
Facebook 'Security': A New VPN That's Spyware And Two-Factor Authentication That Spams You

from the insecurity dept

Facebook's definition of protection isn't quite up to snuff. Last week, some Facebook users began seeing a new option in their settings simply labeled "Protect." Clicking that link in the company's navigation bar redirects them to the "Onavo Protect – VPN Security" app's listing on the App Store. There, they're informed that "Onavo Protect helps keep you and your data safe when you browse and share information on the web," and that the "app helps keep your details secure when you login to websites or enter personal information such as bank accounts and credit card numbers."

What you're not told is that Facebook acquired the company back in 2013 and is now using it as little more than glorified spyware, allowing Facebook to track and monetize your travels around the internet (especially time spent wandering around competing social media platforms). That is the nature of any VPN: it doesn't remove the party that can see where you go, it just changes who that party is, from your ISP or the coffee-shop Wi-Fi to whoever runs the VPN endpoint, which sees every connection and DNS lookup you make even when the page content itself is protected by HTTPS. Handing that vantage point to Facebook is, understandably, upsetting some people who believe that security tools should, well, actually protect you from surveillance, not open up an entirely new avenue for it:

"Facebook, however, purchased Onavo from an Israeli firm in 2013 for an entirely different reason, as described in a Wall Street Journal report last summer. The company is actually collecting and analyzing the data of Onavo users. Doing so allows Facebook to monitor the online habits of people outside their use of the Facebook app itself. For instance, this gave the company insight into Snapchat’s dwindling user base, even before the company announced a period of diminished growth last year."

Amusingly, as one Facebook team was busy pushing a VPN service that spies on you, other parts of the company have been busy pushing two-factor authentication (good) and then treating the phone number it collects as a marketing channel (not so good). A number handed over for 2FA should be used for authentication codes and nothing else, and even then SMS is the weakest kind of second factor: codes can be intercepted through SIM swapping or SS7 weaknesses, which is why NIST's current guidance (SP 800-63B) discourages it in favor of an authenticator app or hardware token. Facebook instead got the nifty idea to immediately take that number and spam customers in the hopes this would drive additional engagement at the website:

On a positive note, Facebook was quick to acknowledge that the SMS spam wasn't intentional, and that it would be rolling out a fix shortly (hopefully before too many people are put off 2FA entirely):

"It was not our intention to send non-security-related SMS notifications to these phone numbers, and I am sorry for any inconvenience these messages might have caused. We are working to ensure that people who sign up for two-factor authentication won't receive non-security-related notifications from us unless they specifically choose to receive them, and the same will be true for those who signed up in the past. We expect to have the fixes in place in the coming days. To reiterate, this was not an intentional decision; this was a bug."

While Facebook was quick to own its 2FA problem, the company has been comparatively quiet regarding the backlash to its "VPN" service offering. That effort likely began with good intentions among Facebook's security team, then got hijacked by company higher-ups nervous about the fact that Facebook's engagement and subscriber numbers have begun to slide. The solution to that problem is making Facebook better and more secure, not pushing security and privacy services whose real agenda is monetization and, apparently, annoyance.


Reader Comments

  • Ninja (profile), 20 Feb 2018 @ 10:33am

    Are we witnessing the next myspace/orkut/whatever?

    In any case, putting aside the latest shenanigans from Facebook, there's still the negative impact it causes, psychologically speaking. I personally felt better after I stopped using it. No seriously, there are other means of keeping in touch.

    • Anonymous Coward, 20 Feb 2018 @ 12:11pm

      Re:

      Facebook should be burned to the ground, then nuked from orbit just to make sure. Everyone who has ever worked there should be blacklisted for life from IT. And sociopathic monster Mark Zuckerberg should be locked in a deep, dark hole forever.

      • Gary (profile), 20 Feb 2018 @ 12:31pm

        Re: Re:

        Sounds like someone is jealous they didn't invent Facebook first!

        • orbitalinsertion (profile), 20 Feb 2018 @ 12:39pm

          Re: Re: Re:

          Kind of like Zuckerberg?

        • Anonymous Coward, 20 Feb 2018 @ 3:06pm

          Re: Re: Re:

          I try to invent things that I can be proud of. Mostly I fail. Once in a while, I succeed modestly.

          I would never even *try* to create something as horrible as Facebook. That takes a sociopath, which is exactly why it's played out as it has.

