Pixel Envy

Written by Nick Heer.

Facebook Allows Users to Look Up Others With Their Two-Factor Authentication Phone Number, With No Opt-Out

Jeremy Burge:

For years Facebook claimed that adding a phone number for 2FA was only for security. Now it can be searched and there’s no way to disable that.

Facebook 2FA numbers are also shared with Instagram which prompts you ‘is this your phone number?’ once you add to FB.

Zack Whittaker, TechCrunch:

Last year, Facebook was forced to admit that after months of pestering its users to switch on two-factor by signing up their phone number, it was also using those phone numbers to target users with ads. But some users are finding out just now that Facebook’s default setting allows everyone — with or without an account — to look up a user profile based off the same phone number previously added to their account.

This isn’t just yet another example of Facebook behaving outrageously when it comes to the company’s pathological need to slurp up everything about its users’ every living moment. It also has the potential to reduce the likelihood that users will adopt two-factor authentication. Technically-literate people have been preaching two-factor authentication for a long time, but average users have been slow to enable it; if they get the impression that it’s yet another piece of data that creepy companies can use to track them, they will be even more hesitant.

Also, I’d like to address something about two-factor authentication that’s been bugging me for a while. Ever since fears about SIM hijacking began spreading, some people have been claiming that using SMS-based two-factor authentication is worse than not using two-factor at all. I think that’s silly and myopic. It is worth noting that SIM hijacking is pretty easy for someone who has access — directly or indirectly — to a carrier’s SIM backend. But the circumstances under which someone’s phone number would be hijacked are pretty rare for the vast majority of us. People who hold short-handle or high-value social media accounts, higher-ranking employees, activists, journalists, wealthy individuals, and public figures are more susceptible to these kinds of attacks. Most of us, however, are not any of these things, and will likely benefit from using any kind of two-factor authentication. You should use a code generator or a hardware mechanism like a YubiKey wherever you can, but SMS authentication is not necessarily terrible, and is likely not worse than using no second factor at all.

However, that is entirely theoretical, and there’s an enormous caveat you should be aware of: you may have loads of email accounts, and it’s trivial to create a throwaway one, but you probably only have one phone number. Therefore, it is critical that you only give your phone number to services and apps you really trust. Many unscrupulous apps will include your phone number in the information they send to data brokers and advertising companies like Facebook. You should, therefore, be extremely careful when providing your phone number anywhere. Treat it as you would a unique personal identifier, like a Social Security Number or a Social Insurance Number. Assume it has been compromised, but protect it nevertheless.