Twitter About To Be Hit With A ~$250 Million Fine For Using Your Two Factor Authentication Phone Numbers/Emails For Marketing
from the good dept
There are many things that big internet companies do that the media have made out to be scandals that aren't -- but one misuse of data that I think received too little attention was how both Facebook and later Twitter were caught using the phone numbers people gave it for two factor authentication, and later used them for notification/marketing purposes.
In case you're somehow unaware, two-factor authentication is how you should protect your most important accounts. I know many people are too lazy to set it up, but please do so. It's not perfect (Twitter's recent big hack routed around 2FA protections), but it is many times better than just relying on a username and password. In the early days of 2FA, one common way to implement it was to use text messaging as the second factor. That is, when you tried to login on a new machine (or after a certain interval of time), the service would have to text you a code that you would need to enter to prove that you were you.
Over time, people realized that this method was less secure. Many hacks involved people "SIM swapping" (using social engineering to have your phone number ported over to them), and then getting the 2FA code sent to the hacker. These days, good 2FA usually involves using an authenticator app, like Google Authenticator or Twilio's Authy or even better a physical key such as the Yubikey or Google's Titan Key. However, many services and users have stuck with text messaging for 2FA because it's the least complex for users -- and the issue with any security practice is that if it's not user-friendly, no one will use it, and that doesn't do any good either.
But using phone numbers given for 2FA purposes for notifications or marketing is really bad. First of all, it undermines trust -- which is the last thing you want to do when dealing with a security mechanism. People handed over these phone numbers/emails for a very specific and delineated reason: to better protect their account. To then share that phone number or email with the marketing team is a massive violation in trust. And it serves to undermine the entire concept of two factor authentication, in that many users will become less willing to make use of 2FA, fearing how the numbers might be abused.
As we noted when Facebook received the mammoth $5 billion fine from the FTC a year ago, while the media focused almost entirely on the Cambridge Analytica situation as the reason for the fine, if you actually read the FTC's settlement documents, it was other things that really caused the FTC to move, including Facebook's use of 2FA phone numbers for marketing. We were glad that Facebook got punished for that.
And now it's Twitter's turn. Twitter has revealed that the FTC is preparing to fine the company $150 million to $250 million for this practice -- noting that it violated the terms of an earlier consent decree with the FTC in 2011, where the company promised not to mislead users about how it handled personal information. Yet, for years, Twitter used the phone numbers and emails provided for 2FA to help target ads (basically using the phone number/email as an identifier for targeting).
There's no explanation for this other than really bad handling of data at Twitter, and the company should be punished for it. There are many things I think Twitter gets unfairly blamed for, but a practice like this is both bad and dangerous, and I'm all for large fines from the FTC to convince companies to never do this kind of thing again.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: 2fa, ftc, marketing, notifications, privacy, security, targeting, two factor authentication
Companies: twitter
Reader Comments
Subscribe: RSS
View by: Time | Thread
Parable Time
Once upon a time, a scorpion approached the bank of a river, looking to cross. The scorpion saw a nearby frog, and asked, "Hey there Mr. Frog, can you help me across the river? I can ride on your back!" And the frog replied, "No, I don't want to give you a ride on my back. You'll sting me." The scorpion denied it, saying "No I won't. If I sting you in the middle of the river, I'll drown too." So the frog agreed.
The scorpion climbed onto the frog's back, and the frog swam across the river at the top surface, keeping the scorpion dry and above water. But when they got to around halfway, the scorpion stung the frog with its poisonous tail.
As the frog slowed down, struggling to stay above water, the poison filling his veins, and death becoming apparent, the frog asked "Why did you sting me, scorpion? Now we will both die in the river."
And the scorpion replied, "I tried not to, but I couldn't help it. I'm a scorpion!"
[ link to this | view in chronology ]
That stupid scorpion parable
It is my nature may explain why a mother with starving children will steal food, but it doesn't explain well the ill behaviors of a ten-billion dollar company, and tends rather to imply a failure of upper management, or at worst, a poor business model.
The scorpion in this case don a fucking cork on its stinger, or hire a turtle. Or take some don't-sting-the-frog lessons. But instead not only does he die with the frog, but no future frogs will trust future scorpions in need.