          • An Onymous Coward (profile), 20 Feb 2018 @ 3:10pm

            Re: Re: Re: Re:

            I'm no fan of Facebook, never used it either. But you sound as though you have no knowledge of how Facebook came to be what it is today. Before you burn Zuckerberg at the stake, do a little reading. Facebook today looks nothing at all like what it was originally built to be. Its users and the need to show a profit drove it where it is now.

      • Roger Strong (profile), 20 Feb 2018 @ 12:45pm

        Re: Re:

        Facebook should be burned to the ground, then nuked from orbit just to make sure. Everyone who has ever worked there should be blacklisted for life from IT.

        That's too subtle and optimistic for my tastes.

        Facebook has partnered with Amazon, Google, Microsoft, Twitter and others on the OAuth standard for access delegation. Log into one, and you're automatically logged into the rest.

        Microsoft is pushing this in their Visual Studio programming environment for web sites, desktop and mobile apps to the extent that they've removed other user authentication tools.

        I have a new Ricoh camera. To use its full functionality I need to log into the Ricoh web site. Which doesn't have its own user authentication system. To log in I had to set up a Facebook account and use THAT to authenticate on the Ricoh site.

        This is the future of all your apps, websites and devices. What could possibly go wrong?

        • An Onymous Coward (profile), 20 Feb 2018 @ 3:14pm

          Re: Re: Re:

          Log into one, and you're automatically logged into the rest.

          That simply isn't true. They each offer their own OAuth implementations. While "login with Facebook/Google" is ubiquitous on the web, they are not shared authentications. OAuth is simply a standard that allows a web site operator (and others) to offload the work of authenticating users to a 3rd party. OAuth is no less secure than regular username+password authentication*.

          * On most sites, anyhow. OAuth isn't perfect, but most basic auth isn't either.

          • Roger Strong (profile), 20 Feb 2018 @ 4:25pm

            Re: Re: Re: Re:

            OAuth is simply a standard that allows a web site operator (and others) to offload the work of authenticating users to a 3rd party.

            But that's exactly what I'm saying.

            Sure, a password won't be shared between sites. But if Facebook passwords were ever to leak, a crook could authenticate using that, and now he's also authenticated for the user's non-Facebook sites and services.

            • Anonymous Coward, 21 Feb 2018 @ 7:36am

              Re: Re: Re: Re: Re:

              Sure, a password won't be shared between sites.

              How do we know that? You go to some site, click "log in with Facebook", and then what? Enter your Facebook password into whatever box it gives you? Does the average person know how to check whether they're really on Facebook's site and not a lookalike (and remember to do it every time)?

              I've seen people type URLs into Google, so I'm not hopeful about this...

              • Anonymous Coward, 21 Feb 2018 @ 2:35pm

                Re: Re: Re: Re: Re: Re:

                That's why I make it a habit to close my browser before logging into any "important" site (banking, credit card, bill pay, etc.). That way I KNOW I have a new session and there is no cross-contamination with "referring URLs" being transmitted.

      • PaulT (profile), 20 Feb 2018 @ 12:59pm

        Re: Re:

        As ever, I'm impressed by the factual information and lack of hyperbole by people who dislike a particular company.

        Do you guys ever actually think this gets you support for your cause, or did it ever dawn on you that a more subtle approach might be more effective?

    • PaulT (profile), 20 Feb 2018 @ 12:57pm

      Re:

      "Are we witnessing the next myspace/orkut/whatever?"

      If so, people should be reminded that users of those services merely went to use competitors who met their needs better. That FB is currently one of the leaders in connecting people is not necessarily an indicator of longevity if a better option comes along.

      "No seriously, there are other means of keeping in touch."

      Depends on your needs and who you're trying to keep in touch with. Some people find it invaluable, some people prefer other methods, some people can be easily persuaded to use other methods if all their friends start moving there.

      • orbitalinsertion (profile), 20 Feb 2018 @ 2:04pm

        Re: Re:

        For sure, there will be people you simply lose if you don't use FB, even though they hate it too; getting them on a reasonable messaging client like Threema is akin to pulling teeth since they have to use FB for other stuff anyway. In some situations, it is outright required by school or work.

        • Anonymous Coward, 20 Feb 2018 @ 2:11pm

          Re: Re: Re:

          The thought of a school requiring Facebook reminds me of Blackboard.

