Facebook's Phone Number Policy Could Push Users To Not Trust Two-Factor Authentication

An anonymous reader quotes a report from Motherboard: Using two-factor authentication, a security mechanism that requires a second step to login into an account other than the password, is widely considered an essential measure to protect yourself online. Yet, only a small percentage of people use this feature, mostly because it can be burdensome and it's rarely required by default, leaving users with the responsibility to turn it on. Now, Facebook may have given people yet another reason not to bother. Last week, Emojipedia founder Jeremy Burge warned in a viral Twitter thread that anyone could look him up on Facebook using his phone number, which he provided to the social network in order to enable two-factor authentication. What's worse, it looks like there's no way to completely remove your phone number that Facebook has collected. If you check your privacy settings, under "Who can look you up using the phone number you provided?" there are only three options: Everyone, Friends of friends, and Friends. "Everyone" is the default.

Even if you remove your phone number from the two-factor authentication settings page, nothing changes in the privacy settings, indicating Facebook still has your phone number. This screw-up, intentional or not, could discourage adoption of two-factor authentication, leaving people at risk of getting hacked. Facebook's decision to use phone numbers that were given to it for a specific security purpose for reasons other than security are a betrayal, and is training people more broadly that turning over more personal information to an internet company for security features could backfire. "Phone number is such a private, important security link," Zeynep Tufecki, a professor at the University of North Carolina, Chapel Hill, who has worked with dissidents and human rights activists, wrote on Twitter. "But Facebook will even let you be targeted for ads through phone numbers INCLUDING THOSE PROVIDED *ONLY* FOR SECOND FACTOR AUTHENTICATION. Messing with 2FA is the anti-vaccination misinformation of security."

Change All Your Shit

[sycodon]

Change your shit. Name, address, remove posts unfriend people unsubscribe or whatever then leave your account dormant.

Let Facebook die a slow, painful death.

Re:Change All Your Shit

you 'COULD' just delete your account.

Re:Change All Your Shit

[rtb61]

They still datamine you via other people's accounts and companies that use facebook, when you get linked to that crap. Far safer to nuke facebook from orbit basically campaign for legislation to put them and their ilk out of business.

Re:Change All Your Shit

[Chris+Mattern]

you 'COULD' just delete your account.

No, you can't. Oh, Facebook gives you a "delete" button, but it actually doesn't delete anything. One of the things that makes me happy that I never joined Facebook and never will.

Re:Change All Your Shit

[Opportunist]

You're doing it wrong. You have to join Facebook. It's an invaluable tool.

Of course, you have to be creative. I, for one, don't fill it with my uninteresting, boring real life. And I certainly don't "friend" any of the boring people I know. Instead, live an interesting life, rub shoulders with the best and greatest of your field, show off those pictures of you and them on vacation (Photoshop is one hell of a tool!), fake some insightful praise you get from them and make sure everyone visiting your page knows that you're one of the big shots.

Because sooner or later some HR goon will go for some personality surfing. And just as much as he won't admit that he does it, as unlikely it is that he's going to ask if any of this is real.

Nothing pads a resume better than something that doesn't allow anyone to say you lied. If you asked me, I would of course have told you that it's all bunk and bullshit. But you didn't ask. You assumed.

And you hired me.

Facebook's continual privacy violations continue

[GrumpySteen]

Film at 11!

DUH

When will people get it.
NEVER supply information unless you have to and then supply as much false information as you can.
Use different email addresses for different purposes, work, family, friends and one you know will be spammed that can be give to sales people.

Re:DUH

[Opportunist]

No. Give out one mail address per contact. It's trivial to aggregate them, so it's not really any hassle to you to collect your mail, but that way you immediately know if one of them is harvesting&selling.

Google Play.

[wolfheart111]

Free text messaging app... free numbers, cheap android phone.. no problemo :)

It's intentional

This screw-up, intentional or not, could discourage adoption of two-factor authentication, leaving people at risk of getting hacked.

