This is a deep violation that makes every user of 2fa _unsafe_. A mere $250 million? This needs to be the kind of violation that endangers the company. It's not a mistake or honest error when 2fa phone numbers are used for advertising. This is malicious. Should be scaled to 100X the amount the company gained in advertising for the violation.
I don't have the citation but I recall a researcher who was studying this practice. He suggests that these requests for "factors" will continue to escalate to the point of absurdity. The sales pitch to the user is essentially "The more we know about you, the more we can protect you." However, if the user is seeking protection from others who are trying to discover her personal details, then this continual "full disclosure" to each tech company is counterproductive.
This sort of nonsensical reasoning has also been used by individuals portraying themselves as "whitehats" who try to profit from large leaks of personal data. Users are asked to provide personal data to the whitehat in order to confirm whether their personal data has been leaked.
I report every social media company that only offers SMS 2FA.
They obviously have enough engineers and awareness to do software based OTP, and clearly only want SMS for their phone number social graph and data brokering operation.
This is a deep violation that makes every user of 2fa _unsafe_.
It's certainly a violation of trust that could make people less likely to volunteer extra information for 2FA that could be used against them, even if it might also make them safer. For that alone, wilful violations ought to be treated as a serious breach under data protection laws.
The number of important financial services I use that now insist on phone numbers for 2FA is getting irritating, too. Apparently in some cases it's been prompted by the changes in EU rules under PSD2, but as with almost everything else I've come across so far under PSD2, I'm not sure how much safer it will really make anyone. At least those financial services -- and my government, which is the other organisation I see doing this routinely now -- probably aren't going to use the contact information for anything other than the 2FA they claim, though.
On another note, SMS 2FA needs to stop being a thing. Telcos and their systems can't be trusted if all it takes is someone to hijack or intercept your phone number and texts.
You shouldn’t use a phone number for 2fa to begin with, you’d be better off without 2fa if that’s the only option IMO (assuming you’re using a strong unique password). This is just more fuel on that fire.
2FA with SMS protects against password reuse or leaks. It's my understanding that SMS is weak against attacks targeted at particular people while being sufficiently strong for the majority of cases.
Not sure I follow "You'd be better off without 2FA" (unless you're counting the use of the number for advertising) - it's weak, but it doesn't introduce additional vulnerabilities.
And IIRC at the time Twitter didn't offer any other 2FA mechanisms.
Wouldn’t a phone-based 2FA also give you the knowledge that someone’s trying to log in? Can the SMS message somehow not be sent to all users on the network with your phone number?
> Twitter estimates the "range of probable loss" it faces in the probe is between $150 million and $250 million
That's close to 10% of Twitter's annual revenue. How do the likes of Google and Facebook get away with fines <1% of annual revenue? This seems disproportionate. I am not taking a position on whether it should be higher or lower, just that it appears unbalanced.
Because the modern web is based entirely around invading the privacy of every user as much as possible in order to sell their private details to advertisers. If Twitter's money came from users in the form of subscriptions or purchases, rather than from advertisers in the form of paid, targeted ads, this would be guarded information, rather than shared.
Part of the difference is that Twitter has much lower revenue per user than the other two. If you frame the fine as "$X per user impacted" rather than as "y% of your revenue" then it seems more proportional.
I've always hated giving my phone number to sites, even when it's ostensibly only for recovery purposes. Even worse are the sites/apps which refuse to let you make an account without one. I remember Facebook getting busted for the same thing so this just goes to further confirm my suspicion that this type of practice is more widespread than most companies would like to acknowledge.
The fine (and others like it) is a meaningless gesture. Unless companies like twitter start getting fined in amounts that aren’t pocket change to them, there is literally no incentive to change their abusive behavior. They make enough from abusing their users and absconding with their data to pay these paltry fines a hundred times over in most cases.
Despite all that, their ads are straight up garbage. Either that or I'm very hard to target. I swear Twitter and Facebook must display random ads to me. I'm often having to mark it as never show this again because it's so way off from my interests.
I leave my Adblock off for youtube a fair bit of the time. Not for any sense of ethical responsibility to help content creators, but because of how entertaining I find their failed attempts to target me. The ads are so bad, they’re oftentimes literal scams. I go out of my way to engage with the bad ads so I’ll get more like them. Luckily screwing with the ad algorithm doesn’t seem to have too great an effect on the video recommendation algorithm.
Is there any benefit in using the phone network for 2FA besides (IMHO too) easy recovery in case of loss? Is there an equivalently usable method for recovery? Recovery codes aren't practical, I guess, because people would keep losing them too.
Maybe some pseudonymous proof using cryptographic functions of modern passports could be used somehow without revealing real identity to the passport issuer too? It should not be possible to know who issued the pseudonymous identity proof, but it should also only be provable by me...
You can outsource it to something like authy, which is still sms based, but gets disabled if you install their app. They also claim that they can detect number porting attacks, so that might be marginally better.
>Maybe some pseudonymous proof using cryptographic functions of modern passports could be used somehow without revealing real identity to the passport issuer too?
You can still lose your passport. It's less likely than losing your phone, but still. Also, to access the cryptographic functions of a passport, you probably need an NFC reader, which isn't exactly accessible.
>You can still lose your passport. It's less likely than losing your phone, but still. Also, to access the cryptographic functions of a passport, you probably need a NFC reader, which isn't exactly accessible.
I thought maybe the pseudonymous identity proof could still work after your passport has been reissued, either because of loss or because of invalidation. But it's probably not really doable with named constraints. Modern phones are apparently often equipped with an NFC reader. I think this could be usable enough for the recovery case.
From the past several years they've been constantly suspending brand new accounts for "security" reasons and requiring a phone number to unlock them, even if the account wasn't doing anything that looks spammy or suspicious.
When opening a support ticket about it, they claim it was a "mistake" and offer to unlock the account, but I always suspected it was a disgusting tactic for harvesting phone numbers, and I guess I was right.
They did and were fined $5bn for privacy violations generally, of which one part was:
> In addition to these violations of its 2012 order, the FTC alleges that Facebook violated the FTC Act’s prohibition against deceptive practices when it told users it would collect their phone numbers to enable a security feature, but did not disclose that it also used those numbers for advertising purposes.