Facebook 'Security': A New VPN That's Spyware And Two-Factor Authentication That Spams You
from the insecurity dept
Facebook’s definition of protection isn’t quite up to snuff. Last week, some Facebook users began seeing a new option in their settings simply labeled “Protect.” Clicking on that link in the company’s navigation bar will redirect Facebook users to the ?Onavo Protect ? VPN Security? app?s listing on the App Store. There, they’re informed that “Onavo Protect helps keep you and your data safe when you browse and share information on the web.” You’re also informed that the “app helps keep your details secure when you login to websites or enter personal information such as bank accounts and credit card numbers.”
What you’re not told is that Facebook acquired the company back in 2013, and is now using it as little more than glorified spyware, allowing Facebook to track and monetize your travels around the internet (especially time spent wandering around competing social media platforms). That is, understandably, upsetting some people who believe that security tools should, well, actually protect you from surveillance, not open up an entirely new avenue for it:
“Facebook, however, purchased Onavo from an Israeli firm in 2013 for an entirely different reason, as described in a Wall Street Journal report last summer. The company is actually collecting and analyzing the data of Onavo users. Doing so allows Facebook to monitor the online habits of people outside their use of the Facebook app itself. For instance, this gave the company insight into Snapchat?s dwindling user base, even before the company announced a period of diminished growth last year.”
Amusingly, as one Facebook team was busy pushing a VPN service that spies on you, other parts of the company have been busy pushing a new two-factor authentication system (good) that the company also thought should be co-opted for marketing purposes (not so good). Ideally, two-factor authentication should use your phone number exclusively to send you authentication codes via SMS. But Facebook apparently got the nifty idea to immediately take that number and spam customers in the hopes this would drive additional engagement at the website:
So I signed up for 2 factor auth on Facebook and they used it as an opportunity to spam me notifications. Then they posted my replies on my wall. ???? pic.twitter.com/Fy44b07wNg
— Gabriel Lewis ? (@Gabriel__Lewis) February 12, 2018
On a positive note, Facebook was quick to acknowledge that the SMS spam isn’t intentional, and that it would be rolling out out a fix shortly (hopefully before too many people get disgusted by 2FA):
“It was not our intention to send non-security-related SMS notifications to these phone numbers, and I am sorry for any inconvenience these messages might have caused. We are working to ensure that people who sign up for two-factor authentication won’t receive non-security-related notifications from us unless they specifically choose to receive them, and the same will be true for those who signed up in the past. We expect to have the fixes in place in the coming days. To reiterate, this was not an intentional decision; this was a bug.”
While Facebook was quick to own its 2FA problem, the company has been somewhat mute regarding the backlash to its “VPN” service offering. That effort likely began with good intentions among Facebook’s security team, then got hijacked by company higher ups nervous about the fact Facebook’s engagement and subscriber numbers have begun a precipitous dive. The solution to that problem is making Facebook better and more secure, not pushing security and privacy services whose real agenda is monetization and, apparently, annoyance.
Filed Under: 2fa, marketing, security, sms, spam, tracking, two factor authentication, vpn
Companies: facebook
Comments on “Facebook 'Security': A New VPN That's Spyware And Two-Factor Authentication That Spams You”
Are we witnessing the next myspace/orkut/whatever?
In any case, put aside the latest shenanigans from Facebook there’s still the negative impact it causes psychologically speaking. I personally felt better after I stopped using it. No seriously, there are other means of keeping in touch.
Re: Re:
Facebook should be burned to the ground, then nuked from orbit just to make sure. Everyone who has ever worked there should be blacklisted for life from IT. And sociopathic monster Mark Zuckerberg should be locked in a deep, dark hole forever.
Re: Re: Re:
Sounds like someone is jealous they didn’t invent Facebook first!
Re: Re: Re: Re:
Kind of like Zuckerberg?
Re: Re: Re: Re:
I try to invent things that I can be proud of. Mostly I fail. Once in a while, I succeed modestly.
I would never even try to create something as horrible as Facebook. That takes a sociopath, which is exactly why it’s played out as it has.
Re: Re: Re:2 Re:
I’m no fan of facebook, never used it either. But you sound as though you have no knowledge of how facebook came to be what it is today. Before you burn zuckerberg at the stake, do a little reading. Facebook looks nothing at all today as it was originally built to be used. Its users and the need to show a profit drove it where it is now.
Re: Re: Re:
That’s too subtle and optimistic for my tastes.
Facebook has partnered with Amazon, Google, Microsoft, Twitter and others on the OAuth standard for access delegation. Log into one, and you’re automatically logged into the rest.
Microsoft is pushing this in their Visual Studio programming environment for web sites, desktop and mobile apps to the extent that they’ve removed other user authentication tools.
I have a new Ricoh camera. To use its full functionality I need to log into the Ricoh web site. Which doesn’t have its own user authentication system. To log in I had to set up a Facebook account and use THAT to authenticate on the Ricoh site.
