Scammers abused Facebook phone number search

Facebook was warned by security researchers that attackers could abuse its phone number and email search facility to harvest people’s data.

On Wednesday, the firm said “malicious actors” had been harvesting profiles for years by abusing the search tool.

It said anybody that had not changed their privacy settings after adding their phone number should assume their information had been harvested.

One security expert told the BBC the attack had been possible “for years”.

How did the attack work?

Until Wednesday, Facebook let people search for their friends’ profiles by typing in a phone number or email address.

The company has now disabled the ability to search by phone number.
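The following simulation is an added illustration and is not from the BBC article nor Facebook's own code. It models a generic reverse phone-number lookup endpoint in two forms: the permissive design the article describes (any number resolves for any caller, with no limit), and a hardened one that honours a per-profile "who can look me up" setting and caps lookups per caller. The directory, names, numbers and the API shape are constructed for the example; nothing here describes Facebook's real implementation.

```python
"""Simulation of a reverse phone-number lookup endpoint, before and after hardening.

Constructed example: the directory, names, numbers and API shape are made up;
this is not Facebook's code and does not describe its real implementation.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, FrozenSet, List, Optional


class LookupSetting(Enum):
    """Who may resolve this profile from its phone number."""
    EVERYONE = "everyone"  # the permissive default the article describes
    FRIENDS = "friends"    # only existing friends get a match
    NOBODY = "nobody"      # the number never resolves to the profile


@dataclass(frozen=True)
class Profile:
    user_id: str
    name: str
    phone: str
    lookup: LookupSetting
    friends: FrozenSet[str]


# Constructed sample directory keyed by E.164 number (all values are fictional).
DIRECTORY: Dict[str, Profile] = {p.phone: p for p in [
    Profile("u1", "Alice Example", "+15550100001", LookupSetting.EVERYONE, frozenset({"u2"})),
    Profile("u2", "Bob Example",   "+15550100002", LookupSetting.FRIENDS,  frozenset({"u1"})),
    Profile("u3", "Carol Example", "+15550100003", LookupSetting.EVERYONE, frozenset()),
    Profile("u4", "Dan Example",   "+15550100004", LookupSetting.NOBODY,   frozenset()),
]}

LookupFn = Callable[[str, str], Optional[Profile]]


class RateLimited(Exception):
    """Raised when a caller exceeds its lookup budget."""


def permissive_lookup(caller: str, phone: str) -> Optional[Profile]:
    """The weak design: every number resolves for every caller, with no budget.

    A caller can walk an entire number block and recover every profile in it.
    """
    return DIRECTORY.get(phone)


class HardenedLookup:
    """Lookup that honours each profile's setting and caps lookups per caller."""

    def __init__(self, budget: int) -> None:
        self.budget = budget
        self.used: Dict[str, int] = {}

    def __call__(self, caller: str, phone: str) -> Optional[Profile]:
        # Count the attempt before answering so misses also consume budget;
        # otherwise a sweep over unassigned numbers would be free.
        self.used[caller] = self.used.get(caller, 0) + 1
        if self.used[caller] > self.budget:
            raise RateLimited(f"{caller} exceeded {self.budget} lookups")
        profile = DIRECTORY.get(phone)
        if profile is None:
            return None
        if profile.lookup is LookupSetting.EVERYONE:
            return profile
        if profile.lookup is LookupSetting.FRIENDS and caller in profile.friends:
            return profile
        return None  # NOBODY, or FRIENDS with a caller who is not a friend


def sweep_number_block(lookup: LookupFn, caller: str, count: int) -> List[str]:
    """Resolve every number in a constructed block and return the names exposed.

    This is the defender's view of what a single caller could collect from the
    endpoint; it stops as soon as the endpoint cuts the caller off.
    """
    exposed: List[str] = []
    for n in range(count):
        phone = f"+1555010{n:04d}"  # +15550100000 ... +15550100019 for count=20
        try:
            profile = lookup(caller, phone)
        except RateLimited:
            break
        if profile is not None:
            exposed.append(profile.name)
    return exposed


if __name__ == "__main__":
    print("permissive:", sweep_number_block(permissive_lookup, "stranger", 20))
    print("hardened  :", sweep_number_block(HardenedLookup(budget=50), "stranger", 20))
    print("budget=3  :", sweep_number_block(HardenedLookup(budget=3), "stranger", 20))
```

Running the block shows the permissive endpoint giving up all four profiles to a stranger, the hardened endpoint exposing only the two profiles still on the "everyone" setting, and a small budget cutting the sweep short. Note that a per-caller budget on its own is a weak control, because a harvester can spread lookups across many accounts; the setting that actually protects a profile is the per-user lookup restriction, which is why the article tells users who never changed that setting to assume their data was collected, and why removing the feature altogether was the eventual remedy.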

If I’ve got your number, so has Facebook

Suddenly lots of people are waking up and asking themselves questions about Facebook. How much data am I sharing with the social media giant? Did I really give permission for it to be collected and stored?

And, even more seriously, have I handed over my friends’ data to be stored on some Californian server?

I am one of those people and what I’ve discovered has left me somewhat shocked. Over the weekend I got hold of my Facebook data. It’s easy enough, you go to settings, then general account settings and click on download my data.

An hour or so later an email arrived with a link to click and I was downloading a 675MB folder chronicling all of my life on the network since I signed up in 2007.

Big numbers

At first sight there was nothing very troubling – I would expect all the photos and videos I’d ever posted to be there, and scrolling down my timeline provided an entertaining glimpse of my life over the last decade.

I did notice that for some years every song I’d listened to on Spotify was listed, a handy reminder that when you link any external app to Facebook it then gathers a lot more data about you.

But then I clicked on a file called contacts. I was taken aback to find my entire contact list, thousands of phone numbers. Now this was not limited to Facebook friends and included many people in the public eye who might be disturbed to find that their private numbers were stored in this way.

I cannot remember what happened when I set up my Facebook account back in 2007 – in those naive days I could well have clicked yes when invited to upload my contacts so that I could see who else was part of this new young community. So, my fault I suppose.

Then I noticed that at the top of the list were some numbers that cannot have been sucked into the Facebook machine a decade ago because I had only added them in recent weeks. They included, ironically, the mobile number of Carole Cadwalladr, the journalist who has blown open the whole story of Cambridge Analytica and Facebook.

So this means that every time I enter a new number into my phone’s database, it somehow ends up with Facebook – the company is in effect monitoring me.

This is not the most startling example of Facebook’s data collection. At least one user has reported that all of his text messages from an Android phone have somehow ended up being stored by Mark Zuckerberg’s company.

Even if Facebook users agree to share this data, their friends whose numbers or text messages are being collected almost certainly have not. And even if those people have never joined Facebook – or have decided to delete their accounts – it looks as though some of their data will stay with the social network as long as the people who provided it remain.

Facebook says that uploading your contacts is a normal part of signing up with many messaging or social apps – and insists that users are given a clear choice.

People are expressly asked if they want to give permission to upload their contacts from their phone – it’s explained right there in the apps when you get started. People can delete previously uploaded information at any time.

The company is right to say this is common practice. And if you think it is creepy that Facebook is storing this information, what about Apple’s iCloud where millions store their iPhone data, including their contacts?

In any case, Facebook insists it never shares this data with anyone else. The problem is that its business model, unlike Apple’s, depends on exploiting its users’ data. And given what they have learned over the last week about how that information may have been used, many Facebook users may not be inclined to give it the benefit of the doubt.

Tumblr deletes ‘Russian troll’ accounts

Blogging platform Tumblr has deleted 84 accounts it says Russian propagandists used to spread disinformation during the 2016 US election.

The accounts are believed to have been used by Russia’s Internet Research Agency (IRA) – an organisation linked to many different web-based campaigns.

Tumblr said it had uncovered the fake accounts while helping an official investigation into the IRA’s influence.

Last month, 13 Russians linked with the IRA were indicted by the US government.

The individuals were charged with trying to manipulate American voters via social media.

‘Incendiary claims’

Tumblr said after discovering the accounts’ Russian connections, it had:

  • shut them down
  • deleted all the posts they had made
  • notified US law enforcement agencies

But the continuing official investigation into the activities of the IRA had prevented it releasing details before now.

Tumblr said it would also let anyone who had interacted with the fake accounts know what had happened.

“We’re committed to transparency and want you to know everything that we know,” it said in a statement.

Tumblr said it would let individual users decide whether they wanted to delete the chains of links and comments they had added to the Russian posts, which were “often challenging or debunking the false and incendiary claims in the IRA-linked original post”.

And it would step up monitoring of its own service in an attempt to stop future abuse by state-backed trolls and propaganda units.

Other social media services have purged themselves of allegedly IRA-backed accounts in recent months.

Last year, Facebook said 120 Russian-backed pages had created 80,000 posts received by more than 29 million Americans directly.

The information reached many more as those initial viewers passed them on to others.

In December, Facebook introduced a tool that it said would let users know if they had interacted with the IRA-backed accounts.

Earlier this month, social-news network Reddit said it had removed “hundreds” of accounts it suspected of being used by the IRA.

In February, Twitter removed many thousands of so-called “bot” accounts it said were being used to artificially inflate the importance of messages sent by Russian social-media workers.

Billion euro cyber-suspect arrested in Spain

A cyber-crime mastermind suspected of stealing about £870m (€1bn) has been arrested in Spain.

The individual is alleged to be the head of the organised crime gang that ran the Carbanak and Cobalt malware campaigns that targeted banks.

Europol said the group had been active since 2013 and infiltrated more than 100 banks in that time.

Cash was siphoned off via bank transfers or dispensed automatically through cash machines.

Luxury goods

The arrest was a “significant success” against a top cyber-crime group, Steven Wilson, head of Europol’s Cyber-Crime Centre (EC3), which co-ordinated the long-running, cross-border investigation into the group, said in a statement.

“The arrest of the key figure in this crime group illustrates that cyber-criminals can no longer hide behind perceived international anonymity,” he said.

The cyber-thieves got their malware on to bank networks by sending key staff booby-trapped phishing emails, said Europol. The gang used three separate generations of malware, each one more sophisticated than the last, to penetrate and then lurk on financial networks.

Once the machines of key staff were compromised, the gang used their remote access to banking networks to steal money in several different ways.

  • cash machines were ordered to remotely dispense money at specific times – letting mules and other gang members scoop up the notes
  • inter-bank money transfer systems were instructed to move cash into criminal accounts
  • databases were altered to increase account balances. Mules then removed the money via cash machines

Money was laundered via crypto-currencies and payment cards, which were used to buy luxury goods including cars and houses.

Europol, the FBI, cyber-security firms and police forces in Spain, Romania, Belarus and Taiwan all collaborated to track down the gang, said the European policing agency.

Sensor firm Velodyne ‘baffled’ by Uber self-driving death

The firm that designed the sensors on the Uber self-driving car that killed a woman this week has said its technology was not to blame.

San Jose-based Velodyne told the BBC it was “baffled” by the incident, adding its equipment was capable of seeing in the dark.

Elaine Herzberg, 49, was struck by the car late on Sunday night in Tempe, Arizona. She died in hospital.

The investigation into what caused her death is ongoing.

Video of the incident was published by investigators earlier on Wednesday. It showed Ms Herzberg walking with her bicycle, away from a pedestrian crossing. Neither the car – nor its human driver – reacted.

A spokeswoman for Uber told the BBC it would not comment on Velodyne’s view while the inquiry took place.

‘Can see perfectly well’

Velodyne’s Lidar sensors are used by a number of companies testing self-driving cars on public roads today.

Lidar is a type of radar that essentially gives the car the ability to “see” what is around it.

Velodyne Lidar president Marta Hall told the BBC it would not be advising its customers to halt tests in the wake of the Arizona death because “we do not believe the accident was due to Lidar”.

Instead, the company is pointing to Uber’s on-board computer as potentially being to blame, Ms Hall said.

“Our Lidar can see perfectly well in the dark, as well as it sees in daylight, producing millions of points of information.

“However, it is up to the rest of the system to interpret and use the data to make decisions. We do not know how the Uber system of decision-making works.”

Software accusation

While it makes use of third-party hardware, Uber’s self-driving cars use software developed in house.

Uber has suspended its self-driving programme – which was taking place in four US cities – until it knows more about what happened.

The firm’s chief executive Dara Khosrowshahi said of the incident: “We’re thinking of the victim’s family as we work with local law enforcement to understand what happened.”

Velodyne said it had not been in contact with Uber about the incident, but was in the process of preparing to speak to investigators.

The National Traffic Safety Board said it was working on a preliminary report to be published within the next few weeks – a fuller conclusion will not be made for several months.

Ms Hall added: “We are very sad, sorry, and worried for the future of a project which is intended to save lives.”

Follow Dave Lee on Twitter @DaveLeeBBC

Elon Musk pulls Tesla and SpaceX from Facebook

Entrepreneur Elon Musk has had the official Facebook pages for his Tesla and SpaceX companies deleted.

The #deletefacebook movement has grown after data firm Cambridge Analytica was accused of obtaining the personal information of about 50 million users.

Mr Musk had poked fun at speaker brand Sonos after it said it would suspend advertising on Facebook for one week.

His followers challenged him to have his own companies’ pages deleted, which he did within minutes.

What’s Facebook?

— Elon Musk (@elonmusk) March 23, 2018

Mr Musk said he “didn’t realise” that his SpaceX brand had a Facebook page. “Literally never seen it even once,” he wrote on Twitter. “Will be gone soon.”

Another follower pointed out his firm Tesla also had a profile on the social network.

“Looks lame,” he replied. Both profiles disappeared within minutes of his posts.

The pages had more than 2.5 million followers each before they were deactivated.

In 2016, Facebook used SpaceX to launch a new communications satellite valued at more than $200m (£150m).

However, the rocket exploded on the launch pad and destroyed the satellite.

After a reporter tweeted that “@elonmusk blew up Mark Zuckerberg’s satellite”, Mr Musk replied: “Yeah, my fault for being an idiot. We did give them a free launch to make up for it and I think they had some insurance.”

He said he would continue to use Facebook-owned Instagram for the time being, but lamented “FB influence is slowly creeping in”.

Tech Tent: Facebook’s data privacy crisis

What have we learned this week about the dangers of sharing our lives on Facebook – and can we now take back control?

  • Stream or download the latest Tech Tent podcast
  • Listen live every Friday at 15:00 GMT on the BBC World Service

This week’s Tech Tent explores how the biggest crisis in the social media company’s history has unfolded – and asks what might happen next. Will Facebook really change its ways, or will regulators have to step in and make it be more transparent about how it uses our data?

After all, according to one of our guests, Emma Mulqueeny, it and other platforms “utilised the easiest business model they could and closed their eyes and crossed their fingers that it would be too annoying, too complicated or too late by the time people started wanting to take control of their own data”.

Some people have now decided to take to the courts to assert their rights over their own data. Among them is a US citizen, Prof David Carroll. He is taking Cambridge Analytica to court in the UK to get access to data he says it holds on him.

The company, which acquired the Facebook profiles of 50 million people from an academic researcher, boasted in the past that it had 4,000-5,000 data points on just about every American citizen.

Prof Carroll tells Tech Tent that this boast inspired him to demand his file, but what he received from the company was “alarming but not complete”: a model of the political beliefs he probably held and his likelihood to vote.

Convinced that there must be far more data, he went to court to seek it – not in the United States but in the UK, where the law is more friendly to this kind of case. With Europe’s major new data protection law, GDPR, arriving in May, we can expect more cases to cross the Atlantic.

In the meantime, some people have decided the only answer is to get off Facebook – although whether the fact that #deletefacebook has been trending says anything about the numbers actually leaving is open to doubt.

And for many people in developing countries, where Facebook is synonymous with the internet, that will not look like a good option. But for Marieme Jamme, a Senegal-born entrepreneur and founder of a movement which aims to give African girls skills in computing and technology, that is another reason why Facebook’s power needs to be curbed.

She tells us that governments across Africa have seen just how much influence the social network has and are spending big money to use it to try to swing elections. “We open our doors to Facebook,” she tells us. “The average African spends six to seven hours on it. I’m not saying it’s 100% bad, but we need to regulate it and at the moment there is no regulation.”

In Africa and elsewhere, there are now growing calls for Facebook’s wings to be clipped. The coming weeks will show whether this really has been a lightbulb moment where two billion Facebook users wake up to the dangerous bargain they have struck with the social network – or whether they go on sharing their data with not a care in the world.

KeepVid scraps YouTube-ripping function in favour of legal approach

A popular website that let people save or “rip” videos from services such as YouTube has unexpectedly turned into a copyright advocacy site.

KeepVid let people download copies of videos that could not officially be saved from YouTube, Vimeo and others.

But the service has now been removed from its website and replaced by a page of guidance on terms and conditions.

The terminology used suggests it has now become aware of legal restrictions on downloading from sharing sites.

Journey of discovery

In an update to its website, KeepVid said it had discovered that ripping videos from YouTube was against the site’s terms and conditions.

“KeepVid unveils that users aren’t allowed to download videos from YouTube,” it said.

It revealed that “there are many video-sharing sites in the market” and offered to “introduce” visitors to services such as Netflix and Spotify.

It said it had “found out” that Netflix was “a very popular place to watch and download videos to your computer”.

Download by subscription

KeepVid was often the top search result for people who were looking for a way to rip videos from YouTube and Vimeo.

For a majority of videos, YouTube does not offer an official way for people to download and keep them.

However, subscribers to its premium tier, YouTube Red, can download videos to watch offline within the YouTube app.

KeepVid operated its service for free on its website and through paid software called KeepVid Pro. Both services have been discontinued.

The company has not explained why it has decided to close its service. However, it said it hoped the video market would be “organised to meet people’s requirements”.

“Video downloading will become possible if the video download tools and video sharing platforms reach an agreement about downloading videos,” it said.

DeepMind explores inner workings of AI

As with the human brain, the neural networks that power artificial intelligence systems are not easy to understand.

DeepMind, the Alphabet-owned AI firm famous for teaching an AI system to play Go, is attempting to work out how such systems make decisions.

By knowing how AI works, it hopes to build smarter systems.

But researchers acknowledged that the more complex the system, the harder it might be for humans to understand.

The fact that the programmers who build AI systems do not entirely know why the algorithms that power them make the decisions they do is one of the biggest issues with the technology.

It makes some wary of it and leads others to conclude that it may result in out-of-control machines.

Complex and counter-intuitive

Just as with a human brain, neural networks rely on layers of thousands or millions of tiny connections between neurons, clusters of mathematical computations that act in the same way as the neurons in the brain.

These individual neurons combine in complex and often counter-intuitive ways to solve a wide range of challenging tasks.

“This complexity grants neural networks their power but also earns them their reputation as confusing and opaque black boxes,” wrote the researchers in their paper.

According to the research, a neural network designed to recognise pictures of cats will have two different classifications of neurons working in it – interpretable neurons that respond to images of cats and confusing neurons, where it is unclear what they are responding to.

To evaluate the relative importance of these two types of neurons, the researchers deleted some to see what effect it would have on network performance.

They found that neurons that had no obvious preference for images of cats over pictures of any other animal play as big a role in the learning process as those clearly responding just to images of cats.

They also discovered that networks built on neurons that generalise, rather than simply remembering images they had been previously shown, are more robust.

“Understanding how networks change… will help us to build new networks which memorise less and generalise more,” the researchers said in a blog.

“We hope to better understand the inner workings of neural networks, and critically, to use this understanding to build more intelligent and general systems,” they concluded.

However, they acknowledged that humans may still not entirely understand AI.

DeepMind research scientist Ari Morcos told the BBC: “As systems become more advanced we will definitely have to develop new techniques to understand them.”

Craigslist drops dating ads after new law

Classified advertising website Craigslist has closed its dating ads section in the US, in response to a new bill against sex trafficking.

The bill states that websites can now be punished for “facilitating” prostitution and sex trafficking.

Ads promoting prostitution and child sexual abuse have previously been posted in the “personals” section of Craigslist.

The company said keeping the section open in the US was too much of a risk.

In a statement, Craigslist said the new law would “subject websites to criminal and civil liability when third parties (users) misuse online personals unlawfully”.

“Any tool or service can be misused. We can’t take such risk without jeopardising all our other services, so we are regretfully taking Craigslist personals offline,” it said.

In March, the US Congress passed the Allow States and Victims to Fight Online Sex Trafficking Act (Fosta). It will apply to all states in the US.

Websites are not usually held responsible for the content that members post – as long as illegal material is removed as soon as the service provider is made aware.

However, the bill states that “websites that facilitate traffickers in advertising the sale of unlawful sex acts” should not be protected.

It imposes fines and prison terms for those who own or operate a website that facilitates prostitution.

On Thursday, social network Reddit also banned its escorts message board.

It said “paid services involving physical sexual contact” were against its latest policies.