Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Facebook Privacy Security Social Networks The Internet

Facebook's Phone Number Policy Could Push Users To Not Trust Two-Factor Authentication (vice.com) 97

An anonymous reader quotes a report from Motherboard: Using two-factor authentication, a security mechanism that requires a second step to login into an account other than the password, is widely considered an essential measure to protect yourself online. Yet, only a small percentage of people use this feature, mostly because it can be burdensome and it's rarely required by default, leaving users with the responsibility to turn it on. Now, Facebook may have given people yet another reason not to bother. Last week, Emojipedia founder Jeremy Burge warned in a viral Twitter thread that anyone could look him up on Facebook using his phone number, which he provided to the social network in order to enable two-factor authentication. What's worse, it looks like there's no way to completely remove your phone number that Facebook has collected. If you check your privacy settings, under "Who can look you up using the phone number you provided?" there are only three options: Everyone, Friends of friends, and Friends. "Everyone" is the default.

Even if you remove your phone number from the two-factor authentication settings page, nothing changes in the privacy settings, indicating Facebook still has your phone number. This screw-up, intentional or not, could discourage adoption of two-factor authentication, leaving people at risk of getting hacked. Facebook's decision to use phone numbers that were given to it for a specific security purpose for reasons other than security are a betrayal, and is training people more broadly that turning over more personal information to an internet company for security features could backfire.
"Phone number is such a private, important security link," Zeynep Tufecki, a professor at the University of North Carolina, Chapel Hill, who has worked with dissidents and human rights activists, wrote on Twitter. "But Facebook will even let you be targeted for ads through phone numbers INCLUDING THOSE PROVIDED *ONLY* FOR SECOND FACTOR AUTHENTICATION. Messing with 2FA is the anti-vaccination misinformation of security."
This discussion has been archived. No new comments can be posted.

Facebook's Phone Number Policy Could Push Users To Not Trust Two-Factor Authentication

Comments Filter:
  • by sycodon ( 149926 ) on Monday March 04, 2019 @05:52PM (#58215686)

    Change your shit. Name, address, remove posts unfriend people unsubscribe or whatever then leave your account dormant.

    Let Facebook die a slow, painful death.

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      you 'COULD' just delete your account.

      • by rtb61 ( 674572 )

        They still datamine you via other people's accounts and companies that use facebook, when you get linked to that crap. Far safer to nuke facebook from orbit basically campaign for legislation to put them and their ilk out of business.

      • you 'COULD' just delete your account.

        No, you can't. Oh, Facebook gives you a "delete" button, but it actually doesn't delete anything. One of the things that makes me happy that I never joined Facebook and never will.

        • You're doing it wrong. You have to join Facebook. It's an invaluable tool.

          Of course, you have to be creative. I, for one, don't fill it with my uninteresting, boring real life. And I certainly don't "friend" any of the boring people I know. Instead, live an interesting life, rub shoulders with the best and greatest of your field, show off those pictures of you and them on vacation (Photoshop is one hell of a tool!), fake some insightful praise you get from them and make sure everyone visiting your page know

  • DUH (Score:3, Insightful)

    by Anonymous Coward on Monday March 04, 2019 @05:59PM (#58215748)

    When will people get it.
    NEVER supply information unless you have to and then supply as much false information as you can.
    Use different email addresses for different purposes, work, family, friends and one you know will be spammed that can be give to sales people.

    • No. Give out one mail address per contact. It's trivial to aggregate them, so it's not really any hassle to you to collect your mail, but that way you immediately know if one of them is harvesting&selling.

  • Free text messaging app... free numbers, cheap android phone.. no problemo :)
  • It's intentional (Score:3, Insightful)

    by Anonymous Coward on Monday March 04, 2019 @06:03PM (#58215770)

    This screw-up, intentional or not, could discourage adoption of two-factor authentication, leaving people at risk of getting hacked.

    Of course it's intentional. Whenever Facebook tweaks settings or adds new features they always default to "Everyone" settings for search results - even for so-called security features. This is the only thing they've done consistently since they launched. When will people learn?

  • by ffkom ( 3519199 ) on Monday March 04, 2019 @06:05PM (#58215782)
    A friend of mine created a "live.com" account just to play some games on an Xbox. Microsoft insisted on him providing an actual mobile phone number to short message some code to - and most suspiciously refused any phone number powered by one of the many SMS-to-IP gateways.
    He ultimately used the mobile number of some emergency pre-paid phone that had been residing for many months unused in his car. And guess what, only days after this use advertisement cold calls started showing up in the "missed call" history of this phone.

