Facebook Is Using Your Two-Factor Authentication Phone Number to Target Advertising

From Kashmir Hill:

Facebook is not content to use the contact information you willingly put into your Facebook profile for advertising. It is also using contact information you handed over for security purposes and contact information you didn't hand over at all, but that was collected from other people's contact books, a hidden layer of details Facebook has about you that I've come to call "shadow contact information." I managed to place an ad in front of Alan Mislove by targeting his shadow profile. This means that the junk email address that you hand over for discounts or for shady online shopping is likely associated with your account and being used to target you with ads.

Here's the research paper. Hill again:

They found that when a user gives Facebook a phone number for two-factor authentication or in order to receive alerts about new log-ins to a user's account, that phone number became targetable by an advertiser within a couple of weeks. So users who want their accounts to be more secure are forced to make a privacy trade-off and allow advertisers to more easily find them on the social network.

Posted on October 2, 2018 at 5:53 AM • 21 Comments

Comments

Leonardo HerreraOctober 2, 2018 7:29 AM

Really sketchy, and nobody is really surprised. My first reaction was "well yes, of course they do this".

JulieOctober 2, 2018 7:44 AM

Didn't Facebook say that "users who were getting spammed with Facebook notifications to the number they provided for 2FA was a bug" like two month ago?

Joseph HillenburgOctober 2, 2018 8:29 AM

There are three options here, in increasing order of security posture.

1. Enable Facebook's TOTP support. Don't use their app for the TOTP codes. Use a third-party TOTP generator such as Google Authenticator, 1Password, etc.
2. Enable Facebook's FIDO hardware authenticator support (i.e. YubiKey.)
3. Delete your Facebook account.

David LeppikOctober 2, 2018 10:55 AM

This after it turns out that their "View as [other user]" was really "Login as [other user]" and could be exploited by Facebook apps to create Single Sign-On credentials for anyone in your network.

The workaround until they fixed it? Tell everyone in your network to turn on 2-factor authentication!

Clearly Facebook hasn't grown out of "move fast and break things" when it comes to breaking the Internet.

Mr. VerhartOctober 2, 2018 11:12 AM

"People just submitted it. I don't know why. They 'trust me'. Dumb fucks." -Mark Zuckerberg

CallMeLateForSupperOctober 2, 2018 11:14 AM

Delete your Facebook account(s). It's easy to do. Social media are not necessary for human existance, they are a construct, and a recent one to boot. (Amiright, Clive?)

When FB's user base is through the floor ... when FB's investors look for greener investments... when Zuckerschmuck's checks begin to bounce .... maybe then he will have an epiphany (I pray for a lightning bolt) and re-imagine his silly "app".


This looks interesting:
https://en.wikipedia.org/wiki/Solid_(web_decentralization_project)

John ThurstonOctober 2, 2018 2:00 PM

I'm glad someone is doing the research and documenting this. But to me, your title is a bit like announcing, "Water found to be wet!"

_Everything_ facebook gets from a user is facebook's to monetize. It doesn't matter how they got it, or how the user thought it might be used. Once they have it, they'll try to turn it into dollars.

I'll change my facebook password to 'IdigPurplePanties'. I predict by next week I'll see new items appearing in my "Suggested Products" list on Amazon.

k15October 2, 2018 2:53 PM

What does Twitter do with it? There are some features they won't let you use without giving it to them.

AlejandroOctober 2, 2018 2:53 PM

We all know Facebook = Liars. The problem is, they get away with it and other corporations follow their lead. And none are punished.

It's clear the federal government will not step in to save us or our electronic data. Maybe a few states will try, but the effort will be uneven. GDPR has merit in the EU, but not here.

The solution, if there will be one, must come from technical wizardly mixed with a great job of salesmanship. People need to be convinced their private data is their property, it's valuable and it's routinely used against them and abused by criminals, governments and corporations. And, there must be a simple, idiot proof, way to implement data privacy and security.

Will we ever see the day?

David MinchOctober 2, 2018 6:49 PM

From the article:

> So users who want their accounts to be more secure are forced to make a privacy trade-off

I’m extremely curious if the average user, who doesn’t follow privacy blogs, cares about this

Clive RobinsonOctober 2, 2018 7:13 PM

@ CallMeLate...,

Delete your Facebook account(s). It's easy to do. Social media are not necessary for human existance, they are a construct, and a recent one to boot.

I can not delete what I've never had... There is an old saying about "ducks" that can be reworded to,

If it looks like trouble,
It, squawks like trouble,
And it walks like trouble,
Why suppose it's not trouble...

