by Lucas Nolan, 16 Feb 2018
Facebook has come under fire for its two-factor authentication process, which sends users notifications via text message and posts their replies on their Facebook wall, instead of merely acting as a layer of security.
The Verge reports that an issue with Facebook’s two-factor authentication (2FA) system was noticed by Bay Area software engineer Gabriel Lewis, who took to Twitter to display screenshots of the error. Lewis discovered that when he replied to the 2FA notifications sent to his phone via text, his replies appeared as posts on his Facebook wall. The 2FA system is used to provide an extra layer of security for users logging into Facebook, requiring them to click a link or enter a code sent via text message to their phone before they can gain access to their account.
So I signed up for 2 factor auth on Facebook and they used it as an opportunity to spam me notifications. Then they posted my replies on my wall. pic.twitter.com/Fy44b07wNg
— Gabriel Lewis (@Gabriel__Lewis) February 12, 2018
Worse still, the same number used for 2FA notifications was also sending Lewis notifications about his friends’ posts on Facebook. Lewis had apparently never even signed up to receive 2FA texts to his phone. Technology critic and sociologist Zeynep Tufekci took to Twitter to criticise Facebook, accusing the company of “juicing” their user engagement metrics by spamming their phones with notifications.
This is how a business model can be so poisonous and harmful. This is unacceptable. https://t.co/l4qp2ozLCl
— zeynep tufekci (@zeynep) February 14, 2018
Abusing the authentication process is unconscionable. SMS shouldn’t be used for “engagement” anyway. Opens people up to phishing under the best of circumstances. https://t.co/0qQtnTUOSv
— zeynep tufekci (@zeynep) February 14, 2018
This is bad news for Facebook, which is already involved in a number of class action lawsuits over violations of the Telephone Consumer Protection Act, or TCPA. The TCPA states that companies may not contact you unless given express permission; Facebook has been accused in the past of spamming its users with birthday posts and other notifications via text message. In many cases, the Facebook users not only didn’t give Facebook permission to contact them, they didn’t give Facebook their phone number. It seems that the latest text message issue may be a bug and not a method to lure users back to Facebook by spamming them with 2FA notifications, but if that is what the company is attempting to do, it could lead to legal problems for them in the future.
Facebook commented on the issue saying, “We give people control over their notifications, including those that relate to security features like two-factor authentication. We’re looking into this situation to see if there’s more we can do to help people manage their communications. Also, people who sign up for two-factor authentication using a U2F security key and code generator do not need to register a phone number with Facebook.”
Lucas Nolan is a reporter for Breitbart News covering issues of free speech and online censorship. Follow him on Twitter @LucasNolan_ or email him at lnolan@breitbart.com