Call Me MayBe: Understanding Nature and Risks of Sharing Mobile Numbers on Online Social Networks

Call Me MayBe: Understanding Nature and Risks of

Sharing Mobile Numbers on Online Social Networks

Prachi Jain

M.Tech. Thesis Defense

14th November 2013

Committee:

Dr. Ponnurangam Kumaraguru, IIIT-Delhi (Chair)

Dr. Alessandra Sala, Alcatel Lucent (Bell Labs), Dublin

Dr. Amarjeet Singh, IIIT-Delhi

Problem Statement

Characterize mobile number sharing behavior on Online Social Networks.

Examine risk of collation of mobile number’s owner data from multiple online public data sources.

Propose a systematic approach for risk communication.

2

Achievements

Paper: Call Me MayBe: Understanding Nature and Risks of Sharing Mobile Numbers on Online Social Networks, Conference on Online Social Networks (COSN) 2013

Poster:

Flash of Two Worlds, Security and Privacy Symposium (SPS) 2013

3

Achievements

4

5

Research

motivation

Research Motivation

46% of Internet users post original (self created)

content on internet.

User Generated Content (UGC) has high similarity with offline interactions of user.

Concerns on (un)intentional mention of sensitive information on OSN profile.

Mobile phone number is an example of identifiable information with which a real-world entity can be associated uniquely, in most cases.

7

8

How many of you have posted mobile numbers on Online Social

Networks?

How many of you have seen mobile numbers being posted on

Online Social Networks?

Sample posts

9

Sample posts

10

Sample posts

11

Sample posts

12

Is it a good idea?

14

Characterize mobile number sharing behavior on Online

Social Networks Focus on Indian Mobile Numbers

“India has the fastest growing telecom market in the world.“

Focus on two most popular social

networks – Facebook & Twitter

Background

Twitter 101

16

Tweet

Retweet = Tweet exposed to new audience

Whom I follow Who

follow me

User description

Screen name Name

Facebook 101

Post

People I am friends with

Name

User attributes Public !

17

Personally Identifiable Information (PII)

An attribute that itself or in combination of other

attributes can connect an online user account with a real world entity.

Email address (Balduzzi et al, 2010)

Phone numbers (Magno et al, 2012; Jain et al, 2013)

18

Indian Mobile Number format

10 digit number, start with 7 / 8 / 9

Country code: +91 ( Example: +91 9123456789 )

Trunk Code: 0 ( Example: 0 9123456789 )

No standard way of sharing mobile numbers on OSN!

+91- 9123456789 91.91.23.456.789 0 9123456789

+91- 91-2345-6789 (91)23.456.789 (91234)56789

19

Literature Review

Literature review

Identity information disclosure on OSNs.

Consequences of identity information disclosure on OSNs.

Communicating the risk of identity information disclosure.

21

1. Identity information disclosure on OSNs

22

Zheleva et al, 2009 Group membership

Balduzzi et al, 2010 Email address

Burger et al, 2011 Gender

Dey et al, 2012 Age

Magno et al, 2012; Chen et al, 2012; Jain et al, 2013

Phone numbers

No quantitative study on mobile numbers sharing behavior on OSN.

1. Identity information disclosure on OSNs

Chen et al, 2012

Observed 2% Facebook users (in their dataset) share

their mobile number as a profile attribute.

Magno et al, 2012

Observed users share their mobile number as profile

attribute on Google+

Single Indian males share most mobile numbers

23

We dive deeper to understand characteristics of exposed mobile numbers on Facebook and Twitter posts and user

descriptions.

Krishnamurthy et al, 2012

Auxiliary information collected from online sources might help in

connecting an online profile with an offline entity.

2. Consequences of identity information disclosure on OSNs

Jagatic et al, 2007

Social phishing

24

Chen et al, 2012

Linkage attack

Mao et al, 2011

Privacy attack

We explore if Indian mobile numbers leaked from OSNs can be used to gain a wider profile by linking it with

e-government data and truecaller.

2. Consequences of identity information disclosure on OSNs

Schrittwieser et al, 2012

Mobile numbers can be used

to exploit smart phone

messaging services.

