“LOST MY PHONE!!! GIVE ME YOUR DIGITS!”
Sound familiar? For years, many people who have recently lost their phones have turned to Facebook to reunite with their friends. But rather than use the site’s integrated phone directory (which is probably more comprehensive than you think) they take a different approach: a new Facebook group declaring that their address book is gone for good. These groups often wind up with over a dozen phone numbers from friends who leave their numbers on the group’s wall. Turns out, that’s often a bad idea — in some cases it’s incredibly easy for spammers to harvest these phone numbers from Facebook. All it takes is a little Google trickery.
Earlier today we received a tip showing just how easy this ‘hack’ was to execute, yielding many thousands (perhaps even millions) of phone numbers. I quickly alerted Facebook to the issue, hoping that they might do something to somehow fix it before I wrote anything. But it doesn’t look like that’s going to happen — Facebook’s view is that users shouldn’t be using these groups (at least not public ones) to share their phone numbers. And Google has cached many of these numbers, so it’s unlikely they could do much anyway. From a Facebook spokesman:
We certainly agree that people should be careful when posting their phone number to any public forum (and if they do decide to do it, they should probably delete the number once it’s been used for the intended purpose).
The trick itself is very simple, yielding hundreds of thousands of Facebook groups, many of which have multiple phone numbers listed that are tied to each user’s real name. We’re not going to actually include the directions (giving spammers a slightly more difficult hurdle), but here’s what a page of results on Google looks like:

It’s also possible to do a query with similar results on Facebook itself, so this isn’t solely a problem with search engines. And this isn’t tied to spammers alone either — it’s easy to tweak the ‘hack’ to look for an individual’s phone number.
The issue here is that people are sharing private data in groups that have been marked public, rather than private groups that can only be viewed by group members. Facebook has obviously noticed that this is a trend, because if you try to create a group and include certain keywords (like “phone number”) the site will actually recommend that you use the Facebook phone number directory instead. But there are plenty of people who still do it anyway.

Thing is, the problem doesn’t just lie with user error — Facebook deserves some of the blame. When you create a group, you are presented with three options: ‘Open’, ‘Closed’, and ‘Secret’. People generally choose the first setting for these phone groups, because it means they don’t have to manually invite or approve every friend they have. Here’s how Facebook describes the ‘Open’ setting:

In this case it isn’t clear what exactly anyone really means. Are groups only exposed to other Facebook users? Or do search engines have access to the data too? Obviously, it’s the latter. Perhaps more important: the language doesn’t do anything to convey that sharing this information with the world might be a dumb idea. Thankfully, Facebook is planning to make this more clear:
While there are some differences between this information being available through a Facebook search by any of our 300 million users and a search on Google, the more important issue here is that users are choosing to create open groups for this purpose…. We’re working on language changes that will hopefully make it even more clear how large an audience this is. In the meantime, we fully support you educating your readers on this point.
This all ties back to my concerns over the looming Facebook Privacy Fiasco that will strike once Facebook eventually flips the switch on its privacy overhaul and begins encouraging users to share their information with the world (don’t remember that? It was announced way back in July and is apparently still in the works). The fact of the matter is that Facebook has established trust with millions of users who believe it has at least some degree of privacy. Any time Facebook invites users to share information with the world, it needs to make it abundantly (perhaps even annoyingly) clear what implications that could have.
Thanks to Eric Fulton for the tip









Next week: Public Phone Books Are A Spammer’s Delight
Do you put your cell phone number in the phone book?
Scoble’s number is on Twitter, and he’s certainly not alone.
It’s not like we’re talking about credit card numbers, or SSNs. What’s the worst that could happen? A few annoying prank calls?
Pat – the focus of the article isn’t that phone numbers are public, it’s obvious some numbers are meant to be shared with the world. It’s the broken trust of assumed privacy when using Facebook. Many people think ‘open to everyone’ means it’s open to all friends, not all people who can use Google, because Facebook is (was?) seen as a way for an individual’s collective of friends to stay in contact. Most users think Facebook runs off the ethos of a private online club, not realizing the new direction it has taken.
Prank calls are one thing, but imagine the consequences of a person running from abuse, or stalking, and having their new phone number meant for friends being found by the very person they run from. Some people require privacy, some don’t. It would be nice to at least have the option to choose.
Agreed. Also, with reverse look-up databases you are giving up much more than your phone number.. your name, home address, etc…
The worst is the newest form of spam via mobile. A person’s mobile is used to flood with spam text. Those with unlimited plans may be annoyed but those on monthly plans will get hammered with fees.
Also if you are willing to share your cell number via a group oftentimes you can be socialed out of other information.
I’m betting I could call your cell and, with little other background pieces of data, socially engineer you out of an email address, a home address or, for some, financial data.
Don’t underestimate the impact.
Live mobile phone numbers are currently selling for about $100 per 1000 for automated spamming bots.
wow that is quite disturbing. I usually don’t post on the walls and just send the person a message or something but I probably was lazy once or twice.
luckily I have never given my Google Voice number out!
Do the spammers then use the numbers to fill out scamville type mobile offers on their own websites or cpa ad networks?
You can’t do that because you need to verify those offers.
I only give out my GV number, ever.
Maybe, but normal ‘teens looking for “free” virtual coins in scamville type games could just enter in multiple of those cellphone #’s too.
We’ve got a number of ppl at work who ended up with false charges on their cell bills lately.
i don’t give a crap about this….Rogers is selling my number to bastards anyways….
Wow that is so dirty. How is this legal?
hmm, cuz they are public groups maybe? geez
“I quickly alerted Facebook to the issue, hoping that they might do something to somehow fix it before I wrote anything”
you’re writing for a tech blog and didn’t know that these groups on facebook existed since the existence, AND suggested facebook didn’t know about it?
You’re probably as stupid as your OS. The point of the article was not that these groups existed, but rather that the information can be accessed publicly.
I see a lot of implications of this. Not only can you get a lot of spam, but there are a ton of services out there now where you can enter a phone number online, and find out exactly who the number belongs to and where they live. THIS would be my main concern.
Some Facebook users are educated about the consequences of entering information online, but there are also two extremes–the grandma who has established a FB account to talk to her grandkids who has no idea of security and the young High School kid who doesn’t worry about security because they think nothing bad can happen (”it’s only Facebook”).
Security is a topic that Facebook needs to openly address and educate its audience about.
Cheers
The problem with the site’s phone book is that people don’t put stuff in there.
I have many friends that place 111-111-1111, 000-000-000 or 999-999-9999 in there, or just nothing. Making the group is easier than going through the phone book and figuring out who has a real phone number in there.
this is OLD news dude, there were many articles hitting this precise topic as far back as late 07 and early 08 (ex: orlando sentinel story in feb 08, http://blogs.or...my-phone-g.html)
….and i’m soooo sorry, but is this really a secret???
site:facebook.com
inurl:group
“lost my phone”
…those simple constraints yield many, many results….this is not a “hack” as you describe it, it’s just a site specific search on keywords, doesn’t even require advanced help or anything!
Agree. It took 2 seconds to figure out the search string for Google. Like that is any kind of hurdle for spammers.
Spammers wouldn’t even use Google, they would write a script to scrape all of the groups automatically. Really, it’s just ill-informed people utilizing the Internet without regard to security.
You can take control of your number and manage access with services like..
inumbr: http://www.inumbr.com
letscallme: http://www.letscallme.com
It can be safe to make your number available online as long as it is a “virtual front” to your actual phone number.
That is so true! I know many guys who just use FB for spamming and spamming only!..it’s a real paradise for them…but IMO FB did this itself…
Steve
http://www.isopurewater.com/