Slashdot Mirror
Facebook's Phone Number Policy Could Push Users To Not Trust Two-Factor Authentication (vice.com)
An anonymous reader quotes a report from Motherboard: Using two-factor authentication, a security mechanism that requires a second step to login into an account other than the password, is widely considered an essential measure to protect yourself online. Yet, only a small percentage of people use this feature, mostly because it can be burdensome and it's rarely required by default, leaving users with the responsibility to turn it on. Now, Facebook may have given people yet another reason not to bother. Last week, Emojipedia founder Jeremy Burge warned in a viral Twitter thread that anyone could look him up on Facebook using his phone number, which he provided to the social network in order to enable two-factor authentication. What's worse, it looks like there's no way to completely remove your phone number that Facebook has collected. If you check your privacy settings, under "Who can look you up using the phone number you provided?" there are only three options: Everyone, Friends of friends, and Friends. "Everyone" is the default.
Even if you remove your phone number from the two-factor authentication settings page, nothing changes in the privacy settings, indicating Facebook still has your phone number. This screw-up, intentional or not, could discourage adoption of two-factor authentication, leaving people at risk of getting hacked. Facebook's decision to use phone numbers that were given to it for a specific security purpose for reasons other than security are a betrayal, and is training people more broadly that turning over more personal information to an internet company for security features could backfire. "Phone number is such a private, important security link," Zeynep Tufecki, a professor at the University of North Carolina, Chapel Hill, who has worked with dissidents and human rights activists, wrote on Twitter. "But Facebook will even let you be targeted for ads through phone numbers INCLUDING THOSE PROVIDED *ONLY* FOR SECOND FACTOR AUTHENTICATION. Messing with 2FA is the anti-vaccination misinformation of security."
Even if you remove your phone number from the two-factor authentication settings page, nothing changes in the privacy settings, indicating Facebook still has your phone number. This screw-up, intentional or not, could discourage adoption of two-factor authentication, leaving people at risk of getting hacked. Facebook's decision to use phone numbers that were given to it for a specific security purpose for reasons other than security are a betrayal, and is training people more broadly that turning over more personal information to an internet company for security features could backfire. "Phone number is such a private, important security link," Zeynep Tufecki, a professor at the University of North Carolina, Chapel Hill, who has worked with dissidents and human rights activists, wrote on Twitter. "But Facebook will even let you be targeted for ads through phone numbers INCLUDING THOSE PROVIDED *ONLY* FOR SECOND FACTOR AUTHENTICATION. Messing with 2FA is the anti-vaccination misinformation of security."
Keep TFA turned off and update your number to a non-existent one. Facebook know my phone number without me providing it. I'm guessing they stole it from a friends contact list on their phone.
Change your shit. Name, address, remove posts unfriend people unsubscribe or whatever then leave your account dormant.
Let Facebook die a slow, painful death.
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
they will use anything you give them against you. It's Facebook. Not your bank.
Film at 11!
They already have your number if a friend or another person uploaded their contacts.
Same with LinkedIn.
Stop the hand wringing. Believe me there are many more databases that have far more private info on you accessible to others. Facebook is childs play.
When will people get it.
NEVER supply information unless you have to and then supply as much false information as you can.
Use different email addresses for different purposes, work, family, friends and one you know will be spammed that can be give to sales people.
Free text messaging app... free numbers, cheap android phone.. no problemo :)
[($)]
Of course it's intentional. Whenever Facebook tweaks settings or adds new features they always default to "Everyone" settings for search results - even for so-called security features. This is the only thing they've done consistently since they launched. When will people learn?
A friend of mine created a "live.com" account just to play some games on an Xbox. Microsoft insisted on him providing an actual mobile phone number to short message some code to - and most suspiciously refused any phone number powered by one of the many SMS-to-IP gateways.
He ultimately used the mobile number of some emergency pre-paid phone that had been residing for many months unused in his car. And guess what, only days after this use advertisement cold calls started showing up in the "missed call" history of this phone.
Let's face it: No matter what the big corporations tell you, they will sell whatever tiny piece of data you give to them.
Thankfully I don't use Facebook, but a lot of websites only offer their one form of 2FA. Humble Bundle as an example pushes not only the "i am not a robot" captcha bullshit but also verification through email. The reason I have a problem with this fundamentally isn't per se that email is an option, just like if people really want to use SMS or an app. The issue is that I can't use U2F instead nor can I disable the 2FA that I will never use.