Address book resolution

Impersonation, SMS spam,

Phone number enumeration

attack, Status message forgery

attack

25

Cheng et al, 2013

Address book resolution

Randomly picked mobile

numbers used to integrate

accounts on WeChat and

MiTalk.

Aggregate information

about users in China.

26

We link exposed Indian mobile numbers on Facebook and Twitter profile with their

WhatsApp profiles.

We study comprehensiveness of additional information obtained.

2. Consequences of identity information disclosure on OSNs

3. Communicating the risk of identity information disclosure

Krishnamurthy et al, 2012

Privacy leaks could be prevented by alerting the users

about information sharing vulnerabilities.

27

We communicate the risk to a set of users by calling them with the help of an IVR system.

We also study their reactions.

Methodology

Approach

Keyword Selection

Data Extraction / Collection

Data Validation

29

System architecture

30

Keyword

Selection

Facebook

Graph

API

Twitter

Stream

API

Public users /

posts

with mobile

numbers

Public Bio/Tweets

with mobile

numbers

Category

+91

Category

+91

Category 0

Category

void

Mobile

number

validation

Indian

Mobile

Number

Database

Keyword selection Data collection Data validation

Regex

patterns

Regex

patterns

Category

void

Category 0

call

contact

ring

System architecture

31

Keyword

Selection

Facebook

Graph

API

Twitter

Stream

API

Public users /

posts

with mobile

numbers

Public Bio/Tweets

with mobile

numbers

Category

+91

Category

+91

Category 0

Category

void

Mobile

number

validation

Keyword selection Data collection Data validation

Regex

patterns

Regex

patterns

Category

void

Category 0

call

contact

ring Indian

Mobile

Number

Database

Data statistics

32

Twitter: 12th October 2012 – 20th October 2013

Facebook: 16th November 2012 – 20th April 2013

Numbers Category +91 Category 0 Category void Total

Twitter Facebook Twitter Facebook Twitter Facebook Twitter Facebook

Mobile Numbers

885 2,191 14,909 8,873 25,566 25,294 41,360 36,358

User profiles

1,074 2,663 17,913 9,028 31,149 25,406 49,817 36,588

85% 100% 85%

Analysis

Ownership Analysis

Ownership analysis: Methodology

35

Post Owner posted

the number

Non-owner posted the number

Has 1st person

pronoun

Has 2nd / 3rd person

pronoun

Frequent action words

Phrasal search

Y

N

Y

Y

Bio / Name

Ownership Analysis: Results

36

Social Network Mechanism Mobile Numbers

Total

Twitter: Owner

Bio 155 291/885 (33%)

Tweet 136

Non-owner Tweet 18 18/885 (0.02%)

Facebook: Owner

Post 468 485/2191 (22%)

Name 17

Non-owner Message 25 25/2191 (0.01%)

Users share their own mobile numbers on OSNs!

Source Analysis

Source analysis: Results

32%

26%

26%

11%

5%

Which applications are used to share mobile numbers on

Twitter?

Facebook

Twitterfeed

Google

LinkedIn

TweetDeck

38

50%

15%

14%

8%

12%

1%

Which applications are used to share mobile numbers on

Facebook?

FacebookmobileFacebook foriPhonesPhotos

Facebook forAndroidHootSuite

Twitterfeed

Users posted same mobile numbers on multiple OSNs !

32% numbers on Twitter were pushed from

Facebook

Topographical Analysis

Topographical analysis: Methodology

Indian Mobile number

XXXX - NNNNNN

Network operator Subscriber number

Telecom Zone/Circle

Metro A Circle B Circle C Circle (High density) (Largest (Smallest population coverage) population coverage)

(Source: http://www.trai.gov.in) 40

Telecom Circle Category # of Mobile Numbers

Delhi Metropolitan 582

Mumbai Metropolitan 312

Karnataka “A” Circle 233

Punjab “B” Circle 226

Rajasthan “B” Circle 171

Andhra Pradesh “A” Circle 164

Kerala “B” Circle 158

Maharashtra “A” Circle 140

Gujarat “A” Circle 135

Tamil Nadu “A” Circle 102

Topographical analysis: Results

41

Users of metropolitan cities in India actively posted mobile numbers on OSNs !

