Facebook 'Security': A New VPN That's Spyware And Two-Factor Authentication That Spams You
from the insecurity dept
Facebook's definition of protection isn't quite up to snuff. Last week, some Facebook users began seeing a new option in their settings simply labeled "Protect." Clicking on that link in the company's navigation bar will redirect Facebook users to the “Onavo Protect – VPN Security” app’s listing on the App Store. There, they're informed that "Onavo Protect helps keep you and your data safe when you browse and share information on the web." You're also informed that the "app helps keep your details secure when you login to websites or enter personal information such as bank accounts and credit card numbers."
What you're not told is that Facebook acquired the company back in 2013, and is now using it as little more than glorified spyware, allowing Facebook to track and monetize your travels around the internet (especially time spent wandering around competing social media platforms). That is, understandably, upsetting some people who believe that security tools should, well, actually protect you from surveillance, not open up an entirely new avenue for it:
"Facebook, however, purchased Onavo from an Israeli firm in 2013 for an entirely different reason, as described in a Wall Street Journal report last summer. The company is actually collecting and analyzing the data of Onavo users. Doing so allows Facebook to monitor the online habits of people outside their use of the Facebook app itself. For instance, this gave the company insight into Snapchat’s dwindling user base, even before the company announced a period of diminished growth last year."
Amusingly, as one Facebook team was busy pushing a VPN service that spies on you, other parts of the company have been busy pushing a new two-factor authentication system (good) that the company also thought should be co-opted for marketing purposes (not so good). Ideally, two-factor authentication should use your phone number exclusively to send you authentication codes via SMS. But Facebook apparently got the nifty idea to immediately take that number and spam customers in the hopes this would drive additional engagement at the website:
So I signed up for 2 factor auth on Facebook and they used it as an opportunity to spam me notifications. Then they posted my replies on my wall. 🤦♂️ pic.twitter.com/Fy44b07wNg
— Gabriel Lewis 🦆 (@Gabriel__Lewis) February 12, 2018
On a positive note, Facebook was quick to acknowledge that the SMS spam isn't intentional, and that it would be rolling out a fix shortly (hopefully before too many people get disgusted by 2FA):
"It was not our intention to send non-security-related SMS notifications to these phone numbers, and I am sorry for any inconvenience these messages might have caused. We are working to ensure that people who sign up for two-factor authentication won't receive non-security-related notifications from us unless they specifically choose to receive them, and the same will be true for those who signed up in the past. We expect to have the fixes in place in the coming days. To reiterate, this was not an intentional decision; this was a bug."
While Facebook was quick to own its 2FA problem, the company has been somewhat mute regarding the backlash to its "VPN" service offering. That effort likely began with good intentions among Facebook's security team, then got hijacked by company higher-ups nervous about the fact that Facebook's engagement and subscriber numbers have begun a precipitous dive. The solution to that problem is making Facebook better and more secure, not pushing security and privacy services whose real agenda is monetization and, apparently, annoyance.
Filed Under: 2fa, marketing, security, sms, spam, tracking, two factor authentication, vpn
Companies: facebook
Reader Comments
In any case, putting aside the latest shenanigans from Facebook, there's still the negative impact it causes psychologically speaking. I personally felt better after I stopped using it. No seriously, there are other means of keeping in touch.
Re: Re: Re:
I would never even *try* to create something as horrible as Facebook. That takes a sociopath, which is exactly why it's played out as it has.
Re: Re:
That's too subtle and optimistic for my tastes.
Facebook has partnered with Amazon, Google, Microsoft, Twitter and others on the OAuth standard for access delegation. Log into one, and you're automatically logged into the rest.
Microsoft is pushing this in their Visual Studio programming environment for web sites, desktop and mobile apps to the extent that they've removed other user authentication tools.
I have a new Ricoh camera. To use its full functionality I need to log into the Ricoh web site. Which doesn't have its own user authentication system. To log in I had to set up a Facebook account and use THAT to authenticate on the Ricoh site.
This is the future of all your apps, websites and devices. What could possibly go wrong?
Re: Re: Re:
That simply isn't true. They each offer their own OAuth implementations. While "login with Facebook/Google" is ubiquitous on the web they are not shared authentications. OAuth is simply a standard that allows a web site operator (and others) to offload the work of authenticating users to a 3rd party. OAuth is no less secure than regular username+password authentication*.
Re: Re: Re: Re:
But that's exactly what I'm saying.
Sure, a password won't be shared between sites. But if Facebook passwords were ever to leak, a crook could authenticate using that, and now he's also authenticated for the user's non-Facebook sites and services.
Re: Re: Re: Re: Re:
How do we know that? You go to some site, click "log in with Facebook", and then what? Enter your Facebook password into whatever box it gives you? Does the average person know how to check whether they're really on Facebook's site and not a lookalike (and remember to do it every time)?
I've seen people type URLs into Google, so I'm not hopeful about this...
Re: Re:
Do you guys ever actually think this gets you support for your cause, or did it ever dawn on you that a more subtle approach might be more effective?
