A questionable practice by the social network giant
Asking users for their phone numbers and then using them for advertising campaigns is just one more entry in the long list of deceptive and invasive Facebook practices for generating revenue from its users’ personal information. Contradicting both users’ expectations and its own recent statements, the company has been using contact information that users explicitly provided for security reasons, or never provided at all, for targeted advertising.
A group of specialists in ethical hacking have performed various tests in a real environment to demonstrate how this misleading Facebook practice works. Experts discovered that Facebook collects user phone numbers for targeted advertising in two different ways: by getting phone numbers used for two-factor authentication (2FA), and through “shadow” contact information.
First, when a user gives Facebook their phone number for security reasons (to configure 2FA or to receive alerts about new logins to their account), that phone number can reach the hands of advertisers in a matter of weeks. This would not be the first time that Facebook has misused phone numbers collected for 2FA.
The important thing is that users should not stop using 2FA. The problem is not two-factor authentication itself, nor even the inherent weaknesses of SMS-based 2FA in particular. It is, instead, a problem with how Facebook has handled user information and dismissed its users’ reasonable expectations of security and privacy.
There are many types of 2FA. SMS-based authentication requires a phone number, because the code that serves as the “second factor” is delivered by text message when you log in. Other types of 2FA, such as authenticator apps and hardware tokens, do not require a phone number to work. However, until just four months ago, Facebook required users to enter a phone number to activate any type of 2FA, even though it offers its own authenticator as a safer alternative. Other companies, like Google, also follow this practice, which specialists in ethical hacking consider obsolete.
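To make the contrast concrete, here is an added example (not code from the original article or from Facebook) of app-based 2FA: a minimal RFC 6238 TOTP enrolment and verifier. The only thing the service needs to store is a per-user shared secret; no phone number enters the flow at any point. The secret and timestamps in the test are constructed (the RFC 6238 SHA-1 test vector), and the one-step clock window is an assumption.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a zero-padded decimal code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second periods elapsed."""
    return hotp(secret, unix_time // step, digits)


def enroll_app_2fa() -> dict:
    """Enrolment record for an authenticator app (constructed example).
    Note what is stored: a random 160-bit seed and nothing else.
    The base32 form is what would be placed in the QR code the app scans."""
    seed = secrets.token_bytes(20)
    return {"seed": seed, "seed_base32": base64.b32encode(seed).decode()}


def verify_totp(secret: bytes, code: str, unix_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Accept the code for the current period or `window` periods either
    side, to tolerate clock drift between server and phone.  Comparison is
    constant-time so response timing does not leak how many digits matched."""
    if len(code) != digits or not code.isdigit():
        return False
    current = unix_time // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, current + drift, digits), code):
            return True
    return False


if __name__ == "__main__":
    record = enroll_app_2fa()
    now = 1_700_000_000  # constructed timestamp
    print("code:", totp(record["seed"], now))
    print("valid:", verify_totp(record["seed"], totp(record["seed"], now), now))
```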
Facebook still has work to do, even after removing the phone number requirement for activating 2FA. This finding has not only vindicated users who doubt Facebook’s repeated claims that we have “full control” over our own information, but has also severely damaged users’ confidence in a fundamental security practice.
Second, Facebook is also taking contact information from our friends. Experts in ethical hacking give an example: “If a User A shares their contacts with Facebook, including a previously unknown phone number for a User B, advertisers will be able to direct an ad to User B using that phone number”, which is known as “shadow contact information”.
This means that even if User B never gave their phone number to Facebook, advertisers will be able to associate it with their account through their friends’ phone books.
As Facebook tries to salvage its reputation among users after the Cambridge Analytica scandal, it still has outstanding work to do; according to specialists in ethical hacking from the International Institute of Cyber Security, fixing how it handles its users’ phone numbers would be a good start.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held cyber security researcher positions at a variety of cyber security start-ups. She also has experience in different industry domains such as finance, healthcare and consumer products.