
Twitter to be fined $250M for using 2FA numbers for ads - afrcnc
https://www.techdirt.com/articles/20200804/01231345032/twitter-about-to-be-hit-with-250-million-fine-using-your-two-factor-authentication-phone-numbers-emails-marketing.shtml
======
dang
[https://news.ycombinator.com/item?id=24051665](https://news.ycombinator.com/item?id=24051665)

------
Timpy
I'm more paranoid about big companies selling me out for ad money than I am
about phishing attacks. There's a number of sites where I feel like I should
add 2FA for security, but I won't do it for privacy reasons. Logging into
Microsoft Office for my job is a pain in the ass because they redirect me to
the "Add your phone number" page twice for each app that I use. I have to
click "skip this step" 4 times, since I'm using Teams and Outlook. Was the
world a better place when every transaction you made in a retail store didn't
come with a request for tracking? "Can we get your email? What's a good phone
number for you? Do you have a rewards card? Do you want one? Any way we can
peg you with a unique id and sell it to a data broker?"

~~~
3pt14159
If a company wants to know who you are they can find out. Data brokers are
pretty cheap and they share so much data between each other it's bonkers.

------
kanobo
2FA is only as good as the company that employs it otherwise it just gives
people a false sense of security and privacy.

~~~
war1025
I've become pretty convinced that sms-based 2FA is an anti-pattern. I've seen
too many articles and anecdotes about sim-swap attacks to feel at all
comfortable trusting sms as an authentication method.

~~~
strictnein
SMS 2FA is still superior to nothing. Most account compromises aren't because
of SIM swapping. Phishing, password spraying, and (especially) password reuse
are the most common and SMS 2FA completely defeats the latter two and makes
the first one harder.

Most people/groups who phish are pretty technically inept so they struggle to
automate things like OTP capture/use, so they're stuck doing it live, and that
obviously doesn't scale well.

~~~
war1025
> SMS 2FA is still superior to nothing.

It's better than nothing, but given that it's trivial to go from that to just
an authenticator app, I would personally not have any of my accounts set up to
accept sms 2FA.

Of course, the best thing would be for people to use actual passwords instead
of "Watermelon23", but that's easier said than done.

------
kl4m
This page was loading so many trackers for a full minute (doubleclick, openx,
google.ca???) that my laptop started heating up. I'll wait for another media
source to read about it, thanks.

~~~
Alupis
Or, use an Ad Blocker if you're so averse to this website making money off
their content?

~~~
aeurielesn
> this website making money off their content

That's an interesting wording. I would say it's making money off your data
than their content.

In other situations, we'd normally call this doxing.

~~~
Alupis
> In other situations, we'd normally call this doxing

No we wouldn't.

If you're going to complain about ads, but still want the content, then shut up
and pay the website for it. You're not going to do that either, though. Want
to have your cake and eat it too?

No, instead (generic) you just wants free content. (Generic) you isn't going
to pay $12.99 monthly per website to support the content and operation costs.
(Generic) you just wants free stuff.

How many people on HN complain about Paywalled websites and immediately seek
ways to circumvent the paywall? Paywalls are the alternative.

There's real costs with running a website - even more-so with producing
content people are interested in (clearly evidenced by front page of HN).

Or, just use an Ad Blocker and be on with your day. It's the complaining
that's annoying - and petty. Solutions to your perceived problem are super
easy and well within reach. It's literally 3 clicks to install uBlock Origin.

~~~
UweSchmidt
The problem is systematic: There is currently no realistic way to pay and be
done with the medium; there is no spotify or netflix for websites. Those
services kinda prove that people are willing to pay after a decade of
torrenting and burning DVDs.

HN readers typically know how to deal with ad blockers, our less technical
fellows don't, and we ultimately owe them to work against this bullshit, like
we expect them to steer their respective fields and professions to the common
benefit, that they make their products and services healthy and safe.

