Anyone Can Trace Your Facebook Profile Using Your Phone Number If You Do Not Hide It

Security experts' job is not easy. For years, they have been saying that people must turn on two-factor authentication (2FA) wherever possible. They have been arguing that it brings a level of security that a set of login credentials simply can't match on their own. It turns out that when it comes to Facebook, having two-factor authentication enabled might have some serious privacy consequences that people wouldn't normally expect. Security experts now have egg on their faces, and the worst thing about it is, it's not even their fault.

Yet another Facebook privacy problem

It's the next in a long line of privacy scandals around the world's biggest social network, and it was sparked over the weekend by Jeremy Burge – founder and "Chief Emoji Officer" of Emojipedia. In addition to making very important emoji-related decisions, Burge is also the admin of a large Facebook page with plenty of fans, and he said that over a period of a few months, he received countless notifications urging him to enable 2FA in order to minimize the risk of account hijacking. He was ignoring the warnings until Facebook told him that if he doesn't turn 2FA on, the page would be deleted. Reluctantly, he turned on Facebook's SMS-based two-factor authentication system. Over the weekend, he was reviewing his privacy settings when he noticed something unusual.

One of the options read: "Who can look you up using the phone number you provided?". By default, it was set to Everyone, with the other options being Friends of friends and Friends. This, you have to agree, is not what you'd expect after you give your phone number for the sole purpose of turning on 2FA. Burge shared his findings on Twitter which, rather predictably, caused a bit of a stir.

The backlash, as you might imagine, is huge. Armies of people have now taken it upon themselves to tell you how evil Facebook is and how you should delete your account as quickly as possible. We reckon, however, that before trying to influence people's life choices, some things need to be cleared up.

Looking up vs. searching vs. seeing

There seems to be some confusion around Jeremy Burge's findings. Some people have misunderstood the emoji guru's tweet and appear to think that having 2FA enabled will make their phone numbers visible to everyone. This is not the case. Facebook, for all its shortcomings, gives you a rather simple and easy way of managing the visibility of your contact information. Just go to your timeline, click on the "About" tab, and make the necessary corrections.

The second misconception is that everyone can go to Facebook and use the search bar to find your profile using your phone number. This functionality was removed in the wake of the Cambridge Analytica scandal.

The problem Jeremy Burge found is a bit different. Let's say you've given Facebook your phone number for the purpose of 2FA. Someone else who you may or may not know has your phone number entered into their contact book on their phone, and they have allowed Facebook to access their contacts. Although you don't want your phone number to be used to connect you with other people, Facebook will try to hook you up.

There is a slightly more disturbing scenario. If cybercriminals have large lists of phone numbers, they can use them to associate phone numbers with real identities which, under certain circumstances, can be pretty damaging. And you don't even have to give your number away. By giving Facebook access to your contacts, you give it access to the phone numbers of all your friends, family, colleagues, and peers. Facebook not only gets these numbers without their owners' explicit consent, but it also uses them in targeted advertising campaigns.

All in all, the way Facebook handles people's phone numbers is not always as transparent as it should be, and it presents a few serious concerns for privacy-conscious people.

This time, it wasn’t a mistake

The words "Facebook", "privacy", and "concerns" have appeared quite a few times in the same sentence, especially over the last few months. Few can forget the picture of a slightly pale-looking Mark Zuckerberg appearing in front of the US Congress after the Cambridge Analytica fiasco. And since then, we've heard people from the social media business utter the word "sorry" a few more times, claiming that they'll try to sort things out and better protect the private data of the billions of users that interact with Facebook every day.

These vows are in stark contrast to what Jeremy Burge discovered. The option to look up people using the phone numbers they've provided for 2FA purposes isn't new. It's been around for a while, and we doubt that nobody knew about it because Facebook accidentally "forgot" to tell people how their phone numbers are going to be used outside the 2FA system. We also doubt that someone has forgotten to add another item to the drop-down menu which lets you opt out completely and use your number for 2FA and nothing else. Even Alex Stamos, Facebook's former (and, in his own words, "recovering") Chief Information Security Officer, said that this isn't a mistake but a product choice.

Keep two-factor authentication on

As you can see, we've deliberately avoided giving unwanted advice on which social networks you should and shouldn't use. Over the last few months, people have seen a few strong arguments for staying away from Facebook, but as always, the choice is entirely yours.

If you decide to stay, you should bear in mind that you can keep 2FA enabled without revealing your phone number. The social network also gives you the option of using U2F tokens or an authentication app as a second factor. Weaknesses in SMS-based 2FA systems show that you are better off picking one of the other two options anyway, and the fact that they exist means that you have no excuses for not using them.