Risk & Repeat: Inside the Facebook 2FA fail
This week's Risk & Repeat podcast discusses the latest controversy for Facebook, which has been using two-factor authentication numbers for advertising purposes.
After initially denying earlier this year that it had misused mobile numbers submitted for two-factor authentication, Facebook admitted that it does, in fact, use the numbers for advertising purposes.
According to an article in Gizmodo, researchers from Northeastern University and Princeton University discovered that when a user submits a mobile number for two-factor authentication (2FA) purposes, the number quickly becomes targetable by advertisers on the social networking site.
The Facebook 2FA controversy follows complaints from users who claimed earlier this year that the company was misusing 2FA mobile numbers to send users notifications. Former Facebook CISO Alex Stamos said the text notifications were the result of a bug and not intentional misuse.
But the latest Facebook 2FA misfire was a different story; the company admitted to Gizmodo that it does harvest 2FA mobile numbers for advertising purposes, and that if users don't like it, they could use Facebook's own authentication app instead of SMS notifications. Nevertheless, many in the infosec community criticized the practice as an abuse of users' trust.
How will Facebook's 2FA misuse affect the company? Is there any data that is off-limits to Facebook for advertising purposes? Will the controversy discourage people from adopting multifactor authentication? SearchSecurity editors Rob Wright and Peter Loshin discuss those questions and more in this episode of the Risk & Repeat podcast.