Two-factor authentication (2FA) is a widely recommended method for safeguarding your online accounts from hackers. But you might want to disable it on some of your social accounts.
For Facebook, the additional security measure appears to be an opportunity to exploit users by spamming them with notifications.
Software engineer Gabriel Lewis noticed sometime this week that the social network was using the phone number he provided for 2FA to send him notifications about friends’ posts. When he sent furious texts back, like “STOP” and “DO NOT TEXT ME,” they magically posted to his Facebook wall. Other users chimed in, confirming the behavior on both Facebook and its sister site Instagram. One user said he accidentally told friends and family to go to hell when he replied to the spam.
Most disturbing is that Lewis claims he doesn’t have notifications turned on. He told Mashable he signed up for two-factor authentication on Dec. 17 and started seeing texts on Jan. 5. Lewis isn’t an active Facebook user, which suggests the company may be trying to re-engage him.
Unless Facebook is trying to deceitfully boost its slowing monthly active user base by tricking people into posting status updates, the troubling behavior may just be a bug. However, the vague explanation Facebook sent to the Daily Dot suggests the behavior is normal, and that users are at fault for not knowing that a security measure would end up spamming them.
“We give people control over their notifications, including those that relate to security features like two-factor authentication,” a Facebook spokesperson said. “We’re looking into this situation to see if there’s more we can do to help people manage their communications. Also, people who sign up for two-factor authentication using a U2F security key and code generator do not need to register a phone number with Facebook.”
A lot of people are suggesting the Facebook SMS spam is a bug. Bullshit. Someone at FB made a deliberate decision to “re-engage users” by spamming all those mobile phone numbers 2FA users had entered. No bug here at all.
— Matthew Green (@matthew_d_green) February 14, 2018
It’s still unclear why the notifications are sent in the first place. Facebook also failed to say whether users are notified of the texts before they sign up for two-factor authentication. Its claim that users don’t need to register a phone number, while technically valid, is also misleading. Yes, there are other ways to set up two-factor authentication, but for most users, using their cell phone is the most convenient. The method Facebook recommends requires you to purchase a U2F security key.
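The underlying design failure here is that a phone number collected for one purpose (delivering 2FA codes) was later reused for another (engagement notifications), and inbound replies to that channel were treated as content to publish. The sketch below is an added illustration of how a service can bind stored contact data to the purposes the user actually consented to and enforce that at send time; it is not Facebook's code and is not drawn from the article. All names (`Purpose`, `PhoneRecord`, `Messenger`, `enroll_2fa_phone`, `handle_inbound`) are hypothetical, and the sample phone number is constructed.

```python
from dataclasses import dataclass, field
from enum import Enum


class Purpose(Enum):
    """Reasons a user may have handed us a phone number."""
    SECURITY = "security"            # 2FA codes, login alerts
    NOTIFICATIONS = "notifications"  # friends' posts, birthdays, re-engagement


@dataclass
class PhoneRecord:
    number: str
    # Purposes the user explicitly agreed to when the number was entered.
    consented_purposes: set = field(default_factory=set)


class PurposeViolation(Exception):
    """Raised when code tries to use a number for a purpose it was not given for."""


class Messenger:
    """Sends SMS only if the stored number carries consent for that purpose."""

    def __init__(self):
        self.sent = []  # (number, purpose, text) audit log (hypothetical)

    def send(self, record: PhoneRecord, purpose: Purpose, text: str) -> bool:
        if purpose not in record.consented_purposes:
            # Fail closed: the caller must obtain consent, not override the check.
            raise PurposeViolation(
                f"{record.number} not consented for {purpose.value}")
        self.sent.append((record.number, purpose.value, text))
        return True


def enroll_2fa_phone(number: str) -> PhoneRecord:
    """Enrolling a number for 2FA grants the SECURITY purpose and nothing else."""
    return PhoneRecord(number=number, consented_purposes={Purpose.SECURITY})


def opt_in_notifications(record: PhoneRecord) -> PhoneRecord:
    """A separate, explicit opt-in is the only way NOTIFICATIONS gets added."""
    record.consented_purposes.add(Purpose.NOTIFICATIONS)
    return record


def handle_inbound(record: PhoneRecord, body: str) -> str:
    """Inbound texts to a security number are never published anywhere.

    'STOP' revokes the notification purpose; anything else is discarded.
    """
    if body.strip().upper() == "STOP":
        record.consented_purposes.discard(Purpose.NOTIFICATIONS)
        return "opted_out"
    return "ignored"


def demo() -> dict:
    """Walk through the scenario in the article with a constructed number."""
    record = enroll_2fa_phone("+15555550100")  # constructed sample number
    messenger = Messenger()
    outcome = {}
    outcome["security_sms"] = messenger.send(record, Purpose.SECURITY, "Your code is 123456")
    try:
        messenger.send(record, Purpose.NOTIFICATIONS, "Your friend just posted!")
        outcome["notification_blocked"] = False
    except PurposeViolation:
        outcome["notification_blocked"] = True
    outcome["reply_result"] = handle_inbound(record, "DO NOT TEXT ME")
    return outcome


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the engagement code path cannot reach the 2FA number at all unless a distinct opt-in was recorded, and a reply to the security channel is handled as a command or dropped, never turned into a post.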
This isn’t the first time Facebook has sent texts without user permission. The company was hit with a lawsuit in 2016 for sending unauthorized texts notifying users of their friends’ birthdays. The suit claims Facebook breached the Telephone Consumer Protection Act, which restricts organizations from sending unsolicited texts and phone calls. The company could find itself on the wrong end of more lawsuits if it fails to justify its latest intrusive behavior.