Top tip: Don't bother with Facebook's two-factor SMS auth – unless you love phone spam
Pick another 2FA method: Social network is having a What The Zuck moment
Forget fake news, Russian trolls and the gradual cruel destruction of journalism – now Facebook is taking heat for spamming a netizen's phone with text messages after he signed up for SMS-based two-factor authentication.
Software engineer Gabriel Lewis said this week that after he activated the security measure with his cellphone number, he began to receive not just one-time login tokens as expected, but texts from Facebook with links to stuff happening on the social network.
How sly. Using a security mechanism to lure you back into the website.
What's worse, Lewis has not installed the Facebook app on his smartphone, and has not opted in to text message alerts. In short, the only thing he told Facebook to do was send his login authentication codes to his mobile via text, and now he's getting everything.
On top of that, Lewis said any replies to the Facebook texts (such as attempts to opt out) were posted directly to his profile page, leaving him looking like he was screaming "NO STOP" like a serial killer victim.
So I signed up for 2 factor auth on Facebook and they used it as an opportunity to spam me notifications. Then they posted my replies on my wall. 🤦♂️ pic.twitter.com/Fy44b07wNg — Gabriel Lewis 🦆 (@Gabriel__Lewis), February 12, 2018
The cockup has some, including cryptography professor Matthew Green, wondering if Facebook had deliberately configured its two-factor SMS authentication backend to double as a messaging system for those who opted not to install the mobile app.
A lot of people are suggesting the Facebook SMS spam is a bug. Bullshit. Someone at FB made a deliberate decision to “re-engage users” by spamming all those mobile phone numbers 2FA users had entered. No bug here at all. — Matthew Green (@matthew_d_green), February 14, 2018
Green went on to note that he too has received the unwanted alerts, which he said have only recently started arriving.
Facebook has emitted a statement on the matter, but remained vague on exactly what caused the issue, and how it could be resolved – other than suggesting not giving the social network your phone number in the first place.
So: it's secure your profile via SMS and be spammed, or don't lock it down from password thieves and get some peace. Nice. Luckily, you can use dedicated security tokens and other methods for two-factor authentication with Facebook to avoid handing over your cell number. Given the spate of SS7 attacks, using something other than SMS for authentication is a good idea, anyway.
"We give people control over their notifications, including those that relate to security features like two-factor authentication," a spokesperson told El Reg on Wednesday evening.
"We're looking into this situation to see if there's more we can do to help people manage their communications. Also, people who sign up for two-factor authentication using a U2F security key and code generator do not need to register a phone number with Facebook."
This is particularly poor timing for Facebook, as the reports of the unwanted texts come as the social network just found itself on the wrong end of Germany's privacy laws.
Facebook broke that Euro nation's rules with its mobile app by pre-ticking a number of opt-in settings including location tracking. Facebook has said it will appeal this month's ruling. ®