        • TRX, 24 Feb 2018 @ 2:25am

          Re: Re: Re:

          An acquaintance works for a DOD subcontractor. One that is co-located at a national arsenal.

          The company "outsourced" its HR department to a third party...

          ...which only communicates via Facebook.

          Later, they replaced their internal email system with some kind of Facebook service. Given they're a military contractor, and that they're subject to stringent regulations concerning business mail, I've wondered how that works...

    • Anonymous Coward, 21 Feb 2018 @ 11:53am

      Re:

      Facebook is already dying because it's not cool enough for the kids. Of course, they've found other "apps" to give away their personal information to, but such is life.

  • Anonymous Coward, 20 Feb 2018 @ 12:39pm

    You don't have to buy into the Zuke's fever dreams to be affected by them.

  • Anonymous Coward, 20 Feb 2018 @ 1:12pm

    SMS 2FA? What about TOTP?

    Does Facebook also support time-based one-time passwords? These are the 6-digit codes that change every 30 seconds.

    I don't have a lot of confidence in the security of SMS-based authentication schemes.

    • Anonymous Coward, 20 Feb 2018 @ 9:22pm

      Re: SMS 2FA? What about TOTP?

      I had to stop and read the sentence again. SMS is the ideal 2FA method? What?! SMS can be easily spoofed given most carriers' current standards, giving the black hats open access to run targeted individual attacks. Not to mention the other security risks that come with having your 2FA delivered via the same system people use for texting in general. What should be the very lowest base standard in all cases is a software authenticator.

      How could you be a tech journalist, writing a scathing article about InfoSec being abused by Facebook, and not have the level of self-awareness that would lead you to at least DuckDuckGo the topics that you're going to be writing so assuredly of? People trust sites like Techdirt to provide information that's at least as accurate as an average Reddit post. I never write comments like this on news articles, but this author is spreading misinformation that leads to ruined lives. Please, do some brushing up on the current 2FA scene and edit your article to accurately reflect how terrible SMS is for this purpose and maybe mention the basic alternatives. Man, I'm sorry if I came across as a jackass. Please know that it wasn't my intent if that's how I do come across.

      • TRX, 24 Feb 2018 @ 2:35am

        Re: Re: SMS 2FA? What about TOTP?

        I've already run into trouble with that in a few places. I carry a dumbphone because a client pays me to, but I had the service provider turn off SMS. I have a real desktop computer with a real keyboard, monitors, and real SMTP email. I'm not going to jerk around squinting and poking at a phone.

        This has led to some interesting incidents, like showing up for a doctor's appointment and having them tell me that A) they had canceled my appointment and B) they felt I owed them $50 for doing that, since I didn't respond to a text verifying that I still intended to show up. I got the strong impression they will be changing their policies so as to not accept new patients without text, email, and Farcebook accounts they can spam.

  • Anonymous Coward, 20 Feb 2018 @ 1:16pm

    Reason 2,341,829 that I have all but stopped using Facebook.

  • Anonymous Coward, 20 Feb 2018 @ 2:06pm

    Masnick pro-Facebook damage control post incoming

  • Anonymous Coward, 20 Feb 2018 @ 2:09pm

    What's the newest or rising alternative for Facebook?

    I don't follow social media much. Who or what is the newest rising star in that arena? I heard Snapchat is losing users, so what are people flocking to now?

  • Anonymous Coward, 20 Feb 2018 @ 3:10pm

    Never had Myspace, Facebook, Twitter, Instagram, Snapchat, or any other social media site. Never will. If I buy anything that requires one to use the product it's going right back to the store.

    • PaulT (profile), 21 Feb 2018 @ 12:48am

      Re:

      But you will rant about things you don't do on non-social media sites because it makes you feel superior in some way? Well done, your life must be so fulfilled in all aspects.

      "If I buy anything that requires one to use the product it's going right back to the store."

      This makes me laugh a little as what you just said was that not only will you not do the most basic research on a product before you buy it, you'll happily drive miles back and forth to a retail outlet to replace it if a feature you could have educated yourself about was present. I'd say that someone who uses social media and is aware of what they're buying is probably more suited to feel superior, to be honest.

      • The Wanderer (profile), 21 Feb 2018 @ 8:17am

        Re: Re:

        I think that may be a bit farther than is justified.