[ link to this | view in chronology ]
Re: That stupid scorpion parable
It's easier to blame nature, than one's own fucking culture.
[ link to this | view in chronology ]
Re: Re: That stupid scorpion parable
The corporation may die but the prick will still be there to do it again
[ link to this | view in chronology ]
Re: Parable Time
Let me guess - you not only think this is original and clever to invoke (it's not), but somehow uniquely applicable to Twitter and not every major corporation?
[ link to this | view in chronology ]
Re: Re: Parable Time
you not only think this is original and clever to invoke (it's not)
No, what's unique and clever is attacking and arguing with someone over something they so obviously never said. What's unique and clever is implying bad faith where none was evident to anyone else, and what's unique and clever is being an asshat for no other reason that it's the Internet.
It's literally the first time each and every one of these things has been done. Congratulations on staying original.
[ link to this | view in chronology ]
Re: Parable Time
What is the reasoning behind this so-called parable? It makes no sense.
Does the illustration mean to imply that some bad actors should be excused for their wrongdoing, due to their inherent wicked natures?
That’s a blaming-the-victim paradigm.
I’ve heard this parable over and over again, during my lifetime, and it’s always seemed to be pure foolishness.
[ link to this | view in chronology ]
Re: Re: Parable Time
"Does the illustration mean to imply that some bad actors should be excused for their wrongdoing, due to their inherent wicked natures?"
I've always read it as being "certain types of creatures are just evil and should be avoided, don't be surprised when they act evil if you're dumb enough to trust them".
Which, depending on how you read it can have some disturbing connotations in general life.
[ link to this | view in chronology ]
disturbing connotations
I always read it as a justification for racism or distrust of rival religious faiths.
e.g. Not to trust Jews and their evil knishes.
[ link to this | view in chronology ]
Re: disturbing connotations
I always read it as a justification for racism or distrust of rival religious faiths.
Of course you did. Why not ...
[ link to this | view in chronology ]
Re: Re: Parable Time
I’ve heard this parable over and over again, during my lifetime, and it’s always seemed to be pure foolishness.
It takes a measure of abstract thinking to get ones like this. Abstract thinking, at least in it's most commonly-acknowledged forms, begins at an IQ somewhere around 110. This Is a full standard deviation above the average US national IQ of 98.
There are no doubt plenty of people confused by it. They tend to be bamboozled by parables like this, and read into them all kinds of things that were never intended. You are doing that here. Some of you desperately want a straw man to attack so badly, that you're creating it out of all kind of non-strawman things.
This does not imply "blaming" the victim or anything of the like. That's a creation of your own mind. Break free from the buzzword salesmen, those people who promise salvation if only you return the favor and fail to point out their hypocrisy.
Jut say no to their temptations and false rewards of absolution.
[ link to this | view in chronology ]
Not wanting voicemail/text message spam is the main reason I've avoided turning on 2FA for several online accounts that offer it, despite knowing the security advantages.
It's definitely bad that Twitter was doing something that undermined trust. But to me, the underlying problem is only grazed:
In many of the cases I've avoided 2FA, it's because the terms of service explicitly state that the cell phone number I provide can and will be used for marketing purposes, and that by providing it I am consenting. I don't, so I don't.
So, yes, what they were doing was bad. But it sounds like they're getting fined because they weren't following their stated promise not to, not because of the inherent badness of the behavior itself.
[ link to this | view in chronology ]
Re:
I concur with your analysis, but the reason I don't use 2FA is that I don't have a phone, cell or landline. I don't need one, and 2FA isn't a good enough reason for the expense or other inconveniences that come along with having one. But there are reasons to use 2FA, for instance I have a gmail account (one I got a long time ago) but if I want another one, I have to be able to receive a text message for authentication. Apparently, in the past, there were Internet based sms sights that would satisfy this need, but no longer, Google has disallowed these.
So if a service were to require 2FA, they will be without my business, and as you point out, it isn't necessary to lack a phone to have a reason to opt out of 2FA.
[ link to this | view in chronology ]
Re: Re:
I believe Authy has a desktop version of their authenticator, so you don't need a phone to use 2FA. Any site that supports the Google Authenticator supports Authy too.
