OK, you've heard some 50 million Facebook accounts were breached and maybe you've also heard that breach affects not only Facebook but possibly lots of other sites as well, sites that people have used their Facebook credentials to sign in to. But what you might not have heard about because, I'm just saying here, it seems to be beyond the reach of all but a handful of tech journalists, is their security failure and substantial breach of confidence involving 2FA.
You Gave Facebook Your Number For Security. They Used It For Ads.
2FA stands for Two Factor Authentication, a salutary security protocol that requires a special, one-time PIN number in addition to your password when you log into your account on certain web sites. Not every site on the web offers this service but many of the big ones, including Microsoft, Apple, Amazon, Twitter, Google, and, yes, Facebook do.
In order to use your one-time PIN you need to acquire it somehow and one of the favored ways to accomplish this is for the web site in question to txt the PIN, as required, to your phone. Which requires your phone number, of course. Which Facebook was providing to its customers for use in targeted advertising.
Let that sink in. If you gave your phone number to Facebook for security purposes, you were essentially publishing it to the world. Oh yes.
This is naughty, naughty stuff.
Notice, however, as explained in the first of the articles cited above, it's not 2FA that's broken, it's Facebook. 2FA is still a beneficial protocol and you would be wise to enable it on any services you use that offer it.
Also notice this, October, is National Cybersecurity Awareness Month. What luck.
No comments:
Post a Comment