• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Call Me MayBe: Understanding Nature and Risks of Sharing Mobile Numbers on Online Social Networks
 

Call Me MayBe: Understanding Nature and Risks of Sharing Mobile Numbers on Online Social Networks

on

  • 215 views

There is a great concern about the potential for people to leak private information on social networks. There are many anecdotal examples of this, but few quantitative studies. This research explores ...

There is a great concern about the potential for people to leak private information on social networks. There are many anecdotal examples of this, but few quantitative studies. This research explores the activity of sharing mobile numbers on OSNs, in particular via public posts. In this work, we understand the characteristics and risks of mobile numbers sharing behaviour on OSNs either via profile or public posts and focus on Indian mobile numbers. We collected 76,347 unique mobile numbers posted by 85,905 users on Twitter and Facebook and analyzed 2,997 numbers, prefixed with +91. We observed that most users shared their own mobile numbers to spread urgent information; and to market products, IT facilities and escort business. Fewer females users shared mobile numbers on Online Social Networks. Users utilized other social networking platforms and third party applications like Twitterfeed and TweetDeck, to post mobile numbers on multiple OSNs. In contradiction to the user's perception of numbers spreading quickly on OSN, we observed that except for emergency, most numbers did not diffuse deep.

To assess risks associated with mobile numbers exposed on OSNs, we used numbers to gain sensitive information about their owners (e.g. name, Voter ID) by collating publicly available data from OSNs, Truecaller, Open government data repository (OCEAN). On using the numbers on WhatApp, we obtained a myriad of sensitive details (relationship status, BBM pins, travel plans) of the mobile number owner. We communicated the observed risks to the owners by calling them on their mobile number. Few users were surprised to know about the online presence of their number, while few users intentionally posted it online for business purposes [http://precog.iiitd.edu.in/Publications_files/cosn039s-jain.pdf]. We observed that 38.3% of users who were unaware of the online presence of their number have posted their number themselves on the social network. With these observations, we highlight that there is a need to monitor leakage of mobile numbers via profile and public posts. To the best of our knowledge, this is the first exploratory study to critically investigate the exposure of Indian mobile numbers on OSNs.

Full report: http://arxiv.org/abs/1312.3441

Statistics

Views

Total Views
215
Views on SlideShare
215
Embed Views
0

Actions

Likes
0
Downloads
1
Comments
0

0 Embeds 0

No embeds

Accessibility

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Call Me MayBe: Understanding Nature and Risks of Sharing Mobile Numbers on Online Social Networks Call Me MayBe: Understanding Nature and Risks of Sharing Mobile Numbers on Online Social Networks Presentation Transcript

