Facebook to exclude phone numbers from reverse lookup – for users of two-factor authentication, anyway

A week or so back, we wrote to warn you about the privacy of your phone number on Facebook.

If you give Facebook your phone number, and mark it “visible to me only”, then forward lookups are, as you would expect, blocked.

I can’t go from your profile to your phone number.

That’s a relief, since presumably you don’t want just anyone who can find you on Facebook to be able to start pestering you directly by phone if you stop responding to them online.

But if I use Facebook’s reverse lookup service (what is sometimes known pejoratively as a black pages directory), I can get your name from your phone number.

In other words, your phone number isn’t “visible to you only.” I just have to approach it from the other direction.

According to the researcher who first broke this news, penetration tester Suriya Prakash, Facebook’s rate limiting (that’s where you prevent computers from automating online lookups at superhuman speed) was poor or non-existent.

Prakash was able to take lists, or ranges, of phone numbers and black-page them automatically, building up an extensive contact list, even of users who had stated their numbers should not be publicly visible.

So far so bad, though there’s always the possibility of not giving Facebook your number in the first place.

Unless, of course, you want to use what Facebook calls login approvals. That’s what the rest of us call SMS-based two-factor authentication, or 2FA, which is where some logins (though in Facebook’s case, sadly, not all) need you to provide a one-off password that’s sent via SMS.

This makes it much harder for someone who guesses or keylogs your username and password. Unless they steal your phone as well, they won’t have access to the necessary one-off codes.

But to receive those SMS codes, you have to give Facebook your mobile phone number. So to improve security, you have to expose your phone number to the vagaries of the Facebook search system.

Catch-22.

The good news is that Facebook announced yesterday that it will exclude numbers given to it for 2FA purposes from black-page searches.

The less good news is that this is almost certainly only temporary, if I have read and understood Facebook’s official comment correctly:

As we constantly iterate on our security tools to better protect our users, we have disabled the reverse lookup functionality for those using Login Approvals until we can provide new systems to make this functionality optional.

What Facebook’s spokelady didn’t say was what sort of “optional” is meant. I’m hoping that there will be separate entries for your 2FA number and your profile contact number, and that it will be impossible to share the 2FA number, whether by accident or by design.

If Facebook treats 2FA and contact numbers separately, it’ll be up to you whether you put the same number in both places. But you ought to be able to specify one number for your security codes that will form part of your login security configuration, and another number for your voice calls that will form part of your public profile. And, while Facebook is coding the GUI, it might as well warn you (and require you to opt in) before it lets you set the same number for both. You heard it here first, folks!
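As an added example (not Facebook’s code), here is a toy Python model of the design argued for above: the 2FA number lives in its own field and is never put in the reverse index, the same visibility rule gates both forward and reverse lookup, and reverse lookups are rate-limited per client. Field names, the two visibility levels and the five-per-minute budget are assumptions for illustration.

```python
# Added example, not Facebook's code: a toy directory that applies the owner's
# visibility setting in BOTH lookup directions, never indexes the separate 2FA
# number, and rate-limits reverse lookups. Names/levels/limits are assumptions.
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Optional

ONLY_ME, EVERYONE = "only_me", "everyone"

@dataclass
class User:
    name: str
    contact_number: Optional[str]  # number shown on the profile (if visible)
    contact_visibility: str        # ONLY_ME or EVERYONE
    twofa_number: Optional[str]    # login-approval number: never searchable

def may_see(owner: User, viewer: str) -> bool:
    """One visibility predicate shared by forward and reverse lookup, so the
    two directions can never disagree about who may learn the number."""
    return viewer == owner.name or owner.contact_visibility == EVERYONE

class Directory:
    def __init__(self, users, clock, max_lookups=5, window=60.0):
        self.users = {u.name: u for u in users}
        # Reverse index is built from contact numbers only; twofa_number is
        # deliberately absent, so no query can ever resolve it to a name.
        self.by_number = {u.contact_number: u for u in users if u.contact_number}
        self.clock, self.max_lookups, self.window = clock, max_lookups, window
        self.history: Dict[str, Deque[float]] = defaultdict(deque)

    def _allow(self, client: str) -> bool:
        """Sliding-window limit: at most max_lookups per window per client."""
        now, q = self.clock(), self.history[client]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_lookups:
            return False  # budget spent: automated enumeration is throttled
        q.append(now)
        return True

    def forward(self, name: str, viewer: str) -> Optional[str]:
        u = self.users.get(name)
        return u.contact_number if u and may_see(u, viewer) else None

    def reverse(self, number: str, viewer: str) -> Optional[str]:
        """Name from number; None when hidden, unknown, or viewer is throttled."""
        if not self._allow(viewer):
            return None
        u = self.by_number.get(number)
        return u.name if u and may_see(u, viewer) else None
```

The `clock` argument is injected so the window can be driven deterministically in tests; in a real service it would be `time.monotonic`.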