Of course it's intentional. Whenever Facebook tweaks settings or adds new features they always default to "Everyone" settings for search results - even for so-called security features. This is the only thing they've done consistently since they launched. When will people learn?

Same for Microsoft's phone number collection

[ffkom]

A friend of mine created a "live.com" account just to play some games on an Xbox. Microsoft insisted on him providing an actual mobile phone number to short message some code to - and most suspiciously refused any phone number powered by one of the many SMS-to-IP gateways.
He ultimately used the mobile number of some emergency pre-paid phone that had been residing for many months unused in his car. And guess what, only days after this use advertisement cold calls started showing up in the "missed call" history of this phone.

Let's face it: No matter what the big corporations tell you, they will sell whatever tiny piece of data you give to them.

Re:Same for Microsoft's phone number collection

And even if the corporation does not sell the data, all it takes is one employee with access to the data to decide they would like to make a few extra dollars ..... and how many large companies do not have an employee who is spying for another company/government ?

Re: Use a fake number

You probably need to verify it once by SMS for facebook to accept it, no?

Why?

[grep+-v+'.*'+*]

Why would you give FB your phone number? Why would you give FB ANYTHING?

Most of my friends us it (I have to admit), but I don't.

I do publically gave FB my Real Name and phone number(!!), but that's it. Everything else is bogus. (I think I live on the night side of Sol, went to school on Pluto for a change.) I log in maybe once a year because something gives me a reward for doing so. I give an indirect FB promote "This Product Is Great" nag (I guess, never looked), and since I'm interested that's not a completely wrong thing.

But my name, address, and phone number USED to be in the phone book, so I'm not that concerned about it. Yep, the phone book has (had) thousands of page, a literal wall of data. The NEWISH phoneish bookish dataish thing has your info tied to interests and events, NOT at all the same thing. But since FB knows almost nothing about me -- I'm sure more than I think because of friends -- I treat it as an external locator beacon.

If you WANT to be my friend, you'll bloomin' well literally TALK to me. If _not_, you can thumbs-up me all day long, and I'll give you a finger back as well.

Re:Why?

Did you just ask why anyone would give their phone number to Facebook, and then tell us that you gave your number to Facebook - "I do publically gave FB my Real Name and phone number(!!)."?

What part of the fact that "if your friends uploaded a contact list with your info, they also have this info, plus they know if you lied." did you miss?

I'm not sure I understand your point. I'm not sure if you have a point.

Re:Why?

I identify as a third gender helicopter, and your comment is offending me. But I have many friends. I consider the files in /usr/share/lib as my friends.

BETTER 2FA EXISTS Y'ALL.... !!!

Sorry folks but "phone number" is really SHITTY 2FA LIE.
All giving ANY and ALL entities your "phone number" does is allow them to TRACK and CONTROL the FUCK out of YOU.
Second, it is weak to BOTH...
1) Stolen phone
2) Hijacked phone number

Ever hear of TOTP protocol aka "Google Authenticator", it's a goddamned RFC even, look it the fuck up.
It is a shared TIME based code generator that WORKS flawlessly, and can work with ALL login apps, and is OPENSOURCE, and COSTS no one NOTHING because it DOES NOT require use of PHONE LINES.
It is ONLY weak to...
1) Stolen phone
for which you should be using a secure passphrase and encryption on anyways.

So TOTP is STRICTLY BETTER.

And you should WAKE THE FUCK UP and start demanding the services you use convert from SHITTY weak expensive DATAMINE and SELL YOUR ASS out to CORP and GOV SPIES "phone number" to TOTP / GA 2FA.

Phoney!

[Impy+the+Impiuos+Imp]

They want your phone number to more accuratey ID you in advertising databases. This is all a cover story.

Re:Phoney!

[Narcocide]

Oh, I very much believe that the threat these 2FA advocates warn about is quite real. That doesn't mean Facebook has any intention of treating the situation as anything more than an opportunity to sell verified cellphone numbers to robo-callers and malware-distributors alike, of course. These two threats aren't mutually exclusive. In fact, they're very likely to be closely related.

