Facebook Admits SMS Notifications Sent Using Two-Factor Number Was Caused by Bug (theverge.com)
Facebook has clarified the situation around SMS notifications sent using the company's two-factor authentication (2FA) system, admitting that the messages were indeed caused by a bug. From a report: In a blog post penned by Facebook Chief Security Officer Alex Stamos, the company says the error led it to "send non-security-related SMS notifications to these phone numbers." Facebook uses the automated number 362-65, or "FBOOK," as its two-factor authentication number, which is a secure way of confirming a user's identity by sending a numeric code to a secondary device like a mobile phone. That same number ended up sending users Facebook notifications without their consent. When users would attempt to get the SMS notifications to stop, the replies were posted to their own Facebook profiles as status updates.
common sense (Score:1)
Without even checking, it seems obvious that 362-65 isn't FBOOK... there's no doubles.
No. No it is not. (Score:5, Interesting)
No. No it is not.
Some may be stupid enough to believe that, but not I.
Re: (Score:1)
Whoever did it can see the IP address and has drunk the kool aid, and is working to suppress free discussion.
It is about harvesting your phone numbers, not about your account security. That is why it is insecure. It has nothing to do with security.
With your phone number your location is known and your movements tracked.
Me, I have no cellphone, never will.
Re: (Score:2)
"Yes, and door locks are useless and inherently insecure because it has been proven that keys can be stolen! Yes, you are a fucking idiot."
No, you're the idiot in this case, boss. Your analogy is flawed, the OP is more correct. 2FA can be 'picked' by 'tricking' the phone company into thinking a legit user "the key" is requesting a transfer.
Thus doors and locks are inherently secure because they can be picked, keys be damned.
I say that as I hold 9 different acrylic-body locks, made specifically for the purpo
Re: (Score:2)
No, you are for failing at analogies. Notice how all you can say is an insult instead of having an actual rebuttal.
Try again when you can do something higher than kindergarten-level replies.
Re: No. No it is not. (Score:1)
Picking a lock requires geographic proximity: a thief has to go to your door.
Hacking SMS to steal 2FA creds can be done from anywhere with internet access.
Re: (Score:1)
We're trying to stop script kiddies and password list leaks, not targeted attacks. There is no such thing as secure, just a sliding scale, and SMS-based 2FA is nonetheless better than password logins alone.
Dear Facebook users (Score:5, Insightful)
We are very sorry we prematurely started sending you Facebook advertisements using the phone number you provided for 2-step verification. Our intention was to not do so until we had finished our latest marketing plan and updated the wording of our terms of service.
Please accept our apologies. We hope you continue to enjoy Facebook and provide us with what little of your valuable personal information we have not already collected.
- Your Facebook Team
Re: (Score:2)
Except Occam's Razor is on the side of Facebook with this one. There is no reason the same system used for 2FA should be tied to a system that automatically posts messages on a wall.
Google on the other hand was building a WiFi database long before they decided to collect the data on people. There was not only intent in their actions but it also made perfect sense from a business point of view.
Comparing the two is silly.
Re: (Score:2)
"There is no reason the same system used for 2FA should be tied to a system that automatically posts messages on a wall."
Other than posting wall updates from an old 'stupid' flip phone, an SMS-capable landline, ...
Re: (Score:2)
From a single phone number that is also used for 2FA.
Again: all this points to bug, architectural oversight, or plain stupidity from someone who wasn't thinking clearly. Quite different from the Google case.
Not a bug (Score:2, Insightful)
I am at a loss as to how this could be a bug. We almost all here write code; making a computer do anything requires effort, concentration and time.
This was done on purpose. To what end I do not know, but the idea that through some mystery code all this happened is just not logical; it makes much more sense that it was crafted to perform the actions it performed.
At some point in the code during the authentication process it had to capture the response; that response then had to be applied to a user's 'wall'
*hugs* (Score:1)
Just here passing out the *hugs*!
Re: (Score:3, Funny)
You have just violated the FreeBSD Code of Conduct [freebsd.org] for harassment. Specifically:
Re: (Score:2)
But how do you know there wasn't consent?
*dopeslap*
Re: (Score:2)
Is that you Pinkie Pie? Is this me?
Re: (Score:2)
We're all slowly boiling -- it's more a question of how fast you can turn up the heat. Maybe we should start explicitly distinguishing between sarcasm and prediction in our dystopian posts so it's easier to find when we've crossed various lines. Either that, or we need to condition our sense of privacy to be more warm-blooded than cold-blooded, per your analogy.
Bug? (Score:2)
The bug was they got caught and someone fussed about it.