Facebook claimed phone number was only for 2FA. Now it's searchable (opens in new tab)

(twitter.com)

156 pointswaymon7y ago16 comments

16 comments

Synchrony branded credit cards do the same thing, they use your SSN to obtain phone numbers from one of the Transunion skip trace databases. So even though I’ve only ever given Synchrony my dummy number, when I try to change my password I get a selection of phone numbers that they want to send a verification code to, and those numbers only exist in that Transunion database.

You can’t correct or remove anything from the Transunion database, because it’s not used for credit decisions there is no way to force them to do it.

So instead I’ve made it a game to try and see how many phone numbers I can get added to the database. My goal is to request a free copy of my file one day and have it arrive on a pallet.

Maybe if I fill out a credit card application and list Kevin Bacon’s address as a former residence then they’ll add him to my list of known associates...

luckylion7y ago

Hey, if you can automate the process, you have a free backup service with unlimited storage ;)

jrnichols7y ago

I'm not sure if it's Transition, but those "verify information only you'd know" questions that credit card companies ask now has bogus data on me, and I've had trouble getting into my own accounts because of it. For example, "which one of these did you work at?" and all 4 answers are false. But they expect one of them to be true. It's a huge hassle.

godzillabrennus7y ago

When you figure out how to game the system charge others to do it.

People would pay to create fuzz in their records.

zxcvbn40387y ago

I think they key is that data brokers are greedy and accept all inputs with little validation. Their data quality teams are more focused on algorithmicly removing “obvious” duplicates due to small transpositional errors and such. They are usually not geared towards stoping people from intentionally entering incorrect but valid data. Even in cases where they might hold back data because they are uncertain about, they don’t delete it, as soon as there are enough “signals” that it might be correct they pass it through.

So knowing that data brokers are greedy the trick isn’t to get governments to force them to delete and protect information, the trick is to give them so much bad information that the good data becomes indistinguishable.

mthoms7y ago

Some mobile apps have two account creation options: Facebook login or phone number.

I recently chose phone number (because screw FB) but then noticed that the SMS verification is performed by Facebook anyways.

What the hell are App developers thinking? If I choose not to use my FB login in your app it's because I don't want FB snooping on me.

But then you turn around and use Facebook to validate my phone number without proper consent?

NowThenGoodBad7y ago

I totally agree with you.

From a developer side: Google, Facebook, etc have well developed and much safer password and login authentication and the liability technically falls on them for any screw ups. Although I have a very secure hashing system for my online game login I still plan to make logging in with your Google and, maybe, Facebook account. It also adds convenience.

I’m imagining the dev found some tool to do sms verification that Facebook makes simple (or maybe that’s all they know how to use considering you didn’t mention any google login...).

technofiend7y ago

For some unfathomable reason Google no longer allows Google Voice clients to forward their calls to Project Fi numbers. So my new layer of abstraction is a $3/mo Call Centric number routed to a $12 SIP deskset.

Call Centric lets you whitelist so step one is to upload your contacts to them and then drop any calls not in your list. Goodbye telemarketers. Second step is to leave the phone unplugged altogether unless you need to use it since anyone you know has your mobile number anyway. :-)

If you really need it, you can add the Call Centric number to your cellphone via a SIP client but in my experience that's a bit of a battery sucker and call quality can be poor with noticeable voice delay.

tylerl7y ago

"No longer..."?

No, it never was possible. The two systems use the same underlying infrastructure but for different purposes, which leads to a frustrating interplay of technical constraints and security/privacy controls.

technofiend7y ago

I distinctly remember being able to do it at one time. Then a friend complained he could never reach me and I discovered my cell number was dropped from forwarding and couldn't be added back. I may have managed to sneak it in by porting in a forwarded number.

dplgk7y ago

Does the ACLU care about this kind of stuff?

__blockcipher__7y ago

https://fixitalready.eff.org/facebook/#/

https://www.eff.org/press/releases/eff-implores-nine-compani...

EFF does!

KiDD7y ago

It has always done this... the very reason I do not add my phone number.

Criper1Tookus7y ago

Never provided a phone number for this reason

ChlorophZek7y ago

could this be a GDPR violation of any sort in the EU?

MatthewWilkes7y ago

I should think so. They don't have consent; vital interest, public task, legal obligation and contract do not apply; they must be relying on legitimate interest. I can't imagine this would pass an unbiased balancing test.

j / k navigate · click thread line to collapse

16 comments

zxcvbn40387y ago

You can’t correct or remove anything from the Transunion database, because it’s not used for credit decisions there is no way to force them to do it.

So instead I’ve made it a game to try and see how many phone numbers I can get added to the database. My goal is to request a free copy of my file one day and have it arrive on a pallet.

Maybe if I fill out a credit card application and list Kevin Bacon’s address as a former residence then they’ll add him to my list of known associates...

luckylion7y ago

Hey, if you can automate the process, you have a free backup service with unlimited storage ;)

jrnichols7y ago

godzillabrennus7y ago

When you figure out how to game the system charge others to do it.

People would pay to create fuzz in their records.

zxcvbn40387y ago

mthoms7y ago

Some mobile apps have two account creation options: Facebook login or phone number.

I recently chose phone number (because screw FB) but then noticed that the SMS verification is performed by Facebook anyways.

What the hell are App developers thinking? If I choose not to use my FB login in your app it's because I don't want FB snooping on me.

But then you turn around and use Facebook to validate my phone number without proper consent?

NowThenGoodBad7y ago

I totally agree with you.

I’m imagining the dev found some tool to do sms verification that Facebook makes simple (or maybe that’s all they know how to use considering you didn’t mention any google login...).

technofiend7y ago

tylerl7y ago

"No longer..."?

technofiend7y ago

dplgk7y ago

Does the ACLU care about this kind of stuff?

__blockcipher__7y ago

https://fixitalready.eff.org/facebook/#/

https://www.eff.org/press/releases/eff-implores-nine-compani...

EFF does!

KiDD7y ago

It has always done this... the very reason I do not add my phone number.

Criper1Tookus7y ago

Never provided a phone number for this reason

ChlorophZek7y ago

could this be a GDPR violation of any sort in the EU?

MatthewWilkes7y ago

j / k navigate · click thread line to collapse