(note, I have no connection to authy, and don't use it)
[ link to this | view in chronology ]
Re: Re: Re:
The reviews for Google Authenticator and Twilio's Authy both present issues. Maybe they will mature and become better.
I have thought about the Yubi key, but I am not sure the hassle is worth it. I use a password manager, with very strong and very obscure passwords that are easily changed, though visiting each site and finding the place to change passwords is a pain.
[ link to this | view in chronology ]
Re: Re: Re: Re:
Not to mention the lack of support. FIDO doesn't help on sites or apps that don't support it.
[ link to this | view in chronology ]
Re: Re: Re: Re:
Google Authenticator uses TOTP, a standard protocol. There are various compatible programs, or you can use a few lines of python (plus the pyopt module):
import pyotp
totp = pyotp.TOTP(key)
print(totp.now())
You just need to get 'key' in base32 format, e.g. by reading it from a file or piping it from your password manager. The key will be given by the service that wants you to enroll in 2FA (it might be in QR-code form). It's not quite a second factor if the manager has both secrets, but it should satisfy any site requiring this form of 2FA.
[ link to this | view in chronology ]
Re: Re: Re: Re:
"I use a password manager, with very strong and very obscure passwords that are easily changed,"
Which, of course, makes it so that you have no backup protection in the unlikely event you have been compromised. It's good practice, but if either the site you log into gets compromised or the password manage site itself is compromised, you won't have any way of stopping abuse until after it's happened.
It's up to you whether you trust the 2FA method you choose and accept the downsides of each (and none is perfect), but I'd personally recommend having the sites where you have your most important data stored be set up to at least inform you when someone's logged in if not require 2FA. Better to be annoyed by the occasional demand for a second factor to be confirmed than find out that someone had access to your data when a site compromise is announced days or weeks after it's been breached.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
The password manager I use is passwordsafe, originally by Bruce Schneier and now maintained by others. It does not use a website, it has a self contained database, which I rename and number by version. They stopped making a Linux build but there is a clone by Marc Deslauriers called passafe which reads the same file types, you just need to copy your database to the correct folder (/home/user/.local/share/pasaffe/) and rename it passaffe.psafe3.
I also use SpiderOak cloud backup (recommended by Edward Snowden and is fully encrypted), and the SpiderOak_Hive system which syncs between machines set up for it (Even the Windows side of my dual boot laptop) so I never actually could loose my database, though I came close recently as various updates put my protections askew. My savior was that I also had a copy on my Android tablet which is not on SpiderOak. I hard link the passafe database to the Hive and make a copy that is renamed for use with the Windows/Android versions, and then backed up to the cloud and other Hive instances. That way, I have the same database everywhere, though the transfer to the Android tablet is manual.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
OK, that's very good, though it still won't protect you from your account on any website getting compromised on the server end. It doesn't matter how good your password is if their database gets compromised.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
If you are referring to your password getting stolen from their database, any remotely competent admins will ensure that this does not matter. So hopefully you'll be OK anyway. If you mean other personal information getting compromised server side, 2FA doesn't help with that either.
The password storage will be encrypted, possibly with multiple passes, and hopefully a very strong password. You could hand an attacker your password file and user name, and they should be able to do nothing useful with it. You will have at minimum many trillions of years to change your passwords before they're able to brute force it.
https://scrambox.com/article/brute-force-aes/
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re:
"If you are referring to your password getting stolen from their database, any remotely competent admins will ensure that this does not matter"
That's a reasonably large assumption with some companies. How many times do you read about some unencrypted stash being leaked or plaintext details left on the open web? I regularly get emails from haveibeenpwned.com regarding leaks, some of them years after the event.
"If you mean other personal information getting compromised server side, 2FA doesn't help with that either."
I simply mean that if your password is compromised in some way and someone logged in successfully, you at least get informed with 2FA, whereas without it you won't know until they have done whatever they want in your account without it.
"The password storage will be encrypted, possibly with multiple passes, and hopefully a very strong password."
Based on a number of assumptions that don't hold true for every site. Sure, if you're careful the risk is minimal, but we constantly hear of things like this:
https://www.vice.com/en_us/article/qvy9k7/facebook-hundreds-of-millions-user-passwords-plainte xt-data-leak
Sure, supposedly the passwords weren't visible to anyone outside of Facebook in that case, but no password manager will help you if the site you're logging in to allows people to view plain text passwords. 2FA will.
