
Facebook accused of spamming 2FA phone numbers

Facebook is being accused of spamming people via the phone numbers they used to turn on two-factor authentication (2FA) and posting their “PLEASE STOP!!” replies to their walls.

Software engineer Gabriel Lewis noticed it late last month and told Facebook to please knock it off: a request that 1) Facebook’s systems ignored, merrily continuing to spam him and then 2) auto-posted to his wall.

Nobody’s sure if it’s a feature meant to drive engagement – is Facebook suffering separation anxiety over its recent traffic decline? – or if it’s a bug.

Facebook isn’t being very helpful in that department. Actually, from the sounds of the statement it’s sending to press, Facebook itself apparently doesn’t know. A Facebook representative told The Verge, for one, that it’s looking into the text notification issue.

We’re looking into this situation to see if there’s more we can do to help people avoid unexpected or unwanted communications.

Its statement says that users can refrain from using their phone numbers for its 2FA system and instead use a code generator (for example, Google Authenticator):

We give people control over their notifications, including those that relate to security features like two-factor authentication. We’re looking into this situation to see if there’s more we can do to help people manage their communications. Also, people who sign up for two-factor authentication using a U2F security key and code generator do not need to register a phone number with Facebook.

The Verge says it confirmed that this is happening with any reply to a Facebook 2FA text message. At least one user said on Twitter that Instagram has also spammed them with notifications to their 2FA phone number.

Lewis says he never opted in to notifications via text messaging to begin with, yet still, he and other sufferers have to put up with text spam.

As of Wednesday, some people were getting pretty steamed, with many insisting that this is clearly not a bug and accusing Facebook’s marketing of running amok.

Of course, simply insisting that something must be deliberate doesn’t make it so.

Whether it’s a bug or not, the situation isn’t helping the cause when it comes to information security. Matthew D. Green, who teaches cryptography at Johns Hopkins Information Security Institute, says the text messages look exactly like real 2FA login attempts. When they turn out to be marketing blather rather than real security alerts, they add to users’ decision fatigue, he said:

Despite the benefits, users are reluctant to switch on 2FA and the last thing they need is another reason not to.

I’m trying to get more details out of Facebook and I’ll update the story if I get them. In the meantime users might want to look at Facebook’s Code Generator for 2FA. Not only could it help with this feature/bug, it’s also a more secure form of 2FA than using SMS.

Source: Naked Security

Founder and Editor-in-Chief of 'Professional Hackers India'. Technology Evangelist, Security Analyst, Cyber Security Expert, PHP Developer and Part time hacker.
