Monday, March 4, 2019

Facebook and Phone Numbers

Jeremy Burge:

For years Facebook claimed that adding a phone number for 2FA was only for security. Now it can be searched and there’s no way to disable that.

Facebook 2FA numbers are also shared with Instagram, which prompts you ‘is this your phone number?’ once you add it to FB.

The original FB phone number prompt never mentioned “and more”. It was shown for MONTHS before a link was added in September 2018 clarifying “actually we’ll use this wherever we damn well please”.

WhatsApp also shares phone numbers with Facebook

Facebook shares phone numbers with advertisers

Update (2019-03-05): Zack Whittaker (Hacker News):

Alex Stamos, former chief security officer and now adjunct professor at Stanford University, also called out the practice in a tweet. “Facebook can’t credibly require two-factor for high-risk accounts without segmenting that from search and ads,” he said.

Since Stamos left Facebook in August, Facebook has not hired a replacement chief security officer.

John Gruber:

The lesson some people are going to take from this is that enabling two-factor authentication is for suckers.

Nick Heer:

Ever since fears about SIM hijacking began spreading, some people have been claiming that using SMS-based two-factor authentication is worse than not using two-factor at all. I think that’s silly and myopic. It is worth noting that SIM hijacking is pretty easy for someone who has access — directly or indirectly — to a carrier’s SIM backend. But the circumstances under which someone’s phone number would be hijacked are pretty rare for the vast majority of us. People who are connected with low character count or high-valued social media accounts, higher-ranking employees, activists, journalists, wealthy individuals, and public figures are more susceptible to these kinds of attacks. Most of us, however, are not any of these things, and will likely benefit from using any kind of two-factor authentication. You should use a code generator or a hardware mechanism like a YubiKey wherever you can, but SMS authentication is not necessarily terrible, and is likely not worse than using no verification at all.


I can understand that many people are ignorant of these issues. However, there are many tech-savvy people who know this and apparently just don’t care. Why would anybody who knows this still have a Facebook account?

Even if you don't use a Facebook account anymore, and have never used Facebook Login for other sites, there are still other non-FB sites/apps that use Facebook as their backend for simple stuff like SMS auth (called "Account Kit"). So yes, let me repeat: if you've ever used Facebook, and gave them your phone number... even though you deleted your FB account, they are still tracking you via your phone number if the other services or apps that you use have implemented Facebook's Account Kit as a way to handle SMS codes for phone-based authorization. I can only assume that they have ways of tracking us via our email addresses too -- even when we are actively avoiding Facebook itself. We really need the US Gov to step in and make a law similar to GDPR. I think even the best people who follow this stuff have no idea how deep it goes.