The founder showed every sign of being a compleate "sexist twat" sociopath when at college, why think he's grown out of it or changed in any way except for the worse?

And guess what, psychologists and psychiatrists are saying that "social media" has all the hallmarks of being designed to trigger addictive personality traits many (around 4/5ths) have to varying degrees.

Now we have others that specialise in studying those who have been psychologically tortured by sleep deprevation and bright blue/white (hightemp cold light) saying that similar signs, symptoms and retinal damage are showing up...

So "Social Media" designed by sociopaths for those with adictive personalities to tourture themselves... What's not to like about it?

JackOctober 2, 2018 7:57 PM

Facebook seedmoney =
Peter Thiel/Palantir = In-Q-Tell = CIA

Why anyone would trust that spook-circus with anything is beyond me.

Clive RobinsonOctober 3, 2018 3:31 AM

@ Jack,

Facebook seedmoney = Peter Thiel/Palantir = In-Q-Tell = CIA

You forgot to add "+ Cambridge Analytica" after Palantir[1][2], which then gives you "+ election rigging" after CIA. But don't forget Eric Schmidt's daughter was also running around doing "Dadies business" here as well...

Oh but don't forget other US SpookWorks entities Peter Thiel's Palantir had a link up with the NSA[2] as well as slipping in highly invasive technology into several Law Enforcment entities via a backdoor to deliberatly evade both oversight and scrutiny by the representatives of the citizens being spyed upon[2].

Remember folks CA employrs anf sales pitchers actually boasted about "election rigging" as part of their sales speeches to many political undesirables who's money they took on quite large amounts[3]. So it was "fraud" which ever way you look at it.

But we also know that CA made or arranged other "money men" to get involved with election fraud[3]. Where hedge fund money was poured into subordinate organisations to spread fake news (what other things they got upto we may nrver know as the investigating authorities have gone mute on us).

Oh whilst CA is supposadly "no more" it looks like only in name, as other entities have been set up "to carry on the good work" of right wing extremists, one of which is Emerdata[4] which sounfs like a name to be watched.

[1] http://uk.businessinsider.com/emails-peter-thiel-palantir-facebook-cambridge-analytica-2018-3

[2] http://digg.com/2018/palantir-cambridge-analytica

[3] https://www.independent.co.uk/news/uk/home-news/cambridge-analytica-alexander-nix-christopher-wylie-trump-brexit-election-who-data-white-house-a8267591.html

[4] https://www.brit.co/the-people-behind-cambridge-analytica-have-started-a-new-company/

Tim#3October 3, 2018 4:50 AM

For resolving such privacy issues, is anyone looking at "Solid" that Tim Berners Lee is promoting? Any thoughts?

CallMeLateForSupperOctober 3, 2018 8:05 AM

@Clive
"I can not delete what I've never had..."

I know. Me too neither. :-) These things are frustrating enough when one's only possible response is swearing off "playing the game"; it's doubly frustrating when one can't even threaten to swear off, because he *doesn't* play the game.

Facebook in particular has been caught with their pants seriously on fire at least three times since 2017. Whatever they do in their little bubble, it isn't enough. So... I would not invest in the "enterprise", much less submit myself to being "feedstock" for it by way of having an account.

Tony H.October 3, 2018 12:15 PM

What's really annoying is that you can't sign up for FB 2FA using a TOTP token (which should be completely offline) without giving them an email address. You can "delete" the email address afterwards, but doubtless the fine print allows them to keep it "for security purposes" or somesuch.

JackOctober 4, 2018 12:36 AM

@Clive.. No, I didnt forget to mention CA, they look,walk and quack like a duck ALL of them, no matter what they claim to call themselves in the mainstream monopoly propaganda fake news media.
Orwell was wrong - reality is MUCH worse than 1948 and Animal Farm combined and squared..

JackOctober 4, 2018 12:40 AM

PS: I live in Europe, no need to lecture me about CIA rigging elections,it's been going on since the end of WW2.

DroneOctober 4, 2018 5:05 PM

Hah, my Bank was pushing me HARD for SMS 2FA. The moment I said yes, I got an SMS offer for a loan. I told them to unsubscribe me. They did, but only after a fight that almost became litigious.

MeOctober 9, 2018 8:38 AM

@ Tony H
"you can't sign up for FB 2FA using a TOTP token ... without giving them an email address"

That is what mailinator.com is for.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.