Re:Phoney!

[markdavis]

>"They want your phone number to more accuratey ID you in advertising databases."

And to sell your phone number to marketing companies that will then spam the s*** out of your phone, no doubt. Or use it to harass you themselves, for whatever purpose they like. And, of course, to make sure that anonymity dies. I have been warning people this was coming with "two factor authentication" schemes that have ONLY mobile phones as the "choice" for second factor. For most purposes, you should be able to use a land line (callback with voice prompt) or Email address for such things.... but somehow that is never allowed.

Two factor authentication on Facebook?

[bobbied]

Who turns on two factor authentication on Facebook?

Personally, I don't really care if somebody hacks my FB account. I don't depend on it for *anything* of importance in my life and I'm NOT giving up my phone number or much else beyond my Gmail account to FB or any of their advertisers. They don't have any correct information from me except for my name, and even that is a nickname, not my legal name.

Just don't do it. Social media isn't worth the trouble..

Re:Two factor authentication on Facebook?

[bobbied]

Well, my Facebook account isn't worth anything anyway. I am a member of only a few groups and don't link to very many "friends" in the first place so I have no contacts to give up. My Facebook information is basically fiction to start, with only enough facts (my name and a picture) so people who are looking for me can find me. There really isn't anything else.

Now, some of my friends and family have HUGE exposure... My half sister announced her kid's arrival, giving his full legal name and stats on the day he was born, has a link to her mother and father's names... She also had her location down to the city provided, so it's not a hard stretch to steal the kid's identity now.. We have is full legal name, date of birth, location of birth, mother and father's name and even his mother's maiden name, all on face book.

If my account gets hacked, there isn't much I can do to fix stupidity like that. I sometimes wonder how we can be related... I've even explained all this to her and still nothing...

Re: Use a fake number

[Darinbob]

Every time I use any different device or computer it complains that I logged in from an unknown device or computer. Even if I've used that computer or device many many times in the past. Facebook and Google bother don't seem to have a memory beyond 2 locations and they seem to forget about these over time if there is no activity from a location.

They both have major security holes in any case in that they want to save your password or provide a password-less login (every single damn time I go to Facebook it wants me to click the "remember me" for a password-less login).

Did anyone fact check this article before posting?

Okay - I realise that is probably one of the stupidest questions to ever ask on Slashdot....

Not read the article but the permissions settings in the quoted extract did not ring true. So I checked. I have my phone number listed on facebook and the permissions are set to "only me". This means that unless there is a problem with the effectiveness of the permission settings in facebook (not an impossible scenario I'll grant you) nobody can get my phone number from facebook except me. Given that the phone number has been there for nigh on a decade and in that time I have had no phone calls or messages that I cannot trace to a source outside of facebook it appears that, at least for me, the permissions settings are working.

Perhaps I am unusual in this but even 10 years ago I was not putting my phone number on places without checking the permissions available and thinking about who could get the information (although that did lead to some fun conversations with a cold caller on a different number getting very annoyed that I would not give them a reference number from my phone provider).
I regard facebook and the things I post there as being like a conversation in a pub - you can try and be discrete but you are never quite sure if someone walking past on their way to the cigarette machine is going to overhear something, so don't say things you want kept quiet.

Few of us trust it right now

[WillAffleckUW]

It's not just that we don't trust FB, which we don't.

It's not just that we don't trust 2FA, which we don't.

It's that it violates our expectations and Constitutional Rights of Privacy.

Re:Few of us trust it right now

[supernova87a]

For your information, there is nothing in the US Constitution that provides for a "right to privacy".

Re:Few of us trust it right now

[TVmisGuided]

For your information, there is nothing in the US Constitution that provides for a "right to privacy".

For that matter, there is not, and never has been, any such thing as "privacy" online. If you post something ANYWHERE, expect someone unexpected to see it, and use it in a way you didn't intend.

Re:Few of us trust it right now

[denzacar]

You do realize that ANY constitution is just a law - i.e. a contract of citizens with their own government, of citizens, by citizens and for citizens?
Not some holy scripture chiseled into stone tablets by a toenail of god or by a delusional schizophrenic suffering from heat stroke and exhaustion?