        I, too, would return a product if I discovered after buying it that it would not work without Facebook authentication - but that does not imply that I wouldn't do the research before buying; I would, and generally do, and then don't buy such products (though I can't remember any examples of such products just off the top of my head).

        All it says is that if I missed the requirement in my pre-purchase research, or if I failed to do the research in one instance and it turned out that that instance was one where it actually mattered, I would go through with the return.

        That seems like a reasonable position, to me - if nothing else, then because such a requirement makes the product useless to me, because I do not have a Facebook account and (for reasons of my own) refuse to create one.

        • PaulT (profile), 21 Feb 2018 @ 11:24am

          Re: Re: Re:

          Well, something like requiring social media authentication from a third party not directly related to the device seems like something that should at least be mentioned on the box. It would certainly be mentioned in a reputable review.

          I'd also say that anyone who depends on whatever limited stock a brick and mortar store happens to have on a particular day is asking for trouble unless there's a real need to have the item immediately. I can't remember the first time I made any significant purchase without at least reading online reviews while stood in front of the shelf. OK, there may be circumstances where that can't be done, but the image in my head is this guy looking at the screen telling him to log in, even though the Facebook logo is on the packaging.

          It just seems meaningless to boast about what you don't do as if it makes you special. There's lots of things I also don't use, but you won't find me making special effort to tell everyone about them.

          • The Wanderer (profile), 21 Feb 2018 @ 2:31pm

            Re: Re: Re: Re:

            Just as a nit, I don't think "the store" necessarily implies a brick-and-mortar shopfront; last I checked (which admittedly may not have been recently), it was still relatively common to refer to online merchants as "stores", or at least "Web stores".

            Also, the Facebook logo being present on the packaging does not necessarily imply "requires Facebook in order to use the device" (although it should certainly be enough of a red flag to get someone who's anti-Facebook to do extra research before buying); it could simply imply "supports Facebook connectivity", much as a Facebook logo on a Website or in an app often means nothing more than "we make it easy for you to share (things related to us) via Facebook!".

            I agree that "not using Facebook or anything like it" isn't necessarily anything to boast about, though. Even I don't tend to bring my personal Facebook avoidance up in public discussions, even ones where Facebook is the topic, unless it's directly relevant; I might mention it if Facebook comes up in individual conversation, but that's about as far as that goes.

            • PaulT (profile), 22 Feb 2018 @ 12:00am

              Re: Re: Re: Re: Re:

              Fair enough. I was only being half serious anyway. The guy didn't exactly have anything relevant or of interest to anyone else to say, so I was having a little dig.

              But generally speaking - if you're that fundamentally opposed to something and you don't realise you've bought a product that's irrevocably tied to it until you have it in your home, you seriously need to step up your due diligence when choosing products.

  • Kronomex, 20 Feb 2018 @ 3:15pm

    And this sort of crap just reinforces my reasons for dumping farcebook a few years ago.

  • Anonymous Coward, 20 Feb 2018 @ 3:31pm

    Oh yeah, forgot to add: thanks for the tip on Ricoh. Won't buy anything from them.

  • Mononymous Tim (profile), 20 Feb 2018 @ 4:24pm

    this was a bug

    ..in our programmer.

  • oliver, 21 Feb 2018 @ 7:51am

    2FA?
    you keep using that word, but it does not mean what you think it means!!!!

  • Anonymous Coward, 21 Feb 2018 @ 11:11am

    Ideally, two-factor authentication should use your phone number exclusively to send you authentication codes via SMS.

    This is not true. SMS is a terrible method of 2FA. Far from "ideal." NIST has stopped recommending SMS for 2FA.

  • John85851 (profile), 21 Feb 2018 @ 1:33pm

    Zero tolerance for "bug"

    With all this talk about zero tolerance for different things, is it time to have zero tolerance for "bugs" on sites such as Facebook?
    After all, Facebook literally has billions of users. Isn't it safe to assume they have all manner of testing, QA, beta testing, and alpha testing before any feature goes live?
    Then who approved the idea to spam people using their two-factor authentication number? And then who approved posting their reply to their wall? I can easily see a programmer coming up with the idea, but team leads and managers are supposed to not allow these things. And where are the testers saying this isn't a good idea?

    Or is this "bug" actually a feature passed down from higher management as yet another way to spy and track people?

