
Oh good. Facebook gives advertisers your two factor authentication phone number.

<< They found that when a user gives Facebook a phone number for two-factor authentication or in order to receive alerts about new log-ins to a user’s account, that phone number became targetable by an advertiser within a couple of weeks. >>

gizmodo.com.au/2018/09/faceboo

@natecull this seems double bad in the face of, uhhhhhh, sim hijack attacks and stuff????? and, like, the wild copious security of phone 2fa?

gawd

@natecull

Next week: Facebook hacks your device cameras to get nudes which it then sends to advertisers.

Following week: Facebook breaks into your house, scans your teenage diaries and sends them to your old bullies to chuckle over.

Week 3: Facebook steals samples of your DNA and sells it to cloning labs.

Week 4: Facebook secretly copies your fingerprints and puts them in sex offender databases.

@natecull

You've got to wonder at what point -- after the now countless mainstream articles revealing FB's deplorable business -- does FB shrivel up and die.

But then the world thought the same thing back in early 2016 as they watched tRump up his bar, one shocking and inconceivable event after another, to election, and then some.

The signs don't bode well for the 'save the planet from climate disaster' imperative, let alone FB folding.

@natecull glad i didn't use my phone number. i use anOSP for that kind of stuff.

@trwnh @kev @switchingsocial

I actually just assumed Facebook and every other site was doing this with 2FA phone numbers, which is why I avoid 2FA wherever possible.

Seems my assumption was right, but a lot of other people seem shocked by this.

I mean it's a fundamental fact of life on the Net that if you give someone some data, they now have that data.

A lot of people seem to want and believe this not to be the case, which seems a bit like wanting and believing water to not flow downhill.

@trwnh @kev @switchingsocial

(GDPR seems all about trying to enforce through strongly worded law that water shall not and must not flow downhill, which, good luck I guess.)

@natecull You avoid 2fa where possible? Really? Even when it’s an OTP app and they don’t need your phone number?

@trwnh @switchingsocial

@kev @trwnh @switchingsocial

Yes. I don't currently have a smartphone that can run authenticator apps.

@natecull @kev @trwnh @switchingsocial If only there was some sort of small hardware token that could help with situations like this ... yu bi the first to try it?

@natecull @kev @switchingsocial i have totp in enpass which works on win/mac/linux/ios/android btw. using totp or u2f in general wherever supported is much better than having to whip out your phone and check an sms, and it doesn't require a phone number. or a phone.

@natecull @kev @trwnh @switchingsocial Maybe a desktop application?

Though, if you're somewhere away from home... :s

@natecull @trwnh @kev

This kind of news is perhaps more significant for people (especially lawmakers) who *don't* make that assumption suddenly being forced to reassess their view of Facebook etc.

A lot of people, rightly or wrongly, assume the best about a company or organisation they depend on in some way. They are more likely to listen to warnings when they are accompanied by evidence of wrongdoing.

(Also, evidence makes lawsuits and prosecutions more likely.)

@natecull @trwnh @kev @switchingsocial @jalcine You don't need to avoid #2FA, moreso avoid 2FA that uses SMS, which is susceptible to hacks (my number was stolen to get my Instagram handle). Token-based second-factor apps are great. I use Authy.

I've used KeePassX, Authy, LastPass, and I'm now on 1Password. I'd rate them in roughly that order as far as usability goes, worst to best, with 1Password being the best, albeit also the most expensive. (It also now supports Linux, which it didn't previously, hence my not using it previously.)

Key feature: 1Password has TOTP 2FA integrated into the main application and form filler.

@mathew I love 1Password. We just deployed it at my company as well thanks to the teams capability. I still use Authy for 2FA token generation, though. I'm still skittish about having all eggs in one basket.

@editor I have my 2FA token seeds in Authy and LastPass Authenticator as well, just in case.

@natecull only the truly naive would ever think otherwise. Good to know I'm not crazy. This shit should get even worse for people to actually pay attention. I'm glad it's like this.

@natecull 2018 is in the link so, not news? But don't remember reading about it. Oh well.

@natecull

holy fucking fuck

so glad I drew the line and cut the FB from my life

@natecull

(family was 😢 but I know they don't really like me much anyway, and so we're really all better off not interacting)

@natecull This is why I'm so bugged that outfits like The Register insist on pushing 2-factor auth despite the fact that it includes stuff like my goddamn phone number, and that evil-ass outfits like Facebook are involved.

@flugennock @natecull 2FA doesn't need to involve your phone number. In fact, to be secure, it shouldn't. I refuse to use any 2FA system that demands a phone number. And ironically, you can now set up 2FA on Facebook without a phone number, finally, so I've done so.

@natecull
It's beyond me why people still can't understand that a phone number IS NOT A FACTOR at all. It's just a way to bind your account to your identity.
So the rule of thumb here is simple: some site tries to pry your phone number as a second factor "for your security"? Fuck this shit.

@natecull Technically they are not giving the number away to advertisers, as far as I can read in the article.

An advertiser who already has the number can target that number on the system.

I do not necessarily support this practice, just think it is important to speak about what actually happens.

That the advertiser might be able to connect the dots is a problem, but a different problem than Facebook simply giving them numbers.