Put simply, I want U2F as many places as possible--done right with forcing ChannelID. I absolutely hate how anyone thinks it's a good idea to use an insecure mechanism as email/SMS as the default. I also hate the push in FIDO2 for passwordless logins. It's honestly like near everyone is conspiring to make 2FA pointless or otherwise downgrade all the obvious advantages.
Why would you give FB your phone number? Why would you give FB ANYTHING?
Most of my friends us it (I have to admit), but I don't.
I do publically gave FB my Real Name and phone number(!!), but that's it. Everything else is bogus. (I think I live on the night side of Sol, went to school on Pluto for a change.) I log in maybe once a year because something gives me a reward for doing so. I give an indirect FB promote "This Product Is Great" nag (I guess, never looked), and since I'm interested that's not a completely wrong thing.
But my name, address, and phone number USED to be in the phone book, so I'm not that concerned about it. Yep, the phone book has (had) thousands of page, a literal wall of data. The NEWISH phoneish bookish dataish thing has your info tied to interests and events, NOT at all the same thing. But since FB knows almost nothing about me -- I'm sure more than I think because of friends -- I treat it as an external locator beacon.
If you WANT to be my friend, you'll bloomin' well literally TALK to me. If _not_, you can thumbs-up me all day long, and I'll give you a finger back as well.
If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
Sorry folks but "phone number" is really SHITTY 2FA LIE.
All giving ANY and ALL entities your "phone number" does is allow them to TRACK and CONTROL the FUCK out of YOU.
Second, it is weak to BOTH...
1) Stolen phone
2) Hijacked phone number
Ever hear of TOTP protocol aka "Google Authenticator", it's a goddamned RFC even, look it the fuck up.
It is a shared TIME based code generator that WORKS flawlessly, and can work with ALL login apps, and is OPENSOURCE, and COSTS no one NOTHING because it DOES NOT require use of PHONE LINES.
It is ONLY weak to...
1) Stolen phone
for which you should be using a secure passphrase and encryption on anyways.
So TOTP is STRICTLY BETTER.
And you should WAKE THE FUCK UP and start demanding the services you use convert from SHITTY weak expensive DATAMINE and SELL YOUR ASS out to CORP and GOV SPIES "phone number" to TOTP / GA 2FA.
They want your phone number to more accuratey ID you in advertising databases. This is all a cover story.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Who turns on two factor authentication on Facebook?
Personally, I don't really care if somebody hacks my FB account. I don't depend on it for *anything* of importance in my life and I'm NOT giving up my phone number or much else beyond my Gmail account to FB or any of their advertisers. They don't have any correct information from me except for my name, and even that is a nickname, not my legal name.
Just don't do it. Social media isn't worth the trouble..
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Okay - I realise that is probably one of the stupidest questions to ever ask on Slashdot....
Not read the article but the permissions settings in the quoted extract did not ring true. So I checked. I have my phone number listed on facebook and the permissions are set to "only me". This means that unless there is a problem with the effectiveness of the permission settings in facebook (not an impossible scenario I'll grant you) nobody can get my phone number from facebook except me. Given that the phone number has been there for nigh on a decade and in that time I have had no phone calls or messages that I cannot trace to a source outside of facebook it appears that, at least for me, the permissions settings are working.
Perhaps I am unusual in this but even 10 years ago I was not putting my phone number on places without checking the permissions available and thinking about who could get the information (although that did lead to some fun conversations with a cold caller on a different number getting very annoyed that I would not give them a reference number from my phone provider).
I regard facebook and the things I post there as being like a conversation in a pub - you can try and be discrete but you are never quite sure if someone walking past on their way to the cigarette machine is going to overhear something, so don't say things you want kept quiet.
Facebook has proven it's nothing but evil time and time again. This was no "screw up" ... it's intentional as usual.
Wake up for Pete's sake. Ditch Facebook forever.
Using two-factor authentication, a security mechanism that requires a second step to login into an account other than the password
Since TFA has no idea what multi factor auth is they should just call this BS a two-step authentication instead of two-factor authentication.
Because clearly a different authentication channel (text message) is not an acceptable factor. Acceptable factors in multi factor authentication are KNOWLEDGE, POSSESSION, INHERENT.
The only way to truly secure your Facebook account is to enable DUF/DYA infinite factor authentication. This highly secure algorithm is implemented in two surprisingly simple and user friendly steps.
