
Facebook Doubles Down on Misusing Your Phone Number - panarky
https://www.eff.org/deeplinks/2019/03/facebook-doubles-down-misusing-your-phone-number
======
thisisit
Discussed earlier:

[https://news.ycombinator.com/item?id=19298692](https://news.ycombinator.com/item?id=19298692)

------
burtonator
The other day I logged out of Instagram on my phone, created a totally new
account (for our dog), cleared all the cache and it STILL found my coworkers.

I didn't want my coworkers to see my dog account because I act silly and want
to be professional.

I'm CERTAIN they just sent data I didn't agree to send (phone number, etc).

They didn't re-prompt to access my contacts so I assume they think that since
the APP has permission every account I create ALSO has permission to access my
contacts.

Fuck facebook!

~~~
temp1928384
Might be the wifi network if you logged in while at work...

------
bitxbitxbitcoin
So the only way to keep your number from being searchable on FB is by not
having 2fa?

~~~
markovbot
Or by not having a facebook, obviously. If you have one, you're part of the
problem :)

~~~
on_and_off
Not having an account won't prevent FB from creating one for you and storing
your phone number when one of your contacts uploads their address book.

~~~
mirimir
True :(

Here's an idea. Use a service that generates phone numbers that redirect to
your actual phone number. Maybe Twilio. Just as some do with email addresses.

Create a new number for each use. For each family member and friend. For each
site registration. For each whatever.

Have an app that searches periodically online for all of those numbers. If any
of them show up linked to Facebook, or whatever else concerns you, nuke them.
And maybe ping whoever/whatever got that number with an admonition, saying
that they're no longer a trusted contact.

That would be extreme, I know. And you'd need to cut some slack for close
family, your employer, etc.

But would it be doable?

------
locust101
Is there any other authentication method like google authenticator for 2fa to
use facebook?

~~~
pxeboot
Facebook supports U2F security keys for 2 factor auth [1].

[1] [https://m.facebook.com/notes/facebook-security/security-key-...](https://m.facebook.com/notes/facebook-security/security-key-for-safer-logins-with-a-touch/10154125089265766/)

~~~
BFLpL0QNek
The UX I'd say is following dark patterns for this.

You cannot enable U2F without first enabling SMS Auth and/or OTP Auth. Once
U2F is enabled, if you delete both SMS Auth and OTP Auth it disables 2 factor
auth and takes you to a welcome screen to get started enabling it again with
the only 2 options, SMS / OTP. Once you enable one of them you can add U2F again.

Also I have "security.webauth.u2f" enabled in Firefox but Facebook is the only
U2F service I use that doesn't work in Firefox so it falls back to the SMS /
OTP methods on login.

~~~
btrettel
> _Also I have "security.webauth.u2f" enabled in Firefox but Facebook is the
> only U2F service I use that doesn't work in Firefox so it falls back to the
> SMS / OTP methods on login._

I noticed this as well. I was able to add my security key via Firefox, but for
some reason Facebook decided that you need Chrome to use U2F when logging in.

------
grecy
People say things like "what do you want, privacy or security?, you can't have
both".

But something I always think about, we're talking about _Facebook_ here. It's
a social media platform with pretty pictures and comments. What's the big
deal?

It's not like we're talking about your online banking or medical records. Why
does the "security" of something as unimportant as Facebook really matter
enough to require 2FA?

The bogeyman "Security" has escalated so much it's like everyone wants it
everywhere, no matter the cost.

~~~
echlebek
Facebook is one of the main identity providers on the internet, next to Google
and Apple. Access to Facebook can imply access to a wealth of other apps.