As such... being nothing but just a law, it is no different than any other law and it is a subject to change just like all those other laws. Of which there are a bunch.
Hell, much of the privacy laws and arguments calls back to the addenda to that very law.
As in the first, fourth and fourteenth, parts of the fifth, thirteenth, nineteenth, twenty-fourth and twenty-sixth... and that big catch all - the ninth.
And then there's the eleventh which provides for individual states to guarantee further rights.

AND THEN... there are individual person-to-person or person-to-legal entity contracts.
Which is how NDAs can exist.

Pullin the constitution card regarding rights maybe not mentioned in there specifically, is as inane as an ISP arguing that since there is no mention of internet in the constitution they are not legally bound to provide uninterrupted service.

Re:Few of us trust it right now

[WillAffleckUW]

I live in a state that has a Constitutional Right of Privacy.

Re:Few of us trust it right now

[ConceptJunkie]

Sure there is, and under that they found a Constitutional right to abortion. You're silly if you're only looking at words to see what your rights are.

Re:Did anyone fact check this article before posti

[Narcocide]

Historically the iPhone version has had more permissions features than the Android one, I think. Also, the article is clearly talking about the website, not an app.

Careful

I gave a fake email address to yahoo mail - they were buggering me about phone number or back up email every single time and then once, I was either tired of it or literally stuck. Then after yahoo was merged into 'Oath' I permanently lost access to my yahoo email.

Re: Use a fake number

I don't think so. I kept getting a popup that asked if this was my number.

Blessing in Disguise

[mentil]

Training people to be skeptical of SMS-based 2FA is good, because forced number porting is so trivial. Due to social engineering or policy, it's far too easy to steal someone's phone number or its associated mobile codes. Furthermore, most people have it set up to show texts when their phone is locked, which undermines the value of verification codes if their phone is stolen. Dongles or even biometrics are superior. An NFC dongle you could slip in your phone case could be a good compromise.

Re: Blessing in Disguise

[astrofurter]

Forced number porting is not the only problem with SMS based fake-2FA. The SS7 protocol that controls SMS is known to be insecure.

Consider the following, located with a 10 second Google search:

https://fedotov.co/ss7-hack-tu...

Stop Caring About These "Abuses".

[jddj]

Stuff like this isn't an abuse. Hell, it isn't even a dark pattern.

THIS IS WHAT FACEBOOK WAS SET UP TO DO. IT'S SUCCESSFULLY EXECUTING ITS DESIGN.

The solution is to have nothing whatsoever to do with Facebook, to the extent that is possible.

Turn away from it, in the way you'd avoid a payday lender, a back-alley doctor, a furniture rental shop, or anyone else who has your ruin at heart, solely to advance their own interest.

Phone number requirements...

[antdude]

... It is driving me that many accounts require phone numbers these days. Even Google Voice when I am applying for THEIR numbers. Argh.

2FA is not inherently bad

[TVmisGuided]

...it only becomes sketchy when it's tied to a publicly-available token, such as a phone number. Tokens which don't have any public component, e.g. a Fido U2F token, are preferred...and, in fact, are in heavy use on the Facebook campus itself, by developers, moderators, etc. (Ask them why sometime.)

The only solution to the problem as described in the original article is to NOT provide them with a phone number, no matter how often they beg. And if they start forcing it, that's when the clueful will delete their accounts.

That's as far as I go.

Re: Lose trust for Two Factor Authentication

[astrofurter]

_Anything_ on a smartphone is insecure. If you want real 2FA you need a hardware token.

A real consumer

... Who can look you up using the phone number you provided?

I'll repeat myself: 2FA is primarily, a way to connect an account to a real consumer.

Why trust Zuckerbook at all?

[Rick+Schumann]

There is literally no reason to trust Facebook at all for anything.

Re: Facebook's continual privacy violations contin

[mSparks43]

11Am or 11pm?

