Facebook 'Security': A New VPN That's Spyware And Two-Factor Authentication That Spams You

from the insecurity dept

Facebook's definition of protection isn't quite up to snuff. Last week, some Facebook users began seeing a new option in their settings simply labeled "Protect." Clicking on that link in the company's navigation bar will redirect Facebook users to the “Onavo Protect – VPN Security” app’s listing on the App Store. There, they're informed that "Onavo Protect helps keep you and your data safe when you browse and share information on the web." You're also informed that the "app helps keep your details secure when you login to websites or enter personal information such as bank accounts and credit card numbers."

What you're not told is that Facebook acquired the company back in 2013, and is now using it as little more than glorified spyware, allowing Facebook to track and monetize your travels around the internet (especially time spent wandering around competing social media platforms). That is, understandably, upsetting some people who believe that security tools should, well, actually protect you from surveillance, not open up an entirely new avenue for it:

"Facebook, however, purchased Onavo from an Israeli firm in 2013 for an entirely different reason, as described in a Wall Street Journal report last summer. The company is actually collecting and analyzing the data of Onavo users. Doing so allows Facebook to monitor the online habits of people outside their use of the Facebook app itself. For instance, this gave the company insight into Snapchat’s dwindling user base, even before the company announced a period of diminished growth last year."

Amusingly, as one Facebook team was busy pushing a VPN service that spies on you, other parts of the company have been busy pushing a new two-factor authentication system (good) that the company also thought should be co-opted for marketing purposes (not so good). Ideally, two-factor authentication should use your phone number exclusively to send you authentication codes via SMS. But Facebook apparently got the nifty idea to immediately take that number and spam customers in the hopes this would drive additional engagement at the website:

On a positive note, Facebook was quick to acknowledge that the SMS spam isn't intentional, and that it would be rolling out out a fix shortly (hopefully before too many people get disgusted by 2FA):

"It was not our intention to send non-security-related SMS notifications to these phone numbers, and I am sorry for any inconvenience these messages might have caused. We are working to ensure that people who sign up for two-factor authentication won't receive non-security-related notifications from us unless they specifically choose to receive them, and the same will be true for those who signed up in the past. We expect to have the fixes in place in the coming days. To reiterate, this was not an intentional decision; this was a bug."

While Facebook was quick to own its 2FA problem, the company has been somewhat mute regarding the backlash to its "VPN" service offering. That effort likely began with good intentions among Facebook's security team, then got hijacked by company higher ups nervous about the fact Facebook's engagement and subscriber numbers have begun a precipitous dive. The solution to that problem is making Facebook better and more secure, not pushing security and privacy services whose real agenda is monetization and, apparently, annoyance.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: 2fa, marketing, security, sms, spam, tracking, two factor authentication, vpn
Companies: facebook


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    Ninja (profile), 20 Feb 2018 @ 10:33am

    Are we witnessing the next myspace/orkut/whatever?

    In any case, put aside the latest shenanigans from Facebook there's still the negative impact it causes psychologically speaking. I personally felt better after I stopped using it. No seriously, there are other means of keeping in touch.

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 20 Feb 2018 @ 12:11pm

    Re:

    Facebook should be burned to the ground, then nuked from orbit just to make sure. Everyone who has ever worked there should be blacklisted for life from IT. And sociopathic monster Mark Zuckerberg should be locked in a deep, dark hole forever.

    link to this | view in thread ]

  3. icon
    Gary (profile), 20 Feb 2018 @ 12:31pm

    Re: Re:

    Sounds like someone is jealous they didn't invent Facebook first!

    link to this | view in thread ]

  4. identicon
    Anonymous Coward, 20 Feb 2018 @ 12:39pm

    You don't have to buy into the Zuke's fever dreams to be affected by them.

    link to this | view in thread ]

  5. icon
    orbitalinsertion (profile), 20 Feb 2018 @ 12:39pm

    Re: Re: Re:

    Kind of like Zuckerberg?

    link to this | view in thread ]

  6. icon
    Roger Strong (profile), 20 Feb 2018 @ 12:45pm

    Re: Re:

    Facebook should be burned to the ground, then nuked from orbit just to make sure. Everyone who has ever worked there should be blacklisted for life from IT.