1st: Don't Use Facebook
2nd: Delete Your Account
That's it you're done. Follow this simple procedure and you will never have to worry about Facebook authentication ever again.
It's not just that we don't trust FB, which we don't.
It's not just that we don't trust 2FA, which we don't.
It's that it violates our expectations and Constitutional Rights of Privacy.
-- Tigger warning: This post may contain tiggers! --
How is this going to affect two factor authentication? Everyone should know the best way to do it is not with as phone number, but using an authenticator app. This should push people to not use a phone number if anything for 2FA.
Lance Zimmerman of Panther Games
Tell me what's next
Historically the iPhone version has had more permissions features than the Android one, I think. Also, the article is clearly talking about the website, not an app.
I gave a fake email address to yahoo mail - they were buggering me about phone number or back up email every single time and then once, I was either tired of it or literally stuck. Then after yahoo was merged into 'Oath' I permanently lost access to my yahoo email.
Water is wet.
Training people to be skeptical of SMS-based 2FA is good, because forced number porting is so trivial. Due to social engineering or policy, it's far too easy to steal someone's phone number or its associated mobile codes. Furthermore, most people have it set up to show texts when their phone is locked, which undermines the value of verification codes if their phone is stolen. Dongles or even biometrics are superior. An NFC dongle you could slip in your phone case could be a good compromise.
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
Stuff like this isn't an abuse. Hell, it isn't even a dark pattern.
THIS IS WHAT FACEBOOK WAS SET UP TO DO. IT'S SUCCESSFULLY EXECUTING ITS DESIGN.
The solution is to have nothing whatsoever to do with Facebook, to the extent that is possible.
Turn away from it, in the way you'd avoid a payday lender, a back-alley doctor, a furniture rental shop, or anyone else who has your ruin at heart, solely to advance their own interest.
So this means if I tell a telephone scammer to go fuck themselves, they can simply go onto Facebook and look up the phone number they just called to see who I am so they can harass me further, if I had left Facebook's phone number setting at the default of "Everyone".
I just went and changed it to "Friends only" thanks to this article.
Yes I know some jackass is going to spout off not to use Facebook, there's 5 of you in every single Facebook thread, fuck off, you have no useful thing to say.
...That Mark Fuckerberg created Facebook (well, stole it anyways from the Twinklevoss Twins) for the sole purpose of getting himself some Asian pussy (successfully, I might add), ....being the fucking loser dorky dweeb that he is. The fucking guy and his fucking shit-for-brains company does *not* have your best interests in mind...and never has, and he thinks Facebook users are "fucking stupid" for trustng him, so anybody who still actively is using Facebook is plain and simple a fucking moron at this point.
... It is driving me that many accounts require phone numbers these days. Even Google Voice when I am applying for THEIR numbers. Argh.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
It's common knowledge that Facebook sells everything it knows about a person: The first thought to any question from Facebook must be "Will publication of this fact reduce my privacy?" Most times, the answer is "yes". If one has the stupidity to publish personal details via Facebook, then sympathy is not deserved.
...it only becomes sketchy when it's tied to a publicly-available token, such as a phone number. Tokens which don't have any public component, e.g. a Fido U2F token, are preferred...and, in fact, are in heavy use on the Facebook campus itself, by developers, moderators, etc. (Ask them why sometime.)
The only solution to the problem as described in the original article is to NOT provide them with a phone number, no matter how often they beg. And if they start forcing it, that's when the clueful will delete their accounts.
That's as far as I go.
All the world's an analog stage, and digital circuits play only bit parts.
I would think that for most people, their public number is the same as their 2FA number -- since they only have one number.
I'll repeat myself: 2FA is primarily, a way to connect an account to a real consumer.
There is literally no reason to trust Facebook at all for anything.
11Am or 11pm?
I don't think the kids got the message
It's the attempt to solve a social problem with technical means, which is going to backfire every time.
Use instead a good password policy, educate users.
To me, password is the link between /myself/ (i.e. my mind) and "the world out there" -- and I don't want some covert twisted wormholes around that. Dementia? My mind is gone? So is my password. Too bad.
Only if I /explicitly/ take steps to perennize it (basically by giving a slip o' paper to someone, or some electronic variant of that) it is perennized. By default, it isn't. Simple, transparent.
