All Data Is for Sale

What happens when a website that sells your personal information asks you to input your phone number to enable two-factor authentication? Your phone number is sold to advertisers:

Facebook is not content to use the contact information you willingly put into your Facebook profile for advertising. It is also using contact information you handed over for security purposes and contact information you didn’t hand over at all, but that was collected from other people’s contact books, a hidden layer of details Facebook has about you that I’ve come to call “shadow contact information.” I managed to place an ad in front of Alan Mislove by targeting his shadow profile. This means that the junk email address that you hand over for discounts or for shady online shopping is likely associated with your account and being used to target you with ads.

There really is no reason for a website to require a phone number to enable two-factor authentication. Short Message Service (SMS) is not a secure protocol, so using it for two-factor authentication, as many websites sadly do, is not a good idea. Moreover, as this study has demonstrated, handing over your phone number just gives the service provider another piece of information about you to sell.

Instead of SMS-based two-factor authentication, websites should at a minimum offer two-factor authentication through apps such as Authy and Google Authenticator that use the Time-based One-time Password Algorithm (TOTP) or the HMAC-based One-time Password Algorithm (HOTP). Better yet, websites should offer two-factor authentication that uses hardware tokens like YubiKeys.