    That's too subtle and optimistic for my tastes.

    Facebook has partnered with Amazon, Google, Microsoft, Twitter and others on the OAuth standard for access delegation. Log into one, and you're automatically logged into the rest.

    Microsoft is pushing this in their Visual Studio programming environment for web sites, desktop and mobile apps to the extent that they've removed other user authentication tools.

    I have a new Ricoh camera. To use its full functionality I need to log into the Ricoh web site. Which doesn't have its own user authentication system. To log in I had to set up a Facebook account and use THAT to authenticate on the Ricoh site.

    This is the future of all your apps, websites and devices. What could possibly go wrong?

    link to this | view in thread ]

  7. icon
    PaulT (profile), 20 Feb 2018 @ 12:57pm

    Re:

    "Are we witnessing the next myspace/orkut/whatever?"

    If so, people should be reminded that users of those services merely went to use competitors who met their needs better. That FB is currently one of the leaders in connecting people is not necessarily an indicator of longevity if a better option comes along.

    "No seriously, there are other means of keeping in touch."

    Depends on your needs and who you're trying to keep in touch with. Some people find it invaluable, some people prefer other methods, some people can be easily persuaded to use other methods if all their friends start moving there.

    link to this | view in thread ]

  8. icon
    PaulT (profile), 20 Feb 2018 @ 12:59pm

    Re: Re:

    As ever, I'm impressed by the factual information and lack of hyperbole by people who dislike a particular company.

    Do you guys ever actually think this gets you support for your cause, or did it ever dawn on you that a more subtle approach might be more effective?

    link to this | view in thread ]

  9. identicon
    Anonymous Coward, 20 Feb 2018 @ 1:12pm

    SMS 2FA? What about TOTP?

    Does Facebook also support time-based one-time passwords? These are the 6-digit codes that change every 30 seconds.

    I don't have a lot of confidence in the security of SMS-based authentication schemes.

    link to this | view in thread ]

  10. identicon
    Anonymous Coward, 20 Feb 2018 @ 1:16pm

    Reason 2,341,829 that I have all but stopped using Facebook.

    link to this | view in thread ]

  11. icon
    Improbus (profile), 20 Feb 2018 @ 2:01pm

    Re:

    Indeed, I check log into Facebook at least 2 or 3 times a year.

    link to this | view in thread ]

  12. icon
    orbitalinsertion (profile), 20 Feb 2018 @ 2:04pm

    Re: Re:

    For sure, there will be people you simply lose if you don't use FB, even though they hate it too, getting them on a reasonable messaging client like Threema is akin to pulling teeth since they have to use FB for other stuff anyway. In some situations, it is outright required by school or work.

    link to this | view in thread ]

  13. This comment has been flagged by the community. Click here to show it
    identicon
    Anonymous Coward, 20 Feb 2018 @ 2:06pm

    Masnick pro-Facebook damage control post incoming

    link to this | view in thread ]

  14. identicon
    Anonymous Coward, 20 Feb 2018 @ 2:09pm

    what's the newest or rising alternative for facebook

    I don't follow social media much. Who or what is the newest rising star in that arena? I heard snapchat is losing users so what are people flicking to now?

    link to this | view in thread ]

  15. identicon
    Anonymous Coward, 20 Feb 2018 @ 2:11pm

    Re: Re: Re:

    The thought of a school requiring facebook reminds me of blackboard.

    link to this | view in thread ]

  16. identicon
    Anonymous Coward, 20 Feb 2018 @ 3:06pm

    Re: Re: Re:

    I try to invent things that I can be proud of. Mostly I fail. Once in a while, I succeed modestly.

