Facebook accused of spamming 2FA phone numbers
Facebook is being accused of spamming people via the phone numbers they used to turn on two-factor authentication (2FA) and posting their “PLEASE STOP!!” replies to their walls.
Software engineer Gabriel Lewis noticed it late last month and told Facebook to please knock it off: a request that 1) Facebook’s systems ignored, merrily continuing to spam him and then 2) auto-posted to his wall.
So I signed up for 2 factor auth on Facebook and they used it as an opportunity to spam me notifications. Then they posted my replies on my wall. 🤦♂️ pic.twitter.com/Fy44b07wNg
— Gabriel Lewis 🦆 (@Gabriel__Lewis) February 12, 2018
Nobody’s sure if it’s a feature meant to drive engagement – is Facebook suffering separation anxiety over its recent traffic decline? – or if it’s a bug.
Facebook isn’t being very helpful in that department. Actually, judging by the statement it’s sending to the press, Facebook itself apparently doesn’t know. A Facebook representative told The Verge, for one, that it’s looking into the text notification issue:
We’re looking into this situation to see if there’s more we can do to help people avoid unexpected or unwanted communications.
Its statement says that users can refrain from using their phone numbers for its 2FA system and instead use a code generator (for example, Google Authenticator):
We give people control over their notifications, including those that relate to security features like two-factor authentication. We’re looking into this situation to see if there’s more we can do to help people manage their communications. Also, people who sign up for two-factor authentication using a U2F security key and code generator do not need to register a phone number with Facebook.
The Verge says it confirmed that this is happening with any reply to a Facebook 2FA text message. At least one user said on Twitter that Instagram has also spammed them with notifications to their 2FA phone number.
Facebook is also abusing 2FA contact details for Instagram spam. https://t.co/u9njcm9HT1 pic.twitter.com/8f4of7uBZ5
— Nick Heer (@nickheer) February 14, 2018
Lewis says he never opted in to notifications via text messaging to begin with, and yet he and other sufferers still have to put up with text spam.
As of Wednesday, some people were getting pretty steamed, with many insisting that this is clearly not a bug and accusing Facebook’s marketing of running amok:
A lot of people are suggesting the Facebook SMS spam is a bug. Bullshit. Someone at FB made a deliberate decision to “re-engage users” by spamming all those mobile phone numbers 2FA users had entered. No bug here at all.
— Matthew Green (@matthew_d_green) February 14, 2018
Of course, simply insisting that something must be deliberate doesn’t make it so.
Whether it’s a bug or not, the situation isn’t helping the cause when it comes to information security. Matthew D. Green, who teaches cryptography at Johns Hopkins Information Security Institute, says the text messages look exactly like real 2FA login attempts. When they turn out to be marketing blather rather than real security alerts, they add to users’ decision fatigue, he said:
The worst part is that FB’s spam SMS *look* exactly like real 2FA login attempts when your phone screen is locked. So when one arrives (every evening between 8-10pm) you *have* to check it. pic.twitter.com/rVGvHmsffF
— Matthew Green (@matthew_d_green) February 14, 2018
Despite the benefits, users are reluctant to switch on 2FA and the last thing they need is another reason not to.
I’m trying to get more details out of Facebook and I’ll update the story if I get them. In the meantime, users might want to look at Facebook’s Code Generator for 2FA. Not only could it help with this feature/bug, it’s also a more secure form of 2FA than using SMS.
Author: @LisaVaas (Naked Security, @NakedSecurity)
Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/L-X-35ijbvw/