Facebook is in hot water again.
Facebook? Do people still use that thing?
I know, I’m surprised too.
So what have they done this time?
Well, if you gave Facebook your phone number in order to enable SMS-based two-factor authentication (2FA) on your account, other people can find your profile just by searching for your phone number.
Woah! SMS-based 2FA? What’s that?
Welcome to the twenty first century, Grandpa. Two-factor authentication (2FA) is one of the primary ways you stop your online accounts from being hijacked by criminals who manage to guess, steal, or work out your passwords.
Typically, you enter a six digit security code that is sent to your phone via SMS, or is generated by a smartphone app. The idea is that a hacker might know your password – but they don’t know the six digit security code. And because the security code changes every 30 seconds or so, even if they did find it out – they would be hard pressed to make use of it.
2FA isn’t perfect, but it definitely makes it harder for bad guys to break into your accounts.
So people gave Facebook their phone number so they could receive their six digit 2FA code, and Facebook…
…and Facebook let anyone look up the owner of that particular phone number just by entering it. Despite that phone number only being given for the purposes of enhancing security.
Hasn’t Facebook already been exposed for doing this?
You’re probably thinking about a few months ago, when researchers discovered that Facebook was allowing companies to target adverts at individuals by exploiting the phone numbers that were only given to enable 2FA.
No, I’m thinking of something else…
Well, perhaps you’re thinking of the time when Facebook admitted it had sent unwanted non-security-related SMS messages to phone numbers that had been given to it by users solely for the purposes for enabling 2FA for heightened security.
No, that’s not it. I remember something else to do with Facebook and phone numbers that didn’t involve 2FA.
Ahh. You’re probably remembering that until last year, simply entering someone’s phone number or email address into Facebook’s search box would perform a reverse look-up and tell you who it belonged to, displaying any information that individual shared publicly on their Facebook profile. After years of being abused, Facebook eventually decided to disable the feature.
So what’s the issue now?
Like I said, the issue is that Facebook is allowing the phone numbers that users entered solely for the purposes of heightening their online security (by enabling 2FA) to be used in reverse look-ups.
And what’s the danger in that?
If someone found out your phone number (perhaps you left a message on their answering machine, or they saw that you had called them) they could find out your name, see your profile picture, and any other information that you had made public.
Oh, and you didn’t explicitly given Facebook permission to use your phone number in that fashion. You gave Facebook your phone number in the hope that you were enhancing your privacy, not reducing it.
But surely they’ve given users who’ve enabled 2FA a way to opt-out of having their phone number available for a reverse look-up?
Firstly, that isn’t the way it should work – the onus should be on Facebook asking you to opt in for less privacy, rather than you having to opt out. Of course, this kind of behaviour is the norm for Facebook…
…but to answer your question, no there isn’t a way to opt-out. The best you can do is change your privacy settings to limit reverse look-ups to people who are your “Friends.”
Shouldn’t there be a “No one” option there?
Yes, and it should be enabled by default. Facebook, however, chose the default to be “everyone”.
I heard that SMS-based 2FA isn’t that great anyway
It’s not as secure as 2FA that uses an authentication app, but SMS-based 2FA is a heck of a lot better than no 2FA at all.
Does Facebook offer app-based 2FA?
So, folks should enable app-based 2FA on their Facebook accounts instead?
That’s one option.
What’s another option?
Well, you could always delete your Facebook accounts. It’s potentially too late because god knows who has already scraped your personal information off Facebook, and what they might be doing with it…
Frankly, if you haven’t yet spotted Facebook’s pattern of behaviour after this many years, I wonder if you ever will. Be sensible, walk away.
We made a “Smashing Security” podcast all about how to quit Facebook. Give it a listen, and maybe try quitting Facebook for yourself. It’s quite liberating.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.