    Let's face it: No matter what the big corporations tell you, they will sell whatever tiny piece of data you give to them.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      And even if the corporation does not sell the data, all it takes is one employee with access to the data to decide they would like to make a few extra dollars ..... and how many large companies do not have an employee who is spying for another company/government ?

  • Why would you give FB your phone number? Why would you give FB ANYTHING?

    Most of my friends us it (I have to admit), but I don't.

    I do publically gave FB my Real Name and phone number(!!), but that's it. Everything else is bogus. (I think I live on the night side of Sol, went to school on Pluto for a change.) I log in maybe once a year because something gives me a reward for doing so. I give an indirect FB promote "This Product Is Great" nag (I guess, never looked), and since I'm interested that's no
    • by Anonymous Coward

      Did you just ask why anyone would give their phone number to Facebook, and then tell us that you gave your number to Facebook - "I do publically gave FB my Real Name and phone number(!!)."?

      What part of the fact that "if your friends uploaded a contact list with your info, they also have this info, plus they know if you lied." did you miss?

      I'm not sure I understand your point. I'm not sure if you have a point.

  • by Anonymous Coward

    Sorry folks but "phone number" is really SHITTY 2FA LIE.
    All giving ANY and ALL entities your "phone number" does is allow them to TRACK and CONTROL the FUCK out of YOU.
    Second, it is weak to BOTH...
    1) Stolen phone
    2) Hijacked phone number

    Ever hear of TOTP protocol aka "Google Authenticator", it's a goddamned RFC even, look it the fuck up.
    It is a shared TIME based code generator that WORKS flawlessly, and can work with ALL login apps, and is OPENSOURCE, and COSTS no one NOTHING because it DOES NOT require use

  • They want your phone number to more accuratey ID you in advertising databases. This is all a cover story.

    • Oh, I very much believe that the threat these 2FA advocates warn about is quite real. That doesn't mean Facebook has any intention of treating the situation as anything more than an opportunity to sell verified cellphone numbers to robo-callers and malware-distributors alike, of course. These two threats aren't mutually exclusive. In fact, they're very likely to be closely related.

    • >"They want your phone number to more accuratey ID you in advertising databases."

      And to sell your phone number to marketing companies that will then spam the s*** out of your phone, no doubt. Or use it to harass you themselves, for whatever purpose they like. And, of course, to make sure that anonymity dies. I have been warning people this was coming with "two factor authentication" schemes that have ONLY mobile phones as the "choice" for second factor. For most purposes, you should be able to use a

  • by bobbied ( 2522392 ) on Monday March 04, 2019 @06:22PM (#58215928)

    Who turns on two factor authentication on Facebook?

    Personally, I don't really care if somebody hacks my FB account. I don't depend on it for *anything* of importance in my life and I'm NOT giving up my phone number or much else beyond my Gmail account to FB or any of their advertisers. They don't have any correct information from me except for my name, and even that is a nickname, not my legal name.

    Just don't do it. Social media isn't worth the trouble..

    • Comment removed based on user account deletion
      • Well, my Facebook account isn't worth anything anyway. I am a member of only a few groups and don't link to very many "friends" in the first place so I have no contacts to give up. My Facebook information is basically fiction to start, with only enough facts (my name and a picture) so people who are looking for me can find me. There really isn't anything else.

        Now, some of my friends and family have HUGE exposure... My half sister announced her kid's arrival, giving his full legal name and stats on the d

  • Okay - I realise that is probably one of the stupidest questions to ever ask on Slashdot....

    Not read the article but the permissions settings in the quoted extract did not ring true. So I checked. I have my phone number listed on facebook and the permissions are set to "only me". This means that unless there is a problem with the effectiveness of the permission settings in facebook (not an impossible scenario I'll grant you) nobody can get my phone number from facebook except me. Given that the phone numb

    • Historically the iPhone version has had more permissions features than the Android one, I think. Also, the article is clearly talking about the website, not an app.

  • It's not just that we don't trust FB, which we don't.

    It's not just that we don't trust 2FA, which we don't.

    It's that it violates our expectations and Constitutional Rights of Privacy.

    • For your information, there is nothing in the US Constitution that provides for a "right to privacy".
      • For your information, there is nothing in the US Constitution that provides for a "right to privacy".

        For that matter, there is not, and never has been, any such thing as "privacy" online. If you post something ANYWHERE, expect someone unexpected to see it, and use it in a way you didn't intend.

      • You do realize that ANY constitution is just a law - i.e. a contract of citizens with their own government, of citizens, by citizens and for citizens?
        Not some holy scripture chiseled into stone tablets by a toenail of god or by a delusional schizophrenic suffering from heat stroke and exhaustion?

