There is great concern about the potential for people to leak private information on social networks. There are many anecdotal examples of this, but few quantitative studies. This research explores the activity of sharing mobile numbers on OSNs, in particular via public posts. In this work, we study the characteristics and risks of mobile number sharing behaviour on OSNs, either via profile or public posts, and focus on Indian mobile numbers. We collected 76,347 unique mobile numbers posted by 85,905 users on Twitter and Facebook and analyzed 2,997 numbers prefixed with +91. We observed that most users shared their own mobile numbers to spread urgent information, and to market products, IT facilities and escort business. Fewer female users shared mobile numbers on Online Social Networks. Users utilized other social networking platforms and third party applications like Twitterfeed and TweetDeck to post mobile numbers on multiple OSNs. Contrary to users' perception of numbers spreading quickly on OSNs, we observed that, except in emergencies, most numbers did not diffuse deep. To assess risks associated with mobile numbers exposed on OSNs, we used numbers to gain sensitive information about their owners (e.g. name, Voter ID) by collating publicly available data from OSNs, Truecaller and the Open government data repository (OCEAN). On using the numbers on WhatsApp, we obtained a myriad of sensitive details (relationship status, BBM pins, travel plans) of the mobile number owner. We communicated the observed risks to the owners by calling them on their mobile number. Few users were surprised to know about the online presence of their number, while few users intentionally posted it online for business purposes [http://precog.iiitd.edu.in/Publications_files/cosn039s-jain.pdf]. We observed that 38.3% of users who were unaware of the online presence of their number had posted their number themselves on the social network.
With these observations, we highlight that there is a need to monitor leakage of mobile numbers via profile and public posts. To the best of our knowledge, this is the first exploratory study to critically investigate the exposure of Indian mobile numbers on OSNs. Full report: http://arxiv.org/abs/1312.3441
Call Me MayBe: Understanding Nature and Risks of Sharing Mobile Numbers on Online Social Networks
Prachi Jain
M.Tech. Thesis Defense
14th November 2013
Committee:
Dr. Ponnurangam Kumaraguru, IIIT-Delhi (Chair)
Dr. Alessandra Sala, Alcatel Lucent (Bell Labs), Dublin
Dr. Amarjeet Singh, IIIT-Delhi
Problem Statement
Characterize mobile number sharing behavior on Online Social Networks.
Examine risk of collation of mobile number’s owner data from multiple online public data sources.
Propose a systematic approach for risk communication.
Achievements
Paper: Call Me MayBe: Understanding Nature and Risks of Sharing Mobile Numbers on Online Social Networks, Conference on Online Social Networks (COSN) 2013
Poster: Flash of Two Worlds, Security and Privacy Symposium (SPS) 2013
Research Motivation
46% of Internet users post original (self-created) content on the Internet.
User Generated Content (UGC) closely resembles the user's offline interactions.
Concerns about (un)intentional mention of sensitive information on OSN profiles.
Mobile phone number is an example of identifiable information with which a real-world entity can be associated uniquely, in most cases.
How many of you have posted mobile numbers on Online Social Networks?
How many of you have seen mobile numbers being posted on Online Social Networks?
Sample posts
Is it a good idea?
Characterize mobile number sharing behavior on Online Social Networks
Focus on Indian Mobile Numbers
“India has the fastest growing telecom market in the world.”
Focus on two most popular social networks – Facebook & Twitter
Background
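Twitter 101
[Annotated screenshot of a Twitter profile. Labels: Tweet; Retweet = Tweet exposed to new audience; Whom I follow; Who follows me; User description; Screen name; Name.]
Facebook 101
[Annotated screenshot of a Facebook profile. Labels: Post; People I am friends with; Name; User attributes; Public!]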
Personally Identifiable Information (PII)
An attribute that by itself or in combination with other attributes can connect an online user account with a real world entity.
Email address (Balduzzi et al, 2010)
Phone numbers (Magno et al, 2012; Jain et al, 2013)
Indian Mobile Number format
10 digit number, start with 7 / 8 / 9
Country code: +91 ( Example: +91 9123456789 )
Trunk Code: 0 ( Example: 0 9123456789 )
No standard way of sharing mobile numbers on OSN!
+91- 9123456789 91.91.23.456.789 0 9123456789
+91- 91-2345-6789 (91)23.456.789 (91234)56789
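A pre-post check built on the format rules above, as an added example (not code from the thesis): it finds Indian mobile numbers written in the sample formats, normalises them to ten digits, labels them with the +91 / 0 / void categories used later in the methodology, and redacts them from a draft. The regular expression, the function names and the treatment of a bare 91 prefix as category +91 are assumptions.

```python
import re

# Candidate run: optional '+' or '(', then 10-12 digits, each digit preceded by
# at most two of the separators seen in the sample formats (space . - parens).
# The lookarounds keep the match from starting or ending inside a longer token.
CANDIDATE = re.compile(r"(?<![\w+])[+(]?\d(?:[\s.()\-]{0,2}\d){9,11}(?!\d)")


def classify(candidate):
    """Return (category, ten_digit_number), or None if not an Indian mobile."""
    digits = re.sub(r"\D", "", candidate)
    if len(digits) == 12 and digits.startswith("91"):
        # Assumption: "91" written without '+' is counted as category +91.
        category, number = "+91", digits[2:]
    elif len(digits) == 11 and digits.startswith("0"):
        category, number = "0", digits[1:]       # trunk code
    elif len(digits) == 10:
        category, number = "void", digits        # no prefix
    else:
        return None
    # Format rule from the slide: the 10-digit number starts with 7, 8 or 9.
    return (category, number) if number[0] in "789" else None


def find_mobile_numbers(text):
    """List every Indian mobile number in text with its span and category."""
    hits = []
    for match in CANDIDATE.finditer(text):
        result = classify(match.group())
        if result:
            hits.append({"span": match.span(), "category": result[0],
                         "number": result[1]})
    return hits


def redact(text, placeholder="[mobile number]"):
    """Return text with each detected number replaced, e.g. before posting."""
    for hit in reversed(find_mobile_numbers(text)):
        start, end = hit["span"]
        text = text[:start] + placeholder + text[end:]
    return text


# Constructed draft post (not taken from the study's data set).
DRAFT = "Urgent: call +91- 9123456789 or (91234)56789, ticket 1234567890"

if __name__ == "__main__":
    for hit in find_mobile_numbers(DRAFT):
        print(hit)
    print(redact(DRAFT))
```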
Literature Review
Identity information disclosure on OSNs.
Consequences of identity information disclosure on OSNs.
Communicating the risk of identity information disclosure.
1. Identity information disclosure on OSNs
Zheleva et al, 2009: Group membership
Balduzzi et al, 2010: Email address
Burger et al, 2011: Gender
Dey et al, 2012: Age
Magno et al, 2012; Chen et al, 2012; Jain et al, 2013: Phone numbers
No quantitative study on mobile numbers sharing behavior on OSN.
1. Identity information disclosure on OSNs
Chen et al, 2012
Observed 2% Facebook users (in their dataset) share their mobile number as a profile attribute.
Magno et al, 2012
Observed users share their mobile number as profile attribute on Google+
Single Indian males share most mobile numbers
We dive deeper to understand characteristics of exposed mobile numbers on Facebook and Twitter posts and user descriptions.
2. Consequences of identity information disclosure on OSNs
Krishnamurthy et al, 2012: Auxiliary information collected from online sources might help in connecting an online profile with an offline entity.
Jagatic et al, 2007: Social phishing
Chen et al, 2012: Linkage attack
Mao et al, 2011: Privacy attack
We explore if Indian mobile numbers leaked from OSNs can be used to gain a wider profile by linking it with e-government data and Truecaller.
2. Consequences of identity information disclosure on OSNs
Schrittwieser et al, 2012
Mobile numbers can be used to exploit smart phone messaging services.
Address book resolution
Impersonation, SMS spam, Phone number enumeration attack, Status message forgery attack
Cheng et al, 2013
Address book resolution
Randomly picked mobile numbers used to integrate accounts on WeChat and MiTalk.
Aggregate information about users in China.
We link exposed Indian mobile numbers on Facebook and Twitter profile with their WhatsApp profiles.
We study comprehensiveness of additional information obtained.
3. Communicating the risk of identity information disclosure
Krishnamurthy et al, 2012
Privacy leaks could be prevented by alerting the users about information sharing vulnerabilities.
We communicate the risk to a set of users by calling them with the help of an IVR system.
We also study their reactions.
Methodology
Approach
Keyword Selection
Data Extraction / Collection
Data Validation
System architecture
[Figure: pipeline in three stages. Keyword selection (call, contact, ring); Data collection (Graph API: public users / posts with mobile numbers; Stream API: public bio / tweets with mobile numbers; regex patterns producing Category +91, Category 0 and Category void); Data validation (mobile number validation), feeding the Indian Mobile Number Database.]
Data statistics
Twitter: 12th October 2012 – 20th October 2013
Facebook: 16th November 2012 – 20th April 2013
Numbers          Category +91         Category 0           Category void        Total
                 Twitter   Facebook   Twitter   Facebook   Twitter   Facebook   Twitter   Facebook
Mobile Numbers   885       2,191      14,909    8,873      25,566    25,294     41,360    36,358
User profiles    1,074     2,663      17,913    9,028      31,149    25,406     49,817    36,588
85% 100% 85%
Analysis
Ownership Analysis
Ownership analysis: Methodology
[Flowchart: a post is classified as "Owner posted the number" or "Non-owner posted the number". Decision nodes: Has 1st person pronoun; Has 2nd / 3rd person pronoun; Frequent action words; Phrasal search; Bio / Name. Edge labels: Y, N.]
Ownership Analysis: Results
Social Network     Mechanism   Mobile Numbers   Total
Twitter: Owner     Bio         155              291/885 (33%)
                   Tweet       136
Non-owner          Tweet       18               18/885 (0.02%)
Facebook: Owner    Post        468              485/2191 (22%)
                   Name        17
Non-owner          Message     25               25/2191 (0.01%)
Users share their own mobile numbers on OSNs!
Source Analysis
Source analysis: Results
Which applications are used to share mobile numbers on Twitter?
[Pie chart. Legend entries recovered: Twitterfeed, TweetDeck. Slice values: 32%, 26%, 26%, 11%, 5%.]
Which applications are used to share mobile numbers on Facebook?
[Pie chart. Legend entries: Facebook mobile, Facebook for iPhones, Photos, Facebook for Android, HootSuite, Twitterfeed. Slice values: 50%, 15%, 14%, 8%, 12%, 1%.]
Users posted same mobile numbers on multiple OSNs !
32% numbers on Twitter were pushed from
Topographical Analysis
Topographical analysis: Methodology
[Figure: Indian mobile number XXXX - NNNNNN. Labels: Network operator; Telecom Zone/Circle; Subscriber number.]
Telecom Zone/Circle categories: Metro, A Circle, B Circle, C Circle. Annotations: High density; Largest population coverage; Smallest population coverage.
(Source: http://www.trai.gov.in)
Topographical analysis: Results
Telecom Circle    Category       # of Mobile Numbers
Delhi             Metropolitan   582
Mumbai            Metropolitan   312
Karnataka         “A” Circle     233
Punjab            “B” Circle     226
Rajasthan         “B” Circle     171
Andhra Pradesh    “A” Circle     164
Kerala            “B” Circle     158
Maharashtra       “A” Circle     140
Gujarat           “A” Circle     135
Tamil Nadu        “A” Circle     102
Users of metropolitan cities in India actively posted mobile numbers on OSNs !
Gender Analysis
Gender analysis: Results
Facebook Twitter
Total users 2,663 1,074
Gender available (G) 1,438 29
Females (F) 220 6
Males (M) 1,218 23
F/G 15% 20%
Females are conservative while sharing mobile numbers on OSNs !
Cross Syndication
Context Analysis
Context Analysis: Results
Facebook Tag Cloud
Twitter Tag Cloud
Emergency, marketing, escort and entertainment business are major contexts on OSNs !
Risk Assessment
Risk of Collation: Experiment 1
Methodology
[Flow diagram: Mobile Number; Store in Phone Address Book; Install and open; Last Seen time; Status.]
Penetration rate:
$p_{rate} = \frac{user_{exposed}}{user_{total}} = \frac{1{,}071}{3{,}076} = 34.8\%$
Risk of Collation: Experiment 1
Sample Status
Risk of Collation: Experiment 2
Details            User 1                                          User 2
Mobile Number      +9198xxxx5485                                   +9199xxxx2708
Full Name          xxxxxx Jeswani                                  x Gambhir
Age                53                                              23
Gender             Male                                            Male
Father’s Name      x x Jeswani                                     xx Gambhir
Address            ***, Mig Flats, *-block, xxxxx Vihar Phase-I    ***, xxxx Bagh, Delhi
ID                 Driving License: DL/04/xxx/222668               Voter ID: NLNxxx5696
Shared by Owner?   Yes                                             No
OCEAN: Open Government Data Repository
8 Delhi Users Identified Uniquely
Risk Communication
Experiment: IVR System Setup
Result: Callee Decision Tree
[Figure: decision tree of callee actions. Node labels: Call the Number; Call picked; Call not picked; Listen message; Listen Options; Posted purposefully; Didn’t know; Leave Feedback; FORM 1; Disconnect the Call. Values in extraction order: (2,492); 0.35 (867), 0.65 (1625); 0.61 (988), 0.39 (637); 0.48 (479); 0.20 (102); 0.21 (107), 0.59 (300); 0.23 (47), 0.77 (60); 1.0 (47); 0.52 (509).]
Feedback
“Thank you for information, I have deleted, I will not post my number online.”
“I want to know how to remove my number and I don't know, I haven't put my number purposely but if it is there, where exactly it is there I would also like to know that. Please get in touch with me asap. Thank you!”
“It is a very nice process that you are doing and making people aware about online frauds and telephone number frauds but your system is basically calling business houses”
Understanding user’s response: Ownership analysis
Ownership analysis on posts from users who said that they did not know that their number can be leaked (IVR option 1)
38.3% (41/107) of mobile numbers were posted publicly by their owners.
Inability of users to manage their privacy settings.
OR
Inadvertent disclosure of personal information (mobile number)
Evaluation: Interview
Mobile numbers from profiles on OSNs
Collating with e-government data repository (OCEAN)
8 users identified uniquely
Interview questions
Interviewed 8 people whom we uniquely identified.
To validate the information we had about them.
Inquire if they posted mobile number on OSN. If yes, then why? If no, then we informed them about the profile revealing their number and asked if they knew the person.
Will they remove the number, and why?
Feedback?
Interview results
# of callees
True positive (Valid information) 5/8
False positive 1/8
Declined to be interviewed 1/8
Did not pick up 1/8
Interview Response
Suspected that we got the information via offline sources.
Called their service provider to find out what harm we could do with this information about them.
Interview Response
Posted mobile number to be in touch with friends and relatives.
Expressed concerns of getting calls from unwanted people.
Posted mobile number to promote a small scale business.
Inquired and suggested some countermeasures.
Take Aways
Users share their own mobile numbers on OSNs.
Users post same mobile numbers on multiple OSNs.
Females are conservative while sharing mobile numbers on OSNs.
A publicly shared mobile number can expose sensitive details (age, ID, family details and full address) of its owner, from multiple sources.
We should communicate the risks of sharing mobile numbers online, to their owners. Few users were unaware of the online presence of their number.
Future work
Build generic technological, people- and process-oriented solutions to forewarn users and raise awareness of the risks of exposing mobile numbers on OSNs.
Acknowledgments
Paridhi Jain, PhD student, IIIT Delhi
Siddhartha Asthana, PhD student, IIIT Delhi
Anupama Aggarwal, PhD student, IIIT Delhi
Precog family
Publications and poster
Prachi Jain, Paridhi Jain, Ponnurangam Kumaraguru. Call Me MayBe: Understanding Nature and Risks of Sharing Mobile Numbers on Online Social Networks. ACM Conference on Online Social Networks (COSN) 2013
Prachi Jain, Ponnurangam Kumaraguru. Flash of Two Worlds. Security and Privacy Symposium (SPS) 2013
References
1. Paul Ohm. Broken promises of privacy: Responding to the surprising failure of anonymization. UCLA Law Review, 57:1701, 2010.
2. Prachi Jain, Paridhi Jain, and Ponnurangam Kumaraguru. Call me maybe: understanding the nature and risks of sharing mobile numbers on online social networks. In Proceedings of the first ACM conference on Online social networks, pages 101-106. ACM, 2013.
3. Gabriel Magno, Giovanni Comarela, Diego Saez-Trumper, Meeyoung Cha, and Virgilio Almeida. New kid on the block: Exploring the google+ social graph. In Proceedings of the 2012 ACM conference on Internet measurement conference, pages 159-170. ACM, 2012.
4. Latanya Sweeney. k-anonymity: A model for protecting privacy. International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems, 10(05):557-570, 2002.
5. Marco Balduzzi, Christian Platzer, Thorsten Holz, Engin Kirda, Davide Balzarotti, and Christopher Kruegel. Abusing social networks for automated user profiling. In Recent Advances in Intrusion Detection, pages 422-441. Springer, 2010.
6. Ratan Dey, Cong Tang, Keith Ross, and Nitesh Saxena. Estimating age privacy leakage in online social networks. In INFOCOM, 2012 Proceedings IEEE, pages 2836-2840. IEEE, 2012.
7. John D Burger, John Henderson, George Kim, and Guido Zarrella. Discriminating gender on twitter. In Proceedings of the Conference on Empirical Methods in Natural Language Processing, pages 1301-1309. Association for Computational Linguistics, 2011.
8. Tom N Jagatic, Nathaniel A Johnson, Markus Jakobsson, and Filippo Menczer. Social phishing. Communications of the ACM, 50(10):94-100, 2007.
9. Terence Chen, Mohamed Ali Kaafar, Arik Friedman, and Roksana Boreli. Is more always merrier?: a deep dive into online social footprints. In Proceedings of the 2012 ACM workshop on Workshop on online social networks, pages 67-72. ACM, 2012.
10. Huina Mao, Xin Shuai, and Apu Kapadia. Loose tweets: an analysis of privacy leaks on twitter. In Proceedings of the 10th annual ACM workshop on Privacy in the electronic society, pages 1-12. ACM, 2011.
11. Sebastian Schrittwieser, Peter Frühwirt, Peter Kieseberg, Manuel Leithner, Martin Mulazzani, Markus Huber, and Edgar Weippl. Guess who's texting you? Evaluating the security of smartphone messaging applications. In Proceedings of the 19th Annual Symposium on Network and Distributed System Security, 2012.
12. Yao Cheng, Lingyun Ying, Sibei Jiao, Purui Su, and Dengguo Feng. Bind your phone number with caution: automated user profiling through address book matching on smartphone. In Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security, pages 335-340. ACM, 2013.
13. Balachander Krishnamurthy. Privacy and online social networks: Can colorless green ideas sleep furiously? IEEE Security & Privacy, 11(3):14-20, 2013.
14. Zeynep Tufekci. Can you see me now? audience and disclosure regulation in online social network sites. Bulletin of Science, Technology & Society, 28(1):20-36, 2008.
Thank You!
For further information, please write to
[email protected] precog.iiitd.edu.in