Facebook's Phone Number Policy Could Push Users To Not Trust Two-Factor Authentication (vice.com)
An anonymous reader quotes a report from Motherboard: Using two-factor authentication, a security mechanism that requires a second step to log in to an account other than the password, is widely considered an essential measure to protect yourself online. Yet, only a small percentage of people use this feature, mostly because it can be burdensome and it's rarely required by default, leaving users with the responsibility to turn it on. Now, Facebook may have given people yet another reason not to bother. Last week, Emojipedia founder Jeremy Burge warned in a viral Twitter thread that anyone could look him up on Facebook using his phone number, which he provided to the social network in order to enable two-factor authentication. What's worse, it looks like there's no way to completely remove your phone number that Facebook has collected. If you check your privacy settings, under "Who can look you up using the phone number you provided?" there are only three options: Everyone, Friends of friends, and Friends. "Everyone" is the default.
Even if you remove your phone number from the two-factor authentication settings page, nothing changes in the privacy settings, indicating Facebook still has your phone number. This screw-up, intentional or not, could discourage adoption of two-factor authentication, leaving people at risk of getting hacked. Facebook's decision to use phone numbers that were given to it for a specific security purpose for reasons other than security is a betrayal, and is training people more broadly that turning over more personal information to an internet company for security features could backfire. "Phone number is such a private, important security link," Zeynep Tufekci, a professor at the University of North Carolina, Chapel Hill, who has worked with dissidents and human rights activists, wrote on Twitter. "But Facebook will even let you be targeted for ads through phone numbers INCLUDING THOSE PROVIDED *ONLY* FOR SECOND FACTOR AUTHENTICATION. Messing with 2FA is the anti-vaccination misinformation of security."
When will people get it?
NEVER supply information unless you have to and then supply as much false information as you can.
Use different email addresses for different purposes: work, family, friends, and one you know will be spammed that can be given to salespeople.
You 'COULD' just delete your account.
Of course it's intentional. Whenever Facebook tweaks settings or adds new features they always default to "Everyone" settings for search results - even for so-called security features. This is the only thing they've done consistently since they launched. When will people learn?
You probably need to verify it once by SMS for Facebook to accept it, no?
Every time I use any different device or computer it complains that I logged in from an unknown device or computer. Even if I've used that computer or device many many times in the past. Facebook and Google both don't seem to have a memory beyond 2 locations and they seem to forget about these over time if there is no activity from a location.
They both have major security holes in any case in that they want to save your password or provide a password-less login (every single damn time I go to Facebook it wants me to click the "remember me" for a password-less login).
Stuff like this isn't an abuse. Hell, it isn't even a dark pattern.
THIS IS WHAT FACEBOOK WAS SET UP TO DO. IT'S SUCCESSFULLY EXECUTING ITS DESIGN.
The solution is to have nothing whatsoever to do with Facebook, to the extent that is possible.
Turn away from it, in the way you'd avoid a payday lender, a back-alley doctor, a furniture rental shop, or anyone else who has your ruin at heart, solely to advance their own interest.
And even if the corporation does not sell the data, all it takes is one employee with access to the data to decide they would like to make a few extra dollars... and how many large companies do not have an employee who is spying for another company/government?