This is the future of all your apps, websites and devices. What could possibly go wrong?
Re: Re: Re: Re:
That simply isn’t true. They each offer their own OAuth implementations. While "login with Facebook/Google" is ubiquitous on the web they are not shared authentications. OAuth is simply a standard that allows a web site operator (and others) to offload the work of authenticating users to a 3rd party. OAuth is no less secure than regular username+password authentication*.
Re: Re: Re:2 Re:
But that’s exactly what I’m saying.
Sure, a password won’t be shared between sites. But if Facebook passwords were ever to leak, a crook could authenticate using that, and now he’s also authenticated for the user’s non-Facebook sites and services.
Re: Re: Re:3 Re:
How do we know that? You go to some site, click "log in with Facebook", and then what? Enter your Facebook password into whatever box it gives you? Does the average person know how to check whether they’re really on Facebook’s site and not a lookalike (and remember to do it every time)?
I’ve seen people type URLs into Google, so I’m not hopeful about this…
Re: Re: Re:4 Re:
That’s why I make it a habit to close my browser before logging into any “important” site, (banking, credit card, bill pay, etc.) That way I KNOW I have a new session and there is no cross-contamination with “referring URLs” being transmitted.
Re: Re: Re:
As ever, I’m impressed by the factual information and lack of hyperbole by people who dislike a particular company.
Do you guys ever actually think this gets you support for your cause, or did it ever dawn on you that a more subtle approach might be more effective?
Re: Re:
“Are we witnessing the next myspace/orkut/whatever?”
If so, people should be reminded that users of those services merely went to use competitors who met their needs better. That FB is currently one of the leaders in connecting people is not necessarily an indicator of longevity if a better option comes along.
“No seriously, there are other means of keeping in touch.”
Depends on your needs and who you’re trying to keep in touch with. Some people find it invaluable, some people prefer other methods, some people can be easily persuaded to use other methods if all their friends start moving there.
Re: Re: Re:
For sure, there will be people you simply lose if you don’t use FB, even though they hate it too, getting them on a reasonable messaging client like Threema is akin to pulling teeth since they have to use FB for other stuff anyway. In some situations, it is outright required by school or work.
Re: Re: Re: Re:
The thought of a school requiring facebook reminds me of blackboard.
Re: Re: Re: Re:
An acquaintance works for a DOD subcontractor. One that is co-located at a national arsenal.
The company “outsourced” its HR department to a third party…
…which only communicates via Facebook.
Later, they replaced their internal email system with some kind of Facebook service. Given they’re a military contractor, and that they’re subject to stringent regulations concerning business mail, I’ve wondered how that works…
Re: Re:
Facebook is already dying because it’s not cool enough for the kids. Of course, they’ve found other “apps” to give away their personal information to, but such is life.
You don’t have to buy into the Zuke’s fever dreams to be affected by them.
SMS 2FA? What about TOTP?
Does Facebook also support time-based one-time passwords? These are the 6-digit codes that change every 30 seconds.
I don’t have a lot of confidence in the security of SMS-based authentication schemes.
Re: SMS 2FA? What about TOTP?
I had to stop and read the sentence again. SMS is the ideal 2FA method? What?! SMS can be easily spoofed given most carriers current standards, giving the black hats open access to run targeted individual attacks. Not to mention the other security risks that come with having your 2FA delivered via the same system people use for texting in general. What should be the very lowest base standard in all cases is a software authenticator.
How could you be a tech journalist, writing a scathing article about InfoSec being abused by Facebook, and not have the level of self awareness that would lead you to at least DuckDuckGo the topics that you’re going to be writing so assuredly of? People trust sites like techdirt to provide information that’s at least as accurate as an average Reddit post. I never write comments like this on news articles, but this author is spreading misinformation that lead to ruined lives. Please, do some brushing up on the current 2FA scene and edit your article to accurately reflect how terrible SMS is for this purpose and maybe mention the basic alternatives. Man, I’m sorry if I came across as a jackass. Please know that it wasn’t my intent if that’s how I do come across.
Re: Re: SMS 2FA? What about TOTP?
I’ve already run into trouble with that in a few places. I carry a dumbphone becuse a client pays me to, but I had the service provider turn off SMS. I have a real desktop computer with a real keyboard, monitors, and real SMTP email. I’m not going to jerk around squinting and poking at a phone.
This has led to some interesting incidents, like showing up for a doctor’s appointment and having them tell me that A) they had canceled my appointment and B) they felt I owed them $50 for doing that, since I didn’t respond to a text verifying that I still intended to show up. I got the strong impression they will be changing their policies so as to not accept new patients without text, email, and Farcebook accounts they can spam.
Reason 2,341,829 that I have all but stopped using Facebook.
Re: Re:
Indeed, I check log into Facebook at least 2 or 3 times a year.
