Facebook's Phone Number Policy Could Push Users To Not Trust Two-Factor Authentication (vice.com)
An anonymous reader quotes a report from Motherboard: Using two-factor authentication, a security mechanism that requires a second step to log in to an account other than the password, is widely considered an essential measure to protect yourself online. Yet, only a small percentage of people use this feature, mostly because it can be burdensome and it's rarely required by default, leaving users with the responsibility to turn it on. Now, Facebook may have given people yet another reason not to bother. Last week, Emojipedia founder Jeremy Burge warned in a viral Twitter thread that anyone could look him up on Facebook using his phone number, which he provided to the social network in order to enable two-factor authentication. What's worse, it looks like there's no way to completely remove your phone number that Facebook has collected. If you check your privacy settings, under "Who can look you up using the phone number you provided?" there are only three options: Everyone, Friends of friends, and Friends. "Everyone" is the default.
Even if you remove your phone number from the two-factor authentication settings page, nothing changes in the privacy settings, indicating Facebook still has your phone number. This screw-up, intentional or not, could discourage adoption of two-factor authentication, leaving people at risk of getting hacked. Facebook's decision to use phone numbers that were given to it for a specific security purpose for reasons other than security is a betrayal, and is training people more broadly that turning over more personal information to an internet company for security features could backfire. "Phone number is such a private, important security link," Zeynep Tufekci, a professor at the University of North Carolina, Chapel Hill, who has worked with dissidents and human rights activists, wrote on Twitter. "But Facebook will even let you be targeted for ads through phone numbers INCLUDING THOSE PROVIDED *ONLY* FOR SECOND FACTOR AUTHENTICATION. Messing with 2FA is the anti-vaccination misinformation of security."
Re: Use a fake number (Score:2, Insightful)
You probably need to verify it once by SMS for facebook to accept it, no?
Re: (Score:1)
I don't think so. I kept getting a popup that asked if this was my number.
Re: Use a fake number (Score:4, Insightful)
Every time I use any different device or computer it complains that I logged in from an unknown device or computer. Even if I've used that computer or device many, many times in the past. Facebook and Google both don't seem to have a memory beyond 2 locations and they seem to forget about these over time if there is no activity from a location.
They both have major security holes in any case in that they want to save your password or provide a password-less login (every single damn time I go to Facebook it wants me to click the "remember me" for a password-less login).
Careful (Score:1)
I gave a fake email address to yahoo mail - they were buggering me about phone number or back up email every single time and then once, I was either tired of it or literally stuck. Then after yahoo was merged into 'Oath' I permanently lost access to my yahoo email.
Re: (Score:2)
Or.... just use a time-based authentication app for your 2FA
https://www.facebook.com/help/... [facebook.com]
Change All Your Shit (Score:4)
Change your shit. Name, address, remove posts unfriend people unsubscribe or whatever then leave your account dormant.
Let Facebook die a slow, painful death.
Re: (Score:1, Insightful)
you 'COULD' just delete your account.
Re: (Score:3)
They still datamine you via other people's accounts and companies that use facebook, when you get linked to that crap. Far safer to nuke facebook from orbit basically campaign for legislation to put them and their ilk out of business.
Re: (Score:2)
No, you can't. Oh, Facebook gives you a "delete" button, but it actually doesn't delete anything. One of the things that makes me happy that I never joined Facebook and never will.
Re: (Score:2)
You're doing it wrong. You have to join Facebook. It's an invaluable tool.
Of course, you have to be creative. I, for one, don't fill it with my uninteresting, boring real life. And I certainly don't "friend" any of the boring people I know. Instead, live an interesting life, rub shoulders with the best and greatest of your field, show off those pictures of you and them on vacation (Photoshop is one hell of a tool!), fake some insightful praise you get from them and make sure everyone visiting your page know
Facebook's continual privacy violations continue (Score:2)
Film at 11!
Re: Facebook's continual privacy violations contin (Score:2)
11Am or 11pm?
I don't think the kids got the message
DUH (Score:3, Insightful)
When will people get it.
NEVER supply information unless you have to and then supply as much false information as you can.
Use different email addresses for different purposes: work, family, friends and one you know will be spammed that can be given to sales people.
Re: (Score:2)
No. Give out one mail address per contact. It's trivial to aggregate them, so it's not really any hassle to you to collect your mail, but that way you immediately know if one of them is harvesting & selling.
It's intentional (Score:3, Insightful)
Of course it's intentional. Whenever Facebook tweaks settings or adds new features they always default to "Everyone" settings for search results - even for so-called security features. This is the only thing they've done consistently since they launched. When will people learn?
