Two-factor authentication has been a near silver-bullet that prevents phishing attacks and online account thefts. It is very effective, as it provides the user a virtual “second password”, which disables the capability of account login procedure if not provided. It was very instrumental to security, that Google has no recorded incident of a phishing attack, as they have a mandatory 2FA device when working for the company.
Unfortunately, the Facebook’s version of 2FA is currently in hot water as the social media giant has been exposed for using the mobile numbers their users voluntarily disclose for 2FA being actively used to deliver targeted adverts as well. “We use the information people provide to offer a better, more personalized experience on Facebook, including ads. We are clear about how we use the information we collect, including the contact information that people upload or add to their own accounts. You can manage and delete the contact information you’ve uploaded at any time.” said the Facebook’s spokesperson.
When the user enables 2FA in Facebook, the security code is sent to the user’s mobile number. This is a very useful security blanket, especially in a situation that the password has been exposed to 3rd parties. Without the 2FA security code, the account thief cannot login successfully using the stolen account’s credentials.
“The researchers also found that if User A, whom we’ll call Anna, shares her contacts with Facebook, including a previously unknown phone number for User B, whom we’ll call Ben, advertisers will be able to target Ben with an ad using that phone number, which I call “shadow contact information,” about a month later. Ben can’t access his shadow contact information, because that would violate Anna’s privacy, according to Facebook, so he can’t see it or delete it, and he can’t keep advertisers from using it either,” explained Kashmir Hill, the Gizmodo reporter who first publicly exposed the Facebook 2FA fiasco.
Facebook’s spokesperson kept on insisting that the behavior is normal, and users accepted the Terms of Service, the moment they signed-in with their Facebook accounts. “People own their address books. We understand that in some cases this may mean that another person may not be able to control the contact information someone else uploads about them. It’s likely that he was shown the ad because someone else uploaded his contact information via contact importer,” added the Facebook’s spokesperson.
“I think that many users don’t fully understand how ad targeting works today: that advertisers can literally specify exactly which users should see their ads by uploading the users’ email addresses, phone numbers, names+dates of birth, etc. In describing this work to colleagues, many computer scientists were surprised by this, and were even more surprised to learn that not only Facebook, but also Google, Pinterest, and Twitter all offer related services. Thus, we think there is a significant need to educate users about how exactly targeted advertising on such platforms works today.” Alan Mislove of Northeastern University, one of the people who first discovered the FB 2FA controversy.
Facebook, in its Terms of includes a brief stipulation about its use of the mobile numbers provided by the user for their business interest, due to the lawyer-language of the document, it is not easily seen by a typical user. Facebook has been collecting a ton of personally identifiable information for more than a decade, and their business model requires them to sell targeted adverts in order for the social media site to remain afloat.