Twitter About To Be Hit With A ~$250 Million Fine For Using Your Two Factor Authentication Phone Numbers/Emails For Marketing

from the good dept

There are many things that big internet companies do that the media have made out to be scandals that aren't -- but one misuse of data that I think received too little attention was how both Facebook and later Twitter were caught using the phone numbers people gave it for two factor authentication, and later used them for notification/marketing purposes.

In case you're somehow unaware, two-factor authentication is how you should protect your most important accounts. I know many people are too lazy to set it up, but please do so. It's not perfect (Twitter's recent big hack routed around 2FA protections), but it is many times better than just relying on a username and password. In the early days of 2FA, one common way to implement it was to use text messaging as the second factor. That is, when you tried to login on a new machine (or after a certain interval of time), the service would have to text you a code that you would need to enter to prove that you were you.

Over time, people realized that this method was less secure. Many hacks involved people "SIM swapping" (using social engineering to have your phone number ported over to them), and then getting the 2FA code sent to the hacker. These days, good 2FA usually involves using an authenticator app, like Google Authenticator or Twilio's Authy or even better a physical key such as the Yubikey or Google's Titan Key. However, many services and users have stuck with text messaging for 2FA because it's the least complex for users -- and the issue with any security practice is that if it's not user-friendly, no one will use it, and that doesn't do any good either.

But using phone numbers given for 2FA purposes for notifications or marketing is really bad. First of all, it undermines trust -- which is the last thing you want to do when dealing with a security mechanism. People handed over these phone numbers/emails for a very specific and delineated reason: to better protect their account. To then share that phone number or email with the marketing team is a massive violation in trust. And it serves to undermine the entire concept of two factor authentication, in that many users will become less willing to make use of 2FA, fearing how the numbers might be abused.

As we noted when Facebook received the mammoth $5 billion fine from the FTC a year ago, while the media focused almost entirely on the Cambridge Analytica situation as the reason for the fine, if you actually read the FTC's settlement documents, it was other things that really caused the FTC to move, including Facebook's use of 2FA phone numbers for marketing. We were glad that Facebook got punished for that.

And now it's Twitter's turn. Twitter has revealed that the FTC is preparing to fine the company $150 million to $250 million for this practice -- noting that it violated the terms of an earlier consent decree with the FTC in 2011, where the company promised not to mislead users about how it handled personal information. Yet, for years, Twitter used the phone numbers and emails provided for 2FA to help target ads (basically using the phone number/email as an identifier for targeting).

There's no explanation for this other than really bad handling of data at Twitter, and the company should be punished for it. There are many things I think Twitter gets unfairly blamed for, but a practice like this is both bad and dangerous, and I'm all for large fines from the FTC to convince companies to never do this kind of thing again.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: 2fa, ftc, marketing, notifications, privacy, security, targeting, two factor authentication
Companies: twitter


Reader Comments

Subscribe: RSS

View by: Thread


  • icon
    Koby (profile), 4 Aug 2020 @ 11:10am

    Parable Time

    There's no explanation for this other than really bad handling of data at Twitter, and the company should be punished for it.

    Once upon a time, a scorpion approached the bank of a river, looking to cross. The scorpion saw a nearby frog, and asked, "Hey there Mr. Frog, can you help me across the river? I can ride on your back!" And the frog replied, "No, I don't want to give you a ride on my back. You'll sting me." The scorpion denied it, saying "No I won't. If I sting you in the middle of the river, I'll drown too." So the frog agreed.

    The scorpion climbed onto the frog's back, and the frog swam across the river at the top surface, keeping the scorpion dry and above water. But when they got to around halfway, the scorpion stung the frog with its poisonous tail.

    As the frog slowed down, struggling to stay above water, the poison filling his veins, and death becoming apparent, the frog asked "Why did you sting me, scorpion? Now we will both die in the river."

    And the scorpion replied, "I tried not to, but I couldn't help it. I'm a scorpion!"

    reply to this | link to this | view in chronology ]

    • icon
      Uriel-238 (profile), 4 Aug 2020 @ 11:22am

      That stupid scorpion parable

      It is my nature may explain why a mother with starving children will steal food, but it doesn't explain well the ill behaviors of a ten-billion dollar company, and tends rather to imply a failure of upper management, or at worst, a poor business model.