A computer literally heating up due to who knows what arbitrary javascript is
executed on that person's computer is notable, and the advertising-tech-
complex is very much on topic for HN.

Finally, there can be NO DEAL between a website visitor and a bunch of third
party javascript that cannot be understood or audited, and if the operation is
not profitable, tough. There were cool websites on the internet before ads and
we will have websites in the future.

~~~
Alupis
> there is no spotify or netflix for websites. Those services kinda prove that
> people are willing to pay

The overwhelming majority of Spotify accounts are Free Accounts, supported
by... you guessed it... Ads.

People don't torrent music because Spotify is easier. Spotify earns money
through advertisers paying them to advertise on their platform. Spotify pays
part of that to artists who put music on their platform. Everyone is getting
paid, and it costs the user nothing. That's why Spotify is so popular.

> There were cool websites on the internet before ads and we will have
> websites in the future

What is it you are arguing for? Charging $0.35 per every single page view? Or
people running websites should just foot the bill out of the goodness of their
hearts? Someone has to pay the hosting bill...

Some of the tech-elites on HN will pay this out of principle, but the
overwhelming majority of people will not. Be realistic.

A world where you must pay for every page view is effectively antithetical to
everything the web stood for. The _free_ distribution of knowledge to
everyone simply would cease to exist.

It's actually amazingly clever. We've tricked 3rd party advertisers into
footing the bill for literally _everything_ on the internet. You are free to
consume content without paying a single penny - someone else is paying it for
you. The trade? You gotta look at some ads once in a while. Oh the humanity!

If someone is this principled - they should run an Ad Blocker. Most people
simply don't care. You can make a case that they should care, but then you'll
need to come up with a robust system to pay content creators to ensure they
aren't buried in expenses of running a website for a bunch of freeloaders.

~~~
UweSchmidt
Advertising is not a free lunch. We pay by being manipulated into spending more.
It would have been nice if there were a free source of money, but clearly this
cannot possibly be true. Even if advertisements didn't work, the cost of
advertising is still baked into prices.

There is also no contract, no trade. People go on a website, ignore any and
all terms of services and privacy notes and try to read what's up. Presenting
such terms of services etc. is acting in bad faith (as no layperson is able to
understand it and no lawyer has time to read all of it). Third party code is
executed on their computer. Could be bitcoin miners or even ransomware.

Your example with spotify may be true, but you can't ignore that Netflix and
others are raking in a lot of money and provide a really expensive product
(compared to website articles which yes, were produced for free by many people
for years, on some level). I used to subscribe to The Athletic and will
probably do so again if there's football in autumn.

I really wouldn't mind seeing some ads. On a shoe website, see a banner ad for
shoes, with a hyper link to another shoe website. No tracking, no code, just a
link.

~~~
Alupis
> No tracking, no code, just a link.

I think the problem there is those types of ads aren't effective. And
therefore, advertisers won't pay for them, which then goes back to the
original problem of "who's paying the hosting bill"? Let alone paying the
salaries of a dozen journalists or content creators.

If tastefully done, ads can be discreet and effective. There are bad apples
out there, who plaster every pixel of page space with ads and more ads and
more ads.

I don't think anyone enjoys that experience - but that's not the ads' fault,
it's the webmaster who did it! Eventually, that strategy won't pay for itself
anymore as people stop using the website.

Netflix is a strange thing to relate to here, I think. People have always paid
for movies - so I think it was a natural progression to pay for a movie
streaming service.

Websites have mostly always been free - and the ones that successfully run a
subscription model absolutely limit their market appeal and userbase. Making
people pay for every page view (the effective equivalence of running
impression-based ads) is simply not going to work; you'll have an immense
challenge to convince people what was previously "free" is now going to cost
them actual money directly from their bank account.

At the end of the day, there are two arguments going on here.

1) Tracking is a violation of expected privacy, and should not be done.

2) Ads are bad and should go away.

Number 1 is true! However, the result of stopping would be unrelated ads being
shown to people with practically zero percent chance of converting into a
transaction for the advertiser (showing diaper ads to a single man who lives
by himself, for example). That could be fine, but again, it reduces
advertising effectiveness, which means advertisers will pay less for the ad
space. This could work... but will have ramifications that are potentially not
great (more paywalls, for example).

Number 2, in my opinion, isn't true, and isn't realistic for the reasons laid
out above.

------
rambojazz
I wonder if they write off fines as expenses and still turn a profit.

