Facebook Is Using Your Number for More Than Just Security Purposes

March 07, 2019

In September 2018 Facebook admitted, following its previous request for users to switch on two-factor authentication (2FA) by signing up with their phone number, that it was using these numbers to target users with adverts. But new concerns have surfaced claiming that numbers added to use 2FA were now searchable by anyone on the platform.

The issue was brought to light by Emojipedia’s Jeremy Burge, who broadcast his opinion over Twitter. He said: “For years Facebook claimed … adding a phone number for 2FA was only for security. Now it can be searched and there’s no way to disable it. Using a phone number to sign up for services has been the single greatest coup for the social media and advertising industries. One unique ID that is used to link your identity across every platform on the internet. That is why every startup wants your phone number.”

By default, Facebook sets its phone number search to everyone – in other words, anyone with your phone number can search for you. While you can’t turn this off completely, you can change your preferences to ‘friends’ or ‘friends of friends’. This misleading security measure extends to Facebook’s sister services, such as Instagram, and advertisers.

The latest criticism arose after Jeremy was required to enter his phone number on Emojipedia’s Facebook page because of its high number of followers; it was this prompt that escalated his frustration over how Facebook deals with users’ data.

This collection of images was posted in a viral Tweet by Emojipedia’s Jeremy Burge through his personal Twitter account, which has so far reached more than 22,000 Twitter users. The snapshots further back up his explanation.

Source: Jeremy Burge Twitter

Facebook Responds

Addressing Jeremy’s claims, in a statement, Facebook said: “We’ve been hearing questions about two-factor authentication and phone number settings on Facebook. Two-factor authentication is an important security feature, and last year we added the option to set it up for your account without registering a phone number. Separately, the ‘Who can look me up?’ settings are not new and are not specific to two-factor authentication. 

“In April 2018, we removed the ability to enter another person’s phone number or email address into the Facebook search bar to help find someone’s profile. Today, the ‘Who can look me up?’ settings control how your phone number or email address can be used to look you up in other ways, such as when someone uploads your contact info to Facebook from their mobile phone. We appreciate the feedback we’ve received about these settings and will take it into account.”

It is not the first time Facebook has come under fire for violating data privacy. In February, the UK Digital, Culture, Media and Sport Committee stated in a report that a collection of internal Facebook emails it had assessed indicated that the platform had ‘intentionally and knowingly’ violated both data privacy and anti-competition laws.

In the same month, a New York governor ordered two state agencies to investigate a media report into Facebook, in the belief that the platform was accessing far more personal information, such as health data, from mobile devices than previously known.

Don’t give up on 2FA just yet

Because your password alone is no longer enough to secure access to your accounts and systems, 2FA is a vital layer of security. For those who haven’t activated 2FA, you can now set it up through authenticator apps like Google Authenticator, an option that was brought into play in May 2018.

But is 2FA Enough?

With 2FA becoming nearly a decade old, we believe multi-factor authentication (MFA), which uses several forms of authentication for more robust security, should become mandatory in enterprise, especially following a report by CSO which claims that passwords have accounted for 81 per cent of data breaches in the past few years.

In fact, the move to multi-factor authentication is one of our 9 Cyber Security Predictions for 2019. MFA significantly reduces the risk of an unwanted party accessing your most important systems, adds a layer of security that is hard to breach and meets user demand for a simple sign-in process.