      The scorpion in this case don a fucking cork on its stinger, or hire a turtle. Or take some don't-sting-the-frog lessons. But instead not only does he die with the frog, but no future frogs will trust future scorpions in need.

      reply to this | link to this | view in chronology ]

    • icon
      PaulT (profile), 5 Aug 2020 @ 12:07am

      Re: Parable Time

      Let me guess - you not only think this is original and clever to invoke (it's not), but somehow uniquely applicable to Twitter and not every major corporation?

      reply to this | link to this | view in chronology ]

      • icon
        Seattle Rex (profile), 3 Dec 2020 @ 12:08am

        Re: Re: Parable Time

        you not only think this is original and clever to invoke (it's not)

        No, what's unique and clever is attacking and arguing with someone over something they so obviously never said. What's unique and clever is implying bad faith where none was evident to anyone else, and what's unique and clever is being an asshat for no other reason that it's the Internet.

        It's literally the first time each and every one of these things has been done. Congratulations on staying original.

        reply to this | link to this | view in chronology ]

    • icon
      catsmoke (profile), 6 Aug 2020 @ 2:22am

      Re: Parable Time

      I couldn't help it. I'm a scorpion!

      What is the reasoning behind this so-called parable? It makes no sense.

      Does the illustration mean to imply that some bad actors should be excused for their wrongdoing, due to their inherent wicked natures?

      That’s a blaming-the-victim paradigm.

      I’ve heard this parable over and over again, during my lifetime, and it’s always seemed to be pure foolishness.

      reply to this | link to this | view in chronology ]

      • icon
        PaulT (profile), 6 Aug 2020 @ 2:58am

        Re: Re: Parable Time

        "Does the illustration mean to imply that some bad actors should be excused for their wrongdoing, due to their inherent wicked natures?"

        I've always read it as being "certain types of creatures are just evil and should be avoided, don't be surprised when they act evil if you're dumb enough to trust them".

        Which, depending on how you read it can have some disturbing connotations in general life.

        reply to this | link to this | view in chronology ]

        • icon
          Uriel-238 (profile), 6 Aug 2020 @ 11:42am

          disturbing connotations

          I always read it as a justification for racism or distrust of rival religious faiths.

          e.g. Not to trust Jews and their evil knishes.

          reply to this | link to this | view in chronology ]

      • icon
        Seattle Rex (profile), 3 Dec 2020 @ 12:17am

        Re: Re: Parable Time

        I’ve heard this parable over and over again, during my lifetime, and it’s always seemed to be pure foolishness.

        It takes a measure of abstract thinking to get ones like this. Abstract thinking, at least in it's most commonly-acknowledged forms, begins at an IQ somewhere around 110. This Is a full standard deviation above the average US national IQ of 98.

        There are no doubt plenty of people confused by it. They tend to be bamboozled by parables like this, and read into them all kinds of things that were never intended. You are doing that here. Some of you desperately want a straw man to attack so badly, that you're creating it out of all kind of non-strawman things.

        This does not imply "blaming" the victim or anything of the like. That's a creation of your own mind. Break free from the buzzword salesmen, those people who promise salvation if only you return the favor and fail to point out their hypocrisy.

        Jut say no to their temptations and false rewards of absolution.

        reply to this | link to this | view in chronology ]

  • identicon
    Jason, 4 Aug 2020 @ 12:35pm

    Not wanting voicemail/text message spam is the main reason I've avoided turning on 2FA for several online accounts that offer it, despite knowing the security advantages.

    It's definitely bad that Twitter was doing something that undermined trust. But to me, the underlying problem is only grazed:

    noting that it violated the terms of an earlier consent decree...where the company promised not to mislead users about how it handled personal information.

    In many of the cases I've avoided 2FA, it's because the terms of service explicitly state that the cell phone number I provide can and will be used for marketing purposes, and that by providing it I am consenting. I don't, so I don't.

