Facebook and Twitter admit that marketers accessed the phone numbers people gave them for security verification. Here’s how to protect yourself without handing over your digits.
By Sean Captain, Fast Company “Compass”
First Facebook, and now Twitter. On Tuesday, Twitter admitted that it allowed marketers to access the phone numbers that users had registered with the site. Many had given their numbers to enable two-factor authentication (2FA)—that process where a website sends you a text message to verify it’s really you who’s logging in. Users didn’t realize they were also allowing marketers to verify who they are in order to build better advertising profiles incorporating Twitter user data. (Twitter says this was an inadvertent mistake and that it has closed the hole.)
That’s especially scary because our phone numbers have become powerful tools to identify and track us, not just for companies but for anyone who wants to look up our personal information stored in a myriad of public records such as court filings, voter registration, real estate transactions, and marriage records.
Twitter’s admission is a nasty case of déjà vu, since Facebook admitted to misusing phone numbers for ad targeting about a year ago. “For a lot of people, [text-message authentication] is a totally reasonable protection that you should feel comfortable using,” says Gennie Gebhart, a researcher on consumer privacy and security at the Electronic Frontier Foundation. “But Facebook was irresponsible, and now we can’t have nice things.”
In many ways, it may be too late to prevent these big social networks from using your phone number how they see fit. Facebook told me that they will only delete your phone number from their records if you delete your entire account. (And much as I’ve been tempted to, I’ve been unable to take that drastic step.) Twitter requires a phone number for 2FA, even if you use an app, although it says that may be changing.
Fortunately, there are other ways to secure your online accounts without handing over a phone number. Facebook, Twitter, and most major sites allow a second 2FA method that uses a free app to generate short-term codes you can enter into the site to verify your identity, just as you would with a code that is texted to you.
Authentication apps remain the best way to secure your online accounts, particularly Authy, a free app for Android, iOS, Windows, and macOS that’s intuitive to use. After you register your Authy account with the websites you use, the app backs up your 2FA setup registration to the cloud and syncs it across multiple devices, making it easy to log in even if your phone breaks or is lost. (Though that makes it a tad less secure.)
Google, LastPass, and Microsoft also provide handy free authenticator apps for Android and iOS. And popular paid password managers like 1Password and Dashlane also incorporate a 2FA function.
Some sites and apps make it even easier by replacing codes with push notifications. When you log in to a website, you get an alert on the authenticator app and press a button to confirm your identity. A site called Two Factor Auth provides an extensive list of whether major sites offer authentication based on your phone number or if they’ll also accept app-based 2FA.
WHAT IF YOU STILL NEED A PHONE NUMBER?
While most major sites allow authenticator apps, some are still stuck on phone numbers. But you have an option here too: Instead of your cellphone number, give them a Google Voice number.