Our digital fingerprints are composed of all the records we leave behind when using Internet-supported services. We have reached a point where these records allow us to identify ourselves almost uniquely. E-mail and telephone numbers are part of our digital identity and leave a trace of our identity every time we use them. The close relationship that currently exists between people and their phone number/email makes it possible to use these attributes to characterize or identify users. For this reason, it is common for digital service platforms to make use of these elements as authentication factors. In this paper we explore these two attributes: email and telephone number.
E-mail address
An e-mail address is the way in which incoming and outgoing message points are identified, which are associated with unique entities such as individuals, companies or organizations. Each e-mail address can only be assigned once, ensuring uniqueness in its access and consumption.
Nowadays it is almost impossible to access digital services without an email, being one of the most representative means of communication. It is a central point in our relationship with entities and people (i.e. banks, social networks, online payment systems, government entities, etc.). It is not common, therefore, to change the personal email address due to the cumbersome process of updating this data with the third parties with whom I interact.
Using the right tools, it is possible to extract information related to the use of an email, which allows to some extent to characterize its owner. These email profiling tools are valuable in the process of identifying and assessing risk, as long as they use open/legal information and comply with local data protection regulations.
Below, we list the information that can be obtained using mail profiling tools:
- Validity and existence of the email. Very useful in registration and onboarding processes to know if the email address really exists and it is not a fake or robotized registration attempt.
- Age of the e-mail address. An address that has been created recently may be more suspicious than one for which there is a record of use going back several years. An old usage record can be obtained, for example, from security leaks of databases.
- Social networks. It is possible to verify whether the e-mail address has been used to register on some social network platforms. Even on some of them – if the user has allowed its access – it is possible to extract name, date of registration and photograph. All this information can increase trust in an individual and the data they are providing.
- Presence on blacklists. In search of fraud prevention, private and public companies are increasingly open in sharing information about fraud or scams to strengthen the digital ecosystem. In many opportunities, blacklists containing e-mails related to scams and frauds are created. By searching these blacklists, it is possible to identify high-risk email addresses.
Phone Number
Similar to email, the phone number is linked to our digital fingerprint. In fact, it has become popular as a second authentication factor using OTPs (one-time passwords) sent via text message. In 2019, Google revealed security statistics on the use of the phone number as a second authentication factor [GOOGLE 2019]. According to the research, 100% of automated bots, 96% of mass phishing attacks and 76% of targeted attacks were blocked [GOOGLE 2019].
In addition to its potential as an authentication factor, it is also possible to profile the phone number to find related information about its bearer that can be used to identify risks or generate the necessary trust to access a product or service. Below, we list the information that can be obtained using phone number profiling tools:
- Number validity/existence.
- Service carrier.
- Country and in some cases city where the service is provided.
- Social Networking. It is possible to know the accounts that have the associated telephone number and from the accounts extract other information of a public nature (i.e. names, date of registration, nationality, profile picture, etc.).
Conclusion
Email and phone number are part of our digital footprint. Both are used as authentication strategies in conjunction with OTPs to strengthen the security of the digital ecosystem. From them it is also possible to extract information from a user to strengthen the identification and identity validation process, thus avoiding potential fraud.
Rubén Manrique
Bibliography
[PACHECO2021] El atributo digital como elemento de identificación. (https://reconoserid.com/el-atributo-digital-como-elemento-de-identificacion/) [GOOGLE2019] New research: How effective is basic account hygiene at preventing hijacking (https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html)