    So, yes, what they were doing was bad. But it sounds like they're getting fined because they weren't following their stated promise not to, not because of the inherent badness of the behavior itself.

    reply to this | link to this | view in chronology ]

    • icon
      Anonymous Anonymous Coward (profile), 4 Aug 2020 @ 1:05pm

      Re:

      I concur with your analysis, but the reason I don't use 2FA is that I don't have a phone, cell or landline. I don't need one, and 2FA isn't a good enough reason for the expense or other inconveniences that come along with having one. But there are reasons to use 2FA, for instance I have a gmail account (one I got a long time ago) but if I want another one, I have to be able to receive a text message for authentication. Apparently, in the past, there were Internet based sms sights that would satisfy this need, but no longer, Google has disallowed these.

      So if a service were to require 2FA, they will be without my business, and as you point out, it isn't necessary to lack a phone to have a reason to opt out of 2FA.

      reply to this | link to this | view in chronology ]

      • icon
        Ben (profile), 4 Aug 2020 @ 1:51pm

        Re: Re:

        I believe Authy has a desktop version of their authenticator, so you don't need a phone to use 2FA. Any site that supports the Google Authenticator supports Authy too.
        (note, I have no connection to authy, and don't use it)

        reply to this | link to this | view in chronology ]

        • icon
          Anonymous Anonymous Coward (profile), 4 Aug 2020 @ 2:03pm

          Re: Re: Re:

          The reviews for Google Authenticator and Twilio's Authy both present issues. Maybe they will mature and become better.

          I have thought about the Yubi key, but I am not sure the hassle is worth it. I use a password manager, with very strong and very obscure passwords that are easily changed, though visiting each site and finding the place to change passwords is a pain.

          reply to this | link to this | view in chronology ]

          • icon
            Thad (profile), 4 Aug 2020 @ 3:39pm

            Re: Re: Re: Re:

            I have thought about the Yubi key, but I am not sure the hassle is worth it.

            Not to mention the lack of support. FIDO doesn't help on sites or apps that don't support it.

            reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 4 Aug 2020 @ 5:00pm

            Re: Re: Re: Re:

            The reviews for Google Authenticator and Twilio's Authy both present issues. Maybe they will mature and become better.

            Google Authenticator uses TOTP, a standard protocol. There are various compatible programs, or you can use a few lines of python (plus the pyopt module):
            import pyotp
            totp = pyotp.TOTP(key)
            print(totp.now())

            You just need to get 'key' in base32 format, e.g. by reading it from a file or piping it from your password manager. The key will be given by the service that wants you to enroll in 2FA (it might be in QR-code form). It's not quite a second factor if the manager has both secrets, but it should satisfy any site requiring this form of 2FA.

            reply to this | link to this | view in chronology ]

          • icon
            PaulT (profile), 5 Aug 2020 @ 12:23am

            Re: Re: Re: Re:

            "I use a password manager, with very strong and very obscure passwords that are easily changed,"

            Which, of course, makes it so that you have no backup protection in the unlikely event you have been compromised. It's good practice, but if either the site you log into gets compromised or the password manage site itself is compromised, you won't have any way of stopping abuse until after it's happened.

            It's up to you whether you trust the 2FA method you choose and accept the downsides of each (and none is perfect), but I'd personally recommend having the sites where you have your most important data stored be set up to at least inform you when someone's logged in if not require 2FA. Better to be annoyed by the occasional demand for a second factor to be confirmed than find out that someone had access to your data when a site compromise is announced days or weeks after it's been breached.

            reply to this | link to this | view in chronology ]

            • icon
              Anonymous Anonymous Coward (profile), 5 Aug 2020 @ 6:57am

              Re: Re: Re: Re: Re:

              The password manager I use is passwordsafe, originally by Bruce Schneier and now maintained by others. It does not use a website, it has a self contained database, which I rename and number by version. They stopped making a Linux build but there is a clone by Marc Deslauriers called passafe which reads the same file types, you just need to copy your database to the correct folder (/home/user/.local/share/pasaffe/) and rename it passaffe.psafe3.

