Go without your number, boost Facebook safety
By Rob Pegoraro, Special to USA TODAY
A phone number can mean much more when it's stored on Facebook's servers - even if you provided it only to help secure your account.
Last February, software engineer Gabriel Lewis tweeted that adding your mobile number to your account as a two-step verification method (in which you confirm a login by entering a one-time code sent to your phone) could result in Facebook sending you text-message notifications about everyday activity on the social network.
At the time, Facebook apologized and said the text spam was an error.
In March, another developer, Jeremy Burge, tweeted that numbers you add for two-step verification still aren't reserved for that security use. Instead, other Facebook users can search for them -- and advertisers who upload contacts lists, called Custom Audiences, also can match you that way.
That time, Facebook did not apologize, noting that it hasn't required you to secure your account with a phone number since May 2018.
After a month of correspondence with USA TODAY, Facebook said it had changed its system to stop numbers newly added for two-step verification from being matched for advertising.
The correct response is to take Facebook up on its earlier, implicit invitation to remove your number from your account - but only after switching to a different form of two-step verification.
The cheapest option is to use the "Code Generator" authentication option built into Facebook's mobile app, which will compute a one-time code that you can then enter into your browser when Facebook thinks your login falls outside of your usual activity. This is free and fairly simple, but you need to set this up anew every time you switch phones. And Facebook's mobile app gathers more data than its mobile Web site.
You also should consider using a security key, a special USB key that confirms your login by matching a unique cryptographic signature for a site. They're not free but are cheap, starting at $20 from the best-known vendor, Yubico; Amazon sells other models, also certified by the FIDO (Fast IDentity Online) trade group, for as little as $10. Buy one, add it to your Facebook account, and from then on you can confirm a login by popping it into the USB port on your desktop or laptop. (Some also communicate with phones and tablets via NFC wireless.)
The key can't be fooled by phishing sites because it will ignore pages that don't sit at the right domain name. And the key will work even if you change phones or lose yours. Plus, you can use the same key to secure your Google, Twitter and Microsoft accounts, among others.
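For readers who want to see why a look-alike domain fails, here is an added sketch (not part of the original column, and not Facebook's code) of the origin checks a site performs under the WebAuthn standard used with FIDO security keys. The domains, challenge value and helper names are constructed assumptions, and the signature check that covers these fields is omitted.

```python
import base64
import hashlib
import hmac
import json

# Assumed relying-party settings; example.com is a placeholder domain.
EXPECTED_ORIGIN = "https://login.example.com"
RP_ID = "example.com"

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_assertion(origin, rp_id, challenge):
    """Constructed stand-in for what the browser and key emit for the page at `origin`."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin,          # filled in by the browser, not by the page
    }).encode()
    # authenticatorData layout: rpIdHash (32 bytes) | flags (1) | signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (7).to_bytes(4, "big")
    return client_data, auth_data

def check_origin_binding(client_data, auth_data, challenge):
    """Return the names of failed checks; an empty list means the binding holds.
    The key's signature over auth_data || SHA-256(client_data) is verified separately."""
    errors = []
    fields = json.loads(client_data)
    if fields.get("type") != "webauthn.get":
        errors.append("type")
    if fields.get("challenge") != b64url(challenge):
        errors.append("challenge")   # stale or replayed response
    if fields.get("origin") != EXPECTED_ORIGIN:
        errors.append("origin")      # login was started on some other site
    expected_hash = hashlib.sha256(RP_ID.encode()).digest()
    if len(auth_data) < 37 or not hmac.compare_digest(auth_data[:32], expected_hash):
        errors.append("rpIdHash")    # key was asked to sign for a different domain
    elif not auth_data[32] & 0x01:
        errors.append("user-presence")
    return errors

if __name__ == "__main__":
    chal = b"constructed-challenge-0001"
    real = make_assertion(EXPECTED_ORIGIN, RP_ID, chal)
    fake = make_assertion("https://login.example-secure.com", "example-secure.com", chal)
    print("real site:", check_origin_binding(*real, chal))
    print("look-alike:", check_origin_binding(*fake, chal))
```

Because the signature covers both the origin and the domain hash, a response produced on the look-alike page cannot be edited to pass these checks without invalidating the signature.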
Rob Pegoraro is a tech writer based out of Washington, D.C. To submit a tech question, e-mail Rob at rob@xxxxxxxxxxxxxxx. Follow him on Twitter at @robpegoraro.