Uproar Over Facebook 2FA Privacy Violation
Facebook has been caught red-handed again—so say privacy wonks. They accuse Zuckerberg’s crew of misusing phone numbers given to it for use in two-factor authentication.
Said wonks say Facebook is sharing the data with Instagram and WhatsApp to secretly link your profiles together. And that it lets miscreants look you up by your phone number, subjecting your identity to stalking, social engineering and other malicious awfulness. Facebook is also accused of violating GDPR, for using the numbers without consent.
Yet Facebook spokesdroids are unrepentant. In this inaugural SB Blogwatch, we phone a friend.
Your humble blogwatcher curated these bloggy bits for your entertainment, not to mention: alt tech history …
Zuckerberg’s Phone Follies
What’s the craic, Zack Whittaker? “Facebook won’t let you opt-out of its phone number ‘look up’ setting”:
Users are complaining that the phone number Facebook hassled them to use to secure their account … has also been associated with their user profile — which anyone can use to “look up” their profile. [It] allows everyone — with or without an account — to look up a user profile based off the same phone number.
…
Worse, Facebook doesn’t give you an option to opt-out. … Although users can hide their phone number on their profile so nobody can see it, it’s still possible to “look up” user profiles. … There’s no way to hide it.
…
Facebook spokesperson Jay Nancarrow told [me] the settings “are not new.” … If a user doesn’t like it, they can set up two-factor without using a phone number.
Ouch. Connor Jones says this isn’t the first time we’ve heard complaints like these:
[Facebook] encourages its users to set up 2FA account protection which requires a phone number. This isn’t necessarily a bad thing.
…
The real kicker here is that Facebook takes the phone number [and] ties it to your account [so] the number can be used to find your profile. … 2FA and enhanced account security are taken seriously. … Some think that using a trusted security measure to violate the privacy expectations of users is a step too far.
This all started with an epic tweet thread rant from Jeremy Burge:
For years Facebook claimed the adding a phone number for 2FA was only for security. [But] Facebook 2FA numbers are also shared with Instagram. … WhatsApp also shares phone numbers with Facebook. [And] Facebook shares phone numbers with advertisers.
…
The original FB phone number prompt … was shown for MONTHS before a link was added in September 2018 clarifying “actually we’ll use this wherever we **** well please”.
…
Using a phone number to sign up for services has been the single greatest coup for the social media and advertising industries. One unique ID that is used to link your identity across every platform.
…
It’s shocking that this one number is used for usernames, authentication (2FA), advertising tracking, geolocation and more. And it’s the same piece of info you have to give to a random plumber.
…
Facebook [said] in 2018 it would disable ‘lookup by phone number’. [So] either the 2018 statement is misleading or the current settings page is misleading.
…
TL;DR: Login-with-Phone-Number is the new Login-with-Facebook. Easy to track, shared between services, it’s the key to invisible mesh of your data. Don’t do it.
How long has this been going on? Ben Lovejoy clarifies—“Second problem found with Facebook 2FA security: phone numbers are searchable”:
He noted that while Facebook now says that your phone number will be used ‘to help secure your account and more’ – with a link to further details – the two words … were added only in September of last year. … The number is additionally shared with Facebook-owned WhatsApp and Instagram.
…
Our advice remains to use apps, rather than phone numbers, for 2FA whenever possible.
Apps such as? Abhimanyu Ghoshal suggests three:
That’s just all kinds of ******. … The company comes across as obtuse about the potential dangers and the invasiveness of allowing anyone to confirm your identity with your phone number on the platform.
…
You can actually avoid giving your number to Facebook without ditching the additional security that 2FA affords you. … The easiest way is to use an authentication app that doesn’t rely on your phone number, like Google Authenticator, Microsoft Authenticator, or Authy. … It’s better than SMS-based authentication, because it can’t be hijacked by an attacker.
…
Of the lot, I prefer Authy, because it lets you sync your 2FA codes across your devices, and that’s essential for me because I switch phones often. … The other two work well, but don’t allow you to sync codes.
What’s the threat model? Jen Thorpe quotes some examples:
This could lead to some very dangerous situations. A person who has left an abusive partner, or an abusive family situation, might have to worry about those people finding their Facebook account. Activists who engage in protecting people’s civil rights may also be in danger.
…
Facebook told users that attaching their phone number to their account would make it safer. That simply isn’t true.
And here’s another potential privacy pitfall, from potatofarmer45:
This will make keeping your social media private during recruiting much much harder because rather than trying to search for your name on FB or your email, an interviewer can just search your listed contact number. Names are often not unique but phone numbers are.
“Attorney and marmot fan” Preston Byrne calls it a 10-digit security hole:
Facebook has just created a massive security hole which exposes every single one of its users to life-alteringly-****** hacks. I’m frankly astonished nobody internally at that company thought about this before pushing this feature.
…
Your average workaday user who is even a little security minded will use their cell phone to do two-factor authentication for their Facebook login, but will also use the same cell phone for every other two-factor login they have, including, for example, their e-mail account or their bank. This is not an intelligent approach to security, as using cell phones for two-factor authentication is … not even remotely secure … because cell phone companies are run by idiots.
…
This is not a theoretical problem. … Over and over again last year, people got their phone numbers ported. The hackers logged in to all of their accounts. The hackers took all of their stuff. Lather, rinse, repeat.
…
To be blunt … Facebook has compromised the security of every individual user. … The engineering boffins over at FB are almost totally blind to the risk they’ve just created for hundreds of millions of users.
…
We all need to seriously re-evaluate our relationship with Facebook or any other … service that asks us for our mobile phone numbers.
Anytime a social-media privacy hole is disclosed, there’s always one wag who acts like Albin here:
I can’t believe anybody ever thought giving their phone number to any social media service would send it anywhere except everywhere.
… or like superkuh:
There is an easy way to opt-out. Stop using Facebook.
…
These constant articles are like watching someone stick their hand on a hot stove and complain over and over that it hurts. But try suggesting they take their hand off the burner and nope, freak outs.
…
If people don’t like the way things are then they have to be the change. Facebook is not going to change as its business model is based on selling its users.
Ah, the old “you are the product” defense? ascorbic looks acidly across the pond: [You’re fired—Ed.]
This is surely a breach of GDPR. … Data must only be used for the purpose for which it was collected.
Taking a number provided explicitly for 2FA and using it for search certainly sounds like a breach.
Meanwhile, jamisteven told ya so:
Been warning people about this for years.
…
It’s what’s known in intelligence circles as “linkability”. The more points of verification, the better a profile can be built to associate an actual identity with an email address, screen name, username, alias, etc. Snowden warned everyone about this; nobody listened.
And Finally …
What if we had folding phone screens in 1999?
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums and weirdest websites so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.
Image source: AT&T, via Prelinger Library and the Internet Archive (in the public domain)