Slashdot Mirror


Facebook's Phone Number Policy Could Push Users To Not Trust Two-Factor Authentication (vice.com)

An anonymous reader quotes a report from Motherboard: Using two-factor authentication, a security mechanism that requires a second step beyond the password to log in to an account, is widely considered an essential measure to protect yourself online. Yet, only a small percentage of people use this feature, mostly because it can be burdensome and it's rarely required by default, leaving users with the responsibility to turn it on. Now, Facebook may have given people yet another reason not to bother. Last week, Emojipedia founder Jeremy Burge warned in a viral Twitter thread that anyone could look him up on Facebook using his phone number, which he provided to the social network in order to enable two-factor authentication. What's worse, it looks like there's no way to completely remove your phone number that Facebook has collected. If you check your privacy settings, under "Who can look you up using the phone number you provided?" there are only three options: Everyone, Friends of friends, and Friends. "Everyone" is the default.

Even if you remove your phone number from the two-factor authentication settings page, nothing changes in the privacy settings, indicating Facebook still has your phone number. This screw-up, intentional or not, could discourage adoption of two-factor authentication, leaving people at risk of getting hacked. Facebook's decision to use phone numbers that were given to it for a specific security purpose for reasons other than security is a betrayal, and it is training people more broadly that turning over more personal information to an internet company for security features could backfire.
"Phone number is such a private, important security link," Zeynep Tufekci, a professor at the University of North Carolina, Chapel Hill, who has worked with dissidents and human rights activists, wrote on Twitter. "But Facebook will even let you be targeted for ads through phone numbers INCLUDING THOSE PROVIDED *ONLY* FOR SECOND FACTOR AUTHENTICATION. Messing with 2FA is the anti-vaccination misinformation of security."

14 of 97 comments

  1. Change All Your Shit by sycodon · · Score: 3

    Change your shit. Name, address; remove posts, unfriend people, unsubscribe or whatever, then leave your account dormant.

    Let Facebook die a slow, painful death.

    --
    When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
    1. Re:Change All Your Shit by rtb61 · · Score: 2

      They still datamine you via other people's accounts and companies that use Facebook, when you get linked to that crap. Far safer to nuke Facebook from orbit; basically, campaign for legislation to put them and their ilk out of business.

      --
      Chaos - everything, everywhere, everywhen
  2. DUH by Anonymous Coward · · Score: 3, Insightful

    When will people get it?
    NEVER supply information unless you have to, and then supply as much false information as you can.
    Use different email addresses for different purposes: work, family, friends, and one you know will be spammed that can be given to salespeople.

  3. It's intentional by Anonymous Coward · · Score: 3, Insightful

    This screw-up, intentional or not, could discourage adoption of two-factor authentication, leaving people at risk of getting hacked.

    Of course it's intentional. Whenever Facebook tweaks settings or adds new features they always default to "Everyone" settings for search results - even for so-called security features. This is the only thing they've done consistently since they launched. When will people learn?

  4. Same for Microsoft's phone number collection by ffkom · · Score: 5, Informative

    A friend of mine created a "live.com" account just to play some games on an Xbox. Microsoft insisted on him providing an actual mobile phone number to short message some code to - and most suspiciously refused any phone number powered by one of the many SMS-to-IP gateways.
    He ultimately used the mobile number of some emergency pre-paid phone that had been residing for many months unused in his car. And guess what, only days after this use, advertisement cold calls started showing up in the "missed call" history of this phone.

    Let's face it: No matter what the big corporations tell you, they will sell whatever tiny piece of data you give to them.

    1. Re:Same for Microsoft's phone number collection by Anonymous Coward · · Score: 2, Insightful

      And even if the corporation does not sell the data, all it takes is one employee with access to the data to decide they would like to make a few extra dollars... and how many large companies do not have an employee who is spying for another company/government?

  5. Re: Use a fake number by Anonymous Coward · · Score: 2, Insightful

    You probably need to verify it once by SMS for facebook to accept it, no?

  6. Two factor authentication on Facebook? by bobbied · · Score: 2

    Who turns on two factor authentication on Facebook?

    Personally, I don't really care if somebody hacks my FB account. I don't depend on it for *anything* of importance in my life and I'm NOT giving up my phone number or much else beyond my Gmail account to FB or any of their advertisers. They don't have any correct information from me except for my name, and even that is a nickname, not my legal name.

    Just don't do it. Social media isn't worth the trouble.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  7. Re: Use a fake number by Darinbob · · Score: 3, Insightful

    Every time I use any different device or computer it complains that I logged in from an unknown device or computer. Even if I've used that computer or device many, many times in the past. Facebook and Google both don't seem to have a memory beyond 2 locations, and they seem to forget about these over time if there is no activity from a location.

    They both have major security holes in any case in that they want to save your password or provide a password-less login (every single damn time I go to Facebook it wants me to click the "remember me" for a password-less login).

  8. Re:Phoney! by Narcocide · · Score: 2

    Oh, I very much believe that the threat these 2FA advocates warn about is quite real. That doesn't mean Facebook has any intention of treating the situation as anything more than an opportunity to sell verified cellphone numbers to robo-callers and malware-distributors alike, of course. These two threats aren't mutually exclusive. In fact, they're very likely to be closely related.

  9. Blessing in Disguise by mentil · · Score: 4, Interesting

    Training people to be skeptical of SMS-based 2FA is good, because forced number porting is so trivial. Due to social engineering or policy, it's far too easy to steal someone's phone number or its associated mobile codes. Furthermore, most people have it set up to show texts when their phone is locked, which undermines the value of verification codes if their phone is stolen. Dongles or even biometrics are superior. An NFC dongle you could slip in your phone case could be a good compromise.

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
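The comment above prefers hardware tokens to SMS codes. The block below is an added example, not code from the Slashdot post or from any commenter: a server-side verifier for OATH-HOTP (RFC 4226), the event-based one-time-password algorithm that many hardware tokens implement, plus the time-based TOTP variant (RFC 6238) built on it. No phone number is involved anywhere, so there is nothing to port or to leak into a people-search setting. The look-ahead window, the replay check and the test secret are the only assumptions; the secret is the RFC 4226 test vector, not a real credential.

```python
"""Added example: HOTP/TOTP generation and a replay-safe HOTP verifier.
Not from the post or any commenter; uses only the Python standard library."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for a shared secret and an 8-byte big-endian counter (RFC 4226 section 5.3)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from time (RFC 6238)."""
    return hotp(secret, at_time // step, digits)


class HotpVerifier:
    """Server-side state for one enrolled token.

    The server remembers the next counter it expects. A submitted code is
    accepted only if it matches some counter in [next, next + look_ahead),
    which lets a token that was pressed a few times without submitting
    resync, while any counter at or below the last accepted one is refused,
    which is what defeats replay of an intercepted code.
    """

    def __init__(self, secret: bytes, look_ahead: int = 10, digits: int = 6):
        self.secret = secret
        self.look_ahead = look_ahead      # assumption: a small resync window
        self.digits = digits
        self.next_counter = 0             # RFC 4226 tokens start at counter 0

    def verify(self, submitted: str) -> bool:
        """Return True and advance the counter if the code is fresh and valid."""
        for candidate in range(self.next_counter, self.next_counter + self.look_ahead):
            expected = hotp(self.secret, candidate, self.digits)
            # constant-time comparison so a wrong digit does not leak by timing
            if hmac.compare_digest(expected, submitted):
                self.next_counter = candidate + 1   # never move backwards
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 Appendix D test secret (ASCII "12345678901234567890"); not a real key.
    test_secret = b"12345678901234567890"
    v = HotpVerifier(test_secret)
    print("first code accepted:", v.verify(hotp(test_secret, 0)))
    print("replay of same code:", v.verify(hotp(test_secret, 0)))
    print("current TOTP:", totp(test_secret, int(time.time())))
```

The known-answer values for the RFC test secret (755224 for counter 0, 287082 for counter 1) are what a deployment should check its implementation against before enrolling any real token; the verifier's refusal of an already-used counter is the property that SMS codes forwarded by a ported number do not give you.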
  10. Stop Caring About These "Abuses". by jddj · · Score: 4, Insightful

    Stuff like this isn't an abuse. Hell, it isn't even a dark pattern.

    THIS IS WHAT FACEBOOK WAS SET UP TO DO. IT'S SUCCESSFULLY EXECUTING ITS DESIGN.

    The solution is to have nothing whatsoever to do with Facebook, to the extent that is possible.

    Turn away from it, in the way you'd avoid a payday lender, a back-alley doctor, a furniture rental shop, or anyone else who has your ruin at heart, solely to advance their own interest.

  11. Re:Phoney! by markdavis · · Score: 2

    >"They want your phone number to more accurately ID you in advertising databases."

    And to sell your phone number to marketing companies that will then spam the s*** out of your phone, no doubt. Or use it to harass you themselves, for whatever purpose they like. And, of course, to make sure that anonymity dies. I have been warning people this was coming with "two factor authentication" schemes that have ONLY mobile phones as the "choice" for second factor. For most purposes, you should be able to use a land line (callback with voice prompt) or email address for such things... but somehow that is never allowed.

  12. Stop wasting phone number digits by thogard · · Score: 3, Informative

    The international standards allow US phone numbers to have 5 more digits, so turn them into extensions. That would give everyone 100,000 extensions that their phone or carrier could manage. Turn it on and default all 10-digit numbers to the original ten plus 00000. Work can have the ten plus 99999. Friends get their own number, which matches the last 5 of the number they use to call you. Everything else gets rejected.
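The routing rules the comment above describes, implemented as an added example that is not code from the post or the commenter. It assumes a 10-digit US number followed by a 5-digit extension, a constructed owner number and a constructed friends list; the "personal", "work", "friend:<name>" and "reject" labels are this example's own naming. Because the friend rule keys off the caller's number, the code treats the caller ID as an allowlist hint only: caller ID is asserted by the originating carrier and can be spoofed, so this filters nuisance calls, it does not authenticate callers.

```python
"""Added example: per-extension call filter for a 10+5 digit number scheme.
Not from the post; owner number and friends list below are constructed."""
from typing import Dict, Optional, Tuple

MY_NUMBER = "2125550100"                     # constructed sample owner number
FRIENDS: Dict[str, str] = {                  # constructed: caller number -> name
    "3105550123": "alice",
    "4155550199": "bob",
}


def digits_only(value: str) -> str:
    """Strip separators such as spaces, dashes and parentheses."""
    return "".join(ch for ch in value if ch.isdigit())


def split_dialed(dialed: str) -> Optional[Tuple[str, str]]:
    """Return (10-digit base number, 5-digit extension), or None if malformed."""
    d = digits_only(dialed)
    if len(d) != 15:
        return None
    return d[:10], d[10:]


def route_call(dialed: str, caller_id: str,
               my_number: str = MY_NUMBER,
               friends: Dict[str, str] = FRIENDS) -> str:
    """Decide what to do with an incoming call under the comment's rules.

    00000 -> the owner's original number ("personal")
    99999 -> the work extension ("work")
    any other extension -> accepted only if it equals the last five digits
                           of a known friend's own number ("friend:<name>")
    everything else     -> "reject"
    """
    parts = split_dialed(dialed)
    if parts is None:
        return "reject"                      # wrong length or junk input
    base, ext = parts
    if base != my_number:
        return "reject"                      # not addressed to this subscriber
    if ext == "00000":
        return "personal"
    if ext == "99999":
        return "work"
    caller = digits_only(caller_id)
    # Friend extensions are bound to the friend's own number, so a stranger
    # who learns an extension still needs to present the matching caller ID.
    if caller in friends and ext == caller[-5:]:
        return "friend:" + friends[caller]
    return "reject"


if __name__ == "__main__":
    for dialed, caller in [("212-555-0100-00000", "5555550000"),
                           ("212555010099999", "5555550000"),
                           ("212555010050123", "310-555-0123"),
                           ("212555010050123", "510-555-0123")]:
        print(dialed, caller, "->", route_call(dialed, caller))
```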