              I also use SpiderOak cloud backup (recommended by Edward Snowden and is fully encrypted), and the SpiderOak_Hive system which syncs between machines set up for it (Even the Windows side of my dual boot laptop) so I never actually could loose my database, though I came close recently as various updates put my protections askew. My savior was that I also had a copy on my Android tablet which is not on SpiderOak. I hard link the passafe database to the Hive and make a copy that is renamed for use with the Windows/Android versions, and then backed up to the cloud and other Hive instances. That way, I have the same database everywhere, though the transfer to the Android tablet is manual.

              reply to this | link to this | view in chronology ]

              • icon
                PaulT (profile), 5 Aug 2020 @ 11:22pm

                Re: Re: Re: Re: Re: Re:

                OK, that's very good, though it still won't protect you from your account on any website getting compromised on the server end. It doesn't matter how good your password is if their database gets compromised.

                reply to this | link to this | view in chronology ]

                • icon
                  nasch (profile), 6 Aug 2020 @ 5:49am

                  Re: Re: Re: Re: Re: Re: Re:

                  It doesn't matter how good your password is if their database gets compromised.

                  If you are referring to your password getting stolen from their database, any remotely competent admins will ensure that this does not matter. So hopefully you'll be OK anyway. If you mean other personal information getting compromised server side, 2FA doesn't help with that either.

                  It's good practice, but if.. the password manage site itself is compromised, you won't have any way of stopping abuse until after it's happened.

                  The password storage will be encrypted, possibly with multiple passes, and hopefully a very strong password. You could hand an attacker your password file and user name, and they should be able to do nothing useful with it. You will have at minimum many trillions of years to change your passwords before they're able to brute force it.

                  https://scrambox.com/article/brute-force-aes/

                  reply to this | link to this | view in chronology ]

                  • icon
                    PaulT (profile), 6 Aug 2020 @ 6:33am

                    Re: Re: Re: Re: Re: Re: Re: Re:

                    "If you are referring to your password getting stolen from their database, any remotely competent admins will ensure that this does not matter"

                    That's a reasonably large assumption with some companies. How many times do you read about some unencrypted stash being leaked or plaintext details left on the open web? I regularly get emails from haveibeenpwned.com regarding leaks, some of them years after the event.

                    "If you mean other personal information getting compromised server side, 2FA doesn't help with that either."

                    I simply mean that if your password is compromised in some way and someone logged in successfully, you at least get informed with 2FA, whereas without it you won't know until they have done whatever they want in your account without it.

                    "The password storage will be encrypted, possibly with multiple passes, and hopefully a very strong password."

                    Based on a number of assumptions that don't hold true for every site. Sure, if you're careful the risk is minimal, but we constantly hear of things like this:

                    https://www.vice.com/en_us/article/qvy9k7/facebook-hundreds-of-millions-user-passwords-plainte xt-data-leak

                    Sure, supposedly the passwords weren't visible to anyone outside of Facebook in that case, but no password manager will help you if the site you're logging in to allows people to view plain text passwords. 2FA will.

                    In the above case, all it takes is for some other part of Facebook to be compromised in a way that allowed the plain text to be viewed (or a corrupt employee leaking the list to external bad actors), and someone's logging into your account without you knowing about it until after the damage is done.

                    It's simply worth putting extra protection into place for anything important and not depend on a single type of security. Sure, it's unlikely that my decently maintained car driven within normal limits will have a crash, but I still wear a seatbelt in case something happens beyond my control.

                    reply to this | link to this | view in chronology ]

                    • icon
                      nasch (profile), 6 Aug 2020 @ 7:51am

                      Re: Re: Re: Re: Re: Re: Re: Re: Re:

                      How many times do you read about some unencrypted stash being leaked or plaintext details left on the open web?

                      All the time, but usually not plain text passwords. That Facebook issue is pretty awful though. I hope I'm not being naive about how many places might log a plain text password.

                      Based on a number of assumptions that don't hold true for every site.

                      What password manager stores passwords unencrypted?

                      It's simply worth putting extra protection into place for anything important and not depend on a single type of security.

                      I completely agree, I just wanted to push back a bit on how vulnerable passwords and password managers are (generally, with a significant caveat of proper password security).

                      reply to this | link to this | view in chronology ]

                      • icon
                        PaulT (profile), 6 Aug 2020 @ 8:19am

                        Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:

                        "I hope I'm not being naive about how many places might log a plain text password."

                        Well, it's always better to be safe than sorry. You would hope that anywhere you're trusting with your data is better than that, but there's no accounting for incompetence and/or corrupt employees. There are a great many examples where even the most basic security procedures you would hope be in place have not been there, and you can't trust that you'll find out of a company's problems before someone else has exploited them.

                        "What password manager stores passwords unencrypted?"

                        Hopefully none, but again it's down to having a layer of extra security should the one you mainly depend on fail.

                        I'm not saying that badly secured password managers are common nor that every company you deal with is likely to have a problem as big as Facebook's was. Only that there's no harm in having the extra security and it's always good to have notification of when the main security method you rely upon is breached, especially if that notification method also prevents the attacker from getting past the login screen on a successful password entry.

                        reply to this | link to this | view in chronology ]

                    • icon
                      Seattle Rex (profile), 3 Dec 2020 @ 12:30am

                      Re: Re: Re: Re: Re: Re: Re: Re: Re:

                      Sure, it's unlikely that my decently maintained car driven within normal limits will have a crash, but I still wear a seatbelt in case something happens beyond my control.

                      You couldn't have told me this BEFORE I went on Jeopardy? $10,000 grand prize, down the drain.

                      Thanks buttwipe.

                      reply to this | link to this | view in chronology ]

                • icon
                  Seattle Rex (profile), 3 Dec 2020 @ 12:33am

                  Re: Re: Re: Re: Re: Re: Re:

                  <b>OK, that's very good, though it still won't protect you from your account on any website getting compromised on the server end. It doesn't matter how good your password is if their database gets compromised.</b>

                  Wait, I know you!

                  https://www.nydailynews.com/resizer/otMpBO682HEELHriNSsX6yZ28IY=/1200x0/arc-anglerfish-arc2-pro d-tronc.s3.amazonaws.com/public/RPMJ3ZO2FS2JV4DPKM2L6FP47A.jpg

                  reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 5 Aug 2020 @ 10:17am

          Re: Re: Re:

          However, in the case of GMail, you need to give a phone number and let them call it at least once before they will permit you to configure a TOTP MFA. Therefore, grandparent would still be stuck even if he/she were willing to use a desktop-hosted authenticator.

          reply to this | link to this | view in chronology ]

          • icon
            Anonymous Anonymous Coward (profile), 5 Aug 2020 @ 10:25am

            Re: Re: Re: Re:

            It seems they allow you to change your phone number after the authentication, to anything. In this way one could use a friends phone to get the sms, and then go in and change the number to that of the White House. Doesn't quite make sense to me.

            reply to this | link to this | view in chronology ]

    • icon
      Seattle Rex (profile), 3 Dec 2020 @ 12:26am

      Re:

      So, yes, what they were doing was bad. But it sounds like they're getting fined because they weren't following their stated promise not to, not because of the inherent badness of the behavior itself.

      Do you guys bend over backward to not understand things, or is this genuine?

      They promised not to after the FTC declared the behavior "bad" 9 years ago. Its "badness" underlines the entire set of exchanges between the FTC and Twitter.

      I can't wait to read the next comment. I expect something like:

      "So, what I think this means is this that the scorpion was a misogynist and the frog was a racist. The snail wasn't even mentioned because they is transgender, so the bottom line is the whole thing is about sexually assaulting ostriches."

      I mean, why not. I means what you want it to mean I guess.

      good grief

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 4 Aug 2020 @ 12:59pm

    The Facebook 2FA abuse was particularly bad. I have a bad habit of replying to automated messages for catharsis. Turns out that when Facebook decided it was a good idea to text alerts of status updates from friends it decided were important to you, it also decided that any replies to said text would then be posted on said status update under your account. Had a fun time explaining THAT one to my friend.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 Aug 2020 @ 6:39am

    This is similar to Microsoft pushing its Windows 10 upgrades through its security updates channel.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 Aug 2020 @ 2:40pm

    Profound clear-thinking system engine

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Insider Shop - Show Your Support!

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads
.

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.