Today the BBC published a story about Truecaller, an app that puts names to the phone numbers of people you do not know.
"If you download Truecaller you will never have to worry about saving contacts to your phone book, everything will be in the cloud," says Alan Mamedi, chief executive and co-founder of Truecaller.
But there is a small trick. Where do you think those numbers are coming from? From your contact list, of course. Once you’ve shared your contacts with the app, the company will use them to detect calls from your friends to other people.
"We have 200 million users globally. Just last year we went from 100 million users to 200 million. We've definitely seen an exponential growth globally, especially in the emerging markets," the company says.
This approach raises some privacy concerns, no doubt. But let’s talk about its security implications. If we can identify a person by their phone number and cross-match it with the person’s real name, we can probably use this app to brute-force phone numbers and get phone-name pairs. This means we can perform a targeted attack against this person (actually, against all 200 million of them). We can use social networks to build a complete profile with pictures, habits, friends, etc. just by having a phone number and a name. It would not be that easy without the phone number.
Besides, there are still a number of websites that use a phone number as a security question when resetting users’ passwords.
The bottom line: Truecaller seems to be a great app for fraudsters who use social engineering to scam other people.