    • Call Me MayBe: Understanding Nature and Risks of Sharing Mobile Numbers on Online Social Networks Prachi Jain M.Tech. Thesis Defense 14th November 2013 Committee: Dr. Ponnurangam Kumaraguru, IIIT-Delhi (Chair) Dr. Alessandra Sala, Alcatel Lucent (Bell Labs), Dublin Dr. Amarjeet Singh, IIIT-Delhi
    • Problem Statement  Characterize mobile number sharing behavior on Online Social Networks.  Examine risk of collation of mobile number’s owner data from multiple online public data sources.  Propose a systematic approach for risk communication. 2
    • Achievements  Paper: Call Me MayBe: Understanding Nature and Risks of Sharing Mobile Numbers on Online Social Networks, Conference on Online Social Networks (COSN) 2013  Poster: Flash of Two Worlds, Security and Privacy Symposium (SPS) 2013 3
    • Achievements 4
    • 5
    • Research motivation
    • Research Motivation  46% of Internet users post original (self created) content on internet.  User Generated Content (UGC) has high similarity with offline interactions of user.  Concerns on (un)intentional mention of sensitive information on OSN profile.  Mobile phone number is an example of identifiable information with which a real-world entity can be associated uniquely, in most cases. 7
    • How many of you have posted mobile numbers on Online Social Networks? How many of you have seen mobile numbers being posted on Online Social Networks? 8
    • Sample posts 9
    • Sample posts 10
    • Sample posts 11
    • Sample posts 12
    • Is it a good idea?
    • Characterize mobile number sharing behavior on Online Social Networks  Focus on Indian Mobile Numbers “India has the fastest growing telecom market in the world.“  Focus on two most popular social networks – Facebook & Twitter 14
    • Background
    • Twitter 101 Name Screen name User description Whom I follow Who follow me Tweet Retweet = Tweet exposed 16 to new audience
    • Facebook 101 Name People I am friends with User attributes Public ! Post 17
    • Personally Identifiable Information (PII) An attribute that itself or in combination of other attributes can connect an online user account with a real world entity.  Email address (Balduzzi et al, 2010)  Phone numbers (Magno et al, 2012; Jain et al, 2013) 18
    • Indian Mobile Number format  10 digit number, start with 7 / 8 / 9  Country code: +91 ( Example: +91 9123456789 )  Trunk Code: 0 ( Example: 0 9123456789 ) No standard way of sharing mobile numbers on OSN! +91- 9123456789 91.91.23.456.789 +91- 91-2345-6789 (91)23.456.789 0 9123456789 (91234)56789 19
    • Literature Review
    • Literature review  Identity information disclosure on OSNs.  Consequences of identity information disclosure on OSNs.  Communicating the risk of identity information disclosure. 21
    • 1. Identity information disclosure on OSNs Zheleva et al, 2009 Group membership Balduzzi et al, 2010 Email address Burger et al, 2011 Gender Dey et al, 2012 Age Magno et al, 2012; Chen et al, 2012; Jain et al, 2013 Phone numbers No quantitative study on mobile numbers sharing behavior on OSN. 22
    • 1. Identity information disclosure on OSNs Chen et al, 2012 Observed 2% Facebook users (in their dataset) share their mobile number as a profile attribute. Magno et al, 2012 Observed users share their mobile number as profile attribute on Google+ Single Indian males share most mobile numbers We dive deeper to understand characteristics of exposed mobile numbers on Facebook and Twitter posts and user descriptions. 23
    • 2. Consequences of identity information disclosure on OSNs Jagatic et al, 2007 Social phishing Chen et al, 2012 Mao et al, 2011 Linkage attack Privacy attack Krishnamurthy et al, 2012 Auxiliary information collected from online sources might help in connecting an online profile with an offline entity. We explore if Indian mobile numbers leaked from OSNs can be used to gain a wider profile by linking it with e-government data and truecaller. 24
    • 2. Consequences of identity information disclosure on OSNs Schrittwieser et al, 2012 Mobile numbers can be used to exploit smart phone messaging services. Address book resolution Impersonation, SMS spam, Phone number enumeration attack, Status message forgery attack Cheng et al, 2013 Address book resolution Randomly picked mobile numbers used to integrate accounts on WeChat and MiTalk. Aggregate information about users in China. 25
    • 2. Consequences of identity information disclosure on OSNs We link exposed Indian mobile numbers on Facebook and Twitter profile with their WhatsApp profiles. We study comprehensiveness of additional information obtained. 26
    • 3. Communicating the risk of identity information disclosure Krishnamurthy et al, 2012 Privacy leaks could be prevented by alerting the users about information sharing vulnerabilities. We communicate the risk to a set of users by calling them with the help of an IVR system. We also study their reactions. 27
    • Methodology
    • Approach Keyword Selection Data Extraction / Collection Data Validation 29
    • System architecture Facebook Graph API Public users / posts with mobile numbers Category +91 Regex patterns Category 0 Category void call ring Mobile number validation Keyword Selection contact Indian Mobile Number Database Category void Twitter Stream API Keyword selection Public Bio/Tweets with mobile numbers Regex patterns Category 0 Category +91 Data collection Data validation 30
