/ SUBMIT / SEARCH / STORE / MENU
Seamus Bellamy / 11:52 am Thu, Sep 27, 2018

Facebook's been caught using their customers' 2FA information to spam them with text ads

Just when you thought that Facebook couldn't get any more greasy, they have outdone themselves in a manner that places them well beyond even the most succulent of French Chef finger-kisses: the phone numbers that many folks gave them in order to activate the service's two-factor authentication protection? Zuckerberg and his crew are using it to serve up advertisements to unsuspecting users.

From TechCrunch:

Facebook’s confession follows a story Gizmodo ran a story yesterday, related to research work carried out by academics at two U.S. universities who ran a study in which they say they were able to demonstrate the company uses pieces of personal information that individuals did not explicitly provide it to, nonetheless, target them with ads.

While it’s been — if not clear, then at least evident — for a number of years that Facebook uses contact details of individuals who never personally provided their information for ad targeting purposes (harvesting people’s personal data by other means, such as other users’ mobile phone contact books which the Facebook app uploads), the revelation that numbers provided to Facebook by users in good faith, for the purpose of 2FA, are also, in its view, fair game for ads has not been so explicitly ‘fessed up to before.

The best part of all of this is that, according to TechCrunch, Facebook had the chance to confess to their shitty behavior some time ago when it was revealed that users who submitted a phone number for 2FA purposes were being spammed with texts ads sent to their smartphones. Read the rest

Cory Doctorow / 12:03 pm Fri, Aug 3, 2018

Fraudsters offers thousands to low-waged telco employees for help with SIM Swap scams

SIM Swapping is a powerful form of fraud in which criminals convince the phone company to switch your phone number to a SIM they control; once they have your phone number, they can bypass the SMS-based two-factor authentication protecting your cryptocurrency wallets, social media accounts, and other valuable systems. Read the rest

Cory Doctorow / 10:04 am Fri, Jul 20, 2018

Your phone company's shitty security is all that's standing between you and total digital destruction

Online services increasingly rely on SMS messages for two-factor authentication, which means on the one hand that it's really hard to rip you off without first somehow stealing your phone number, but on the other hand, once someone diverts your SMS messages, they can plunder everything Read the rest

Cory Doctorow / 6:43 am Thu, Jun 22, 2017

How hackers can steal your 2FA email account by getting you to sign up for another website

In a paper for IEEE Security, researchers from Cyberpion and Israel's College of Management Academic Studies describe a "Password Reset Man-in-the-Middle Attack" that leverages a bunch of clever insights into how password resets work to steal your email account (and other kinds of accounts), even when it's protected by two-factor authentication. Read the rest

Cory Doctorow / 7:42 am Thu, May 4, 2017

Mobile phone security's been busted for years, and now 2-factor auth is busted too

The SS7 vulnerability has long been understood and publicized: anyone who spends $1000 or so for a mobile data roaming license can use the SS7 protocol to tell your phone company that your phone just showed up on their network and hijack all the traffic destined for your phone, including those handy SMSes used to verify sketchy attempts to log into your bank account and steal all your money. Read the rest

Cory Doctorow / 12:05 pm Thu, Jan 26, 2017

At least twice, Sean Spicer has accidentally tweeted the password to his official White House spokesman Twitter account

Day six! It's also a pretty shitty password. Let's hope he's got 2-factor auth turned on! Also, Trump's still using his insecure personal Android device. Read the rest

Cory Doctorow / 8:46 am Thu, Dec 22, 2016

What we can learn from 2016: the year of the security breach

Ryan McGeehan, who specializes in helping companies recover from data-breaches, reflects on the worst year of data breaches (so far) and has some sound practical advice on how to reduce your risk and mitigate your losses: some easy wins are to get your staff to use password managers and two-factor authentication for their home computers (since everyone is expected to work in their off-hours, most home computers are an easy way to get into otherwise well-defended networks); and stress-test your network for breach recovery. Read the rest

Cory Doctorow / 1:52 pm Thu, Dec 8, 2016

12 days of two-factor authentication: this Xmas, give yourself the gift of opsec

The Electronic Frontier Foundation has launched a new series, 12 Days of 2FA, in which every installment explains how to turn on two-factor authentication for a range of online services and platforms. Read the rest

Cory Doctorow / 7:24 am Mon, Dec 5, 2016

How governments and cyber-militias attack civil society groups, and what they can do about it

The University of Toronto's Citizen Lab (previously) is one of the world's leading research centers for cybersecurity analysis, and they are the first port of call for many civil society groups when they are targeted by governments and cyber-militias. Read the rest

Cory Doctorow / 6:34 am Thu, Aug 27, 2015

Elaborate spear-phishing attempt against global Iranian and free speech activists, including an EFF staffer

Citizenlab details an "elaborate phishing campaign" against Iranian expats and activists, combining phone-calls from fake Reuters reporters, mostly convincing Google Docs login-screens, and a sophisticated attempt to do a "real-time man-in-the-middle attack" against Google's two-factor authentication. Read the rest