Slashdot Mirror
Facebook's Phone Number Policy Could Push Users To Not Trust Two-Factor Authentication (vice.com)
An anonymous reader quotes a report from Motherboard: Using two-factor authentication, a security mechanism that requires a second step to login into an account other than the password, is widely considered an essential measure to protect yourself online. Yet, only a small percentage of people use this feature, mostly because it can be burdensome and it's rarely required by default, leaving users with the responsibility to turn it on. Now, Facebook may have given people yet another reason not to bother. Last week, Emojipedia founder Jeremy Burge warned in a viral Twitter thread that anyone could look him up on Facebook using his phone number, which he provided to the social network in order to enable two-factor authentication. What's worse, it looks like there's no way to completely remove your phone number that Facebook has collected. If you check your privacy settings, under "Who can look you up using the phone number you provided?" there are only three options: Everyone, Friends of friends, and Friends. "Everyone" is the default.
Even if you remove your phone number from the two-factor authentication settings page, nothing changes in the privacy settings, indicating Facebook still has your phone number. This screw-up, intentional or not, could discourage adoption of two-factor authentication, leaving people at risk of getting hacked. Facebook's decision to use phone numbers that were given to it for a specific security purpose for reasons other than security are a betrayal, and is training people more broadly that turning over more personal information to an internet company for security features could backfire. "Phone number is such a private, important security link," Zeynep Tufecki, a professor at the University of North Carolina, Chapel Hill, who has worked with dissidents and human rights activists, wrote on Twitter. "But Facebook will even let you be targeted for ads through phone numbers INCLUDING THOSE PROVIDED *ONLY* FOR SECOND FACTOR AUTHENTICATION. Messing with 2FA is the anti-vaccination misinformation of security."
Even if you remove your phone number from the two-factor authentication settings page, nothing changes in the privacy settings, indicating Facebook still has your phone number. This screw-up, intentional or not, could discourage adoption of two-factor authentication, leaving people at risk of getting hacked. Facebook's decision to use phone numbers that were given to it for a specific security purpose for reasons other than security are a betrayal, and is training people more broadly that turning over more personal information to an internet company for security features could backfire. "Phone number is such a private, important security link," Zeynep Tufecki, a professor at the University of North Carolina, Chapel Hill, who has worked with dissidents and human rights activists, wrote on Twitter. "But Facebook will even let you be targeted for ads through phone numbers INCLUDING THOSE PROVIDED *ONLY* FOR SECOND FACTOR AUTHENTICATION. Messing with 2FA is the anti-vaccination misinformation of security."
A friend of mine created a "live.com" account just to play some games on an Xbox. Microsoft insisted on him providing an actual mobile phone number to short message some code to - and most suspiciously refused any phone number powered by one of the many SMS-to-IP gateways.
He ultimately used the mobile number of some emergency pre-paid phone that had been residing for many months unused in his car. And guess what, only days after this use advertisement cold calls started showing up in the "missed call" history of this phone.
Let's face it: No matter what the big corporations tell you, they will sell whatever tiny piece of data you give to them.
The international standards allow US phone number to have 5 more digits so turn them into extensions. That would give everyone 100,000 extensions that their phone or carrier could manage. Turn it on and default all 10 digit numbers to the original ten plus 00000. Work can have the ten plus 99999. Friends get their own number which matches the last 5 of the number they use to call you. Everything else gets rejected.