        As such... being nothing but just a law, it is no different than any other law and it is a subject to change just like all those other laws. Of which there are a bunch.
        Hell, much of the privacy laws and arguments ca

      • I live in a state that has a Constitutional Right of Privacy.

      • Sure there is, and under that they found a Constitutional right to abortion. You're silly if you're only looking at words to see what your rights are.

  • Blessing in Disguise (Score:5, Interesting)

    by mentil ( 1748130 ) on Monday March 04, 2019 @07:42PM (#58216422)

    Training people to be skeptical of SMS-based 2FA is good, because forced number porting is so trivial. Due to social engineering or policy, it's far too easy to steal someone's phone number or its associated mobile codes. Furthermore, most people have it set up to show texts when their phone is locked, which undermines the value of verification codes if their phone is stolen. Dongles or even biometrics are superior. An NFC dongle you could slip in your phone case could be a good compromise.

  • by jddj ( 1085169 ) on Monday March 04, 2019 @07:47PM (#58216446) Journal

    Stuff like this isn't an abuse. Hell, it isn't even a dark pattern.

    THIS IS WHAT FACEBOOK WAS SET UP TO DO. IT'S SUCCESSFULLY EXECUTING ITS DESIGN.

    The solution is to have nothing whatsoever to do with Facebook, to the extent that is possible.

    Turn away from it, in the way you'd avoid a payday lender, a back-alley doctor, a furniture rental shop, or anyone else who has your ruin at heart, solely to advance their own interest.

  • ... It is driving me that many accounts require phone numbers these days. Even Google Voice when I am applying for THEIR numbers. Argh.

  • ...it only becomes sketchy when it's tied to a publicly-available token, such as a phone number. Tokens which don't have any public component, e.g. a Fido U2F token, are preferred...and, in fact, are in heavy use on the Facebook campus itself, by developers, moderators, etc. (Ask them why sometime.)

    The only solution to the problem as described in the original article is to NOT provide them with a phone number, no matter how often they beg. And if they start forcing it, that's when the clueful will delete th

    • by Anonymous Coward

      It's the attempt to solve a social problem with technical means, which is going to backfire every time.

      Use instead a good password policy, educate users.

      To me, password is the link between /myself/ (i.e. my mind) and "the world out there" -- and I don't want some covert twisted wormholes around that. Dementia? My mind is gone? So is my password. Too bad.

      Only if I /explicitly/ take steps to perennize it (basically by giving a slip o' paper to someone, or some electronic variant of that) it is perennized. By

  • by Anonymous Coward

    ... Who can look you up using the phone number you provided?

    I'll repeat myself: 2FA is primarily, a way to connect an account to a real consumer.

  • There is literally no reason to trust Facebook at all for anything.
  • by thogard ( 43403 ) on Tuesday March 05, 2019 @05:00AM (#58218014) Homepage

    The international standards allow US phone number to have 5 more digits so turn them into extensions. That would give everyone 100,000 extensions that their phone or carrier could manage. Turn it on and default all 10 digit numbers to the original ten plus 00000. Work can have the ten plus 99999. Friends get their own number which matches the last 5 of the number they use to call you. Everything else gets rejected.

  • Doesn't FB EULA basically boil down to:
    1. You give us the right to collect everything you give us, everything we can collect from your phone, tablet, or PC
    2. You give us unlimited rights to use any information we gather on you without any compensation
    2. You give up any right to sue us over any damages you may feel we caused

    I bet you can look people up by their FB password too, though that's probably a premium (read "paid") feature they sell to "partners" only.

  • Comment removed based on user account deletion
  • "Phone number is such a private, important security link,"

    This is like saying 'never give out your IP address on the Internet', I'm not saying I like how they are using it, but you have to give out your phone number so people can call you. It is essentially public information. There's a few ways around that, but are still relatively complicated. I'm old enough to remember when you would get tons of sales calls on a new phone number since the phone company listed you by default in a big directory made out of cheap yellow paper. You could pay a fee to opt out of b

  • The amount of stupidity and greed expressed in this is truly amazing.

  • "Messing with 2FA is the anti-vaccination misinformation of security." I don't get this analogy. 2FA is something that normally improves your security, your, er, online health. A 2FA "anti-vaxxer" might therefore be one who argues against the benefits of 2FA and suggests that it actually decreases your security, and tells people not to use it. But that's all a crazy conspiracy theory, right? I mean, how could using 2FA actually jeopardize your security? Unless this article were to be suggesting exactly tha
  • I always assumed that the real reason they wanted your phone number was to use it as an additional correlation data point against other info they've collected

news: gotcha

Working...