During a recent trip out of town, I met with a real estate broker to inquire about home prices in the area and also get a contact for a local attorney who may be able to help with purchasing property in a non-traditional, private manner. The broker I met worked for a well known firm, one that caters to high end clients worldwide. For the purpose of this article, her name was “Megan”, and she proved to be very knowledgeable about the area I visited and her business in general.
During my conversations with Megan she shared some general details about her her life, her history with her company, and some specific knowledge she had learned while living in the area. There was nothing unusual about her rapport building with a potential new client; she highlighted some areas of interest that we had in common, and shared just enough about herself to keep the conversation professional while still making the interaction unique and genuine. Of course, as a student of social engineering I paid close attention to the details she chose to share. And as an OSINT investigator, I found the last part of our interaction quite interesting. She thanked me for stopping in and handed me her business card. Printed on the card was a cell phone number. The area code for that number I recognized as a local area code in another State where she told me she had moved from prior to being hired at this real estate agency.
To be clear, she had not hand written the cell phone number on her business card…as if to only give it me. It was her official business card, and the only number printed on the card was a cell phone. Due to the area code, I guessed that it may be her actual personal cell number, probably one she had used for many years. This may be standard for some real estate brokers to do actually, so there’s nothing too unusual here. Until of course, that number falls into the hands of someone with a little knowledge about what a critical piece of information a cell phone number may be.
When I do privacy and security training, I always highlight the fact that a person’s cell phone number is often the digital equivalent to a fingerprint. Most people only have one cell phone number, and that account is likely tied to to their real name, real address, other online and offline accounts that are also in their real name, etc, etc. For many people, the same phone number they have on file with their bank, is also the same number that is tied to their social media accounts, other online accounts, their utilities, their emergency contact number, or the phone number on their business card that is handed to strangers on a daily basis.
A recent New York Times article described a cell phone number as “A 10 Digit Key Code To Your Private Life”. Please take a moment to read that article. It describes the many ways that a cell phone number can be the gateway to all sorts of other information about your life. As an investigator (or identity thief), if I had the choice of knowing either your Social Security Number or your personal cell phone number…I would always choose the cell phone number. Someone with the goal of obtaining information about you can compile a staggering amount of information based on that number alone. That personal information can be used to locate you, and do a lot of damage. Plus the information you give up by sharing your cell phone number is just down right creepy when you know that strangers have access to it.
I only spent about 10 minutes researching Megan’s cell phone number just to confirm my suspicion that it was in fact linked to real information. I reverse searched the number at https://www.truepeoplesearch.com/ and immediately saw that it was her personal number. The information returned with her complete current address and 20 years of previous addresses and phone numbers. It listed the names of her family members and their addresses and phone numbers. Within a few seconds I had all of this information including personal email addresses, work history, information about her neighbors, and inks to her social media accounts. This was all from just one online database. Google searches revealed even more; other online accounts, street maps, and seven years worth of personal photographs on her Instagram and Facebook profiles all of which were tagged with date/time/location information. During my conversation with Megan she mentioned that she owned a red Jeep, had a dog, and she showed me a video she had recently taken on her phone of the local scenery. She said the video was taken from her “bedroom window” within the past few days. The home address I researched on her (based on her phone number) combined with the street view of the area with a red Jeep in the driveway, confirmed which window she took the video from….and that same video had been posted to her social media account for reference (analysis) along with photos of her dog (good boy). My 10 minute exercise into her life quickly took me across several different online databases, connecting the dots and data points, and would have easily filled 30 pages of information and photos about her personal life. If I had spend another 10 minutes, or 10 days…imagine the amount of information that could be learned. Scary.
It should be noted that Megan did not own the property where she lived, and likely did not have utilities in her name . There was no pubic record of her being at her current address because she was a renter. Her current address was linked to her cell phone number across many databases though, which is one reason why that information was so easily found. Many renters falsely assume that their address is “hidden” because they are not a property owner. If their address is known to their cell phone provider or exists in other databases though, it is likely found online somewhere as a result.
Including a cell phone number on a business card is pretty common. Have a separate business number for that purpose, and don’t share your personal number. I know people who work in professions where their threat level is much higher than that of a real estate agent, who include their personal cell phone number on their business cards or in their email signatures. This is a terrible OPSEC if you are in a high risk profession like law enforcement, or if you value your privacy and want to better protect your personal information. Remember, a cell phone number can be the digital equivalent to a fingerprint…the gateway to volumes of personal information about you.
Compartmentalize which companies and which individuals have your information. If you only have one cell phone number, then your options are severely limited when someone asks you for this critical piece of information. Have multiple options available. Utilize apps like Sudo ( https://sudoapp.com/ ) which gives you multiple phone numbers for use in your privacy strategy. I hope this information encourages you to think carefully about how and who you share your cell phone number with, and also how you can change your approach to better protect your personal information.