Re:
If so, people should be reminded that users of those services merely went to use competitors who met their needs better. That FB is currently one of the leaders in connecting people is not necessarily an indicator of longevity if a better option comes along.
"No seriously, there are other means of keeping in touch."
Depends on your needs and who you're trying to keep in touch with. Some people find it invaluable, some people prefer other methods, some people can be easily persuaded to use other methods if all their friends start moving there.
Re: Re: Re:
The company "outsourced" its HR department to a third party...
...which only communicates via Facebook.
Later, they replaced their internal email system with some kind of Facebook service. Given they're a military contractor, and that they're subject to stringent regulations concerning business mail, I've wondered how that works...
SMS 2FA? What about TOTP?
I don't have a lot of confidence in the security of SMS-based authentication schemes.
Re: SMS 2FA? What about TOTP?
How could you be a tech journalist, writing a scathing article about InfoSec being abused by Facebook, and not have the level of self-awareness that would lead you to at least DuckDuckGo the topics that you're going to be writing so assuredly of? People trust sites like Techdirt to provide information that's at least as accurate as an average Reddit post. I never write comments like this on news articles, but this author is spreading misinformation that leads to ruined lives. Please, do some brushing up on the current 2FA scene and edit your article to accurately reflect how terrible SMS is for this purpose, and maybe mention the basic alternatives. Man, I'm sorry if I came across as a jackass. Please know that it wasn't my intent if that's how I do come across.
Re: Re: SMS 2FA? What about TOTP?
This has led to some interesting incidents, like showing up for a doctor's appointment and having them tell me that A) they had canceled my appointment and B) they felt I owed them $50 for doing that, since I didn't respond to a text verifying that I still intended to show up. I got the strong impression they will be changing their policies so as to not accept new patients without text, email, and Farcebook accounts they can spam.
what's the newest or rising alternative for facebook
Re:
"If I buy anything that requires one to use the product it's going right back to the store."
This makes me laugh a little as what you just said was that not only will you not do the most basic research on a product before you buy it, you'll happily drive miles back and forth to a retail outlet to replace it if a feature you could have educated yourself about was present. I'd say that someone who uses social media and is aware of what they're buying is probably more suited to feel superior, to be honest.
Re: Re:
I, too, would return a product if I discovered after buying it that it would not work without Facebook authentication - but that does not imply that I wouldn't do the research before buying; I would, and generally do, and then don't buy such products (though I can't remember any examples of such products just off the top of my head).
All it says is that if I missed the requirement in my pre-purchase research, or if I failed to do the research in one instance and it turned out that that instance was one where it actually mattered, I would go through with the return.
That seems like a reasonable position, to me - if nothing else, then because such a requirement makes the product useless to me, because I do not have a Facebook account and (for reasons of my own) refuse to create one.
Re: Re: Re:
I'd also say that anyone who depends on whatever limited stock a brick-and-mortar store happens to have on a particular day is asking for trouble unless there's a real need to have the item immediately. I can't remember the last time I made any significant purchase without at least reading online reviews while standing in front of the shelf. OK, there may be circumstances where that can't be done, but the image in my head is this guy looking at the screen telling him to log in, even though the Facebook logo is on the packaging.
It just seems meaningless to boast about what you don't do as if it makes you special. There's lots of things I also don't use, but you won't find me making special effort to tell everyone about them.
Re: Re: Re: Re:
Also, the Facebook logo being present on the packaging does not necessarily imply "requires Facebook in order to use the device" (although it should certainly be enough of a red flag to get someone who's anti-Facebook to do extra research before buying); it could simply imply "supports Facebook connectivity", much as a Facebook logo on a Website or in an app often means nothing more than "we make it easy for you to share (things related to us) via Facebook!".
I agree that "not using Facebook or anything like it" isn't necessarily anything to boast about, though. Even I don't tend to bring my personal Facebook avoidance up in public discussions, even ones where Facebook is the topic, unless it's directly relevant; I might mention it if Facebook comes up in individual conversation, but that's about as far as that goes.
Re: Re: Re: Re: Re:
But generally speaking - if you're that fundamentally opposed to something and you don't realise you've bought a product that's irrevocably tied to it until you have it in your home, you seriously need to step up your due diligence when choosing products.
this was a bug
you keep using that word, but it does not mean what you think it means!!!!
This is not true. SMS is a terrible method of 2FA. Far from "ideal." NIST has stopped recommending SMS for 2FA.
Zero tolerance for "bug"
After all, Facebook literally has billions of users. Isn't it safe to assume they have all manner of testing, QA, beta testing, and alpha testing before any feature goes live?
Then who approved the idea to spam people using their two-factor authentication number? And then who approved posting their reply to their wall? I can easily see a programmer coming up with the idea, but team leads and managers are supposed to not allow these things. And where are the testers saying this isn't a good idea?
Or is this "bug" actually a feature passed down from higher management as yet another way to spy and track people?