    • System architecture Facebook Graph API Public users / posts with mobile numbers Category +91 Regex patterns Category 0 Category void call ring Mobile number validation Keyword Selection contact Indian Mobile Number Database Category void Twitter Stream API Keyword selection Public Bio/Tweets with mobile numbers Regex patterns Category 0 Category +91 Data collection Data validation 31
    • Data statistics Twitter: 12th October 2012 – 20th October 2013 Facebook: 16th November 2012 – 20th April 2013 Numbers Category +91 Category 0 Category void Twitter Facebook Twitter Facebook Twitter Mobile 885 Numbers 2,191 User profiles 2,663 1,074 100% 14,909 8,873 85% 17,913 9,028 Total Facebook Twitter Facebook 25,566 25,294 41,360 36,358 85% 31,149 25,406 49,817 36,588 32
    • Analysis
    • Ownership Analysis
    • Ownership analysis: Methodology Owner posted the number Post Has 1st person pronoun Frequent action words Bio / Name Y Y Has 2nd / 3rd person pronoun N Phrasal search Y Non-owner posted the number 35
    • Ownership Analysis: Results Social Network Mechanism Mobile Numbers Total Twitter: Owner Bio 155 291/885 (33%) Tweet 136 Non-owner Tweet 18 18/885 (0.02%) Facebook: Owner Post 468 485/2191 (22%) Name 17 Non-owner Message 25 25/2191 (0.01%) Users share their own mobile numbers on OSNs! 36
    • Source Analysis
    • Source analysis: Results Which applications are used Which applications are used to share mobile numbers on to share mobile numbers on Twitter? Facebook? 32% numbers on Twitter were pushed from Facebook 5% Facebook mobile Facebook for iPhones Photos 1% Facebook 11% 32% Twitterfeed 12% 8% Google 26% LinkedIn 26% TweetDeck 14% 50% 15% Facebook for Android HootSuite Twitterfeed Users posted same mobile numbers on multiple OSNs ! 38
    • Topographical Analysis
    • Topographical analysis: Methodology Indian Mobile number XXXX - NNNNNN Network operator Subscriber number Telecom Zone/Circle Metro (High density) A Circle (Largest population coverage) B Circle C Circle (Smallest population coverage) (Source: http://www.trai.gov.in) 40
    • Topographical analysis: Results Telecom Circle Category # of Mobile Numbers Delhi Metropolitan 582 Mumbai Metropolitan 312 Karnataka “A” Circle 233 Punjab “B” Circle 226 Rajasthan “B” Circle 171 Andhra Pradesh “A” Circle 164 Kerala “B” Circle 158 Maharashtra “A” Circle 140 Gujarat “A” Circle 135 Tamil Nadu “A” Circle 102 Users of metropolitan cities in India actively posted mobile numbers on OSNs ! 41
    • Gender Analysis
    • Gender analysis: Results Cross Syndication Facebook Twitter Total users Gender available (G) 2,663 1,438 1,074 29 Females (F) Males (M) F/G 220 1,218 15% 6 23 20% Females are conservative while sharing mobile numbers on OSNs ! 43
    • Context Analysis
    • Context Analysis: Results Twitter Tag Cloud Facebook Tag Cloud Emergency, marketing, escort and entertainment business are major context on OSNs ! 45
    • Risk Assessment
    • Risk of Collation: Experiment 1 Methodology Mobile Number Penetration rate: Store in Phone Address Book Install and open WhatsApp Status userexposed prate = usertotal = 1,071 / 3,076 = 34.8 % Last Seen time 47
    • Risk of Collation: Experiment 1 Sample Status 48
    • Risk of Collation: Experiment 2 OCEAN: Open Government Data Repository Details User 1 User 2 Mobile Number +9198xxxx5485 +9199xxxx2708 Full Name xxxxxx Jeswani x Gambhir Age 53 23 Gender Male Father’s Name x x Jeswani Address ***, Mig Flats, *-block, xxxxx Vihar Phase-I 8 Delhi Male Users xx Gambhir Identified Uniquely ***, xxxx Bagh, Delhi ID Driving License: DL/04/xxx/222668 Voter ID: NLNxxx5696 Shared by Owner? Yes No 49
    • Risk Communication
    • Experiment: IVR System Setup (2,492) 51
    • Result: Callee Decision Tree 0.35 (867) Call the Number 0.65 (1625) Call not picked Call picked 0.61 (988) Listen message Disconnect the Call 0.48 (479) 0.52 (509) Listen Options 0.21 (107) FORM 1 0.39 (637) Didn’t know 0.23 (47) Leave Feedback Disconnect the Call 0.20 (102) 0.59 (300) Posted purposefully Disconnect the Call 0.77 (60) Disconnect the Call 1.0 (47) Disconnect the Call 52
    • Feedback “Thank you for information, I have deleted, I will not post my number online.” “I want to know how to remove my number and I don't know, I haven't put my number purposely but if it is there, where exactly it is there I would also like to know that. Please get in touch with me asap. Thank you!” “It is a very nice process that you are doing and making people aware about online frauds and telephone number frauds but your system is basically calling business houses” 53
    • Understanding user’s response: Ownership analysis Ownership analysis on posts from users who said that they did not know that their number can be leaked (IVR option 1) 38.3% (41/107) of mobile numbers were posted publicly by their owners. Inability of users to manage their privacy settings. OR Inadvertent disclosure of personal information (mobile number) 54
    • Evaluation: Interview Mobile numbers from profiles on OSNs Collating with e-government data repository (OCEAN) 8 users identified uniquely 55
