Facebook 'Security': A New VPN That's Spyware And Two-Factor Authentication That Spams You

from the insecurity dept

Facebook’s definition of protection isn’t quite up to snuff. Last week, some Facebook users began seeing a new option in their settings simply labeled “Protect.” Clicking on that link in the company’s navigation bar redirects Facebook users to the “Onavo Protect – VPN Security” app’s listing on the App Store. There, they’re informed that “Onavo Protect helps keep you and your data safe when you browse and share information on the web.” You’re also informed that the “app helps keep your details secure when you login to websites or enter personal information such as bank accounts and credit card numbers.”

What you’re not told is that Facebook acquired the company back in 2013, and is now using it as little more than glorified spyware, allowing Facebook to track and monetize your travels around the internet (especially time spent wandering around competing social media platforms). That is, understandably, upsetting some people who believe that security tools should, well, actually protect you from surveillance, not open up an entirely new avenue for it:

“Facebook, however, purchased Onavo from an Israeli firm in 2013 for an entirely different reason, as described in a Wall Street Journal report last summer. The company is actually collecting and analyzing the data of Onavo users. Doing so allows Facebook to monitor the online habits of people outside their use of the Facebook app itself. For instance, this gave the company insight into Snapchat’s dwindling user base, even before the company announced a period of diminished growth last year.”

Amusingly, as one Facebook team was busy pushing a VPN service that spies on you, other parts of the company have been busy pushing a new two-factor authentication system (good) that the company also thought should be co-opted for marketing purposes (not so good). Ideally, a phone number you hand over for two-factor authentication should be used for one thing only: sending you authentication codes via SMS. But Facebook apparently got the nifty idea to immediately take that number and spam customers in the hopes this would drive additional engagement on the site:

On a positive note, Facebook was quick to acknowledge that the SMS spam isn’t intentional, and that it would be rolling out a fix shortly (hopefully before too many people get disgusted by 2FA):

“It was not our intention to send non-security-related SMS notifications to these phone numbers, and I am sorry for any inconvenience these messages might have caused. We are working to ensure that people who sign up for two-factor authentication won’t receive non-security-related notifications from us unless they specifically choose to receive them, and the same will be true for those who signed up in the past. We expect to have the fixes in place in the coming days. To reiterate, this was not an intentional decision; this was a bug.”

While Facebook was quick to own its 2FA problem, the company has said little about the backlash to its “VPN” service offering. That effort likely began with good intentions among Facebook’s security team, then got hijacked by company higher-ups nervous about the fact that Facebook’s engagement and subscriber numbers have begun a precipitous dive. The solution to that problem is making Facebook better and more secure, not pushing security and privacy services whose real agenda is monetization and, apparently, annoyance.


Comments on “Facebook 'Security': A New VPN That's Spyware And Two-Factor Authentication That Spams You”

41 Comments
An Onymous Coward (profile) says:

Re: Re: Re:2 Re:

I’m no fan of facebook, never used it either. But you sound as though you have no knowledge of how facebook came to be what it is today. Before you burn zuckerberg at the stake, do a little reading. Facebook looks nothing at all today as it was originally built to be used. Its users and the need to show a profit drove it where it is now.

Roger Strong (profile) says:

Re: Re: Re:

Facebook should be burned to the ground, then nuked from orbit just to make sure. Everyone who has ever worked there should be blacklisted for life from IT.

That’s too subtle and optimistic for my tastes.

Facebook has partnered with Amazon, Google, Microsoft, Twitter and others on the OAuth standard for access delegation. Log into one, and you’re automatically logged into the rest.

Microsoft is pushing this in their Visual Studio programming environment for web sites, desktop and mobile apps to the extent that they’ve removed other user authentication tools.

I have a new Ricoh camera. To use its full functionality I need to log into the Ricoh web site. Which doesn’t have its own user authentication system. To log in I had to set up a Facebook account and use THAT to authenticate on the Ricoh site.

This is the future of all your apps, websites and devices. What could possibly go wrong?

An Onymous Coward (profile) says:

Re: Re: Re: Re:

Log into one, and you’re automatically logged into the rest.

That simply isn’t true. They each offer their own OAuth implementations. While "login with Facebook/Google" is ubiquitous on the web they are not shared authentications. OAuth is simply a standard that allows a web site operator (and others) to offload the work of authenticating users to a 3rd party. OAuth is no less secure than regular username+password authentication*.

* On most sites, anyhow. OAuth isn’t perfect but most basic auth isn’t either.

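The exchange the comment above describes, delegated login where the web site operator offloads authentication to a provider, as an added illustration that is not part of the original thread. The two classes, `IdentityProvider` and `RelyingParty`, are a constructed toy model of the authorization-code flow (not any real provider's code), with sample user and client values made up for the example. It shows the point being argued: the relying party never handles the password, the authorization code is single-use and bound to the registered client and redirect URI, and a callback with an unknown `state` value is refused.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class IdentityProvider:
    """Toy authorization server (the provider side). Only it ever sees passwords."""

    def __init__(self):
        # Constructed sample data: one user and one registered client.
        self.users = {"alice": "correct-horse-battery"}
        self.clients = {"camera-site": "https://camera.example/callback"}
        self.codes = {}  # authorization code -> (client_id, redirect_uri, username)

    def authorize(self, client_id, redirect_uri, state, username, password):
        """User authenticates at the provider; on success a one-time code is redirected back."""
        if self.clients.get(client_id) != redirect_uri:
            raise ValueError("redirect_uri is not registered for this client")
        expected = self.users.get(username, "")
        if not hmac.compare_digest(expected.encode(), password.encode()):
            raise ValueError("bad credentials")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, username)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def exchange(self, client_id, redirect_uri, code):
        """Back-channel exchange: the code is consumed on first use and must match the client."""
        entry = self.codes.pop(code, None)
        if entry is None or entry[:2] != (client_id, redirect_uri):
            raise ValueError("invalid, reused, or mis-bound authorization code")
        return {"access_token": secrets.token_urlsafe(24), "subject": entry[2]}


class RelyingParty:
    """Toy web site that offloads login. It never receives the user's password."""

    def __init__(self, idp, client_id, redirect_uri):
        self.idp = idp
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.pending = set()  # outstanding state values, one per login attempt

    def start_login(self):
        """Build the authorization request; the state value ties the callback to this attempt."""
        state = secrets.token_urlsafe(16)
        self.pending.add(state)
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri, "state": state}

    def finish_login(self, callback_url):
        """Handle the redirect back from the provider and return the authenticated subject."""
        params = parse_qs(urlparse(callback_url).query)
        state = params.get("state", [None])[0]
        code = params.get("code", [None])[0]
        if state not in self.pending:
            raise ValueError("unknown state: callback was not started here")
        self.pending.discard(state)
        if code is None:
            raise ValueError("callback carries no authorization code")
        token = self.idp.exchange(self.client_id, self.redirect_uri, code)
        return token["subject"]


def login_with_provider(idp, rp, username, password):
    """Drive one full login: site -> provider (password entered there) -> site."""
    req = rp.start_login()
    callback = idp.authorize(req["client_id"], req["redirect_uri"], req["state"], username, password)
    return rp.finish_login(callback)


if __name__ == "__main__":
    idp = IdentityProvider()
    rp = RelyingParty(idp, "camera-site", "https://camera.example/callback")
    print("logged in as", login_with_provider(idp, rp, "alice", "correct-horse-battery"))
```

The password check happens only inside `IdentityProvider.authorize`; the relying party's code path never touches it, which is the sense in which the comment says nothing is "shared". What the provider account does become is a single point whose compromise unlocks every relying party, which is the later reply's point, and the model makes that visible too: any caller who can satisfy `authorize` gets a code for any registered client.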
Roger Strong (profile) says:

Re: Re: Re:2 Re:

OAuth is simply a standard that allows a web site operator (and others) to offload the work of authenticating users to a 3rd party.

But that’s exactly what I’m saying.

Sure, a password won’t be shared between sites. But if Facebook passwords were ever to leak, a crook could authenticate using that, and now he’s also authenticated for the user’s non-Facebook sites and services.

Anonymous Coward says:

Re: Re: Re:3 Re:

Sure, a password won’t be shared between sites.

How do we know that? You go to some site, click "log in with Facebook", and then what? Enter your Facebook password into whatever box it gives you? Does the average person know how to check whether they’re really on Facebook’s site and not a lookalike (and remember to do it every time)?

I’ve seen people type URLs into Google, so I’m not hopeful about this…

PaulT (profile) says:

Re: Re:

“Are we witnessing the next myspace/orkut/whatever?”

If so, people should be reminded that users of those services merely went to use competitors who met their needs better. That FB is currently one of the leaders in connecting people is not necessarily an indicator of longevity if a better option comes along.

“No seriously, there are other means of keeping in touch.”

Depends on your needs and who you’re trying to keep in touch with. Some people find it invaluable, some people prefer other methods, some people can be easily persuaded to use other methods if all their friends start moving there.

TRX (profile) says:

Re: Re: Re: Re:

An acquaintance works for a DOD subcontractor. One that is co-located at a national arsenal.

The company “outsourced” its HR department to a third party…

…which only communicates via Facebook.

Later, they replaced their internal email system with some kind of Facebook service. Given they’re a military contractor, and that they’re subject to stringent regulations concerning business mail, I’ve wondered how that works…

Anonymous Coward says:

Re: SMS 2FA? What about TOTP?

I had to stop and read the sentence again. SMS is the ideal 2FA method? What?! SMS can be easily spoofed given most carriers current standards, giving the black hats open access to run targeted individual attacks. Not to mention the other security risks that come with having your 2FA delivered via the same system people use for texting in general. What should be the very lowest base standard in all cases is a software authenticator.

How could you be a tech journalist, writing a scathing article about InfoSec being abused by Facebook, and not have the level of self awareness that would lead you to at least DuckDuckGo the topics that you’re going to be writing so assuredly of? People trust sites like techdirt to provide information that’s at least as accurate as an average Reddit post. I never write comments like this on news articles, but this author is spreading misinformation that lead to ruined lives. Please, do some brushing up on the current 2FA scene and edit your article to accurately reflect how terrible SMS is for this purpose and maybe mention the basic alternatives. Man, I’m sorry if I came across as a jackass. Please know that it wasn’t my intent if that’s how I do come across.

TRX (profile) says:

Re: Re: SMS 2FA? What about TOTP?

I’ve already run into trouble with that in a few places. I carry a dumbphone because a client pays me to, but I had the service provider turn off SMS. I have a real desktop computer with a real keyboard, monitors, and real SMTP email. I’m not going to jerk around squinting and poking at a phone.

This has led to some interesting incidents, like showing up for a doctor’s appointment and having them tell me that A) they had canceled my appointment and B) they felt I owed them $50 for doing that, since I didn’t respond to a text verifying that I still intended to show up. I got the strong impression they will be changing their policies so as to not accept new patients without text, email, and Farcebook accounts they can spam.

PaulT (profile) says:

Re: Re:

But you will rant about things you don’t do on non-social media sites because it makes you feel superior in some way? Well done, your life must be so fulfilled in all aspects.

“If I buy anything that requires one to use the product it’s going right back to the store.”

This makes me laugh a little as what you just said was that not only will you not do the most basic research on a product before you buy it, you’ll happily drive miles back and forth to a retail outlet to replace it if a feature you could have educated yourself about was present. I’d say that someone who uses social media and is aware of what they’re buying is probably more suited to feel superior, to be honest.

The Wanderer (profile) says:

Re: Re: Re:

I think that may be a bit farther than is justified.

I, too, would return a product if I discovered after buying it that it would not work without Facebook authentication – but that does not imply that I wouldn’t do the research before buying; I would, and generally do, and then don’t buy such products (though I can’t remember any examples of such products just off the top of my head).

All it says is that if I missed the requirement in my pre-purchase research, or if I failed to do the research in one instance and it turned out that that instance was one where it actually mattered, I would go through with the return.

That seems like a reasonable position, to me – if nothing else, then because such a requirement makes the product useless to me, because I do not have a Facebook account and (for reasons of my own) refuse to create one.

PaulT (profile) says:

Re: Re: Re: Re:

Well, something like requiring social media authentication from a third party not directly related to the device seems like something that should at least be mentioned on the box. It would certainly be mentioned in a reputable review.

I’d also say that anyone who depends on whatever limited stock a brick and mortar store happens to have on a particular day is asking for trouble unless there’s a real need to have the item immediately. I can’t remember the first time I made any significant purchase without at least reading online reviews while stood in front of the shelf. OK, there may be circumstances where that can’t be done, but the image in my head is this guy looking at the screen telling him to log in, even though the Facebook logo is on the packaging.

It just seems meaningless to boast about what you don’t do as if it makes you special. There’s lots of things I also don’t use, but you won’t find me making special effort to tell everyone about them.

The Wanderer (profile) says:

Re: Re: Re:2 Re:

Just as a nit, I don’t think “the store” necessarily implies a brick-and-mortar shopfront; last I checked (which admittedly may not have been recently), it was still relatively common to refer to online merchants as “stores”, or at least “Web stores”.

Also, the Facebook logo being present on the packaging does not necessarily imply “requires Facebook in order to use the device” (although it should certainly be enough of a red flag to get someone who’s anti-Facebook to do extra research before buying); it could simply imply “supports Facebook connectivity”, much as a Facebook logo on a Website or in an app often means nothing more than “we make it easy for you to share (things related to us) via Facebook!”.

I agree that “not using Facebook or anything like it” isn’t necessarily anything to boast about, though. Even I don’t tend to bring my personal Facebook avoidance up in public discussions, even ones where Facebook is the topic, unless it’s directly relevant; I might mention it if Facebook comes up in individual conversation, but that’s about as far as that goes.

PaulT (profile) says:

Re: Re: Re:3 Re:

Fair enough. I was only being half serious anyway. The guy didn’t exactly have anything relevant or of interest to anyone else to say, so I was having a little dig.

But generally speaking – if you’re that fundamentally opposed to something and you don’t realise you’ve bought a product that’s irrevocably tied to it until you have it in your home, you seriously need to step up your due diligence when choosing products.

John85851 (profile) says:

Zero tolerance for "bug"

With all this talk about zero tolerance for different things, is it time to have zero tolerance for “bugs” on sites such as Facebook?
After all, Facebook literally has billions of users. Isn’t it safe to assume they have all manner of testing, QA, beta testing, and alpha testing before any feature goes live?
Then who approved the idea to spam people using their two-factor authentication number? And then who approved posting their reply to their wall? I can easily see a programmer coming up with the idea, but team leads and managers are supposed to not allow these things. And where are the testers saying this isn’t a good idea?

Or is this “bug” actually a feature passed down from higher management as yet another way to spy and track people?