    I would never even *try* to create something as horrible as Facebook. That takes a sociopath, which is exactly why it's played out as it has.

    link to this | view in thread ]

  17. identicon
    Anonymous Coward, 20 Feb 2018 @ 3:10pm

    Never had Myspace, Facebook, Twitter, Instagram, Snapchat,or any other social media site. Never will. If I buy anything that requires one to use the product it's going right back to the store.

    link to this | view in thread ]

  18. icon
    An Onymous Coward (profile), 20 Feb 2018 @ 3:10pm

    Re: Re: Re: Re:

    I'm no fan of facebook, never used it either. But you sound as though you have no knowledge of how facebook came to be what it is today. Before you burn zuckerberg at the stake, do a little reading. Facebook looks nothing at all today as it was originally built to be used. Its users and the need to show a profit drove it where it is now.

    link to this | view in thread ]

  19. icon
    An Onymous Coward (profile), 20 Feb 2018 @ 3:14pm

    Re: Re: Re:

    Log into one, and you're automatically logged into the rest.

    That simply isn't true. They each offer their own OAuth implementations. While "login with Facebook/Google" is ubiquitous on the web they are not shared authentications. OAuth is simply a standard that allows a web site operator (and others) to offload the work of authenticating users to a 3rd party. OAuth is no less secure than regular username+password authentication*.

    • On most sites, anyhow. OAuth isn't perfect but most basic auth isn't either.

    link to this | view in thread ]

  20. identicon
    Kronomex, 20 Feb 2018 @ 3:15pm

    And this sort of crap just reinforces my reasons for dumping farcebook a few years ago.

    link to this | view in thread ]

  21. icon
    An Onymous Coward (profile), 20 Feb 2018 @ 3:20pm

    Re: what's the newest or rising alternative for facebook

    A lot have moved to Instagram. I couldn't begin to say why or why not.

    link to this | view in thread ]

  22. identicon
    Anonymous Coward, 20 Feb 2018 @ 3:31pm

    Oh yeah forgot to add thanks for the tip on Ricoh. Won't buy anything from them.

    link to this | view in thread ]

  23. identicon
    Anonymous Coward, 20 Feb 2018 @ 4:10pm

    Re: Re: what's the newest or rising alternative for facebook

    Which means they've just moved from Facebook... to Facebook.

    link to this | view in thread ]

  24. icon
    Mononymous Tim (profile), 20 Feb 2018 @ 4:24pm

    this was a bug

    ..in our programmer.

    link to this | view in thread ]

  25. icon
    Roger Strong (profile), 20 Feb 2018 @ 4:25pm

    Re: Re: Re: Re:

    OAuth is simply a standard that allows a web site operator (and others) to offload the work of authenticating users to a 3rd party.

    But that's exactly what I'm saying.

    Sure, a password won't be shared between sites. But if Facebook passwords were ever to leak, a crook could authenticate using that, and now he's also authenticated for the user's non-Facebook sites and services.

    link to this | view in thread ]

  26. identicon
    Anonymous Coward, 20 Feb 2018 @ 9:22pm

    Re: SMS 2FA? What about TOTP?

    I had to stop and read the sentence again. SMS is the ideal 2FA method? What?! SMS can be easily spoofed given most carriers current standards, giving the black hats open access to run targeted individual attacks. Not to mention the other security risks that come with having your 2FA delivered via the same system people use for texting in general. What should be the very lowest base standard in all cases is a software authenticator.

    How could you be a tech journalist, writing a scathing article about InfoSec being abused by Facebook, and not have the level of self awareness that would lead you to at least DuckDuckGo the topics that you’re going to be writing so assuredly of? People trust sites like techdirt to provide information that’s at least as accurate as an average Reddit post. I never write comments like this on news articles, but this author is spreading misinformation that lead to ruined lives. Please, do some brushing up on the current 2FA scene and edit your article to accurately reflect how terrible SMS is for this purpose and maybe mention the basic alternatives. Man, I’m sorry if I came across as a jackass. Please know that it wasn’t my intent if that’s how I do come across.

    link to this | view in thread ]

  27. icon
    PaulT (profile), 21 Feb 2018 @ 12:48am

    Re:

    But you will rant about things you don't do on non-social media sites because it makes you feel superior in some way? Well done, your life must be so fulfilled in all aspects.