    • Interview questions Interviewed 8 people whom we uniquely identified. To validate the information we had about them. Inquire if they posted mobile number on OSN. If yes than why? If no then we informed them about the profile revealing their number. And asked if they knew the person. Will they remove the number and Why? Feedback? 56
    • Interview results # of callee True positive (Valid information) 5/8 False positive 1/8 Denied to get interviewed 1/8 Did not pick 1/8 57
    • Interview Response  Suspected if we got the information via offline sources.  Called their service provider to confirm what bad we can do with this information about them. 58
    • Interview Response Posted mobile number to be in touch with friends and relatives.  Expressed concerns of getting calls from unwanted people. Posted mobile number to promote a small scale business.  Inquired and suggested some countermeasures. 59
    • Take Aways
    • Take Aways Users share their own mobile numbers on OSNs. Users post same mobile numbers on multiple OSNs. Females are conservative while sharing mobile numbers on OSNs. A publically shared mobile number can expose sensitive details (age, ID, family details and full address) of its owner, from multiple sources. We should communicate the risks of sharing mobile numbers online, to their owners. Few users were unaware of the online presence of their number. 61
    • Future work Build a generic technological, people and process oriented solutions to forewarn users and raise awareness towards risks of exposing mobile numbers on OSNs. 62
    • Acknowledgments Paridhi Jain, PhD student, IIIT Delhi Siddhartha Asthana, PhD student, IIIT Delhi Anupama Aggarwal, PhD student, IIIT Delhi Precog family 63
    • Publications and poster Prachi Jain, Paridhi Jain, Ponnurangam Kumaraguru. Call Me MayBe: Understanding Nature and Risks of Sharing Mobile Numbers on Online Social Networks. ACM Conference on Online Social Networks (COSN) 2013 Prachi Jain, Ponnurangam Kumaraguru. Flash of Two Worlds. Security and Privacy Symposium (SPS) 2013 64
    • References 1. Paul 2010, Broken promises of privacy: Responding to the surprising failure of anonymization. UCLA Law Review, 57:1701, 2010. 2. Prachi Jain, Paridhi Jain, and Ponnurangam Kumaraguru. Call me maybe: understanding the nature and risks of sharing mobile numbers on online social networks. In Proceedings of the first ACM conference on Online social networks, pages 101-106. ACM, 2013. 3. Gabriel Magno, Giovanni Comarela, Diego Saez-Trumper, Meeyoung Cha, and Virgilio Almeida. New kid on the block: Exploring the google+ social graph. In Proceedings of the 2012 ACM conference on Internet measurement conference, pages 159-170. ACM, 2012. 4. Latanya Sweeney. k-anonymity: A model for protecting privacy. International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems, 10(05):557-570, 2002. 5. Marco Balduzzi, Christian Platzer, Thorsten Holz, Engin Kirda, Davide Balzarotti, and Christopher Kruegel. Abusing social networks for automated user proling. In Recent Advances in Intrusion Detection, pages 422-441. Springer, 2010. 65
    • References 6. Ratan Dey, Cong Tang, Keith Ross, and Nitesh Saxena. Estimating age privacy leakage in online social networks. In INFOCOM, 2012 Proceedings IEEE, pages 2836-2840. IEEE, 2012. 7. John D Burger, John Henderson, George Kim, and Guido Zarrella. Discriminating gender on twitter. In Proceedings of the Conference on Empirical Methods in Natural Language Processing, pages 1301-1309. Association for Computational Linguistics, 2011. 8. Tom N Jagatic, Nathaniel A Johnson, Markus Jakobsson, and Filippo Menczer. Social phishing. Communications of the ACM, 50(10):94-100, 2007. 9. Terence Chen, Mohamed Ali Kaafar, Arik Friedman, and Roksana Boreli. Is more always merrier?: a deep dive into online social footprints. In Proceedings of the 2012 ACM workshop on Workshop on online social networks, pages 67-72. ACM, 2012. 10. Huina Mao, Xin Shuai, and Apu Kapadia. Loose tweets: an analysis of privacy leaks on twitter. In Proceedings of the 10th annual ACM workshop on Privacy in the electronic society, pages 1-12. ACM, 2011. 66
    • References 11. Sebastian Schrittwieser, Peter Fruhwirt, Peter Kieseberg, Manuel Leithner, Martin Mulazzani, Markus Huber, and Edgar Weippl. Guess whos texting you? evaluating the security of smartphone messaging applications. In Proceedings of the 19th Annual Symposium on Network and Distributed System Security, 2012. 12. Yao Cheng, Lingyun Ying, Sibei Jiao, Purui Su, and Dengguo Feng. Bind your phone number with caution: automated user proling through address book matching on smartphone. In Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security, pages 335-340. ACM, 2013. 13. Balachander Krishnamurthy. Privacy and online social networks: Can colorless green ideas sleep furiously? IEEE Security & Privacy, 11(3):14-20, 2013. 14. Zeynep Tufekci. Can you see me now? audience and disclosure regulation in online social network sites. Bulletin of Science, Technology & Society, 28(1):20-36, 2008. 67
    • Thank You!
    • Questions? prachi1107@iiitd.ac.in pk@iiitd.ac.in
    • For further information, please write to pk@iiitd.ac.in precog.iiitd.edu.in