Gender Analysis

Gender analysis: Results

43

Facebook Twitter

Total users 2,663 1,074

Gender available (G) 1,438 29

Females (F) 220 6

Males (M) 1,218 23

F/G 15% 20%

Females are conservative while sharing mobile numbers on OSNs !

Cross Syndication

Context Analysis

Context Analysis: Results

Facebook Tag Cloud

Twitter Tag Cloud

Emergency, marketing, escort

and entertainment business are major context on OSNs !

45

Risk Assessment

Risk of Collation: Experiment 1

47

Mobile Number

Store in Phone Address Book

Install and open

WhatsApp

Last Seen time

Status

Methodology

Penetration rate:

prate =userexposed

usertotal

= 1,071 / 3,076 = 34.8 %

Risk of Collation: Experiment 1

48

Sample Status

Risk of Collation: Experiment 2

49

Details User 1

Mobile Number

+9198xxxx5485

Full Name xxxxxx Jeswani

Age 53

Gender Male

Father’s Name

x x Jeswani

Address ***, Mig Flats, *-block, xxxxx Vihar Phase-I

ID Driving License: DL/04/xxx/222668

Shared by Owner?

Yes

OCEAN:

Open Government

Data Repository

User 2

+9199xxxx2708

x Gambhir

23

Male

xx Gambhir

***, xxxx Bagh, Delhi

Voter ID: NLNxxx5696

No

8 Delhi Users

Identified Uniquely

Risk Communication

Experiment: IVR System Setup

51

(2,492)

52

Call the Number

Disconnect the Call

Disconnect the Call

Call picked Call not picked

Leave Feedback

Posted purposefully

Listen message

Listen Options

Didn’t know FORM 1

Disconnect the Call

Disconnect the Call

Disconnect the Call

0.35 (867) 0.65 (1625)

0.61 (988) 0.39 (637)

0.48 (479)

0.20 (102)

0.21 (107) 0.59 (300)

0.23 (47) 0.77 (60)

1.0 (47)

0.52 (509)

Result: Callee Decision Tree

Feedback

“Thank you for information, I have deleted, I will not post my number online.”

“I want to know how to remove my number and I don't know, I haven't put my number purposely but if it is

there, where exactly it is there I would also like to know that. Please get in touch with me asap. Thank you!”

“It is a very nice process that you are doing and making people aware about online frauds and telephone number frauds but your system is basically calling

business houses”

53

Understanding user’s response: Ownership analysis

Ownership analysis on posts from users who said that they did not know that their number can be leaked (IVR option 1)

38.3% (41/107) of mobile numbers were posted publicly by their owners.

Inability of users to manage their privacy settings.

OR

Inadvertent disclosure of personal information (mobile number)

54

Evaluation: Interview

Mobile numbers from profiles on

OSNs

Collating with e-government

data repository (OCEAN)

8 users identified uniquely

55

Interview questions

Interviewed 8 people whom we uniquely identified.

To validate the information we had about them.

Inquire if they posted mobile number on OSN. If yes than why? If no then we informed them about the profile revealing

their number. And asked if they knew the person.

Will they remove the number and Why?

Feedback?

56

Interview results

57

# of callee

True positive (Valid information) 5/8

False positive 1/8

Denied to get interviewed 1/8

Did not pick 1/8

Interview Response

Suspected if we got the information via offline sources.

Called their service provider to confirm what bad we can do with this information about them.

58

Interview Response

Posted mobile number to be in touch with friends and relatives.

Expressed concerns of getting calls from unwanted people.

Posted mobile number to promote a small scale business.

Inquired and suggested some countermeasures.

59

Take Aways

Take Aways

Users share their own mobile numbers on OSNs.

Users post same mobile numbers on multiple OSNs.

Females are conservative while sharing mobile numbers on OSNs.

A publically shared mobile number can expose sensitive details (age, ID, family details and full address) of its owner, from multiple sources.

We should communicate the risks of sharing mobile numbers

online, to their owners. Few users were unaware of the online presence of their number.

