
Facebook claimed phone number was only for 2FA. Now it's searchable - waymon
https://twitter.com/jeremyburge/status/1101402001907372032
======
zxcvbn4038
Synchrony branded credit cards do the same thing, they use your SSN to obtain
phone numbers from one of the Transunion skip trace databases. So even though
I’ve only ever given Synchrony my dummy number, when I try to change my
password I get a selection of phone numbers that they want to send a
verification code to, and those numbers only exist in that Transunion
database.

You can’t correct or remove anything from the Transunion database, because
it’s not used for credit decisions there is no way to force them to do it.

So instead I’ve made it a game to try and see how many phone numbers I can get
added to the database. My goal is to request a free copy of my file one day
and have it arrive on a pallet.

Maybe if I fill out a credit card application and list Kevin Bacon’s address
as a former residence then they’ll add him to my list of known associates...

~~~
godzillabrennus
When you figure out how to game the system charge others to do it.

People would pay to create fuzz in their records.

~~~
zxcvbn4038
I think they key is that data brokers are greedy and accept all inputs with
little validation. Their data quality teams are more focused on algorithmicly
removing “obvious” duplicates due to small transpositional errors and such.
They are usually not geared towards stoping people from intentionally entering
incorrect but valid data. Even in cases where they might hold back data
because they are uncertain about, they don’t delete it, as soon as there are
enough “signals” that it might be correct they pass it through.

So knowing that data brokers are greedy the trick isn’t to get governments to
force them to delete and protect information, the trick is to give them so
much bad information that the good data becomes indistinguishable.

------
mthoms
Some mobile apps have two account creation options: Facebook login or phone
number.

I recently chose phone number (because screw FB) but then noticed that the SMS
verification is performed by Facebook anyways.

What the hell are App developers thinking? If I choose _not_ to use my FB
login in your app it's because I don't want FB snooping on me.

But then you turn around and use Facebook to validate my phone number without
proper consent?

~~~
NowThenGoodBad
I totally agree with you.

From a developer side: Google, Facebook, etc have well developed and much
safer password and login authentication and the liability technically falls on
them for any screw ups. Although I have a very secure hashing system for my
online game login I still plan to make logging in with your Google and, maybe,
Facebook account. It also adds convenience.

I’m imagining the dev found some tool to do sms verification that Facebook
makes simple (or maybe that’s all they know how to use considering you didn’t
mention any google login...).

------
technofiend
For some unfathomable reason Google no longer allows Google Voice clients to
forward their calls to Project Fi numbers. So my new layer of abstraction is a
$3/mo Call Centric number routed to a $12 SIP deskset.

Call Centric lets you whitelist so step one is to upload your contacts to them
and then drop any calls not in your list. Goodbye telemarketers. Second step
is to leave the phone unplugged altogether unless you need to use it since
anyone you know has your mobile number anyway. :-)

If you really need it, you can add the Call Centric number to your cellphone
via a SIP client but in my experience that's a bit of a battery sucker and
call quality can be poor with noticeable voice delay.

~~~
tylerl
"No longer..."?

No, it never was possible. The two systems use the same underlying
infrastructure but for different purposes, which leads to a frustrating
interplay of technical constraints and security/privacy controls.

~~~
technofiend
I distinctly remember being able to do it at one time. Then a friend
complained he could never reach me and I discovered my cell number was dropped
from forwarding and couldn't be added back. I may have managed to sneak it in
by porting in a forwarded number.

------
dplgk
Does the ACLU care about this kind of stuff?

~~~
__blockcipher__
[https://fixitalready.eff.org/facebook/#/](https://fixitalready.eff.org/facebook/#/)

[https://www.eff.org/press/releases/eff-implores-nine-
compani...](https://www.eff.org/press/releases/eff-implores-nine-companies-
fix-it-already)

EFF does!

------
KiDD
It has always done this... the very reason I do not add my phone number.

------
Criper1Tookus
Never provided a phone number for this reason

------
ChlorophZek
could this be a GDPR violation of any sort in the EU?

~~~
MatthewWilkes
I should think so. They don't have consent; vital interest, public task, legal
obligation and contract do not apply; they must be relying on legitimate
interest. I can't imagine this would pass an unbiased balancing test.

