While two-factor authentication does not guarantee account security – social engineers can talk their way around it – it is wise to enable that extra layer of security. Any company entrusted with a phone number for 2FA purposes should not decide to engage users by pushing out any other type of notifications to the phone. Facebook is sorry for crossing that line, blaming the text spams on a “bug.”
Numerous people have been complaining about Facebook spamming them with random notifications via the phone number they provided when turning on 2FA; the spam included things like status updates, shared links or comments. If people replied to a spam notification, texting back something like “STOP,” their replies were automatically posted on their walls.
One of the most widely cited examples came from software engineer Gabriel Lewis.
So I signed up for 2 factor auth on Facebook and they used it as an opportunity to spam me notifications. Then they posted my replies on my wall. 🤦♂️ pic.twitter.com/Fy44b07wNg
— Gabriel Lewis 🦆 (@Gabriel__Lewis) February 12, 2018
On Friday, Facebook Chief Security Officer Alex Stamos apologized for spamming people who signed up for 2FA with non-security related SMS notifications. He rightfully explained that 2FA is “an important security feature,” while also pointing out that users have control over notifications. “The last thing we want is for people to avoid helpful security features because they fear they will receive unrelated notifications.”
It was not our intention to send non-security-related SMS notifications to these phone numbers, and I am sorry for any inconvenience these messages might have caused. We are working to ensure that people who sign up for two-factor authentication won’t receive non-security-related notifications from us unless they specifically choose to receive them, and the same will be true for those who signed up in the past. We expect to have the fixes in place in the coming days. To reiterate, this was not an intentional decision; this was a bug.
Yet there is some debate as to whether this was even a “bug.” Johns Hopkins University professor Matthew Green tweeted:
A lot of people are suggesting the Facebook SMS spam is a bug. Bullshit. Someone at FB made a deliberate decision to “re-engage users” by spamming all those mobile phone numbers 2FA users had entered. No bug here at all.
— Matthew Green (@matthew_d_green) February 14, 2018
Green also pointed out that Facebook’s spam looked “exactly like real 2FA login attempts when your phone screen is locked,” prompting people to check it. He added, “This in turn drives decision fatigue for users, which can harm security across all of the accounts they use. ‘Oh, just more FB spam, I’ll ignore that’.”
As to why people’s replies to the notifications were being posted as status updates on Facebook, Stamos explained that Facebook has long supported posting via text message. “This feature is less useful these days,” and Facebook is “working to deprecate this functionality soon.”
Lauren Weinstein, founder of the Privacy Forum and co-founder of both the Network Neutrality Squad and the People for Internet Responsibility, suggested, “What’s most revealing here is what this situation suggests about Facebook’s own internal privacy practices. Proper proactive privacy design would have compartmentalized those phone numbers and associated data in a manner that would have prevented a ‘bug’ like this from ever triggering such abuse of those numbers. Facebook’s sloppiness in this regard has now been exposed to the entire world.”
Weinstein wondered what other systemic privacy design failures would result in “bugs” that Facebook could exploit to “harass innocent” users.
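The compartmentalization Weinstein describes, and the opt-in behaviour Stamos promised, can be expressed as a simple rule: a contact channel carries only the purposes the user explicitly consented to, and both outbound sends and inbound replies are checked against those purposes. The following is an added illustration, not Facebook's code; every class, function and phone number in it is hypothetical and the numbers are constructed sample data. It shows a 2FA-enrolled number being refused by a bulk “engagement” send, and a “STOP” reply to that number being discarded rather than published.

```python
"""Purpose-bound contact channels (hypothetical design, not Facebook's code).
A phone number enrolled for 2FA carries only the SECURITY purpose until the
user explicitly opts in to anything else."""
from dataclasses import dataclass, field
from enum import Enum, auto


class Purpose(Enum):
    SECURITY = auto()      # login codes, new-device alerts
    ENGAGEMENT = auto()    # status updates, shared links, comment notifications
    POST_BY_SMS = auto()   # inbound texts are published as status updates


@dataclass
class ContactChannel:
    user_id: str
    phone: str
    purposes: set = field(default_factory=set)  # only what the user consented to


@dataclass
class ChannelStore:
    by_user: dict = field(default_factory=dict)   # user_id -> ContactChannel
    by_phone: dict = field(default_factory=dict)  # phone   -> ContactChannel
    audit: list = field(default_factory=list)     # every send / inbound decision

    def enroll_2fa(self, user_id, phone):
        """2FA enrollment grants the SECURITY purpose and nothing else."""
        ch = ContactChannel(user_id, phone, {Purpose.SECURITY})
        self.by_user[user_id] = ch
        self.by_phone[phone] = ch
        return ch

    def opt_in(self, user_id, purpose):
        """Any further purpose requires an explicit user action."""
        self.by_user[user_id].purposes.add(purpose)

    def send_sms(self, user_id, purpose, body):
        """Outbound gate: the message purpose must be on the channel's list."""
        ch = self.by_user.get(user_id)
        if ch is None or purpose not in ch.purposes:
            self.audit.append(("blocked", user_id, purpose.name, body))
            return "blocked"
        self.audit.append(("sent", user_id, purpose.name, body))
        # A real SMS gateway call would go here; this example only records it.
        return "sent"

    def engagement_campaign(self, body):
        """Bulk 're-engagement' send: the gate filters out 2FA-only numbers."""
        results = {"sent": 0, "blocked": 0}
        for user_id in list(self.by_user):
            results[self.send_sms(user_id, Purpose.ENGAGEMENT, body)] += 1
        return results

    def handle_inbound_sms(self, phone, text):
        """Inbound gate: a reply to a security text must never become a post."""
        ch = self.by_phone.get(phone)
        if ch is None:
            return ("ignored", "unknown sender")
        if Purpose.POST_BY_SMS not in ch.purposes:
            self.audit.append(("inbound_discarded", ch.user_id, text))
            return ("ignored", "channel not enabled for posting")
        self.audit.append(("inbound_posted", ch.user_id, text))
        return ("post", text)


def demo():
    """Constructed scenario: alice enrolled 2FA only, bob also opted in."""
    store = ChannelStore()
    store.enroll_2fa("alice", "+15555550100")  # constructed sample number
    store.enroll_2fa("bob", "+15555550101")    # constructed sample number
    store.opt_in("bob", Purpose.ENGAGEMENT)
    store.send_sms("alice", Purpose.SECURITY, "Your login code is 123456")
    print(store.engagement_campaign("See what your friends posted today"))
    print(store.handle_inbound_sms("+15555550100", "STOP"))
    return store


if __name__ == "__main__":
    demo()
```

The point of keeping the purpose set on the channel record itself is that no downstream system can reach the 2FA number without going through the gate: the “engagement” job never sees a raw list of phone numbers, and the inbound handler cannot route a reply into the post-by-SMS path unless the user turned that path on.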