Same for Microsoft's phone number collection (Score:5, Informative)
He ultimately used the mobile number of some emergency pre-paid phone that had been residing for many months unused in his car. And guess what, only days after this use advertisement cold calls started showing up in the "missed call" history of this phone.
Let's face it: No matter what the big corporations tell you, they will sell whatever tiny piece of data you give to them.
Re: (Score:2, Insightful)
And even if the corporation does not sell the data, all it takes is one employee with access to the data to decide they would like to make a few extra dollars ..... and how many large companies do not have an employee who is spying for another company/government ?
Why? (Score:2)
Most of my friends use it (I have to admit), but I don't.
I do publicly gave FB my Real Name and phone number(!!), but that's it. Everything else is bogus. (I think I live on the night side of Sol, went to school on Pluto for a change.) I log in maybe once a year because something gives me a reward for doing so. I give an indirect FB promote "This Product Is Great" nag (I guess, never looked), and since I'm interested that's no
Re: (Score:1)
I identify as a third gender helicopter, and your comment is offending me. But I have many friends. I consider the files in /usr/share/lib as my friends.
Re: (Score:1)
Did you just ask why anyone would give their phone number to Facebook, and then tell us that you gave your number to Facebook - "I do publicly gave FB my Real Name and phone number(!!)."?
What part of the fact that "if your friends uploaded a contact list with your info, they also have this info, plus they know if you lied." did you miss?
I'm not sure I understand your point. I'm not sure if you have a point.
BETTER 2FA EXISTS Y'ALL.... !!! (Score:1)
Sorry folks but "phone number" is really SHITTY 2FA LIE.
All giving ANY and ALL entities your "phone number" does is allow them to TRACK and CONTROL the FUCK out of YOU.
Second, it is weak to BOTH...
1) Stolen phone
2) Hijacked phone number
Ever hear of TOTP protocol aka "Google Authenticator", it's a goddamned RFC even, look it the fuck up.
It is a shared TIME based code generator that WORKS flawlessly, and can work with ALL login apps, and is OPENSOURCE, and COSTS no one NOTHING because it DOES NOT require use
Phoney! (Score:2)
They want your phone number to more accurately ID you in advertising databases. This is all a cover story.
Re: (Score:2)
Oh, I very much believe that the threat these 2FA advocates warn about is quite real. That doesn't mean Facebook has any intention of treating the situation as anything more than an opportunity to sell verified cellphone numbers to robo-callers and malware-distributors alike, of course. These two threats aren't mutually exclusive. In fact, they're very likely to be closely related.
Re: (Score:3)
>"They want your phone number to more accurately ID you in advertising databases."
And to sell your phone number to marketing companies that will then spam the s*** out of your phone, no doubt. Or use it to harass you themselves, for whatever purpose they like. And, of course, to make sure that anonymity dies. I have been warning people this was coming with "two factor authentication" schemes that have ONLY mobile phones as the "choice" for second factor. For most purposes, you should be able to use a
Two factor authentication on Facebook? (Score:3)
Who turns on two factor authentication on Facebook?
Personally, I don't really care if somebody hacks my FB account. I don't depend on it for *anything* of importance in my life and I'm NOT giving up my phone number or much else beyond my Gmail account to FB or any of their advertisers. They don't have any correct information from me except for my name, and even that is a nickname, not my legal name.
Just don't do it. Social media isn't worth the trouble.
Well, my Facebook account isn't worth anything anyway. I am a member of only a few groups and don't link to very many "friends" in the first place so I have no contacts to give up. My Facebook information is basically fiction to start, with only enough facts (my name and a picture) so people who are looking for me can find me. There really isn't anything else.
Now, some of my friends and family have HUGE exposure... My half sister announced her kid's arrival, giving his full legal name and stats on the d
Did anyone fact check this article before posting? (Score:1)
Okay - I realise that is probably one of the stupidest questions to ever ask on Slashdot....
Not read the article but the permissions settings in the quoted extract did not ring true. So I checked. I have my phone number listed on facebook and the permissions are set to "only me". This means that unless there is a problem with the effectiveness of the permission settings in facebook (not an impossible scenario I'll grant you) nobody can get my phone number from facebook except me. Given that the phone numb
Re: (Score:1)
Historically the iPhone version has had more permissions features than the Android one, I think. Also, the article is clearly talking about the website, not an app.
Few of us trust it right now (Score:2)
It's not just that we don't trust FB, which we don't.
It's not just that we don't trust 2FA, which we don't.
It's that it violates our expectations and Constitutional Rights of Privacy.
For your information, there is nothing in the US Constitution that provides for a "right to privacy".
For that matter, there is not, and never has been, any such thing as "privacy" online. If you post something ANYWHERE, expect someone unexpected to see it, and use it in a way you didn't intend.
