Quite literally, every business school on the fucking planet will tell you to do something if it’s cheaper. It is cheaper for them to not give a fuck, than to give one. Unless they are fined upwards of $20-50bn it’ll never stop because it’s always going to benefit their bottom line. Full stop.
If you don’t take 10-15% from a company they won’t ever be incentivized to stop. This 5% or less bullshit has to stop if folks want change.
Edit: small grammar fix.
They shouldn't be learning about the breaches from the company that has been breached because that gives the company too much power. Instead we should empower watchdog organizations to be our source of news for data breaches.
Facebook users (notably not customers) are the ones being harmed here, and they don't exactly have free rein to choose the platform their communities talk and organize on. If I choose not to use Facebook then I'm isolating myself from my community.
What the hell is the FTC and DOJ doing allowing these obvious anti-competitive mergers and acquisitions? How is Amazon able to sell physical and digital products, control distribution channels, and sell significant infrastructure? I am no monopoly expert, but in my opinion, AWS is a significant competitive issue. Did we learn nothing from US Steel and Standard Oil? Has the Clayton Act been ignored? It seems like the Sherman Act matters as well: companies all agreeing, within hours, to ban certain apps or content. That’s not competition.
The answer is probably strong anti-competitive legislation that makes it easier to move service, easier to inter-operate between services, and making services more granular.
If you quit using FB and were still leaked, now what? If you were leaked because they hold a shadow account?
The problem is even worse: if your friend shares their contact list and that is the data that gets leaked, what then? I think that brings to question the entire idea of a phone number belonging to one person. A friend can give consent to share your information. Maybe we are focusing on the wrong set of problems?
Maybe phone numbers / email addresses being leaked is a problem that cannot be solved and instead we should focus our efforts on spam filtering or being able to easily change those identifiers.
Likewise we shouldn't expect people to all be computer security experts, but we should expect regulators to keep us safe by creating standards and enforcing penalties for companies failing to meet them. I'm not saying we need a new regulatory agency, but we do need enforced regulation with scalable teeth.
This centralizes power to a few at the expense of the many. Furthermore I deem the social contract to be unethical so I would not include myself in the "everyone" camp. I'd much rather see watchdog organizations regulate the market.
But just as a colony of ants can destroy a house, so too can we puny humans, when united, extract demands from huge corporations. Individual regulators do the actual fighting, but they do so on our behalf, with our collective backing.
(Side note: so cool of you for disagreeing with the social contract, though your edgy dissent is only possible because the majority do accept government.)
However, the FTC needs to play a bigger role in enforcing Clayton. Facebook should never have been allowed to buy Instagram or WhatsApp.
I don't understand why the government doesn't go for these types of things. On one side... it is easy money for the federation. On the other side, on a "personal" level for the bureaucrats, it is at least some good money they can keep corruptly.
One thing I will tell you, when I was in charge of the data of a FinTech in Mexico, we were VERY aware of those fines and took a lot of care regarding our security.
Perhaps companies should buy insurance for this and then that would incentivize insurance companies to help protect their clients. Insurance requirements are a significant safety factor at many physical businesses. The law is important, but being denied insurance claims is a great private-sector solution. Of course for insurance to be meaningful, the penalties have to have significant teeth. However, a mega-Corp (by revenue) would likely self-insure, but they’d still have incentive to do right if the penalties were per record, not per breach. For HIPAA, there’s a fine of up to $10k per record for a breach. 10k times 200,000,000 users affected becomes real money even to Facebook. And, let’s make the fines payable to the user, not the government. The user is the one incurring the harm, not the government. The government still gets their slice since such awards are taxable.
I agree. I meant that market cap should be taken into account along with factors such as damage. The goal is that for the same wrong, a small and a large company face the same penalty, but adjusted in proportion to their financials.
They literally do, and I think it lightens the blow more than anything.
This should be a 25 billion dollar fine.
For a business entity this is the only thing that will motivate them to try harder in the future.
But governments rarely have a fine based on the entity's revenue, let alone calculate a fine based on the impact of negligence like this. I guess FB has decided that even if a GDPR fine is triggered, paying it is better than reminding half a billion users that using their platform is dangerous.
I've witnessed, while literally getting sick due to the compliance burden when running the company as a single person (i.e. making sure I don't fall behind on any of them), large companies calculating the expenditure to 'fix the fine' if raised by the Govt. after several years and deciding NTGAF as the fine/fix is 'negligible' for them.
Services like social networks don't need to store physical addresses, SSNs, phone numbers, etc. Therefore, that data should be looked at like a liability rather than an asset. It shouldn't be collected in the first place.
Data like private messages, friends-only posts, etc. are needed for the features they want to provide, and they should only provide those features if they can protect that data.
I don't think there's much that would wholesale get Facebook to withdraw from a huge market like the US but if they did then competitors that did obey the new laws would take their place, as long as the entire business model wasn't completely defunct.
That said, I think the parent comment that suggests “20-50B” fines is dramatically overestimating what it would take to promote more depositor behaviour here. Even much smaller fines with the threat of larger ones would likely be sufficient.
The first move is usually to legally object to the fine if it's more than the cost of doing business, leading to years of back and forth. Look at the fine the EU imposed on Intel in 2009 which keeps getting contested and reexamined. Increasing the cost and friction for the ones trying to recoup the fine makes them more willing to negotiate a faster settlement (usually a better deal for the company). It's a good bargaining chip for the company if they have very few assets under that jurisdiction or it's a market they can afford to lose. So the company pays some of the fine and then sees much stricter controls applied to them in particular, not via law but via the settlement.
Finally the company is represented by a CEO and/or board and those are the people ultimately responsible for disregarding a court decision. There could be attempts to hold them responsible but the US is famous for protecting any CEO from prison time (inside or outside of US borders). The US has a history of refusing to extradite CEOs convicted simply because they can purchase their way out of any trouble, it's only a matter of price. So this last step is mostly symbolic, the CEO is convicted because justice has to be served in the accusing jurisdiction.
We have a three strikes law in CA. I haven't done any research to find out how effective it's been in reducing crime - but something similar for big companies like Facebook might be a way of dealing with this nonsense?
I know, Facebook has made an egregious error. But overreacting (kill them all!) is not a good solution?
But that's clearly not what's happening in this case:
> Facebook Inc did not notify the more than 530 million users whose details were obtained through the misuse of a feature before 2019 and recently made public in a database, and does not currently have plans to do so, a company spokesman said on Wednesday.
> Ireland’s Data Protection Commission, the European Union’s lead regulator for Facebook, said on Tuesday it had contacted the company about the data leak. It said it received “no proactive communication from Facebook” but was now in contact.
> The July 2019 FTC settlement requires Facebook to report details about unauthorized access to data on 500 or more users within 30 days of confirming an incident.
I'm not sure how that can be categorised as making every effort?
We all know how badly that goes with speed traps and red light cameras - instead of improving, the road conditions and sometimes even local rules are tweaked to maintain steady cashflow.
Say no to revolving doors of regulators, say no to moral hazard of what effectively amounts to vice tax. Apply criminal penalties when reasonable, don't make data leaks & privacy breaches just another cost of doing business.
Clarification: a fine works well when it's expected to be a rare penalty enacted on a singular player - as it makes that player noncompetitive in the market. Conversely, when fines are expected to apply regularly and at a proportional rate to most, or all, players in a market, the fine no longer makes the player noncompetitive - it merely shifts the market. Perhaps some alternative markets (print? radio & TV?) would pick up some of the advertising slack, but largely it'd be a regular money transfer from corps to the government. And a "vice tax" like that is a clear moral hazard, with no natural end in sight.
Make it a "third sector", properly audited NGO (watchdog, thinktank, foundation ...), with ties to some appropriate umbrella (UN, ICJ), that uses some sort of blockchain solution to fine as needed, and then allocate compensation from this to aggrieved parties, or social programs, compensating not only for loss of privacy, but for the other nasty effects (fake news, emotional distress, political polarization ...) that F'book is causing.-
Otherwise, our souls are just another cost of doing business to them.-
The key consideration is avoiding perverse incentives. A stellar example is how the GDPR disaster is unfolding: the smaller websites are still plastered with "cookie warnings" making them less usable, while the larger platforms - Youtube, Google - already pivoted the warning dialog into nagging for logging in, making anonymous browsing incrementally less practical. The difference in power lets the larger players use as a moat the regulation that's prima facie about privacy.
I like your approach to these damages as stochastic, broad, ergo "actuarially" manageable ...
How perverse indeed.
> A specific branch of government, a select agency, to become a profit center
So don't directly give them the money from the fines, simple.
How can they be trusted anymore?
This also strikes a great point about the data sharing between Facebook and WhatsApp. Linking data between services augments the dangers and the consequences are not obvious to the end user.
I think Facebook should offer their users the option to remove their phone numbers with a real deletion.
Man sometimes I think people forget phone books existed for a long time.
I noticed this even back when phonebooks were a thing: a 'private' number was not something random people should call. Yet the reality is that the number is kind of public but not. If you did accidentally call one you would get 'how did you get this number' from the person you called.
Judging by the number of phone calls I get these days, they have also already correlated a huge number of these. Short of me changing my number every few years there is not much I can do. I am getting cold calls on property I bought 20+ years ago asking if I want to sell.
At the bottom of this though is the 'data' these companies are scouring on us, then cross correlating it. I have for the past few years come to the conclusion that data is harmful to keep, for both the end users and the companies that do it. Companies like Google and FB seem to be of a very different opinion. Companies should be going into collecting data with 'how do we get rid of it after some period of time', not 'let's buy more HDs to keep it on'.
If the notion were introduced today, nobody would tolerate them. That they once existed is hardly an argument that such things are a good idea.
They never could be.
This, of course, due fines aside ...
Edit: See my further comment upthread on this, or other solutions.
1. I don't trust Facebook to not track me. When I left Facebook for good in 2014 it was because, for the second time after setting all my settings as private as I could (show photos only to friends, etc.), Facebook somehow reverted everything to "public".
2. Their algorithm is still aimed at generating controversy rather than truth, and that's enough for me to not use it.
Google does the same, they've even published a paper showing just adding an email address is enough to eliminate 90+% of phishing attempts.
In particular, there could easily be a postal system implemented where the sender would not need the actual physical address of the receiver. The receiver could easily ask the postal service to generate an arbitrary key which could either be single use, or multiple use, in order to deliver, so that one could receive mail and packages without having to surrender information regarding one's place of residence to the sending party.
Recently, I was hand delivered something from my sports club at my address as an apology for COVID. All quite considerate, but I'm not so comfortable with the fact that apparently my physical address is known to arbitrary members of said club, and that I was required to give it in order to sign up, which is necessary with modern technology.
There is no theoretical need to surrender one's physical address to join a sports club, but physical addresses are exchanged everywhere as though there were no problem with this. They are of course the easiest way to stalk and harm someone.
- Names, addresses, and phone numbers were published by the phone company in a book and given to everyone.
- Hospital admissions/discharges were published in the local newspaper.
- Social Security Number was used for everything. Many people included it on their pre-printed checks. Engraving it on valuable personal possessions was encouraged, for help identifying them if they were stolen.
None of this was considered a real violation of privacy, or at least I never heard anyone really express any concerns about it. Unlisted phone numbers were a thing, but very few people had them and it cost extra to have one. Most people wanted to be in the phone book so others could contact them.
I guess the big thing that's changed is identity theft is now a thing. That's because it's become possible to "identify" yourself by providing enough information about yourself without actually being physically present. Also online harassment/doxxing. All of which is only a problem because everything and everyone is online now. That is the real problem, not the information itself. Of course there's no putting the genie back in the bottle.
Yes, and I think it was wrong to do so.
I think it's ridiculous to be worried about websites tracking one's noncorporeal identity tied to an integer on the internet compared to the fact that everyone in my sports club can easily retrieve my physical place of residence.
Or the end user's friends and family whose privacy was also affected by being in the user's contact list.
"People just submitted it. I don't know why. They 'trust me'. Dumb fucks." -Mark Zuckerberg
I don't know if they can. I had specific conversations about things like preferring TOTP to phone in internship and job interviews, but I struggled to land the prestigious roles others did, though people I've spoken with informally certainly like to parrot key phrases I liked to use when we'd socialize at conferences.
@Facebook here you go: https://haveibeenpwned.com
According to that site, my personal email has been leaked by Adobe, and by a bunch of shady database firms I've never heard of.
(On further reflection, I probably used my Google account to log into Adobe, which leaks my personal email to the site I'm logging into.)
Ex: You might see [email protected] in the report for those db, even though Joe Smith only ever had [email protected]
And sometimes it's legit scum collection. Some of the spam you get is just verifying which email addresses work and which don't. If it doesn't bounce, you know you got a valid email address. Works for a lot of businesses (but not if you've got a personal catchall).
They can’t assume that, or trolls or unscrupulous competitors would start creating ‘Facebook’ data dumps left and right.
I do wonder what EU regulators will say about their viewpoint that they do not have to inform their users, though.
Mark Zuckerberg's phone number was in the dataset. It came from Facebook.
The GDPR in Europe would require them to delete that data in a bunch of circumstances.
Think about it... If you asked a company to delete your data, are you giving them permission to go refind that data on the dark web, cross reference it with records they should have deleted, and use it to send you email? Clearly not.
Source? Nothing prevents Facebook from making a public announcement that anyone that had an account on Facebook between dates X and Y might have been affected.
Unfortunately there's a lot of misinformation around GDPR spreading online.
> They could (and must) notify the ones they still have data about.
I agree strongly. For what it's worth, this is absolutely not what I took away from your other comment.
The sentence structure is a strong indicator that this is something other than a question.
This could easily be interpreted as:
"They no longer have an obligation to notify the rest, because they might have deleted some of the accounts...duh"
The commenter's clarification removed the ambiguity, but let's not pretend the original statement was crystal clear. I think the difficulty interpreting the comment is also partially a result of just how passive-aggressive many comment threads have become. After clarification, I understand the original intent. Without that clarification, there are two interpretations.
A different way to say this would be:
> "Are you saying they no longer have an obligation to notify the rest just because some of the accounts might have been deleted?"
That would totally defy logic.
I don't think that Facebook deletes anything ever.
I mean, GDPR is a joke but that would be absolutely nonsensical.
It's insane. I've heard banks using SMS!!!! To send a code. We have TOTP for that! Or even perhaps a push notification or something better than bloody SMS.
I refuse to use the networking system altogether. No phones, no calls. Of course you do 'need' a number so I keep one handy, but I haven't read a text or made a phone call in a long while.
It needs to die. NOW. Outlaw SMS!
It sounds like you're incredulous that even banks are being insecure, but history has shown that you can expect banks to be roughly last in terms of competent and secure IT. I trust my Walmart.com account info to be safer than my bank info.
I doubt that most of the people that complain about SMS live in rural areas.
It seems to be more of a US thing. The country is so large that unless you live in a city you just won't be able to get data reliably. This leaves SMS as the only form of phone communication that isn't a voice call.
Even installing and using a TOTP app, and configuring it to work with an online login, is a hurdle that a non-negligible number of users cannot pass.
It's better than nothing.
Maybe Starlink will be able to provide a mobile phone service that only offers a data connection one day, and that will be the "disruption" the mobile industry needs.
Is this worldwide or US? I for now trust the senderid and assume them to be valid if they are coming from bank etc. I also haven't heard of anyone spoofing SMS. Should I be more cautious?
The reason is that phone companies interoperate grudgingly and do the minimum required to pass calls and messages between each other, and also most phone companies are 100+ year old companies who have just layered modern tech on top of their old stuff.
They handle a massive unending stream of calls/messages and they can't possibly validate each one (even if they wanted to), so when a call comes into your provider (mobile or land line) it comes with all the metadata fields (sender, etc) populated, and your provider just passes that along without any verification.
This was less of a problem when there was a reasonably limited number of phone companies (a few per country) and they were all large enterprises.
Now with the rise of Twilio and tons of other pay-as-you-go companies that can hook into the global phone network to send calls and messages, and MVNOs (virtual phone companies that sit on top of the incumbent ones), there are too many players to track and in the name of convenience (and cost-savings) we haven't kept up with the verification part of the chain.
They don't pass on all metadata, that's part of the problem. If a call originates in $foreign_country, the sender gets to spoof it as a local call (sometimes they even use your own phone number). Are you really telling me there's no way to tell the difference between an off-shore call and a local one? It seems if this were true that billing is impossible, yet somehow the origin gets billed (though admittedly that might only be the immediate upstream, but usually this will be enough to disambiguate a scam call).
Phone companies make money from scammers. It doesn't seem to be a technical bar, rather a financial disinclination that stops phone companies from robust action.
I'll give you one simple example of the magnitude of this. In Ontario & Quebec, Canada, in the 1920s, there were almost 800 local phone companies operating, and "The Bell Telephone Company of Canada" was the long-distance provider that connected all those companies together. Even back then they handled almost 3M long distance calls per day (from roughly ~500,000 phones).
Over time, Bell bought up all those local independent companies and merged their records, customers, infrastructure, operations, etc.
That's Ontario and Quebec only, 2 provinces out of 10.
Fast forward like 60 years and in Canada local/regional phone companies in various parts of the country were still a thing in the early 1980s, and even now we still have distinct phone companies for some of our provinces.
And this is just one country that has less than 40M people. Now repeat this process in the US, and other parts of the world, going back almost a century, and you can start to understand the complexity we're dealing with here.
The insanity of these merged and glued-together tech stacks would make most people faint.
Obviously they're not all still running on super old tech, but if you look at any major incumbent telco's DCs you will commonly find switching systems from as far back as the 1960s that have been wrapped in layer after layer of "modernization" but are still there routing calls and running old code.
I know you believe what you are saying is "simple enough", and it probably should be, but sadly it's not.
And while you're right to say it's a cost thing, it is also a technical problem in that it would require massive coordination both internally within telcos but also between companies that are competitors to each other, and aren't naturally inclined to work together in the first place.
It’s been a long time since I dabbled with Asterisk (IP PBX), IIRC, by default the call forwarding/redirection function uses metadata from the original incoming call. Let’s say, you’ve programmed your PBX that after 30 seconds of incoming call ringing, you want to redirect/forward the call (that is to make a new leg, and then connect them together) to your mobile phone number. I’m pretty sure, on your mobile phone you’d want to see the original caller’s number for incoming call, not the PBX’s phone number.
I'm curious to see if it rolls out as smoothly as we hope.
Worldwide. SMS is just like e-mail, you can put anything you want in the sender field. You should absolutely not trust SMS.
SMS for 2FA is known to be a very bad idea, and some security experts have been shouting about the need to stop doing that for a while.
I also can't see any country managing to implement more restrictions on SMS without either breaking a lot of "legitimate" sources of SMS or being ineffective outside of a very narrow window (e.g. only blocking forged SMS for numbers originating within one country)
"known to be very bad ... been shouting ..." Right, yeah, to put it in some perspective remember that you're talking second factor here. This is not your login, this is a secondary confirmation and you still need some serious motivation to bypass it. It's definitely doable, I work in security and I know what kind of attacks you're thinking of, but it's not the opportunistic kind of thing that a common thief will do without technical research and planning it out. If you know how to do it, you can probably find better jobs than this. It also doesn't scale well because you can only use it on people whose bank login you've already cracked in the first place.
I'm aware it's not your login, but it feels the same as asking someone for publicly searchable information to "verify your identity" - an additional "security" step that doesn't actually slow down any attacker more dedicated than a passing whim, but makes people feel good about whoever is using it, when there are better options that don't have the problems of SMS.
Yes, it doesn't scale well to bulk attacking, but most of my interactions are with people who take reasonable precautions like keeping their machines patched, not installing random crap from the internet, and generally avoiding other fun ways people get swept up in low-hanging fruit campaigns.
SMS 2FA is better than no 2FA at all, it's just frustrating to watch many companies deploy it and go home when there are better options, some of which also require only a phone.
edited to correct my statement: I originally said "SMS 2FA is better than no 2FA at all in a number of cases", but no, I'm pretty confident it's strictly better, even with all my laments about it.
SMS works with every conceivable phone, even most landlines if need be, users don't have to install a separate authenticator app, which may require a Google/iCloud password (now where did I put that post-it note?), that takes up space that may be scarce on low-end phones and that may not even be compatible with very old phones, leaving affected people in a really unsatisfactory spot.
Then they need to set up codes for every login, figure out how to switch back and forth between apps and how to copy codes, which is not very discoverable at least in Google Authenticator – most people seem to memorize and type instead, cumbersome.
Hardware tokens are even worse, people misplace those a lot and unless you are a bank with a mature process for issuing these, setup is probably even more of a hassle.
All of this may be a big deal if you (also) target less technical people and want them to use your product when they have the option not to.
With SMS, all the user needs is a phone number. Pretty much everyone is familiar with that, most will readily share it, too. iOS will even extract codes and show them on top of the keyboard, just wait a second or two and tap the code, done. It's about as painless and frictionless as it can reasonably be, with apparently relatively inconsequential security drawbacks – given it's supposedly trivial to fake SMS, there don't seem to be a lot of people doing so at scale. Maybe a breach like this one will finally change that? Remains to be seen.
For now I can totally see why one might stick with SMS as a second factor.
If they wish to use Apple then that is their own choice, but on Android it's quite trivial to download Red Hat's open source authenticator app from f-droid (the website, you don't even have to install the store if you don't want that). It's quite bare bones on graphics and features, doing only what you need it to (the f-droid build is 0.5MB, frankly still large for what it does but consider that it's like half of a single photo).
And if people don't have a phone with support for apps, then you can still fall back to SMS. Doesn't mean you need to force everyone down to that level.
Fun fact: my grandpa can't use SMS either, your solution is not as universal as you make it seem. He never has been able to due to sight issues (it's not an age thing, though it doesn't help if you're close to illiterate and now need to start to learn how to use solutions for sight-impaired people due to this information age having onset). Does that mean we cannot support anything better than sending a letter, which is accessible to him as well? Can't we have the better solution as well as the accessible one?
> With SMS, all the user needs is a phone number.
No no, you got that backwards. All Facebook needs is your phone number, or whoever it is that pinky promises to only use your phone number for security. I get what you're saying about everyone having a phone number that you can identify them by, but that is also the issue: everyone has typically a very very limited amount of phone numbers (and typically linked to a government ID) whereas a throwaway email is easy to make and each TOTP code is throwaway by design. I think there's something to say for supporting this.
That's even less intuitive than using the default app store. That's a whole new slew of concepts you need to grok (you can download an app from the web and install it without an app store; what is this fdroid thing? is this a virus? what do these dialogs mean?), plus training people to do this without also giving them the knowledge when and why this is safe isn't exactly helpful, but that's a lot to ask from a simple sign-up flow for a hypothetical niche app built by a hypothetical two-person team.
> And if people don't have a phone with support for apps, then you can still fall back to SMS.
You can, but that adds to the complexity and support burden and probably also costs you users due to sign up friction.
> Fun fact: my grandpa can't use SMS either, your solution is not as universal as you make it seem. He never has been able to due to sight issues (it's not an age thing, though it doesn't help if you're close to illiterate and now need to start to learn how to use solutions for sight-impaired people due to this information age having onset).
That's an interesting case. I'd like to think there would be a fallback for people like him, but I guess, in the vast majority of cases, he'd just be left out. The current state of inclusivity in tech is abysmal, though I've seen vision-impaired and deaf people get around their devices surprisingly well; it's still an embarrassment that this industry won't do better. It's hard to get this right when it should be hard to break this, but current frameworks and paradigms don't prioritize this. It's shameful IMO.
I do think SMS is a lot more accessible than authenticator apps and the like, even though that still will not work for everyone.
> Can't we have the better solution as well as the accessible one?
I'm not saying you can't or shouldn't offer the best solution you can. By all means give me Yubikey support and several fallbacks. But I can see quite well how not everyone might want or be able to.
> No no, you got that backwards. All Facebook needs is your phone number, or whoever it is that pinky promises to only use your phone number for security.
Facebook definitely should get rid of SMS factors. If anyone has the resources to do much better, it would be them and the other giants. Not sure how they handle that, though. They'd still collect phone numbers in any case, but they'd happily image people's internal organs if they could, so that is a separate issue.
Apart from that people seem to be quite happy to use their phone number for signup if it makes signup quicker and less annoying. Even if the primary flow is email and alternatives are hidden in another tab, phone number still tends to get used a lot, in my limited experience. Same with Facebook/Google login.
Plus, for most people I guess it isn't as black and white; in quite a few cases I've given my phone number even if signing up via email, because it helps a lot if people can just call me in case of issues (e.g. the restaurant is out of my extra topping).
That said, I'm all for offering as much choice as possible, and I'm not happy with the inflationary use of phone numbers as the only way to sign up, and I'm all for Yubikey support in every app, and it's disappointing that OS/browser vendors don't make this easier and more convenient, and if anyone wants to let me have as many anonymous phone numbers as I need, I'm very interested.
But, still, I can totally see why a resource-strapped product/dev team might come to the conclusion that SMS second factors are sufficient for now.
I do agree with you there. To be clear, while I think the problem is of a smaller magnitude, I do agree with your general point. Other alternatives like very simple TOTP tokens additionally don't require a phone number and so you don't have this stupid "add your phone number now, we'll use it only for security, pinky swear!" prompts.
Heck, there could even be an argument that SMS OTP is now illegal with GDPR unless the user gives explicit consent. You can't use user data (PII) if it's not with consent, for a legitimate purpose, to fulfill a contract, for the user's own good, to comply with law enforcement, and I'm probably forgetting one or two reasons. Now that it's clear that stuff like TOTP is a better alternative, there is no reason to process people's phone number anymore for this purpose, making it impossible for you to send that SMS OTP. (Of course, you'd have to convince a judge that TOTP is better than SMS before we actually get case law on this specific use of a phone number so... *mumbles something about nine-tenths of the law*.)
Look up M-Pesa. Which is a hugely successful, mobile phone based payment system in multiple countries.
In Kenya alone, where it started, it had 17 million subscribers. In 2011, that was.
In India, for every card transaction, for every DMAT transaction, for every password/PIN change SMS is used as 2FA. It is also mandated to require SMS 2FA for every one of these cases.
If my bank has any means to use TOTP/Yubikey, it is absolutely not made obvious, let alone clear or even possible.
Unfortunately, quickly looking, suggests at least one of the listed services for sending arbitrarily forged SMS messages explicitly works in India, so it seems like this is still true for you. :(
 - https://www.usethistip.com/5-websites-to-send-anonymous-or-f...
I kinda assumed this was a widespread modus operandi, apparently it's not?
Another problem with Android could be that the operating system might not have enough control over the SIM-Card/Modem to spoof phone numbers.
I have heard about people using some services to send/call from spoofed numbers though
(Btw a Google search for "Hushsms" results in shady/cancerous app stores that all seem to mirror each other. Where is the official website/thread?)
Never trust any information from SMS, or from a telephone call (or email): both SMS and CallerID can be trivially spoofed, and frequently are.
If they have e.g. found out what bank you use, they can make the number look like it came from your bank ("See, this number is listed on the back of your card" is a common approach)
If you get a call or SMS requiring followup, then look/ask for a reference number and a publicly listed number you can call back on - _and verify this number is listed on the organisation website before calling_, ideally on a telephone you know they can't "hold the line open" on (less of a problem now people mostly don't have landlines). It's okay to "engage" with a caller as long as you are careful to not give up any personal information - especially in cases where it's a bank they should be fine with you refusing security until you can call back.
Don't ever relay information between channels e.g. if you _think_ you are talking to the bank, don't relay the contents of a 2-factor SMS you get, even if they say they are "sending" one to you. There have been cases where scammers have called the bank at the same time as calling the mark, so that when the scamee called the bank on a different line the bank verified that "they" were on another line.
On reflection, it's kind of crazy the things you have to be suspicious/paranoid and aware of. I'm not surprised that even competent/intelligent people get scammed; it often seems that the infrastructure we rely on for trust is even flimsier than you could imagine.
Probably there are more extreme cases where these general rules aren't enough but probably unless you are a big CEO or something you are below the targeting threshold (see e.g. https://nakedsecurity.sophos.com/2019/09/05/scammers-deepfak... which will probably only become easier over time). A healthy skepticism about complicated workflows is probably helpful.
It's not really new data, it's just scam SMS I've received in the past has never shown any sign of knowing anything other than my phone number. Now you can buy phone numbers and pull personalisation data unrestricted from your copy of Facebook's database for each of them. I'm sure sophisticated scammers already were, but now everyone will.
This is why facebook can say to advertisers, "We mostly have young people using our service. So please put your money on our company"
And yes, using the account of a 60-70 year old always receives fewer ads :D
Suppose you can get a list of people studying there, their names, and their phone-numbers. Faking this SMS and putting a payment that goes to you instead of uni would be a nice way to earn about 2000 euros per student who falls for it.
They don't email this information? They don't put it on an online notification system? I have no idea why SMS seems like the logical option for this.
That doesn’t justify the security implications of doing this...
I have considered faking the SMS message, with the payment link saying "imagine this wasn't a warning message but an actual payment request, please tell the university this is unsafe". But sending that kind of mass SMS is not easy, nor is finding the correct phone numbers.
With a correlated leak like this, it's super easy for me to find your profile, see who you are, what you look like, even from just your profile picture I could potentially see you have a daughter yourself, so I can target your mother that something happened to her granddaughter and you, which would make her pay up even faster possibly.
> This huge leak has definitely killed the SMS text messaging service.
As someone who has much friction already convincing people to use SMS with me instead of the WhatsApp account that I've never had (nor a Facebook account), making SMS even more problematic is great for Facebook. Many people assume bad intentions or some other undesirable status when telling them that I don't have WhatsApp and that I'm not willing to install it.
What is truly damaging about this breach is that it allows for bidirectional mapping of phone ⭤ name (and often location, since the data can include town/employer).
The risk is much bigger than "I'm going to get more phone spam."
- An abusive ex/stalker type can now search by name and find his ex's phone number and maybe even city/town.
- Have you ever dealt with an irate person via phone? (craigslist deal gone wrong/creepy, for example). This person can now know your name and even photo since the leak includes your fb id.
I am certain that both of these things will happen in the next few months or years. If privacy changes are to happen at the legislative/personal responsibility level, it would behoove an organization like the EFF to find one such case and use it to sue the living daylights out of FB. I think it's also worth mentioning these sorts of risks instead of focusing on "spam".
Unfortunately, even if that were to happen, we'd end up with a moral panic, which almost always ends up punishing the wrong people. What we really need is a change in the kinds of data that are allowed to be kept, and a change in data/identification infrastructure.
- The creation of a standardized & subsidized token/OTP platform. In the US for example, you should be able to go to the post office and get a NIST approved token generator, which should be mandated to be used by all banks and replace SMS and SSN as authentication.
- A pseudonymity middle-layer (ie, Stripe for Privacy). For example, when I buy a t-shirt online, I should be able to simply give the merchant my pseudonym, and they shouldn't store my actual name & address. If they want to store that there should be much much higher data protection requirements.
This infrastructure should be free market but with a "public option" in order to prevent oligopolization of these services.
But of course I couldn't resist grepping for a few other things. For example, there were about 25,000 phone numbers, emails, and names of single people in my home city.
The same info is available for about 180,000 US-based people who list Facebook as their employer. I sure hope that nobody takes it into their head to complain about the breach to those people!
It is hella creepy that anybody can search through such a vast quantity of extremely personal information so easily. But this is also a predictable late-stage result of mass-scale social media use.
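The "bidirectional mapping" point above, and the grepping described in the previous comment, as an added example that is not from the thread. The records and the address book are constructed; the only real-world detail is the column shape (phone, name, town, employer, fb_id). The part a practitioner should take away is the normalization step: numbers stored as "+1 555-010-1234" and dialed as "(555) 010-1234" are the same key once reduced to digits, so sloppy formatting is no protection, while the name direction stays ambiguous. The normalization rules are a deliberate simplification, not a full E.164 parser.

```python
"""Added example: a phone-keyed leak as a forward (phone -> identity) and reverse
(name -> phones) lookup table, joined against an address book in other formats."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample rows in the shape the thread describes. Not real people.
LEAK: List[Dict[str, str]] = [
    {"phone": "+1 555-010-1234", "name": "Alice Example", "town": "Springfield",
     "employer": "Acme", "fb_id": "100001"},
    {"phone": "15550105678", "name": "Bob Example", "town": "",
     "employer": "Facebook", "fb_id": "100002"},
    {"phone": "+44 20 7946 0958", "name": "Alice Example", "town": "London",
     "employer": "", "fb_id": "100003"},
]

# Constructed address book: same numbers, different formatting, plus one absent from the leak.
CONTACTS: List[Tuple[str, str]] = [
    ("(555) 010-1234", "mom"),
    ("555.010.5678", "plumber"),
    ("+1 555 010 9999", "unknown"),
]


def normalize_phone(raw: str, default_cc: str = "1") -> str:
    """Collapse common formats to country code + national number, digits only.

    Simplified rules (assumption, not a full E.164 parser): a '+' or '00' prefix
    marks an international number; a bare 10-digit number is taken to be in default_cc."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        return digits
    if digits.startswith("00"):
        return digits[2:]
    if len(digits) == 10:
        return default_cc + digits
    return digits


def build_indexes(records: List[Dict[str, str]]):
    """Forward index phone -> record (unique key) and reverse index name -> [phones]."""
    by_phone: Dict[str, Dict[str, str]] = {}
    by_name: Dict[str, List[str]] = defaultdict(list)
    for rec in records:
        phone = normalize_phone(rec["phone"])
        by_phone[phone] = rec
        by_name[rec["name"].casefold()].append(phone)
    return by_phone, dict(by_name)


def correlate(contacts: List[Tuple[str, str]],
              by_phone: Dict[str, Dict[str, str]]) -> Dict[str, Optional[Dict[str, str]]]:
    """Join an address book against the leak: label -> matching record, or None."""
    return {label: by_phone.get(normalize_phone(number)) for number, label in contacts}


def lookup_name(name: str, by_name: Dict[str, List[str]],
                by_phone: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """Reverse direction: a name yields candidate records; it is not a unique key."""
    return [by_phone[p] for p in by_name.get(name.casefold(), [])]


if __name__ == "__main__":
    fwd, rev = build_indexes(LEAK)
    for label, rec in correlate(CONTACTS, fwd).items():
        print(label, "->", rec["name"] if rec else "no match", rec["fb_id"] if rec else "")
    print("Alice Example ->", [r["fb_id"] for r in lookup_name("Alice Example", rev, fwd)])
```

The join is one dictionary lookup per contact, which is why the comment above is right that this will be exploited at scale: no scraping, no API, just a normalized key. Defensive uses of the same code are legitimate too (a survivor of abuse checking whether their own number resolves to a town), as long as the corpus itself is handled as the sensitive data it is.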
>The creation of a standardized & subsidized token/OTP platform. In the US for example, you should be able to go to the post office and get a NIST approved token generator, which should be mandated to be used by all banks and replace SMS and SSN as authentication.
>A pseudonymity middle-layer (ie, Stripe for Privacy). For example, when I buy a t-shirt online, I should be able to simply give the merchant my pseudonym, and they shouldn't store my actual name & address. If they want to store that there should be much much higher data protection requirements.
Deid, paired with the fact that i don't give them anything. I send them the money instead of giving away my information. This is a key distinction. When i pay for things with my credit card, I am swiping my card, they are saving my information and running my card. Sending them money, with some DeID to acknowledge receipt is entirely different. Instead of them 'Taking', I am 'Giving'.
Also, the Deid can come with a parsing function that 'Shares' the keys to your address and name, without the ability to capture your information. It works directly with the EDI to provide the 'keys' to your address but never allows them to store it.
>This infrastructure should be free market but with a "public option" in order to prevent oligopolization of these services.
Polkadot and many other cryptos with governance is also solving this problem.
I remember when Facebook launched I had a visceral reaction after seeing all the content being shared out in the open. My dad didn’t even want our phone number in the phonebook, and now I saw everyone else sharing every detail of their identity online.
The state does not give you name, but it registers it and uses it to recognize you in various situations. Usually the name is not enough to identify a person (and fun/disaster ensues when this is attempted) so, usually, more information is needed to identify a person.
While I don't agree that it's obvious even now that that using real names is damaging (i.e. makes things worse than anonymity/pseudonymity) the assumption that it's a scam goes 100% against Hanlon's razor.
It's pretty easy to claim that using real names online does more harm than good when pointing at a data leak but we should also consider the opportunity costs, the outcome of the alternative scenario. I'd say that all the fake and troll profiles show that anonymity makes people behave in a way that's damaging to online communication (and hence is a lot, maybe most communication is online these days, all communication). You can say that fake profiles are there anyway, which is true, but it still doesn't mean that everyone going anonymous wouldn't be a lot worse. So at best it's an undecided question as opposed to being a deliberate scam.
From my point of view it is their obligation to notify all the affected users. It's morally the right thing to do, and legally, well, I don't know, but maybe the GDPR says that yes, that it's their obligation to do so.
And with notification I mean to send a notification email, since I haven't logged in for months and don't intend to this year.
> whilst each record included phone, only 2.5 million contained an email address
This is Facebook ffs, they almost have a monopoly on communication.
> The Facebook spokesman said the social media company was not confident it had full visibility on which users would need to be notified.
The way privacy protection laws are, especially in Germany, is kinda stupid. On one side they often don't protect you in practice, on the other side they effectively hinder and sometimes prevent reasonable usage.
Just a few examples:
- A local government couldn't properly inform elderly people that they can now get vaccinated for free because of the interplay of various privacy protection laws (and stupidity/inflexibility in other areas tbh).
- Germany has a privacy-respecting anonymized Bluetooth-based contact tracing app (wrt. Covid). But if you do a test you first have to physically sign off that other people are anonymously informed that someone they likely had contact with has Covid, then when you get the result you still need to agree again to share this information. And even this was only possible after changing regulations. (I.e. why is one initial agreement not good enough?)
- The government most likely not being able to inform the victims of such data breaches.
This is false. I've been tested about 15 times within the last year and none of the things I "signed" included any of that.
I didn't have to physically sign ANYTHING at all. What are you talking about?? It's just a click field on the online application and that only says that you're okay with your data being shared with the lab that also sends you your test results.
> then when you get the result you still need to agree again to share this information.
This is also absolutely untrue as Covid, among others, is on the list of illnesses that the local Gesundheitsamt has to be notified of. It's not even optional. It's the law. https://www.gesetze-im-internet.de/ifsg/__6.html
Honestly curious where you got that information from?
If you did register a test with the Covid app you had to sign something when doing the (not "fast"/PCR) test. If not, something was legally not quite right. Also maybe in recent months this might have been changed, but it's unlikely.
> This is also absolutely untrue as Covid, among others, is on the list of illnesses that the local Gesundheitsamt has to be notified of. It's not even optional. It's the law. https://www.gesetze-im-internet.de/ifsg/__6.html
I'm speaking about the Covid app, not the health agency, which yes always gets reporting but also (at least at the beginning of Covid) had a completely inefficient procedure which made the German health agencies in most German states, at least in the middle, unable to process it anywhere close to in time. Like them collecting "people you had been in contact with" 3! weeks after you were found to have Covid was not uncommon.
> Honestly curious where you got that information from?
People officially working on the development of the Covid app (there is a CCC talk). And various other sources which also overlap with personal experiences (like yes, I personally had to give agreement on paper so that I could use the Covid app).
Note that the physical confirmation is kinda hidden on a paper containing all kinds of information, so many people might not have been aware of it.
> In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
If you really want to warn people and you have a plausible explanation for the legal basis on which we're doing this, then I would definitely be able to contribute resources to your cause.
But also, frankly, they put this info there and configured it to be public themselves. Doesn't mean they don't need to be warned about this misconfiguration, but it's quite different from if there had been a data leak caused by facebook that facebook isn't telling the users about. I don't feel the need to drop what I'm doing and spend a couple days looking into the legal status, coming up with a good narrative / what to text them, gathering other people, figuring out how a regular human being can send hundreds of text messages without doing custom app development (if avoidable), dealing with the aftermath...
TL;DR: if you cleared the list of todos in the previous sentence, then my resources you shall have.
My issue with haveibeenpwned is that I don't know what's leaked. Note, I'm super happy with the fact that the service exist because I'm happy with the fact to know who of my social circle is in it, so I can notify them. But I don't know exactly what's leaked.
Are passwords leaked, for example? What about my social info is on there?
Assume these columns are compromised. As a general rule it probably doesn't hurt to change the password and any you've reused.
The amount of laxity they have shown in this matter is appalling!!
(The only exception is banks because it has to match what's on my ID and credit report)
I don't have an account, but I'm fairly sure Facebook doesn't let you edit it once you've given it.
With someone's number you can very easily get a rough idea of where they live. I can imagine the living hell this creates for Domestic Violence survivors and others escaping bad situations.
On the flipside I plan on spending my weekends phone free, only carrying a small FM radio to play music.
Wait until you learn we used to collect everyone's name and phone number and often even their address in big books that just anyone could read. You could even have them delivered to your doorstep.
Nope. Account disbanded.
On the other hand, everyone used to get a book delivered to their house every year with the information that is contained in this leak. I remember when you were considered a bit of a crank if you had your number as unlisted in the phone book.
This "leak", has been blown way out of proportion. This leak, if anyone has actually bothered to look into it, will tell you there's very little available of value. For instance, there's no password.
There's about 2.5 mil emails that for all likelihood, it's already out in the wild. For the phone numbers, you can just robo-dial, (there aren't many to be found mind you). For everything else, they are data that the users have set public on their profiles, so they are meant to be seen, and you can readily search for them on Facebook already.
ALL THE LEAKED DATA WAS PUBLIC.
Do better HN.
/s of course, but maybe people really don't care because FB has been in so many of these types of controversies?
From here https://www.dataprotection.ie/en/news-media/press-releases/d...
So the authority is still looking into it. They could still reach an agreement with Facebook on what to do. Then Facebook would probably be shielded from whatever liability those actions would supposedly cause (their excuse "we might make mistakes"), because "we were told to".