For years Facebook claimed the adding a phone number for 2FA was only for security. Now it can be searched and there's no way to disable that.
@jeremyburge:
For years Facebook claimed the adding a phone number for 2FA was only for security. Now it can be searched and there's no way to disable that.
If you have a phone number, Facebook almost certainly has your phone number. If you have one friend who has you as a contact in their phone and they've installed Facebook, Whatsapp or Instagram with the default permissions, Facebook has your phone number.
I'm struggling to care all that much. This has been going on for a long time and it doesn't seem to have been a problem. Lots of people and companies know my phone number. I've had it nearly 20 years...
It's important in the same way all of Trump's lies are important - no one is surprised but we're adding to the tally in the hopes that one day it'll matter.
For many years, my phone number was published in the phone book!
Yeah, I also don't care about this. I hate Facebook for many other reasons, but this isn't one of them.
I think the difference here is that while you could request to be 'unlisted' in the phone books published by telephone companies, here Facebook is totally associated with telephone providers and displays your number regardless of your choice.
Though, if this event turns into a media storm like so many others, maybe they'll return the option to the users.
I hate that a "media shitstorm" is the only way to get major companies to remove some scummy things.
Being big doesn't have to mean being immoral, but if that's what it is...
The bigger they are, the bigger the force necessary to make them sway.
That's not my understanding of what's happening here. What I understood that twitter thread to be about (although reading twitter is a nightmare so I might have misunderstood) is that FB are allowing people who already have my number to find my FB profile using that number. They're not publishing my phone number for all to see unless I've explicitly allowed that on my profile. Which I have not, and I just checked - it's still set to display to "Only me" and loading my profile in another browser confirms that.
While this may seem trivial to a lot of people here, do remember that in many countries men look up numbers for women to simply harass them or send them dickpics.
While your number may have been in a phonebook 20 years ago, your phone could definitely not do everything it can do now. There are a lot of people out there with malicious intent and making numbers easily searchable only enables these people.
Allowing people to search with a phone number to find a person is not the same as publishing their number for all to see. I just looked around a selection of random people on FB and almost none of them had their numbers visible (those that did were all professionals who might want to be contacted via FB by clients). My understanding is that you can only find people for whom you already have a number, you can't find people's numbers unless that person has explicitly chosen to allow that.
I can't find anywhere saying FB are now publishing everyone's phone number by default.
Yeah. I am surprised by the reaction of a lot of people here.
this thread (which has more details than just the first tweet here, so please do read it since there appears to be some nuance to what's going on with this) doesn't seem like the best development! evidently, the only winning move with facebook was not to play in the first place, and the next best option was to get out before you had significant investment.
The third-best move is to stop now. Privacy is really, really hard though. You're likely never going to have privacy unless you're willing to make drastic changes in your life.
Yet another reason SMS-based 2FA needs to be phased out in favor of time-based one-time passwords. Personally I'd rather have 2FA disabled for a service than use an SMS method.
No, because texts can be intercepted. Reddit had a major breach last year because of it: https://old.reddit.com/r/announcements/comments/93qnm5/we_had_a_security_incident_heres_what_you_need_to/
Encryption, really. SMS messages aren't generally encrypted (IIRC) so they've always been a big failure point when it comes to 2FA. SMS 2FA was always a deeply compromised version of 2FA. App-based is immeasurably better.
That's a good reason for certain threat models, but information disclosure is an important second factor (ahem) to consider which applies to everyone. SMS-based 2FA requires you to disclose your cell number to the service provider. There are lots of cases where I want to secure my account, but don't want to share that info.
Edit: See TheJorro's comment about interception... that's what I thought you were referring to as spoofing, but they are two distinct things. SMS is just woefully insecure, all around.
Is it just that they're a public company and have a mandate to make as much profit as possible, or are they really all just sleazebags?
it's not so much that they're sleazebags so much as they're capitalists. it's just the nature of capitalism to do shit like this, regardless of whether or not there are outstanding considerations to be made like whether or not a corporation which already is notorious for being data hoarding and shit on privacy should really deserve access to people's phone numbers either through their volunteering of that information through 2FA or through other people being tangentially associated with those people and handing it over to facebook through contacts.
i feel like it goes without saying, but you just don't become a captain of the industry by being an ethical, morally principled person. capitalism generally rewards ruthless, soulless exploitation of people and the things they have that you can cash in on, of which phone numbers are just another for mark zuckerberg and facebook.