US telecoms ‘selling cellphone data showing user locations in real time’

us-telecoms-selling-cellphone-data-showing-user-locations-in-real-time

09-01-19 01:23:00,

American telecommunications giants are selling access to their customers’ location data, leaving them exposed to being tracked by bounty hunters and others, a disturbing report by Motherboard has revealed.

T-Mobile, Sprint, and AT&T are reportedly among the companies whose data is being used to track phone locations, leaving mobile network users exposed without their knowledge.

US telecommunication companies sell user data to aggregator companies who then sell this information in turn to their own customers. The data can then be re-sold on the black market, where it could fall into the hands of criminals, stalkers and others.

Motherboard reporter Joseph Cox paid a bounty hunter to geolocate a target’s T-Mobile phone in his investigation into the location tracking practice. The bounty hunter’s contact was able to track the phone to the correct Queens neighborhood within a few hundred meters of its location. This was done without any hacking or previous knowledge of the owner’s location.

Tracking the target

T-Mobile shared user location data with a data aggregator company called Zumigo, which shares information with another company called Microbilt. Microbilt sells phone geolocation services to a number of private industries, like property managers, bail bondsmen and roadside assistance, company documents and sources revealed to Motherboard.

Using just a phone number, the company’s Mobile Device Verify can bring up the target’s name, address and phone location, either in a specific instance, or as a constant tracking service.  

Finding a phone will set you back a mere $4.95, but if you sign up to a package to track more phones the cost per phone will fall. To track someone’s real time location using their phone costs $12.95. In this case, a bounty hunter got a Microbilt customer to find the target’s phone, for $300.

Also on rt.com
German cyber watchdog says no evidence that Huawei spies

Microbilt customers can sell on the information they pay for to other sources, meaning the data can end up in anyone’s hands. Motherboard reports bounty hunters also use the geolocation to track their own ex’s.

Telcos sell customers’ real time location to one set of companies, that then sell it to an array of different industries: car rental,

 » Lees verder

Company Selling Real-Time Cell Phone Tracking Ends Up Leaking Location Data

Company Selling Real-Time Cell Phone Tracking Ends Up Leaking Location Data

19-05-18 07:46:00,

On Tuesday we covered a disturbing story from the New York Times and ZDnet.com detailing how some of the country’s largest cellular providers have been selling your real-time location information, allowing a Texas-based prison technology company, Securus, to track any phone “within seconds” – all without a warrant – through an intermediary called LocationSmart. 

Now, as KrebsOnSecurity reports, in addition to a story from Motherboard on a hacker which had broken into the Securus servers and stolen the usernames, email addresses, phone numbers and other information of 2,800 users – mostly law enforcement, it turns out that a flaw in LocationSmart’s tracking demo website gave anyone the ability to surveil anyone else’s cell phone on the open web.

Several hours before the Motherboard story went live, KrebsOnSecurity heard from Robert Xiao, a security researcher at Carnegie Mellon University who’d read the coverage of Securus and LocationSmart and had been poking around a demo tool that LocationSmart makes available on its Web site for potential customers to try out its mobile location technology. –KrebsOnSecurity

The demo, which has since been taken down, was a free service that would give anyone the approximate location of their own cell phones by entering their name, email address and phone number into a form. LocationSmart’s service would then text the supplied phone number and request permission to ping that device’s nearest cellular tower. Once consent was obtained, the service would then reveal the subscriber’s approximate latitude and longitude on a Google Street View map. 

As Krebs notes, “It also potentially collects and stores a great deal of technical data about your mobile device. For example, according to their privacy policy that information “may include, but is not limited to, device latitude/longitude, accuracy, heading, speed, and altitude, cell tower, Wi-Fi access point, or IP address information.” 

But according to Xiao, a PhD candidate at CMU’s Human-Computer Interaction Institute, this same service failed to perform basic checks to prevent anonymous and unauthorized queries. Translation: Anyone with a modicum of knowledge about how Web sites work could abuse the LocationSmart demo site to figure out how to conduct mobile number location lookups at will, 

 » Lees verder