I don't think the kids got the message

2FA is basically a scam.

It's the attempt to solve a social problem with technical means, which is going to backfire every time.

Use instead a good password policy, educate users.

To me, password is the link between /myself/ (i.e. my mind) and "the world out there" -- and I don't want some covert twisted wormholes around that. Dementia? My mind is gone? So is my password. Too bad.

Only if I /explicitly/ take steps to perennize it (basically by giving a slip o' paper to someone, or some electronic variant of that) it is perennized. By default, it isn't. Simple, transparent.

2FA is an industry scam, as was DKIM and SPF (and for very similar reasons):

Most of the spam I get these days has correct DKIM and SPF records: the spammers just ride throwaway accounts on the Big Ones (gmail, I'm looking at you).

The sad part is that we techies go "Oh, shiny!" and follow the most convoluted procedure because "tech". This is, I think, our worst antipattern.

Stop wasting phone number digits

[thogard]

The international standards allow US phone number to have 5 more digits so turn them into extensions. That would give everyone 100,000 extensions that their phone or carrier could manage. Turn it on and default all 10 digit numbers to the original ten plus 00000. Work can have the ten plus 99999. Friends get their own number which matches the last 5 of the number they use to call you. Everything else gets rejected.

Re:Stop wasting phone number digits

[thogard]

If I give you my number and extension 48524, then my phone won't accept any call to that number except for your number with the proper extension and I know you leaked it because of your bad choice in social media.

Look people up by their password next?

[misnohmer]

Doesn't FB EULA basically boil down to:
1. You give us the right to collect everything you give us, everything we can collect from your phone, tablet, or PC
2. You give us unlimited rights to use any information we gather on you without any compensation
2. You give up any right to sue us over any damages you may feel we caused

I bet you can look people up by their FB password too, though that's probably a premium (read "paid") feature they sell to "partners" only.

Why?

[CptLoRes]

Except for online payment systems, I can't for the life of me think of a web page important enough for me to give them my phone number and/or personal information in general. I'd rather lose my login instead if that's what it comes down to.

Re:Don't use Facebook, problem solved

[MadKeithV]

Oh Facebook gets privacy, it's just that it is literally antithetical to their business model, which is to sell your data.

Re:Use a fake number

[The-Ixian]

Or.... just use a time-based authentication app for your 2FA

https://www.facebook.com/help/...

"Shared secret" is an oxymoron

[jbmartin6]

"Phone number is such a private, important security link,"

This is like saying 'never give out your IP address on the Internet', I'm not saying I like how they are using it, but you have to give out your phone number so people can call you. It is essentially public information. There's a few ways around that, but are still relatively complicated. I'm old enough to remember when you would get tons of sales calls on a new phone number since the phone company listed you by default in a big directory made out of cheap yellow paper. You could pay a fee to opt out of being listed, bleep you very much phone company. Even now you will get tons of sales calls if you buy a house or some other transaction that creates a public record.

Impressive

[gweihir]

The amount of stupidity and greed expressed in this is truly amazing.

anti-vaxxers?

[Goose+Tov]

"Messing with 2FA is the anti-vaccination misinformation of security." I don't get this analogy. 2FA is something that normally improves your security, your, er, online health. A 2FA "anti-vaxxer" might therefore be one who argues against the benefits of 2FA and suggests that it actually decreases your security, and tells people not to use it. But that's all a crazy conspiracy theory, right? I mean, how could using 2FA actually jeopardize your security? Unless this article were to be suggesting exactly that. Full disclosure: My 4-year-old got his DTAP / IVP and MMR yesterday. :)

Comment removed

[account_deleted]

Comment removed based on user account deletion

TFA?

[thomn8r]

I always assumed that the real reason they wanted your phone number was to use it as an additional correlation data point against other info they've collected

Re:Trust

[ennis99]

Facebook always makes us believe that they are doing their best to protect people's privacy, while they are doing exactly the opposite. https://downloader.vip/vpn/ https://downloadnox.com/ https://anydesk.vip/