KOCHI: You might have activated ‘Do Not Disturb’ (DND) mode on your mobile phone to keep service SMSes at bay. Yet, your inbox is filled with such messages. Perhaps, your number is among the millions of others that have landed on the dark web.
A Kochi-based cybersecurity startup recently found a file containing around 93 million phone numbers registered with the Telecom Regulatory Authority of India’s National Do Not Call Registry (NDNS) kept on sale on the Darknet. Technisanct found a database with around 93 million DND numbers in an Excel file during its routine research activities.
Nandakishore Harikumar, chief executive officer (CEO) of Technisanct, said their threat analysis team found the massive breach of data a couple of days back. The total file size is 10.5 GB and it is circulated on a data-sharing platform. The data has been placed on sale on the dark web for a price of fewer than 10 dollars.
“These data are to be shared only with registered telemarketing people and are supposed to be stored confidentially. According to our analysis, this leak must have happened somewhere around June or July 2019. There are multiple complaints registered with brands by individuals for making calls to DND numbers. Norms are being violated in handling DND numbers by the agency concerned. We did a random check of 300 numbers from the database and identified that they all are registered for DND,” he said.
Technisanct has shared the matter with Telecom Regulatory Authority of India (Trai), the Union Ministry of Communication and Information Technology and Indian Computer Emergency Response Team (CERT).
“We have shared complete details with the agencies concerned. Trai has to check whether any data hack has taken place. The DND numbers are to be shared only with the registered telemarketing firms,” Nandakishore said.
The DND numbers are maintained by the NDNS. A consumer has to send a message to block service calls and SMSes. In recent months, several users who have activated DND reported that they have been receiving service calls and messages.
“After going through the complaints on DND, we started searching such data on the dark web and hackers’ forums. The DND is supposed to be very confidential and not to be shared on any platforms. In the US, DNDs are well maintained, but it seems accessing DND numbers in India is an easy affair,” Nandakishore said. An email query did not elicit any response from Trai.
Renowned cyber forensic expert Vinod Bhattathripad said if DND mobile phone numbers are available on the dark web for sale, it might be hacked either from servers of telecom companies or from Trai.
“The DND system across the globe has become a failure as DND-enabled mobile phones still get the service messages. Usually, companies have to procure commercial SIM cards to sent service messages. However, once DND details are leaked, messages can be sent from even ordinary personal use SIM cards. A marketing agency that has not registered with Trai can also send SMSes using leaked details. The marketing agencies who have already registered with Trai may not able to use the hacked details as their messages will be blocked at the server itself. However, several telemarketing agencies are operating without any registration,” he said.
The ‘Do Not Disturb’ numbers are maintained by the NDNS. A consumer has to send a message to block service calls and SMSes. In recent months, several users who have activated DND reported that they have been receiving service calls and messages.