Facebook accused of spamming 2FA phone numbers

Facebook is being accused of spamming people via the phone numbers they used to turn on two-factor authentication (2FA) and posting their “PLEASE STOP!!” replies to their walls.

Software engineer Gabriel Lewis noticed it late last month and told Facebook to please knock it off: a request that 1) Facebook’s systems ignored, merrily continuing to spam him, and then 2) auto-posted to his wall.

https://twitter.com/Gabriel__Lewis/status/963121814166630400

Nobody’s sure if it’s a feature meant to drive engagement – is Facebook suffering separation anxiety over its recent traffic decline? – or if it’s a bug.

From the sounds of the statement it’s sending to press, Facebook itself apparently doesn’t know. A Facebook representative told The Verge, for one, that it’s looking into the text notification issue.

We’re looking into this situation to see if there’s more we can do to help people avoid unexpected or unwanted communications.

Its statement says that users can refrain from using their phone numbers for its 2FA system and instead use a code generator with an authenticator app such as Sophos Authenticator (also included in our free Sophos Mobile Security for Android and iOS).

We give people control over their notifications, including those that relate to security features like two-factor authentication. We’re looking into this situation to see if there’s more we can do to help people manage their communications. Also, people who sign up for two-factor authentication using a U2F security key and code generator do not need to register a phone number with Facebook.

The Verge says it confirmed that this is happening with any reply to a Facebook 2FA text message. At least one user said on Twitter that Instagram has also spammed them with notifications to their 2FA phone number.

Lewis says he never opted in to notifications via text messaging to begin with, yet still, he and other sufferers have to put up with text spam.

As of Wednesday, some people were getting pretty steamed, with many insisting that this is clearly not a bug and accusing Facebook’s marketing of running amok:

Of course, simply insisting that something must be deliberate doesn’t make it so.

We’re trying to get more details out of Facebook and we’ll update the story if we get them.

In the meantime users might want to look at Facebook’s Code Generator for 2FA. Not only could it help with this feature/bug, it’s also widely considered to be a safer sort of 2FA than using SMS.

Update. Facebook’s Chief Security Officer, Alex Stamos, has publicly stated that “this was not an intentional decision; this was a bug”. The reason why replies sent via SMS ended up published as status notifications turned out to be a left-over feature from when people actually used SMSes to interact with Facebook. According to Stamos, “this feature is less useful these days.” No kidding! Apparently, Facebook is “working to deprecate this functionality soon.” Deprecate doesn’t mean the same as discontinue, and soon doesn’t really mean anything – but Facebook has officially used the words “we are sorry” and “this was a bug”, which is a lot better than many companies manage in the aftermath of a breach, vulnerability, bug or outage. [Added by Paul Ducklin @ 2018-02-17T15:30Z.]