Masnick pro-Facebook damage control post incoming
what's the newest or rising alternative for facebook
I don’t follow social media much. Who or what is the newest rising star in that arena? I heard snapchat is losing users so what are people flicking to now?
Re: what's the newest or rising alternative for facebook
A lot have moved to Instagram. I couldn’t begin to say why or why not.
Re: Re: what's the newest or rising alternative for facebook
Which means they’ve just moved from Facebook… to Facebook.
Re: what's the newest or rising alternative for facebook
E-mail.
Never had Myspace, Facebook, Twitter, Instagram, Snapchat,or any other social media site. Never will. If I buy anything that requires one to use the product it’s going right back to the store.
Re: Re:
But you will rant about things you don’t do on non-social media sites because it makes you feel superior in some way? Well done, your life must be so fulfilled in all aspects.
“If I buy anything that requires one to use the product it’s going right back to the store.”
This makes me laugh a little as what you just said was that not only will you not do the most basic research on a product before you buy it, you’ll happily drive miles back and forth to a retail outlet to replace it if a feature you could have educated yourself about was present. I’d say that someone who uses social media and is aware of what they’re buying is probably more suited to feel superior, to be honest.
Re: Re: Re:
I think that may be a bit farther than is justified.
I, too, would return a product if I discovered after buying it that it would not work without Facebook authentication – but that does not imply that I wouldn’t do the research before buying; I would, and generally do, and then don’t buy such products (though I can’t remember any examples of such products just off the top of my head).
All it says is that if I missed the requirement in my pre-purchase research, or if I failed to do the research in one instance and it turned out that that instance was one where it actually mattered, I would go through with the return.
That seems like a reasonable position, to me – if nothing else, then because such a requirement makes the product useless to me, because I do not have a Facebook account and (for reasons of my own) refuse to create one.
Re: Re: Re: Re:
Well, something like requiring social media authentication from a third party not directly related to the device seems like something that should at least be mentioned on the box. It would certainly be mentioned in a reputable review.
I’d also say that anyone who depends on whatever limited stock a brick and mortar store happens to have on a particular day is asking for trouble unless there’s a real need to have the item immediately. I can’t remember the first time I made any significant purchase without at lead reading online reviews while stood in from of the shelf. OK, there may be circumstances where that can’t be done, but the image in my head is this guy looking at the screen telling him to log in, even though the Facebook logo is on the packaging.
It just seems meaningless to boast about what you don’t do as if it makes you special. There’s lots of things I also don’t use, but you won’t find me making special effort to tell everyone about them.
Re: Re: Re:2 Re:
Just as a nit, I don’t think “the store” necessarily implies a brick-and-mortar shopfront; last I checked (which admittedly may not have been recently), it was still relatively common to refer to online merchants as “stores”, or at least “Web stores”.
Also, the Facebook logo being present on the packaging does not necessarily imply “requires Facebook in order to use the device” (although it should certainly be enough of a red flag to get someone who’s anti-Facebook to do extra research before buying); it could simply imply “supports Facebook connectivity”, much as a Facebook logo on a Website or in an app often means nothing more than “we make it easy for you to share (things related to us) via Facebook!”.
I agree that “not using Facebook or anything like it” isn’t necessarily anything to boast about, though. Even I don’t tend to bring my personal Facebook avoidance up in public discussions, even ones where Facebook is the topic, unless it’s directly relevant; I might mention it if Facebook comes up in individual conversation, but that’s about as far as that goes.
Re: Re: Re:3 Re:
Fair enough. I was only being half serious anyway. The guy didn’t exactly have anything relevant or of interest to anyone else to say, so I was having a little dig.
But generally speaking – if you’re that fundamentally opposed to something and you don’t realise you’ve bought a product that’s irrevocably tied to it until you have it in your home, you seriously need to step up your due diligence when choosing products.
And this sort of crap just reinforces my reasons for dumping farcebook a few years ago.
Oh yeah forgot to add thanks for the tip on Ricoh. Won’t buy anything from them.
this was a bug
..in our programmer.
2FA?
you keep using that word, but it does not mean what you think it means!!!!
This is not true. SMS is a terrible method of 2FA. Far from "ideal." NIST has stopped recommending SMS for 2FA.
Zero tolerance for "bug"
With all this talk about zero tolerance for different things, is it time to have zero tolerance for “bugs” on sites such as Facebook?
After all, Facebook literally has billions of users. Isn’t it safe to assume they have all manner of testing, QA, beta testing, and alpha testing before any feature goes live?
Then who approved the idea to spam people using their two-factor authentication number? And then who approved posting their reply to their wall? I can easily see a programmer coming up with the idea, but team leads and managers are supposed to not allow these things. And where are the testers saying this isn’t a good idea?
Or is this “bug” actually a feature passed down from higher management as yet another way to spy and track people?
If you need real VPN that won’t spam you with texts, try http://topsecur.com, will help for sure.