Thursday, February 15, 2018













Facebook two-factor authentication spams users via SMS
Facebook just cannot catch a break these days, which is probably nothing unexpected for one of the world's biggest social networks. It is involved in one privacy issue after another, not to mention the lawsuits springing from those. This one may well be added to the latter if some law firm takes an interest. Users are reporting that they are receiving SMS notifications about Facebook posts without having agreed to them. But more worryingly, Facebook seems to have used the phone number users have connected to the network's two-factor authentication system.

Two-factor authentication, or 2FA for short, often uses a phone number, mobile app, or email to send a PIN for your login. Considering 2FA is a security tool, the last thing you'd expect is for that phone number or email to be used to send you unsolicited information, a.k.a. spam. Facebook might not agree.

Software engineer Gabriel Lewis noticed that he was receiving text messages from Facebook when his friends posted something, even though he never set up SMS notifications. To his shock, he realized that the number Facebook was sending these notifications to was the number he used for two-factor authentication. To add insult to injury, replying to the SMS sender causes that message to be automatically posted on the user's timeline. Since the news broke, multiple users have confirmed the situation.

Like the mythical Hydra, this issue has multiple heads. None of the users set up SMS notifications. Facebook did not explicitly ask for the users' permission to send them such messages, which is illegal in some jurisdictions. There is also the fact that Facebook is using the phone number for a purpose other than 2FA, and that it has connected that number to the user's timeline. The working theory at the moment is that Facebook connected the 2FA phone number with its system for posting via SMS and receiving notifications through the same, a feature it enables in some markets where cellular data connections are not as prevalent or affordable.

That, however, does not exactly explain why Facebook did so. A Facebook representative expertly dodged admitting there is an issue and simply said that they are investigating the matter. The rep further explained that Facebook gives users control over their notifications, though apparently not as much. And finally, Facebook's 2FA can also use an authenticator app instead of a phone number, so it's really not forcing you to give it your phone number. But in case you make the mistake of doing so (the phone number is the first option users will see), you might be implicitly giving it permission to spam you.





J. C. T.
