Facebook’s 2FA Sham: Users Are Yet Again Exploited
Most web users have begrudgingly gotten used to the two-factor authentication (2FA) process that’s supposed to protect online accounts.
Facebook’s 2FA process is under fire because, like so many other snafus that come with being on Facebook, there is more to it than meets the eye.
Hell started to break loose over Facebook’s 2FA process on Friday with a tweet from Emojipedia founder Jeremy Burge. He warned that people who hand their phone numbers to Mark Zuckerberg’s platform as part of the 2FA setup are, in effect, handing that number to the world.
With a little time and effort, anyone can find a user’s profile from the very number that user gave the world’s largest social media platform for security purposes. And best of all, Facebook won’t let you opt out of the lookup!
Clearly, that’s enough to drive a madman sane, but whether it’s enough to make Facebook give a damn remains an open question.
Another Step In Ruining Trust
2FA is embraced by many who want to protect their accounts from being hacked. Many would not think twice about providing their phone number so that they are notified immediately if someone else tries to access their account.
On that same note, few would think that the trusty two-step process would end up in the hands of advertisers. That’s exactly what can happen with Facebook.
Here’s the tweet that Burge posted that set in motion Facebook’s latest headache.
For years Facebook claimed that adding a phone number for 2FA was only for security. Now it can be searched and there’s no way to disable that. pic.twitter.com/zpYhuwADMS
— Jeremy Burge 🐥🧿 (@jeremyburge) March 1, 2019
Facebook users are used to being able to opt out of the platform’s various features, including hiding the phone numbers they add to their profiles.
The relevant control here is the “Who can look me up?” setting, which decides who can find a profile from its phone number. It can be left at “everyone,” narrowed to “friends of friends,” or narrowed further to “friends.” What it cannot be set to is “nobody”: there is no option to turn phone-number lookup off entirely.
Those who leave the setting on “everyone” leave the door open for anyone to look them up by phone number, strangers and advertisers included.
Weaponizing Phone Numbers To Monetize Users
Facebook continues to show that nothing is off limits when it comes to its quest to make money.
Even its former security chief, Alex Stamos, took the company to task over its 2FA process.
Via Twitter Saturday, he said:
This is why tech companies need somebody advocating for security as a first-class goal in product, which is a different function than good security engineering. FB can’t credibly require 2FA for high-risk accounts without segmenting that from search & ads. https://t.co/CzDyuRInBU
— Alex Stamos (@alexstamos) March 2, 2019
To TechCrunch, Jessy Irwin, head of security at the blockchain company Tendermint, said:
If people feel like they can’t trust the tools they use when they try to do things that are good for their security, they just stop doing it. There should be some things that are treated as sacred, especially when we talk about improving account security.
Warning Bells Rang Months Ago
Researchers at Northeastern University and Princeton had already reported in 2018 that the phone numbers users gave Facebook for 2FA “became targetable by an advertiser within a couple of weeks.”
So users who want their accounts to be more secure are forced to make a privacy trade-off and allow advertisers to more easily find them on the social network.
Facebook: Users Knew We Were Doing This
In a relatively nonchalant statement about the 2FA settings, Facebook said:
[they] are not new and are not specific to two-factor authentication. In April 2018, we removed the ability to enter another person’s phone number or email address into the Facebook search bar to help find someone’s profile.
Today, the ‘Who can look me up?’ settings control how your phone number or email address can be used to look you up in other ways, such as when someone uploads your contact info to Facebook from their mobile phone. We appreciate the feedback we’ve received about these settings and will take it into account.
See thread! Using security to further weaken privacy is a lousy move—especially since phone numbers can be hijacked to weaken security. Putting people at risk. What say you @facebook? https://t.co/9qKtTodkRD
— zeynep tufekci (@zeynep) March 2, 2019
Well, I Guess That’s Settled Then, Eh?
With that statement, it appears Facebook is not moving to immediately do anything about this. Why would it?
Facebook basks in the glory of having more than two billion users around the world. These people are so enamored with the platform that a series of privacy mess-ups on the company’s part has not moved them to close their accounts.
People make everything in their lives a Facebook moment; their posts range from “arriving at the doctor” to “my husband left me.” Many clearly do not care about advertisers having access to their profiles and the like.
No matter, the question remains: are these tactics, even when revealed, enough to drive people away?
Investors don’t appear to be spooked either.