Thailand Mobile Network Operators Do Not Care About Your Privacy

Prem Sichanugrist
Sikachu's Blog
Oct 2, 2017


Translation: “Your phone has signed up with K PLUS using phone number XX-XXX-XXXX which is not the same number that your operator sent us”.

Recently, you might have heard in the news that a lot of people were tricked into subscribing to a third-party subscription just by clicking on a link. Given that the web server would only see your IP address, there are only two plausible explanations for how they could find out your real mobile number to create the subscription:

  1. They generated a unique link tied to a mobile number, then sent that unique link to each mobile number.
  2. They used an “internal” API to look up your phone number based on your IP address.

In this particular case, method 1 seems like the plausible explanation. They actually claimed that people “consented” to subscribe to their service just by clicking on the link. While that is considered “legal” (as it’s not regulated), I think it’s a very shady business practice. As mobile users in Thailand, we really should not settle for this and should keep asking for new regulation to control this¹.

However, I actually want to talk about method 2: an internal (or backend) API that can be used to look up your phone number.

Identifying the Customer

Imagine you are running an MNO and you want your customers to be able to manage their service and billing without having to call the customer support number.

Before the boom of the smartphone, most of these services were provided through IVR or USSD. There was no problem identifying the customer back then, because the cellular network itself tells you who is calling. Nowadays, many customers with smartphones manage their service through an app, which performs (hopefully) HTTPS requests to an API. To give access to the customer’s account without a password login, the MNO has to create a way to identify the customer from the request’s IP address.

Personally, I think this lookup table is acceptable for internal use. If I’m using a service provided by operator D, they should be able to have a way for their internal apps to identify my customer account based on my IP address.

However, it’s not just your operator that can look up your phone number using your mobile internet IP address.

Convenience vs. Privacy

I can’t argue that it’s convenient for me not to have to log in when I access my MNO’s app. However, I believe it’s an issue when all Thai MNOs provide a way for a third party to look up my phone number from my IP address without my consent.

Thai MNOs aren’t actually advertising this feature, nor telling their customers that it exists. The only reason many people know this API exists is that some banks are actually using this “partner” API as a security feature² to match the phone number of the device their customers are using against the one they have on file.

I believe no one outside those companies knows who has access to this API, nor is there any documentation on how secure this API is. Given the track record, it’s hard to believe that these MNOs would implement things in the most secure way possible. There’s currently no way for any customer to opt out of this service, which raises a privacy concern about who can access this data.

Here Comes the Darkness

In good faith, I hope that MNOs do some vetting before letting anybody access this data, and that they know how sensitive this data is³. I was able to come up with a few scenarios where it would be bad if someone could look up your phone number when you are just visiting a website:

  • Advertisers can look up your phone number from your IP address, then later call or SMS-spam you based on, say, the websites you looked at (travel, insurance, etc.).
  • Online retailers can use your phone number to match your loyalty card profile and know what you were looking at without having you log in.
  • Hackers could try to phish more information out of you through social engineering once they know your phone number.

Light at the End of the Tunnel

Here are my suggestions on how MNOs should implement and fix this issue:

  • Have a disclaimer stating that someone can actually identify your phone number when you access sites using mobile internet.
  • Implement a feature that asks for my consent, through SMS or some other medium, before sharing my phone number with a third-party service that tries to look up my number.
  • Allow customers to opt out of this feature if they so choose.
  • Optionally, release API documentation for this functionality so that security researchers can make sure it’s secure.
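As an added illustration of the controls suggested above (this is example code written for this page, not code from the original post or from any Thai MNO), here is a toy Ruby model of the partner lookup API with the proposed gates in front of it: only vetted partners may call it, the subscriber must have granted consent to that specific partner, a global opt-out overrides any consent, and every query is written to an audit trail the subscriber can review. All IP addresses, phone numbers and partner names are constructed placeholders, and the in-memory hash stands in for the operator’s real IP-to-subscriber mapping.

```ruby
require "set"
require "time"

# Toy model of an MNO subscriber lookup service. The IP-to-number table,
# partner names and numbers below are constructed for illustration only.
class SubscriberLookup
  # Constructed sample mapping from mobile-data IP address to phone number
  # (MSISDN). A real operator derives this from the cellular core network.
  IP_TO_MSISDN = {
    "10.0.0.12" => "0800000001",
    "10.0.0.57" => "0800000002",
  }.freeze

  attr_reader :audit_log

  # vetted_partners: names of third parties the operator has reviewed.
  def initialize(vetted_partners)
    @vetted_partners = Set.new(vetted_partners)
    @opted_out = Set.new                                   # msisdn
    @consents = Hash.new { |h, msisdn| h[msisdn] = Set.new } # msisdn => partners
    @audit_log = []
  end

  # Internal use by the operator's own self-service app (the post accepts
  # this use): identify the account from the request IP, no consent needed.
  def internal_lookup(ip)
    msisdn = IP_TO_MSISDN[ip]
    record(:internal, "self-service-app", ip, msisdn, msisdn ? :ok : :unknown_ip)
    msisdn
  end

  # Subscriber controls: a global opt-out, or consent per partner.
  def opt_out(msisdn)
    @opted_out << msisdn
  end

  def grant_consent(msisdn, partner)
    @consents[msisdn] << partner
  end

  def revoke_consent(msisdn, partner)
    @consents[msisdn].delete(partner)
  end

  # Partner lookup: the number is disclosed only when every gate passes.
  # Failures are indistinguishable to the caller (nil) but are audited.
  def partner_lookup(partner, ip)
    msisdn = IP_TO_MSISDN[ip]
    outcome =
      if !@vetted_partners.include?(partner) then :partner_not_vetted
      elsif msisdn.nil?                       then :unknown_ip
      elsif @opted_out.include?(msisdn)       then :subscriber_opted_out
      elsif !@consents[msisdn].include?(partner) then :no_consent
      else :ok
      end
    record(:partner, partner, ip, msisdn, outcome)
    outcome == :ok ? msisdn : nil
  end

  # Transparency for the subscriber: which partners actually received
  # their number, and when.
  def disclosures_for(msisdn)
    @audit_log.select { |e| e[:kind] == :partner && e[:msisdn] == msisdn && e[:outcome] == :ok }
  end

  private

  def record(kind, caller, ip, msisdn, outcome)
    @audit_log << {
      at: Time.now.utc.iso8601, kind: kind, caller: caller,
      ip: ip, msisdn: msisdn, outcome: outcome,
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  svc = SubscriberLookup.new(%w[bank-example])
  p svc.partner_lookup("bank-example", "10.0.0.12")   # nil: no consent yet
  svc.grant_consent("0800000001", "bank-example")
  p svc.partner_lookup("bank-example", "10.0.0.12")   # "0800000001"
  p svc.partner_lookup("ad-network", "10.0.0.12")     # nil: partner not vetted
  svc.opt_out("0800000001")
  p svc.partner_lookup("bank-example", "10.0.0.12")   # nil: opt-out wins
  svc.audit_log.each { |e| p e }
end
```

The point of the model is the ordering of the gates: an unvetted partner is rejected before the table is even consulted, and the subscriber's opt-out takes precedence over any consent previously given, so the operator can honour a "stop sharing my number" request without having to track down every partner grant. The audit log records refused queries as well as successful ones, which is what a security team would need to notice a partner probing addresses it has no business with.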

I hope that I have convinced you that this is a real concern, and that our MNOs should protect the privacy of their customers much more than they currently do.

  1. To be honest, we’ve solved this already with email — two-step consent. The MNO can ask for authorization via SMS before adding a new subscription to an account when it receives a billing item from a content provider. ↩︎
  2. I say that with tongue in cheek, because it has already been proven that someone could trick your Thai MNO into reissuing a new SIM card, with your number, without your consent. This feature actually annoys many customers more than it helps them, and it is no more secure than sending an OTP through SMS. ↩︎
  3. To me, a phone number is confidential information which I only share with people I trust. ↩︎


Senior Developer at Degica. I also contribute to open source projects, mostly in Ruby.