Facebook to exclude phone numbers from reverse lookup - for users of two-factor authentication, anyway

Filed Under: Facebook, Privacy

A week or so back, we wrote to warn you about the privacy of your phone number on Facebook.

If you give Facebook your phone number, and mark it "visible to me only", then forward lookups are, as you would expect, blocked.

I can't go from your profile to your phone number.

That's a relief, since presumably you don't want just anyone who can find you on Facebook to be able to start pestering you directly by phone if you stop responding to them online.

But if I use Facebook's reverse lookup service (what is sometimes known pejoratively as a black pages directory), I can get your name from your phone number.

In other words, your phone number isn't "visible to you only." I just have to approach it from the other direction.

According to the researcher who first broke this news, penetration tester Suriya Prakash, Facebook's rate limiting (that's where you prevent computers from automating online lookups at superhuman speed) was poor or non-existent.

Prakash was able to take lists, or ranges, of phone numbers and black-page them automatically, building up an extensive contact list, even of users who had stated their numbers should not be publicly visible.

So far so bad, though there's always the possibility of not giving Facebook your number in the first place.

Unless, of course, you want to use what Facebook calls login approvals. That's what the rest of us call SMS-based two-factor authentication, or 2FA, which is where some logins (though in Facebook's case, sadly, not all) need you to provide a one-off password that's sent via SMS.

This makes it much harder for someone who guesses or keylogs your username and password. Unless they steal your phone as well, they won't have access to the necessary one-off codes.

But to receive those SMS codes, you have to give Facebook your mobile phone number. So to improve security, you have to expose your phone number to the vagaries of the Facebook search system.
The good news is that Facebook announced yesterday that it will exclude numbers given to it for 2FA purposes from black-page searches.

The less good news is that this is almost certainly only temporary, if I have read and understood Facebook's official comment correctly:

As we constantly iterate on our security tools to better protect our users, we have disabled the reverse lookup functionality for those using Login Approvals until we can provide new systems to make this functionality optional.

What Facebook's spokelady didn't say was what sort of "optional" is meant. I'm hoping that there will be separate entries for your 2FA number and your profile contact number, and that it will be impossible to share the 2FA number, whether by accident or by design.

If Facebook treats 2FA and contact numbers separately, it'll be up to you whether you put the same number in both places. But you ought to be able to specify one number for your security codes that will form part of your login security configuration, and another number for your voice calls that will form part of your public profile. And, while Facebook is coding the GUI, it might as well warn you (and require you to opt in) before it lets you set the same number for both. You heard it here first, folks!
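The separation argued for above, modelled as an added Python example (this is not Facebook's code; the user names, visibility values and per-caller lookup budget are constructed assumptions): a 2FA number never resolves in a reverse lookup, a contact number resolves only when it is visible to everyone, reusing one number for both requires an explicit opt-in, and a lookup budget stands in for the rate limiting that Prakash found lacking.

```python
# Added example, not Facebook's code: a toy directory implementing the policy
# the post proposes. Sample numbers and names are constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    name: str
    contact_number: Optional[str] = None     # shown on the public profile
    contact_visibility: str = "only_me"      # "everyone", "friends" or "only_me"
    two_factor_number: Optional[str] = None  # receives SMS login codes only


def set_numbers(user: User, contact: Optional[str], two_factor: Optional[str],
                allow_same: bool = False) -> bool:
    """Store both numbers; refuse to reuse one for both unless the user opts in."""
    if contact is not None and contact == two_factor and not allow_same:
        return False  # the warn-and-opt-in step the post asks for
    user.contact_number = contact
    user.two_factor_number = two_factor
    return True


@dataclass
class Directory:
    users: list
    lookups_per_caller: int = 5              # constructed budget for the example
    _spent: dict = field(default_factory=dict)

    def reverse_lookup(self, caller: str, number: str) -> Optional[str]:
        """Return the owner's name, or None whenever the policy refuses."""
        spent = self._spent.get(caller, 0)
        if spent >= self.lookups_per_caller:
            return None                      # budget exhausted: refuse, leak nothing
        self._spent[caller] = spent + 1
        # A number given for login approvals is never searchable, even if it
        # also happens to be someone's public contact number.
        if any(number == u.two_factor_number for u in self.users):
            return None
        for u in self.users:
            if number == u.contact_number and u.contact_visibility == "everyone":
                return u.name
        return None                          # "only me"/"friends" stay hidden
```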

3 Responses to Facebook to exclude phone numbers from reverse lookup - for users of two-factor authentication, anyway

  1. Freida Gray · 1046 days ago

    My mobile phone is, basically, a pre-paid phone. If I am a bit delayed in adding air time to my phone the service will remove my phone number from my FB. FB then sends me an e-mail saying that a phone number has been removed from my security setting & that I need to add a phone number. Needless to say, this e-mail can & often is ignored.
    I don't see any reason for FB to have my phone number for any kind of security reasons since I don't have Login Approvals activated.

  2. Charlie Indelicato · 1046 days ago

    Curiously, if I attempt to disable my cell-phone for 2FA, it appears I must remove the code-generator option.

    So I can't have Code-Generator without txt-msg option?

  3. Nigel · 1046 days ago

    Facebook is unwittingly providing a public service in that they're creating a kind of intelligence test. At the rate at which they're developing new ways to abuse the privacy of their users, we are rapidly approaching the point wherein asking an individual user "Do you have a Facebook account?" returns an answer of "Yes" equals the intelligence test result "FAIL!"

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog