Twitter About To Be Hit With A ~$250 Million Fine For Using Your Two Factor Authentication Phone Numbers/Emails For Marketing
from the good dept
There are many things that big internet companies do that the media have made out to be scandals that aren’t — but one misuse of data that I think received too little attention was how both Facebook and later Twitter were caught using the phone numbers people gave it for two factor authentication, and later used them for notification/marketing purposes.
In case you’re somehow unaware, two-factor authentication is how you should protect your most important accounts. I know many people are too lazy to set it up, but please do so. It’s not perfect (Twitter’s recent big hack routed around 2FA protections), but it is many times better than just relying on a username and password. In the early days of 2FA, one common way to implement it was to use text messaging as the second factor. That is, when you tried to login on a new machine (or after a certain interval of time), the service would have to text you a code that you would need to enter to prove that you were you.
Over time, people realized that this method was less secure. Many hacks involved people “SIM swapping” (using social engineering to have your phone number ported over to them), and then getting the 2FA code sent to the hacker. These days, good 2FA usually involves using an authenticator app, like Google Authenticator or Twilio’s Authy or even better a physical key such as the Yubikey or Google’s Titan Key. However, many services and users have stuck with text messaging for 2FA because it’s the least complex for users — and the issue with any security practice is that if it’s not user-friendly, no one will use it, and that doesn’t do any good either.
But using phone numbers given for 2FA purposes for notifications or marketing is really bad. First of all, it undermines trust — which is the last thing you want to do when dealing with a security mechanism. People handed over these phone numbers/emails for a very specific and delineated reason: to better protect their account. To then share that phone number or email with the marketing team is a massive violation in trust. And it serves to undermine the entire concept of two factor authentication, in that many users will become less willing to make use of 2FA, fearing how the numbers might be abused.
As we noted when Facebook received the mammoth $5 billion fine from the FTC a year ago, while the media focused almost entirely on the Cambridge Analytica situation as the reason for the fine, if you actually read the FTC’s settlement documents, it was other things that really caused the FTC to move, including Facebook’s use of 2FA phone numbers for marketing. We were glad that Facebook got punished for that.
And now it’s Twitter’s turn. Twitter has revealed that the FTC is preparing to fine the company $150 million to $250 million for this practice — noting that it violated the terms of an earlier consent decree with the FTC in 2011, where the company promised not to mislead users about how it handled personal information. Yet, for years, Twitter used the phone numbers and emails provided for 2FA to help target ads (basically using the phone number/email as an identifier for targeting).
There’s no explanation for this other than really bad handling of data at Twitter, and the company should be punished for it. There are many things I think Twitter gets unfairly blamed for, but a practice like this is both bad and dangerous, and I’m all for large fines from the FTC to convince companies to never do this kind of thing again.
Filed Under: 2fa, ftc, marketing, notifications, privacy, security, targeting, two factor authentication
Companies: twitter
Comments on “Twitter About To Be Hit With A ~$250 Million Fine For Using Your Two Factor Authentication Phone Numbers/Emails For Marketing”
Parable Time
Once upon a time, a scorpion approached the bank of a river, looking to cross. The scorpion saw a nearby frog, and asked, "Hey there Mr. Frog, can you help me across the river? I can ride on your back!" And the frog replied, "No, I don’t want to give you a ride on my back. You’ll sting me." The scorpion denied it, saying "No I won’t. If I sting you in the middle of the river, I’ll drown too." So the frog agreed.
The scorpion climbed onto the frog’s back, and the frog swam across the river at the top surface, keeping the scorpion dry and above water. But when they got to around halfway, the scorpion stung the frog with its poisonous tail.
As the frog slowed down, struggling to stay above water, the poison filling his veins, and death becoming apparent, the frog asked "Why did you sting me, scorpion? Now we will both die in the river."
And the scorpion replied, "I tried not to, but I couldn’t help it. I’m a scorpion!"
Re: That stupid scorpion parable
It is my nature may explain why a mother with starving children will steal food, but it doesn’t explain well the ill behaviors of a ten-billion dollar company, and tends rather to imply a failure of upper management, or at worst, a poor business model.
The scorpion in this case don a fucking cork on its stinger, or hire a turtle. Or take some don’t-sting-the-frog lessons. But instead not only does he die with the frog, but no future frogs will trust future scorpions in need.
Re: Re: That stupid scorpion parable
It’s easier to blame nature, than one’s own fucking culture.
Re: Re: Re: That stupid scorpion parable
The corporation may die but the prick will still be there to do it again
Re: Parable Time
Let me guess – you not only think this is original and clever to invoke (it’s not), but somehow uniquely applicable to Twitter and not every major corporation?
Re: Re: Parable Time
you not only think this is original and clever to invoke (it’s not)
No, what’s unique and clever is attacking and arguing with someone over something they so obviously never said. What’s unique and clever is implying bad faith where none was evident to anyone else, and what’s unique and clever is being an asshat for no other reason that it’s the Internet.
It’s literally the first time each and every one of these things has been done. Congratulations on staying original.
Re: Parable Time
What is the reasoning behind this so-called parable? It makes no sense.
Does the illustration mean to imply that some bad actors should be excused for their wrongdoing, due to their inherent wicked natures?
That’s a blaming-the-victim paradigm.
I’ve heard this parable over and over again, during my lifetime, and it’s always seemed to be pure foolishness.
Re: Re: Parable Time
"Does the illustration mean to imply that some bad actors should be excused for their wrongdoing, due to their inherent wicked natures?"
I’ve always read it as being "certain types of creatures are just evil and should be avoided, don’t be surprised when they act evil if you’re dumb enough to trust them".
Which, depending on how you read it can have some disturbing connotations in general life.
Re: Re: Re: disturbing connotations
I always read it as a justification for racism or distrust of rival religious faiths.
e.g. Not to trust Jews and their evil knishes.
Re: Re: Re:2 disturbing connotations
I always read it as a justification for racism or distrust of rival religious faiths.
Of course you did. Why not …
Re: Re: Parable Time
I’ve heard this parable over and over again, during my lifetime, and it’s always seemed to be pure foolishness.
It takes a measure of abstract thinking to get ones like this. Abstract thinking, at least in it’s most commonly-acknowledged forms, begins at an IQ somewhere around 110. This Is a full standard deviation above the average US national IQ of 98.
There are no doubt plenty of people confused by it. They tend to be bamboozled by parables like this, and read into them all kinds of things that were never intended. You are doing that here. Some of you desperately want a straw man to attack so badly, that you’re creating it out of all kind of non-strawman things.
This does not imply "blaming" the victim or anything of the like. That’s a creation of your own mind. Break free from the buzzword salesmen, those people who promise salvation if only you return the favor and fail to point out their hypocrisy.
Jut say no to their temptations and false rewards of absolution.
Not wanting voicemail/text message spam is the main reason I’ve avoided turning on 2FA for several online accounts that offer it, despite knowing the security advantages.
It’s definitely bad that Twitter was doing something that undermined trust. But to me, the underlying problem is only grazed:
In many of the cases I’ve avoided 2FA, it’s because the terms of service explicitly state that the cell phone number I provide can and will be used for marketing purposes, and that by providing it I am consenting. I don’t, so I don’t.
So, yes, what they were doing was bad. But it sounds like they’re getting fined because they weren’t following their stated promise not to, not because of the inherent badness of the behavior itself.
Re: Re:
I concur with your analysis, but the reason I don’t use 2FA is that I don’t have a phone, cell or landline. I don’t need one, and 2FA isn’t a good enough reason for the expense or other inconveniences that come along with having one. But there are reasons to use 2FA, for instance I have a gmail account (one I got a long time ago) but if I want another one, I have to be able to receive a text message for authentication. Apparently, in the past, there were Internet based sms sights that would satisfy this need, but no longer, Google has disallowed these.
So if a service were to require 2FA, they will be without my business, and as you point out, it isn’t necessary to lack a phone to have a reason to opt out of 2FA.
Re: Re: Re:
I believe Authy has a desktop version of their authenticator, so you don’t need a phone to use 2FA. Any site that supports the Google Authenticator supports Authy too.
(note, I have no connection to authy, and don’t use it)
Re: Re: Re: Re:
The reviews for Google Authenticator and Twilio’s Authy both present issues. Maybe they will mature and become better.
I have thought about the Yubi key, but I am not sure the hassle is worth it. I use a password manager, with very strong and very obscure passwords that are easily changed, though visiting each site and finding the place to change passwords is a pain.
Re: Re: Re:2 Re:
Not to mention the lack of support. FIDO doesn’t help on sites or apps that don’t support it.
Re: Re: Re:2 Re:
Google Authenticator uses TOTP, a standard protocol. There are various compatible programs, or you can use a few lines of python (plus the pyopt module):
import pyotp
totp = pyotp.TOTP(key)
print(totp.now())
You just need to get ‘key’ in base32 format, e.g. by reading it from a file or piping it from your password manager. The key will be given by the service that wants you to enroll in 2FA (it might be in QR-code form). It’s not quite a second factor if the manager has both secrets, but it should satisfy any site requiring this form of 2FA.
Re: Re: Re:2 Re:
"I use a password manager, with very strong and very obscure passwords that are easily changed,"
Which, of course, makes it so that you have no backup protection in the unlikely event you have been compromised. It’s good practice, but if either the site you log into gets compromised or the password manage site itself is compromised, you won’t have any way of stopping abuse until after it’s happened.
It’s up to you whether you trust the 2FA method you choose and accept the downsides of each (and none is perfect), but I’d personally recommend having the sites where you have your most important data stored be set up to at least inform you when someone’s logged in if not require 2FA. Better to be annoyed by the occasional demand for a second factor to be confirmed than find out that someone had access to your data when a site compromise is announced days or weeks after it’s been breached.
Re: Re: Re:3 Re:
The password manager I use is passwordsafe, originally by Bruce Schneier and now maintained by others. It does not use a website, it has a self contained database, which I rename and number by version. They stopped making a Linux build but there is a clone by Marc Deslauriers called passafe which reads the same file types, you just need to copy your database to the correct folder (/home/user/.local/share/pasaffe/) and rename it passaffe.psafe3.
I also use SpiderOak cloud backup (recommended by Edward Snowden and is fully encrypted), and the SpiderOak_Hive system which syncs between machines set up for it (Even the Windows side of my dual boot laptop) so I never actually could loose my database, though I came close recently as various updates put my protections askew. My savior was that I also had a copy on my Android tablet which is not on SpiderOak. I hard link the passafe database to the Hive and make a copy that is renamed for use with the Windows/Android versions, and then backed up to the cloud and other Hive instances. That way, I have the same database everywhere, though the transfer to the Android tablet is manual.
Re: Re: Re:4 Re:
OK, that’s very good, though it still won’t protect you from your account on any website getting compromised on the server end. It doesn’t matter how good your password is if their database gets compromised.
Re: Re: Re:5 Re:
If you are referring to your password getting stolen from their database, any remotely competent admins will ensure that this does not matter. So hopefully you’ll be OK anyway. If you mean other personal information getting compromised server side, 2FA doesn’t help with that either.
The password storage will be encrypted, possibly with multiple passes, and hopefully a very strong password. You could hand an attacker your password file and user name, and they should be able to do nothing useful with it. You will have at minimum many trillions of years to change your passwords before they’re able to brute force it.
https://scrambox.com/article/brute-force-aes/
Re: Re: Re:6 Re:
"If you are referring to your password getting stolen from their database, any remotely competent admins will ensure that this does not matter"
That’s a reasonably large assumption with some companies. How many times do you read about some unencrypted stash being leaked or plaintext details left on the open web? I regularly get emails from haveibeenpwned.com regarding leaks, some of them years after the event.
"If you mean other personal information getting compromised server side, 2FA doesn’t help with that either."
I simply mean that if your password is compromised in some way and someone logged in successfully, you at least get informed with 2FA, whereas without it you won’t know until they have done whatever they want in your account without it.
"The password storage will be encrypted, possibly with multiple passes, and hopefully a very strong password."
Based on a number of assumptions that don’t hold true for every site. Sure, if you’re careful the risk is minimal, but we constantly hear of things like this:
https://www.vice.com/en_us/article/qvy9k7/facebook-hundreds-of-millions-user-passwords-plaintext-data-leak
Sure, supposedly the passwords weren’t visible to anyone outside of Facebook in that case, but no password manager will help you if the site you’re logging in to allows people to view plain text passwords. 2FA will.
In the above case, all it takes is for some other part of Facebook to be compromised in a way that allowed the plain text to be viewed (or a corrupt employee leaking the list to external bad actors), and someone’s logging into your account without you knowing about it until after the damage is done.
It’s simply worth putting extra protection into place for anything important and not depend on a single type of security. Sure, it’s unlikely that my decently maintained car driven within normal limits will have a crash, but I still wear a seatbelt in case something happens beyond my control.
Re: Re: Re:7 Re:
All the time, but usually not plain text passwords. That Facebook issue is pretty awful though. I hope I’m not being naive about how many places might log a plain text password.
What password manager stores passwords unencrypted?
I completely agree, I just wanted to push back a bit on how vulnerable passwords and password managers are (generally, with a significant caveat of proper password security).
Re: Re: Re:8 Re:
"I hope I’m not being naive about how many places might log a plain text password."
Well, it’s always better to be safe than sorry. You would hope that anywhere you’re trusting with your data is better than that, but there’s no accounting for incompetence and/or corrupt employees. There are a great many examples where even the most basic security procedures you would hope be in place have not been there, and you can’t trust that you’ll find out of a company’s problems before someone else has exploited them.
"What password manager stores passwords unencrypted?"
Hopefully none, but again it’s down to having a layer of extra security should the one you mainly depend on fail.
I’m not saying that badly secured password managers are common nor that every company you deal with is likely to have a problem as big as Facebook’s was. Only that there’s no harm in having the extra security and it’s always good to have notification of when the main security method you rely upon is breached, especially if that notification method also prevents the attacker from getting past the login screen on a successful password entry.
Re: Re: Re:7 Re:
Sure, it’s unlikely that my decently maintained car driven within normal limits will have a crash, but I still wear a seatbelt in case something happens beyond my control.
You couldn’t have told me this BEFORE I went on Jeopardy? $10,000 grand prize, down the drain.
Thanks buttwipe.
Re: Re: Re:5 Re:
<b>OK, that’s very good, though it still won’t protect you from your account on any website getting compromised on the server end. It doesn’t matter how good your password is if their database gets compromised.</b>
Wait, I know you!
https://www.nydailynews.com/resizer/otMpBO682HEELHriNSsX6yZ28IY=/1200×0/arc-anglerfish-arc2-prod-tronc.s3.amazonaws.com/public/RPMJ3ZO2FS2JV4DPKM2L6FP47A.jpg
Re: Re: Re: Re:
However, in the case of GMail, you need to give a phone number and let them call it at least once before they will permit you to configure a TOTP MFA. Therefore, grandparent would still be stuck even if he/she were willing to use a desktop-hosted authenticator.
Re: Re: Re:2 Re:
It seems they allow you to change your phone number after the authentication, to anything. In this way one could use a friends phone to get the sms, and then go in and change the number to that of the White House. Doesn’t quite make sense to me.
Re: Re:
So, yes, what they were doing was bad. But it sounds like they’re getting fined because they weren’t following their stated promise not to, not because of the inherent badness of the behavior itself.
Do you guys bend over backward to not understand things, or is this genuine?
They promised not to after the FTC declared the behavior "bad" 9 years ago. Its "badness" underlines the entire set of exchanges between the FTC and Twitter.
I can’t wait to read the next comment. I expect something like:
"So, what I think this means is this that the scorpion was a misogynist and the frog was a racist. The snail wasn’t even mentioned because they is transgender, so the bottom line is the whole thing is about sexually assaulting ostriches."
I mean, why not. I means what you want it to mean I guess.
good grief
The Facebook 2FA abuse was particularly bad. I have a bad habit of replying to automated messages for catharsis. Turns out that when Facebook decided it was a good idea to text alerts of status updates from friends it decided were important to you, it also decided that any replies to said text would then be posted on said status update under your account. Had a fun time explaining THAT one to my friend.
This is similar to Microsoft pushing its Windows 10 upgrades through its security updates channel.
This comment has been flagged by the community. Click here to show it.
