- Facebook users who have activated 2FA are searchable and identifiable by anyone.
- Most users have not realized that their number can be looked up, and many don’t know about the relevant setting.
- The social media giant has taken advantage of people giving out their phone numbers to achieve better ad targeting.
Setting up two-factor authentication on online platforms is good practice for keeping your account out of the wrong hands, but on Facebook, 2FA comes with a serious security-undermining catch. According to multiple reports published in various forms last week, the phone numbers added by Facebook users who enable 2FA are searchable by anyone. Worse, each phone number is linked to a unique user ID, so anyone who can search for and find your number can also tie it to your identity. Worse still, there is nothing you can do about it, as this phone number “lookup” function cannot be disabled.
For years Facebook claimed that adding a phone number for 2FA was only for security. Now it can be searched and there's no way to disable that. pic.twitter.com/zpYhuwADMS
— Jeremy Burge @ WWDC (@jeremyburge) March 1, 2019
Long story short, Facebook’s goal was once again to deliver more targeted ads, and it aggressively promoted the adoption of the two-factor authentication layer on its platform so that it could reach deeper into its users’ private data. As security researcher and academic Zeynep Tufekci put it in a tweet: “Facebook has used security to further weaken privacy”.
Only a couple of months ago, Facebook admitted that it had shared with advertisers the phone numbers that users added to their accounts to activate 2FA. Back then, users reported that a few weeks after activating 2FA they started receiving targeted ads on their phones, something that was conveniently never mentioned while Facebook was bombarding them with prompts to set up 2FA for additional security. Once someone adds a phone number (or several), there is no way to undo it, and while users can restrict the “look up” function to “friends” only, disabling it altogether is impossible.
This leaves Facebook users exposed to SIM swapping attacks, a common account hijacking method aimed at people whose 2FA depends on their phone number. So while 2FA is generally a recommended approach, the way Facebook handles user data throws its benefits out the window. Since May 2018, Facebook users have had the option of activating 2FA without registering a phone number. The alternative authentication methods come in the form of authenticator apps such as Duo Security and Google Authenticator, so if you want to activate 2FA on Facebook and still have peace of mind, do it this way. If you still prefer the phone number route, at least switch your “look up” setting down to the “Friends only” option.