2FA is an industry scam, as was DKIM and SPF (and for very similar reasons):
Most of the spam I get these days has correct DKIM and SPF records: the spammers just ride throwaway accounts on the Big Ones (gmail, I'm looking at you).
The sad part is that we techies go "Oh, shiny!" and follow the most convoluted procedure because "tech". This is, I think, our worst antipattern.
Who cares.
TL;DR: Facebook apologist.
The international standards allow US phone number to have 5 more digits so turn them into extensions. That would give everyone 100,000 extensions that their phone or carrier could manage. Turn it on and default all 10 digit numbers to the original ten plus 00000. Work can have the ten plus 99999. Friends get their own number which matches the last 5 of the number they use to call you. Everything else gets rejected.
Doesn't FB EULA basically boil down to:
1. You give us the right to collect everything you give us, everything we can collect from your phone, tablet, or PC
2. You give us unlimited rights to use any information we gather on you without any compensation
2. You give up any right to sue us over any damages you may feel we caused
I bet you can look people up by their FB password too, though that's probably a premium (read "paid") feature they sell to "partners" only.
Because Facebook doesn't seem to get it about protecting ones privacy. I wouldn't give Facebook anymore personal data then I would have to. I don't use Facebook anymore, but when I did the site didn't like it because I didn't include a phone number. I was hounded with messages to include one. A big red flag if you ask me.
Except for online payment systems, I can't for the life of me think of a web page important enough for me to give them my phone number and/or personal information in general. I'd rather lose my login instead if that's what it comes down to.
"Phone number is such a private, important security link,"
This is like saying 'never give out your IP address on the Internet', I'm not saying I like how they are using it, but you have to give out your phone number so people can call you. It is essentially public information. There's a few ways around that, but are still relatively complicated. I'm old enough to remember when you would get tons of sales calls on a new phone number since the phone company listed you by default in a big directory made out of cheap yellow paper. You could pay a fee to opt out of being listed, bleep you very much phone company. Even now you will get tons of sales calls if you buy a house or some other transaction that creates a public record.
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
It was the website permissions that I checked. No apps were accessed in the checking. Given the way the apps keep being mangled in how they work I wouldn't rely on them to check the underlying permissions.
doesn't facebook ask for persmissions to home-phone-upload yar whole address book when installed :P
on a mobile phone?
how else are they going to "friend recommend"? obviously they are not using the name that one puts
in the phone because someone might name the phone number 123456789 "sally" and another might name the number
"friend with benefits for friday".
thus, the "primary key" is the phone number.
also in other news: water is wet, fire burns, wind blows and facebook cares about your privacy
The amount of stupidity and greed expressed in this is truly amazing.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Don't use it for ANYTHING, not even Facebook.
Not only does it fail to make your account more secure, it makes it LESS secure, by far. You've just given anyone who wishes to target you a perfect way to do so. They contact your wireless carrier, with a sob story claiming to be you and having lost your phone in the ocean while on vacation or something, and it's urgent that the carrier move your number to the new phone they bought to replace it or you won't be able to facetime your dying mother before she goes.. and you forgot your pin.. or some such nonsense. They keep trying again until they get an agent both naive and sympathetic enough to just push the change through, and BAM then own your phone, they own your bitcoin, they own your life if you've been stupid enough to use phone-number based "2-factor auth".
DON'T DO IT!
Either use REAL two-factor or go home.
"Messing with 2FA is the anti-vaccination misinformation of security." I don't get this analogy. 2FA is something that normally improves your security, your, er, online health. A 2FA "anti-vaxxer" might therefore be one who argues against the benefits of 2FA and suggests that it actually decreases your security, and tells people not to use it. But that's all a crazy conspiracy theory, right? I mean, how could using 2FA actually jeopardize your security? Unless this article were to be suggesting exactly that. Full disclosure: My 4-year-old got his DTAP / IVP and MMR yesterday. :)
Comment removed based on user account deletion
I always assumed that the real reason they wanted your phone number was to use it as an additional correlation data point against other info they've collected
Trust two-factor authentication, at least for the most part. 2FA while not perfect is still much, much better than simple password access. Just ask John Podesta, chairman of Hillary Clinton's 2016 US presidential campaign. Podesta's GMail account was famously hacked and his emails posted online after a staffer responded to a phishing email using Podesta's login credentials and Podesta was not using 2FA on GMail. 2FA would have most likely prevented that hack.
But the crux of this article is NEVER, NEVER, NEVER trust Facebook.