Profound clear-thinking system engine
how to know if a chinese girl likes you
Choosing A Photo For Your online dating service Personal Ad
internet surveys suggest that you will receive up to ten times more responses than without a picture! If you contact a person and your profile is without a photo you will be pushed to receive a response back. Would you look at a profile that didn’t have an image, not really. directly for me if I see a dating profile without a picture, I start jumping to <a href=https://www.bestbrides.net/signs-that-vietnamese-women-like-you/>how to tell if a vietnamese girl likes you</a> ideas like the girl must be fat, or perhaps ugly etc.
When selecting a photo for your online dating ad you need to start thinking about a few things. First off there are several single parents out there, citizens. Dating photos with your child might sound like a cute thing to do, but am not for a dating ad. When you use a child in your personal ad you are sending a message that you need someone to take care of your child and you. Another mistake is using pictures within your pet. to heart it just looks cheesy to use a photo with your bird or dog on a dating profile.
Then you will find the big shot who needs to show how rich he is so he uses a photo of him next to his Mercedes Benz 500 SL. A word of advice for the guys, Girls don’t care about what kind of car you drive, Nearly as much as they care about your qualities. turn it down a bit you will still meet more people.
Online Dating sites enable you to have a couple of photo in your ad, So to make use of. It gives the person looking at your ad more of what you look like if you ad more than one photo. you might want smile in the image, Don’t look angry or irritated. Iv’e seen some personal ads with pictures that appear to be prison mug shots, bad. The last impression you will want to give is an unhappy one.
make sure that you smile, Nothing works better than a someone smiling, It’s a inviting than a serious pose. Try to look natural in the photo you use for your dating person, Posed pic look so boring, So go regarding that natural look. the greatest tip I can suggest is to have with this, don’t get overly worried. Be yourself and your personality will glow the dating profile. Happy dating site.
[—-]
how to tell if a vietnamese woman likes you
Dating Online methods to Dress Up for the Club
When we focus on the club, unfortunately we cannot mean the math club, golf wedge or gentlemen’s club. This is any type of club that has a doorman out front and where promoters stage "working days" located on. in other words, This is the kind of place that a lot of guys try to abstain, But exactly how hot girls in short skirts dancing, Still merits many potential customers. So whether the community is kind of alien to you or not, you ought to exercise diligence, Especially if you want to stop paying those hot girls in short skirts. Here are essential dating online tips to help you out.
Skip dressing in your nicest threads
yes,that’s right, we know, We know where else you will too wear that awesome looking weekend outfit? But you have to note that it’s going to sweaty in there. And to be honest, Nobody is really going to rate that nice cashmere sports coat, specially in a club’s lighting.
Avoid being dressed in black
This may seem hasty, But you need to consider that clubs tend to be bedecked with UV light bulbs, Making black clothes look brownish and ugly. that’s saying nothing of dandruff. however, Gray is best worn to hide sweat, And blue looks always great in bed.
Don’t register your coat
Go with something that can take the heat inside while not having to go through the long coat check line. Try putting on a lightweight blazer or leather jacket. the extra pockets your jacket has, The more likelihood fewer sweat stains.
Know the neighborhood
the reason is because a night club’s institutional etiquette can depend on geography, that also varies widely. for example, you could be wearing the "Right workout shoes" In rhode island and the doorman knows it. But in las vegas, is going to be better if you came in square toes you got from Payless. For a more secure bet, Ditch those workout shoes and go for footwear that "recover with age, Like shoes or boots, Moccasins or most things that isn’t white.
be aware of the club
Each club is different different dress codes, crowd, Or chilling. some on-line research can go a long way towards you being dressed <a href=https://www.bestbrides.net/signs-that-vietnamese-women-like-you/>how to tell if a vietnamese woman likes you</a> inappropriately.
you have got to, Under any considerations, refrain from wearing sunglasses
Only Jack Nicholson will get a pass, and maybe Kanye West. But our dating on the internet tips say this whole concept is downright obnoxious. higher, Wearing sunglasses in a low light environment will only stop you from knowing if a woman is attractive upon first glance. most likely, If she’s talking to you at this time, Meaning you from a club, Sweating and wearing dark glasses, She is not likely.
[—-]