Re: (Score:2)
You do realize that ANY constitution is just a law - i.e. a contract of citizens with their own government, of citizens, by citizens and for citizens?
Not some holy scripture chiseled into stone tablets by a toenail of god or by a delusional schizophrenic suffering from heat stroke and exhaustion?
As such... being nothing but just a law, it is no different than any other law and it is subject to change just like all those other laws. Of which there are a bunch.
Hell, much of the privacy laws and arguments ca
Re: (Score:2)
I live in a state that has a Constitutional Right of Privacy.
Re: (Score:2)
Sure there is, and under that they found a Constitutional right to abortion. You're silly if you're only looking at words to see what your rights are.
Re: Lose trust for Two Factor Authentication (Score:2)
_Anything_ on a smartphone is insecure. If you want real 2FA you need a hardware token.
Blessing in Disguise (Score:5, Interesting)
Training people to be skeptical of SMS-based 2FA is good, because forced number porting is so trivial. Due to social engineering or policy, it's far too easy to steal someone's phone number or its associated mobile codes. Furthermore, most people have it set up to show texts when their phone is locked, which undermines the value of verification codes if their phone is stolen. Dongles or even biometrics are superior. An NFC dongle you could slip in your phone case could be a good compromise.
Re: Blessing in Disguise (Score:2)
Forced number porting is not the only problem with SMS based fake-2FA. The SS7 protocol that controls SMS is known to be insecure.
Consider the following, located with a 10 second Google search:
https://fedotov.co/ss7-hack-tu... [fedotov.co]
Stop Caring About These "Abuses". (Score:5, Insightful)
Stuff like this isn't an abuse. Hell, it isn't even a dark pattern.
THIS IS WHAT FACEBOOK WAS SET UP TO DO. IT'S SUCCESSFULLY EXECUTING ITS DESIGN.
The solution is to have nothing whatsoever to do with Facebook, to the extent that is possible.
Turn away from it, in the way you'd avoid a payday lender, a back-alley doctor, a furniture rental shop, or anyone else who has your ruin at heart, solely to advance their own interest.
Phone number requirements... (Score:2)
... It is driving me that many accounts require phone numbers these days. Even Google Voice when I am applying for THEIR numbers. Argh.
2FA is not inherently bad (Score:2)
...it only becomes sketchy when it's tied to a publicly-available token, such as a phone number. Tokens which don't have any public component, e.g. a Fido U2F token, are preferred...and, in fact, are in heavy use on the Facebook campus itself, by developers, moderators, etc. (Ask them why sometime.)
The only solution to the problem as described in the original article is to NOT provide them with a phone number, no matter how often they beg. And if they start forcing it, that's when the clueful will delete th
2FA is basically a scam. (Score:1)
It's the attempt to solve a social problem with technical means, which is going to backfire every time.
Use instead a good password policy, educate users.
To me, password is the link between /myself/ (i.e. my mind) and "the world out there" -- and I don't want some covert twisted wormholes around that. Dementia? My mind is gone? So is my password. Too bad.
Only if I /explicitly/ take steps to perennize it (basically by giving a slip o' paper to someone, or some electronic variant of that) it is perennized. By
A real consumer (Score:1)
I'll repeat myself: 2FA is primarily, a way to connect an account to a real consumer.
Stop wasting phone number digits (Score:4, Informative)
The international standards allow US phone numbers to have 5 more digits, so turn them into extensions. That would give everyone 100,000 extensions that their phone or carrier could manage. Turn it on and default all 10 digit numbers to the original ten plus 00000. Work can have the ten plus 99999. Friends get their own number which matches the last 5 of the number they use to call you. Everything else gets rejected.
Re: (Score:2)
If I give you my number and extension 48524, then my phone won't accept any call to that number except for your number with the proper extension and I know you leaked it because of your bad choice in social media.
Look people up by their password next? (Score:2)
Doesn't FB EULA basically boil down to:
1. You give us the right to collect everything you give us, everything we can collect from your phone, tablet, or PC
2. You give us unlimited rights to use any information we gather on you without any compensation
3. You give up any right to sue us over any damages you may feel we caused
I bet you can look people up by their FB password too, though that's probably a premium (read "paid") feature they sell to "partners" only.
"Shared secret" is an oxymoron (Score:2)
"Phone number is such a private, important security link,"
This is like saying 'never give out your IP address on the Internet', I'm not saying I like how they are using it, but you have to give out your phone number so people can call you. It is essentially public information. There's a few ways around that, but are still relatively complicated. I'm old enough to remember when you would get tons of sales calls on a new phone number since the phone company listed you by default in a big directory made out of cheap yellow paper. You could pay a fee to opt out of b
Impressive (Score:2)
The amount of stupidity and greed expressed in this is truly amazing.