Facebook's 2FA 'Security' Practices Violate User Privacy
By John P. Mello Jr.
Mar 5, 2019 10:56 AM PT
Facebook has undermined privacy on its network by exposing mobile phone numbers provided to secure user accounts through two-factor authentication. That's because anyone can use the numbers to look up a user's account. One doesn't even have to be a Facebook member to do so.
Moreover, there's no way to opt out of the setting, although it can be limited to "friends" only.
The security gaffe came to light Friday when Jeremy Burge, a UK entrepreneur, posted this tweet:
For years Facebook claimed that adding a phone number for 2FA was only for security. Now it can be searched and there's no way to disable that. pic.twitter.com/zpYhuwADMS
The alert triggered responses that ranged from concern to outrage, including this tweet by Zeynep Tufekci, an associate professor at the School of Information and Library Science at the University of North Carolina, Chapel Hill:
See thread! Using security to further weaken privacy is a lousy move, especially since phone numbers can be hijacked to weaken security. Putting people at risk. What say you @facebook? https://t.co/9qKtTodkRD
The settings that expose user accounts through the phone numbers are "nothing new" and they apply to any phone number added to a profile, said Facebook spokesperson Jay Nancarrow, according to a TechCrunch report.
Facebook did not respond to our request to comment for this story.
Just a Bug
Two-factor authentication is a technique for securing online accounts. When a user logs into an account, in addition to their username and password, a one-time code is sent -- typically in an SMS text message to a mobile phone -- and must be entered before access is granted. The code is a second layer of protection: a stolen or guessed password alone is not enough to get in.
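The article describes SMS delivery of the code, which is exactly what ties the second factor to a phone number. The same second-factor property can be obtained from a code computed on the user's device from a shared secret (RFC 4226 HOTP and RFC 6238 TOTP, the scheme used by authenticator apps), which involves no phone number at all and so leaves nothing to repurpose for lookup or advertising. The following is an added example, written for this page and not code from the article or from Facebook; it uses only the Python standard library, and the secret and timestamps are the published RFC test values, not real credentials.

```python
import hmac
import hashlib
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HMAC-based one-time password for a given 64-bit counter."""
    msg = struct.pack(">Q", counter)  # counter as 8-byte big-endian
    digest = hmac.new(secret, msg, getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation: low nibble of last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 time-based one-time password: HOTP over a time-step counter."""
    return hotp(secret, unix_time // step, digits, algorithm)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                last_used_step: int = -1, window: int = 1,
                step: int = 30, digits: int = 6) -> Optional[int]:
    """Server-side check of a submitted code.

    Accepts the code for the current time step and up to `window` steps of
    clock skew on either side, compares in constant time, and refuses any
    step at or before `last_used_step` so a captured code cannot be replayed.
    Returns the matching step (to be stored as the new last_used_step) or None.
    """
    if len(candidate) != digits or not candidate.isdigit():
        return None
    base_step = unix_time // step
    for skew in range(-window, window + 1):
        candidate_step = base_step + skew
        if candidate_step < 0 or candidate_step <= last_used_step:
            continue
        expected = hotp(secret, candidate_step, digits)
        if hmac.compare_digest(expected, candidate):
            return candidate_step
    return None


# Shared secret and timestamps from the RFC 4226 / RFC 6238 test vectors
# (constructed example values, not a real account).
RFC_SECRET = b"12345678901234567890"


def main() -> None:
    print("HOTP counter 0:", hotp(RFC_SECRET, 0))            # 755224
    print("TOTP at t=59 (8 digits):", totp(RFC_SECRET, 59, digits=8))  # 94287082
    now = int(time.time())
    code = totp(RFC_SECRET, now)
    print("TOTP now:", code, "accepted step:", verify_totp(RFC_SECRET, code, now))


if __name__ == "__main__":
    main()
```

Authenticator apps usually show the secret as base32 during enrollment; `base64.b32decode` turns that string into the `secret` bytes above. The `last_used_step` bookkeeping matters as much as the HMAC: without it, anyone who sees the code during its 30-second validity (over the shoulder, or via an intercepted SMS in the phone-based variant) can reuse it.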
After Facebook introduced 2FA, it relentlessly encouraged its users to adopt it. Concern over its users' security apparently wasn't the only reason for the social network's enthusiasm for 2FA.
Facebook was using phone numbers supplied for 2FA to target advertising at users, according to reports in TechCrunch and Gizmodo.
"It was not our intention to send non-security-related SMS notifications to these phone numbers, and I am sorry for any inconvenience these messages might have caused," Facebook Chief Security Officer Alex Stamos wrote in an online post. "This was not an intentional decision; this was a bug."
Nevertheless, if a user has 2FA enabled, anyone who obtains the number associated with 2FA can use it to look up and confirm the user's profile.
"Two-factor authentication is usually recommended to users as a security measure to see if someone else logged into their accounts," explained Alexander Vukcevic, director of protection labs and quality assurance at Avira, a security software company in Tettnang, Germany.
"Yet when the feature is being misused by any service, it also leaves the possibility for third parties to look up users' sensitive data, and even worse, allow them to be exposed to different threats such as phishing attacks," he told TechNewsWorld.
"Asking for something as private as your mobile number under the guise of security, and reusing it for advertising and search, is about as wily as it gets," observed Shane Green, U.S. CEO of Digi.me, a personal data management service in Washington, D.C.
"It points to the complete ethical rot at the top of the company that employees and managers could ever think something like this is acceptable," he told TechNewsWorld.
Facebook's phone number fiasco could have general consequences for consumer security, Green noted.
"It absolutely hurts the willingness of people to improve their security by undermining trust," he said. "That's one of the great tragedies of something like this. The consequences reverberate well beyond Facebook. It could be a consumer's bank or health data, next time, that wasn't properly protected."
Ironically, Stamos said as much: "The last thing we want is for people to avoid helpful security features because they fear they will receive unrelated notifications."
Data Mining Uber Alles
This latest social network contretemps is classic Facebook, said John Carroll, a media analyst for WBUR in Boston.
"They will do anything to data mine their 2.2 billion users. They have absolutely no shame in manipulating people's information to the company's advantage," he told TechNewsWorld.
"Despite the incessant apology tours that they go on, they never essentially change the nature of what they're doing," Carroll pointed out.
What's more, when a gaffe is exposed, Facebook places the burden on the user -- or, as in the case of 2FA phone numbers, the company acts dismissively.
"Facebook didn't even bother to mount a defense this time," Carroll observed. "They just said this has been around for a while, as if they were a politician dismissing something as old news so they don't have to address it head on."
As incidents of privacy abuse mount, Facebook could be courting risk for itself and its advertisers.
"Facebook is gambling on its ability to avoid regulation, especially in the U.S.," Carroll said.
"What's protecting them is the incredibly complex infrastructure that they've constructed," he told TechNewsWorld.
"You wonder if politicians in the U.S. Congress have the slightest idea of how any of this works, and the extent to which Facebook is sucking up data to sell to advertisers at an accelerating pace," Carroll said. "If they can't understand it, there's no way they can engineer meaningful safeguards."
Although Facebook has been in and out of hot water with politicians and regulators in the past, this latest kerfuffle may be different.
"This does stand apart from many of the concerning revelations at Facebook. It is just so clearly deceptive and wrong," Digi.me's Green said.
"I imagine regulators in Europe and even the U.S. will have far harder questions for Facebook as a result," he continued, "and even though their quarterly advertising growth numbers are still healthy, this is definitely chipping away at the trust of advertisers."
If the privacy flaps don't encourage advertisers to take their business elsewhere, the changing demographics of the social network may do it.
"Among young people, the group most inclined to use Facebook is lower-income young people," said Karen North, director of the Annenberg Online Communities program at the University of Southern California in Los Angeles.
"Why are people leaving? Part of it is they're seeking new experiences, but part of it is Facebook is no longer the trusted, friendly community it was," she said.
"People talk about Facebook now in terms of its advertising and exploitation," North told TechNewsWorld.
"It also seems to be tone deaf," she added. "After being under fire for privacy and meddling issues, you'd think it would stay away from anything that had the appearance of impropriety. But it hasn't."
John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News.