~~~
Someone1234
They will. All fines are deductible except IRS ones[0]. It has nothing to do
with them turning a profit either way though. They still have to pay the fine
even if it isn't counted towards their taxable profits.

[0] [https://www.investopedia.com/ask/answers/102915/are-irs-penalties-tax-deductible.asp](https://www.investopedia.com/ask/answers/102915/are-irs-penalties-tax-deductible.asp)

~~~
kohtatsu
GP is wondering if it will be financially worthwhile despite the (non-taxable)
fines.

------
organicfigs
[deleted]

~~~
codazoda
No throwaway? Someone is going to out your company.

~~~
Funes-
Let that happen, then--if he/she is in a safe position now, it would only be
fair that the company was outed.

------
dumbfoundded
I'm pretty sure many other companies sell this information as well. I'm pretty
sure Comcast sells it as I share an account with someone but it uses my phone
for verification & support. I received a spammy text with their name. It's the
only account we share.

~~~
entropea
Facebook has also been caught doing this (as mentioned in OP article as well).

[https://techcrunch.com/2018/09/27/yes-facebook-is-using-your-2fa-phone-number-to-target-you-with-ads/](https://techcrunch.com/2018/09/27/yes-facebook-is-using-your-2fa-phone-number-to-target-you-with-ads/)

~~~
stingraycharles
Why do they keep doing this type of stuff? It’s obviously not allowed, so why
risk it? Is there so much money to be made?

~~~
dumbfoundded
No one gets promoted for making the same amount of money.

------
mlthoughts2018
Prison time is the only serious deterrent. Specific people in the upper
management need to have non-suspendable prison sentences.

Start with maybe 3-6 months, then escalate for repeat offenders. The fact
that these decisions were made internally to a business should not indemnify
the executives who allowed it to happen from criminal charges with mandatory
prison time that cannot be suspended or avoided.

------
dmix
Doesn't Twitter also require a unique phone number to make an account these
days?

I'm guessing that number has no protections the way 2FA ones do?

~~~
jwilliamson
They do. There are also operators whose numbers Twitter won't accept for
signing in. I had to borrow someone's phone to sign up for Twitter because
they didn't like my number.

------
pmarreck
Geez, it's a good thing I removed cell 2FA from all my accounts after getting
hacked (SIM card transfer via social engineering)

~~~
woadwarrior01
The problem with Twitter is they don't allow adding more than one security key
(like Yubikey, NitroKey etc) per account. Google, FB, Github and almost
everyone else who supports security keys does support multiple keys. Without
it, I wouldn't disable SMS auth on Twitter, yet (the security key could die at
any point, hypothetically speaking; which is why you have a backup or two).

~~~
war1025
Why wouldn't you just record the authenticator code somewhere?

You can easily generate OTP codes the same as any of the "authenticator" apps
do, using, for example, oathtool [1]

You don't even need the code to be stored on a computer. Just write it down
somewhere safe if you're paranoid about getting hacked. The seed codes are
usually 16 characters or so.

[1] [https://www.nongnu.org/oath-toolkit/oathtool.1.html](https://www.nongnu.org/oath-toolkit/oathtool.1.html)

~~~
woadwarrior01
You're right, that's exactly what I've got. I'd forgotten the exact setup I
have on Twitter. I just checked and I've got a TOTP app (with backup codes on
paper) + Yubikey. I'd disabled SMS for 2FA last year, around the time when
Jack Dorsey's Twitter account was compromised with a SIM swap attack.

