most unfortunate thing is that the data is taken by criminals and is delivered by staff of the same government. Nothing serious; in fact it is well known worldwide that those who occupy many positions in government are criminals.

If that happens in a country, of course it can happen with a company that lets you filter such important information, and they are shielded by a statement that is empty of any argument that is truly valid.


hi @culgin

It's unbelievable that FB is still standing and doing quite well. Recently they were bombarded with negative PR, they lost the trust of a large number of their users and investors and yet, they are still standing.

I'm guessing they are just too big to fail and too well connected to ever really be at risk of closing down.

Strong upvote on the way :)
Yours, Piotr


Thanks for the comment my friend. I think it's going to take much more than a few negative PR to bring down Facebook.


That's really promising for Libra... Now it's phone numbers; what if it's bank accounts or even Libra balances...


Howdy dear friend @culgin.

It will always be a matter of risk to provide personal information online, even if we talk about recognized companies that can inspire confidence.
We have already witnessed cases where renowned exchanges have used or trafficked in the information of their clients obtained in the KYC processes.
Particularly Facebook has never inspired confidence in me, so giving this type of information to this company would not be an option.

This SIM swapping scam sounds like something real and it can have consequences at full scale.
The term "Social Engineering" also caught my attention. I will have to read a little more about this.

Thanks for sharing.

Your friend, Juan.


Thanks for your comment my friend. Social engineering is one of the top risks in cybersecurity and one of the most common social engineering techniques is phishing. You might want to find out more from one of my previous posts here


Thanks for being so helpful.
I am very interested in this theme of Social Engineering.
I will check your posts.


What gets me is who is FB's greatest enemy. Blockchain folk aren't generally going to like it, but I do not see them attacking. The government has it in its regulatory sights, so who hacked it? I am figuring maybe China's social media companies. Chinese powers have been vocal about not liking FB, and it seems their mode for sanctions is through hacking.


In this case, no one hacked FB. Rather, their previously loose privacy policies and controls allowed data to be mined too easily. It's just that the mined data is now exposed.

As to who FB's enemies are, I think it will be the privacy activists. They are also getting on the government's radar as they are becoming too big and influential, potentially undermining the governments' effectiveness.


I was just rambling. Truly a big issue. You helped with clarity and in putting these words together:

crypto users will also be privacy advocates


Just FYI, there was an email from a random person saying they got fined/sued by the owner of the scrabble picture and were saying to be careful. We told them we're just a social media platform, but I also said we'd pass along the message.