    "If I buy anything that requires one to use the product it's going right back to the store."

    This makes me laugh a little as what you just said was that not only will you not do the most basic research on a product before you buy it, you'll happily drive miles back and forth to a retail outlet to replace it if a feature you could have educated yourself about was present. I'd say that someone who uses social media and is aware of what they're buying is probably more suited to feel superior, to be honest.

    link to this | view in thread ]

  28. identicon
    Anonymous Coward, 21 Feb 2018 @ 7:36am

    Re: Re: Re: Re: Re:

    Sure, a password won't be shared between sites.

    How do we know that? You go to some site, click "log in with Facebook", and then what? Enter your Facebook password into whatever box it gives you? Does the average person know how to check whether they're really on Facebook's site and not a lookalike (and remember to do it every time)?

    I've seen people type URLs into Google, so I'm not hopeful about this...

    link to this | view in thread ]

  29. identicon
    oliver, 21 Feb 2018 @ 7:51am

    2FA?
    you keep using that word, but it does not mean what you think it means!!!!

    link to this | view in thread ]

  30. icon
    The Wanderer (profile), 21 Feb 2018 @ 8:17am

    Re: Re:

    I think that may be a bit farther than is justified.

    I, too, would return a product if I discovered after buying it that it would not work without Facebook authentication - but that does not imply that I wouldn't do the research before buying; I would, and generally do, and then don't buy such products (though I can't remember any examples of such products just off the top of my head).

    All it says is that if I missed the requirement in my pre-purchase research, or if I failed to do the research in one instance and it turned out that that instance was one where it actually mattered, I would go through with the return.

    That seems like a reasonable position, to me - if nothing else, then because such a requirement makes the product useless to me, because I do not have a Facebook account and (for reasons of my own) refuse to create one.

    link to this | view in thread ]

  31. icon
    JMM (profile), 21 Feb 2018 @ 9:59am

    Re: what's the newest or rising alternative for facebook

    E-mail.

    link to this | view in thread ]

  32. identicon
    Anonymous Coward, 21 Feb 2018 @ 11:11am

    Ideally, two-factor authentication should use your phone number exclusively to send you authentication codes via SMS.

    This is not true. SMS is a terrible method of 2FA. Far from "ideal." NIST has stopped recommending SMS for 2FA.

    link to this | view in thread ]

  33. icon
    PaulT (profile), 21 Feb 2018 @ 11:24am

    Re: Re: Re:

    Well, something like requiring social media authentication from a third party not directly related to the device seems like something that should at least be mentioned on the box. It would certainly be mentioned in a reputable review.

    I'd also say that anyone who depends on whatever limited stock a brick and mortar store happens to have on a particular day is asking for trouble unless there's a real need to have the item immediately. I can't remember the first time I made any significant purchase without at lead reading online reviews while stood in from of the shelf. OK, there may be circumstances where that can't be done, but the image in my head is this guy looking at the screen telling him to log in, even though the Facebook logo is on the packaging.