61

Future work

Build a generic technological, people and process oriented

solutions to forewarn users and raise awareness towards risks of

exposing mobile numbers on OSNs.

62

Acknowledgments

Paridhi Jain, PhD student, IIIT Delhi

Siddhartha Asthana, PhD student, IIIT Delhi

Anupama Aggarwal, PhD student, IIIT Delhi

Precog family

63

Publications and poster

Prachi Jain, Paridhi Jain, Ponnurangam Kumaraguru. Call Me MayBe: Understanding Nature and Risks of Sharing Mobile Numbers on Online Social Networks. ACM Conference on Online Social Networks (COSN) 2013

Prachi Jain, Ponnurangam Kumaraguru. Flash of Two Worlds. Security and Privacy Symposium (SPS) 2013

64

References

1. Paul 2010, Broken promises of privacy: Responding to the surprising failure of anonymization. UCLA Law Review, 57:1701, 2010.

2. Prachi Jain, Paridhi Jain, and Ponnurangam Kumaraguru. Call me maybe: understanding the nature and risks of sharing mobile numbers on online social networks. In Proceedings of the first ACM conference on Online social networks, pages 101-106. ACM, 2013.

3. Gabriel Magno, Giovanni Comarela, Diego Saez-Trumper, Meeyoung Cha, and Virgilio Almeida. New kid on the block: Exploring the google+ social graph. In Proceedings of the 2012 ACM conference on Internet measurement conference, pages 159-170. ACM, 2012.

4. Latanya Sweeney. k-anonymity: A model for protecting privacy. International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems, 10(05):557-570, 2002.

5. Marco Balduzzi, Christian Platzer, Thorsten Holz, Engin Kirda, Davide Balzarotti, and Christopher Kruegel. Abusing social networks for automated user proling. In Recent Advances in Intrusion Detection, pages 422-441. Springer, 2010.

65

References 6. Ratan Dey, Cong Tang, Keith Ross, and Nitesh Saxena. Estimating age privacy

leakage in online social networks. In INFOCOM, 2012 Proceedings IEEE, pages 2836-2840. IEEE, 2012.

7. John D Burger, John Henderson, George Kim, and Guido Zarrella. Discriminating gender on twitter. In Proceedings of the Conference on Empirical Methods in Natural Language Processing, pages 1301-1309. Association for Computational Linguistics, 2011.

8. Tom N Jagatic, Nathaniel A Johnson, Markus Jakobsson, and Filippo Menczer. Social phishing. Communications of the ACM, 50(10):94-100, 2007.

9. Terence Chen, Mohamed Ali Kaafar, Arik Friedman, and Roksana Boreli. Is more always merrier?: a deep dive into online social footprints. In Proceedings of the 2012 ACM workshop on Workshop on online social networks, pages 67-72. ACM, 2012.

10. Huina Mao, Xin Shuai, and Apu Kapadia. Loose tweets: an analysis of privacy leaks on twitter. In Proceedings of the 10th annual ACM workshop on Privacy in the electronic society, pages 1-12. ACM, 2011.

66

References 11. Sebastian Schrittwieser, Peter Fruhwirt, Peter Kieseberg, Manuel Leithner,

Martin Mulazzani, Markus Huber, and Edgar Weippl. Guess whos texting you? evaluating the security of smartphone messaging applications. In Proceedings of the 19th Annual Symposium on Network and Distributed System Security, 2012.

12. Yao Cheng, Lingyun Ying, Sibei Jiao, Purui Su, and Dengguo Feng. Bind your phone number with caution: automated user proling through address book matching on smartphone. In Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security, pages 335-340. ACM, 2013.

13. Balachander Krishnamurthy. Privacy and online social networks: Can colorless green ideas sleep furiously? IEEE Security & Privacy, 11(3):14-20, 2013.

14. Zeynep Tufekci. Can you see me now? audience and disclosure regulation in online social network sites. Bulletin of Science, Technology & Society, 28(1):20-36, 2008.

67

Thank You!

Questions?

prachi1107@iiitd.ac.in

pk@iiitd.ac.in

For further information, please write to

pk@iiitd.ac.in precog.iiitd.edu.in