In the above case, all it takes is for some other part of Facebook to be compromised in a way that allowed the plain text to be viewed (or a corrupt employee leaking the list to external bad actors), and someone's logging into your account without you knowing about it until after the damage is done.
It's simply worth putting extra protection into place for anything important and not depend on a single type of security. Sure, it's unlikely that my decently maintained car driven within normal limits will have a crash, but I still wear a seatbelt in case something happens beyond my control.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re:
All the time, but usually not plain text passwords. That Facebook issue is pretty awful though. I hope I'm not being naive about how many places might log a plain text password.
What password manager stores passwords unencrypted?
I completely agree, I just wanted to push back a bit on how vulnerable passwords and password managers are (generally, with a significant caveat of proper password security).
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
"I hope I'm not being naive about how many places might log a plain text password."
Well, it's always better to be safe than sorry. You would hope that anywhere you're trusting with your data is better than that, but there's no accounting for incompetence and/or corrupt employees. There are a great many examples where even the most basic security procedures you would hope be in place have not been there, and you can't trust that you'll find out of a company's problems before someone else has exploited them.
"What password manager stores passwords unencrypted?"
Hopefully none, but again it's down to having a layer of extra security should the one you mainly depend on fail.
I'm not saying that badly secured password managers are common nor that every company you deal with is likely to have a problem as big as Facebook's was. Only that there's no harm in having the extra security and it's always good to have notification of when the main security method you rely upon is breached, especially if that notification method also prevents the attacker from getting past the login screen on a successful password entry.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re:
Sure, it's unlikely that my decently maintained car driven within normal limits will have a crash, but I still wear a seatbelt in case something happens beyond my control.
You couldn't have told me this BEFORE I went on Jeopardy? $10,000 grand prize, down the drain.
Thanks buttwipe.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
<b>OK, that's very good, though it still won't protect you from your account on any website getting compromised on the server end. It doesn't matter how good your password is if their database gets compromised.</b>
Wait, I know you!
https://www.nydailynews.com/resizer/otMpBO682HEELHriNSsX6yZ28IY=/1200x0/arc-anglerfish-arc2-pro d-tronc.s3.amazonaws.com/public/RPMJ3ZO2FS2JV4DPKM2L6FP47A.jpg
[ link to this | view in chronology ]
Re: Re: Re:
However, in the case of GMail, you need to give a phone number and let them call it at least once before they will permit you to configure a TOTP MFA. Therefore, grandparent would still be stuck even if he/she were willing to use a desktop-hosted authenticator.
[ link to this | view in chronology ]
Re: Re: Re: Re:
It seems they allow you to change your phone number after the authentication, to anything. In this way one could use a friends phone to get the sms, and then go in and change the number to that of the White House. Doesn't quite make sense to me.
[ link to this | view in chronology ]
Re:
So, yes, what they were doing was bad. But it sounds like they're getting fined because they weren't following their stated promise not to, not because of the inherent badness of the behavior itself.
Do you guys bend over backward to not understand things, or is this genuine?
They promised not to after the FTC declared the behavior "bad" 9 years ago. Its "badness" underlines the entire set of exchanges between the FTC and Twitter.
I can't wait to read the next comment. I expect something like:
"So, what I think this means is this that the scorpion was a misogynist and the frog was a racist. The snail wasn't even mentioned because they is transgender, so the bottom line is the whole thing is about sexually assaulting ostriches."
I mean, why not. I means what you want it to mean I guess.
good grief
[ link to this | view in chronology ]
The Facebook 2FA abuse was particularly bad. I have a bad habit of replying to automated messages for catharsis. Turns out that when Facebook decided it was a good idea to text alerts of status updates from friends it decided were important to you, it also decided that any replies to said text would then be posted on said status update under your account. Had a fun time explaining THAT one to my friend.
[ link to this | view in chronology ]
This is similar to Microsoft pushing its Windows 10 upgrades through its security updates channel.
[ link to this | view in chronology ]
Profound clear-thinking system engine
[ link to this | view in chronology ]