    It just seems meaningless to boast about what you don't do as if it makes you special. There's lots of things I also don't use, but you won't find me making special effort to tell everyone about them.

    link to this | view in thread ]

  34. identicon
    Anonymous Coward, 21 Feb 2018 @ 11:53am

    Re:

    Facebook is already dying because it's not cool enough for the kids. Of course, they've found other "apps" to give away their personal information to, but such is life.

    link to this | view in thread ]

  35. icon
    John85851 (profile), 21 Feb 2018 @ 1:33pm

    Zero tolerance for "bug"

    With all this talk about zero tolerance for different things, is it time to have zero tolerance for "bugs" on sites such as Facebook?
    After all, Facebook literally has billions of users. Isn't it safe to assume they have all manner of testing, QA, beta testing, and alpha testing before any feature goes live?
    Then who approved the idea to spam people using their two-factor authentication number? And then who approved posting their reply to their wall? I can easily see a programmer coming up with the idea, but team leads and managers are supposed to not allow these things. And where are the testers saying this isn't a good idea?

    Or is this "bug" actually a feature passed down from higher management as yet another way to spy and track people?

    link to this | view in thread ]

  36. icon
    The Wanderer (profile), 21 Feb 2018 @ 2:31pm

    Re: Re: Re: Re:

    Just as a nit, I don't think "the store" necessarily implies a brick-and-mortar shopfront; last I checked (which admittedly may not have been recently), it was still relatively common to refer to online merchants as "stores", or at least "Web stores".

    Also, the Facebook logo being present on the packaging does not necessarily imply "requires Facebook in order to use the device" (although it should certainly be enough of a red flag to get someone who's anti-Facebook to do extra research before buying); it could simply imply "supports Facebook connectivity", much as a Facebook logo on a Website or in an app often means nothing more than "we make it easy for you to share (things related to us) via Facebook!".

    I agree that "not using Facebook or anything like it" isn't necessarily anything to boast about, though. Even I don't tend to bring my personal Facebook avoidance up in public discussions, even ones where Facebook is the topic, unless it's directly relevant; I might mention it if Facebook comes up in individual conversation, but that's about as far as that goes.

    link to this | view in thread ]

  37. identicon
    Anonymous Coward, 21 Feb 2018 @ 2:35pm

    Re: Re: Re: Re: Re: Re:

    That's why I make it a habit to close my browser before logging into any "important" site, (banking, credit card, bill pay, etc.) That way I KNOW I have a new session and there is no cross-contamination with "referring URLs" being transmitted.

    link to this | view in thread ]

  38. icon
    PaulT (profile), 22 Feb 2018 @ 12:00am

    Re: Re: Re: Re: Re:

    Fair enough. I was only being half serious anyway. The guy didn't exactly have anything relevant or of interest to anyone else to say, so I was having a little dig.

    But generally speaking - if you're that fundamentally opposed to something and you don't realise you've bought a product that's irrevocably tied to it until you have it in your home, you seriously need to step up your due diligence when choosing products.

    link to this | view in thread ]

  39. identicon
    TRX, 24 Feb 2018 @ 2:25am

    Re: Re: Re:

    An acquaintance works for a DOD subcontractor. One that is co-located at a national arsenal.

    The company "outsourced" its HR department to a third party...

    ...which only communicates via Facebook.

    Later, they replaced their internal email system with some kind of Facebook service. Given they're a military contractor, and that they're subject to stringent regulations concerning business mail, I've wondered how that works...

    link to this | view in thread ]

  40. identicon
    TRX, 24 Feb 2018 @ 2:35am

    Re: Re: SMS 2FA? What about TOTP?

    I've already run into trouble with that in a few places. I carry a dumbphone becuse a client pays me to, but I had the service provider turn off SMS. I have a real desktop computer with a real keyboard, monitors, and real SMTP email. I'm not going to jerk around squinting and poking at a phone.

    This has led to some interesting incidents, like showing up for a doctor's appointment and having them tell me that A) they had canceled my appointment and B) they felt I owed them $50 for doing that, since I didn't respond to a text verifying that I still intended to show up. I got the strong impression they will be changing their policies so as to not accept new patients without text, email, and Farcebook accounts they can spam.

    link to this | view in thread ]

  41. identicon
    hansolo325, 5 Jun 2018 @ 6:23am

    If you need real VPN that won't spam you with texts, try http://topsecur.com, will help for sure.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.