Facebook told Axios that "a very small group of people have the option of entering their email password to verify their account when they sign up for Facebook," but noted that people could choose instead to confirm their account with a code or link sent to their phone or email.
"That said, we understand the password verification option isn't the best way to go about this, so we are going to stop offering it," the company said in a statement.
Those being asked for their e-mail passwords were users who listed an e-mail address that doesn't use the secure OAuth protocol, which allows users to verify their identity to a third party without sharing their passwords.
"That said, we understand the password verification option isn't the best way to go about this, so we are going to stop offering it, now that we've been caught."
Facebook always leaves that part out of its responses to these problems.
It wasn’t announced on their News site, and when the press asked about it, their first on the record statement is ‘we’ve coincidentally reached the same conclusion at just this same time and will shut it down sometime’.
I do not give Facebook the benefit of the doubt here, but coincidence is technically possible.
> Caught? They offered the feature directly to users.
Who didn't know any better, nor why it is bad in general and how it can harm them specifically.
So yes, FB was caught; exposed, if you wish. Especially given that they didn't roll out this feature to everyone, including you and me, which would result in immediate disaster.
They shouldn't need to log in to the user's password account at all through OAuth or any other way!
A side problem with this is that if it's truly easier for the user than clicking on an emailed link, then users are going to expect that from all of us. So you have to do the sleazy shit or from the users' point of view you are "behind" and less good.
I wish there was some good way to educate the user to privacy dangers. I mean, we could make an online workshop but would have to support it by advertising because we would have to reach the people who don't realize there even could be a problem. And the people willing to drop $5 on it are the ones who don't need to (classic problem in education).
They did something similar around 2010 when they (repeatedly) asked users to enter their email address and password "to see if any of your contacts are on Facebook so you can connect with them" with a "don't worry, we won't save your password" note next to it. What they didn't say was that they pulled in all of the user's contacts and also added them to their "super graph".
Would be really interesting if one of those non-OAuth email providers scoured their logs to find the Facebook "logins" and see what, if any, requests FB made against the server after successful authentication.
Last service that I remember asking me for the signup email password was ...wait for it ...MySpace!
It was years ago, but it sounds a bit like a swan song pattern to my ears despite the lack of any rational connection...
...they should find a new WhatsApp or a Snapchat to buy ASAP because sooner or later they'll be too uncool for people to share the interesting content in their garden, so their humongous user base's value will start asymptoting to $0.
They feel Facebook is about to pass on, so to speak.
That Facebook will cease to be. That it will expire and go to meet its maker (as its last user). That it's about to be stiff, bereft of life, resting in peace. That if it hadn't been propped up by the network effect, it'd be pushing up the daisies. That Facebook is about to kick the bucket, to shuffle off its mortal coil, run down the curtain and join the bleedin' choir invisible.
I just don't understand how this gets implemented without someone speaking up and saying "hey, wait, isn't this an insane thing to do?".
I would guess it's some combination of the complainers being ignored, and people at a higher level thinking "well we're doing this in a secure way, as long as the user trusts us, and why wouldn't they trust us, we're Facebook!".
The engineers who built it care mostly about their total compensation and getting promoted. They therefore gleefully implement the product requirements.
The PMs behind the idea also care about the above, except they are held to account by business objectives. By narrowly optimizing for a particular objective (reducing account fraud) in an unprincipled manner, they come up with an insane feature idea like this.
The lowly L3 engineer fresh out of college understands how crazy this is and speaks up, but is hammered down by the culture. The decision is quite literally above their pay grade. They begrudgingly fall in line as they have the most to lose in this situation.
Finally a story like this breaks and upper management realizes the contradiction with the narrative that they're trying to create - that Facebook really does care about your privacy. The whole project gets scrapped, and by the time it's all said and done, over $1M is wasted.
I find it fascinating how big tech companies are intent on spending enormous sums of money seeking out the top tech talent in the world. Then rather than listen to them when they voice concerns they try to beat them down into submission. I get that if you worked at a company whose core mission is evil that you just have to accept that when you sign up, but there's no reason facebook needs to be make these active moral choices to pursue things in the worst possible way and yet they consistently do.
I think you misunderstand the real purpose of these major companies fighting to hire as much talent as possible. Anyone in the Bay Area that cannot afford FAANG total comp knows how hard it is to hire top engineering talent. This is the end goal of these companies' hiring policies: to remove talent from the market.
Before these companies were FAANG, most of them were small, crazy startups that were able to easily acquire talent because tech was pretty boring at the time. You could pay market rates, but give someone an exciting project and they'd join you. That allowed all of these companies to completely disrupt the market. Having disrupted the market, they are no longer interested in this happening again.
The current hiring practices are to basically drain talent from the startup pool. Paying an engineer 500k is much cheaper than acquiring the new darling startup they ended up creating (DeepMind), which is much cheaper than acquiring the now large company that is threatening you (instagram), which is still much cheaper than allowing existential threats to you to eventually IPO.
There's the added benefit that you now have a bunch of great engineers on your team, but this isn't the real purpose. The tech giants of the past, IBM, Oracle etc all failed to realize how important it was not only to have good engineers, but to also remove great engineers from the market.
It is an authoritarian mentality fundamentally of "social order" - that they are beneath them so it is the "proper order" to obey. Above profitability even. You can see that bit of outright sadism with retail in particular but the pathology exists elsewhere. Rivals of Costco are angry with them for paying their employees more to get better motivated ones and less shrinkage - when if they think it is a waste of money be happy about it. Instead irrational rage because they transgress their precious social order.
It is part of the norm but the norm is horrifying and stupid yet you are the crazy one for suggesting something different like actually listening to the people you pay to think.
> Rivals of Costco are angry with them for paying their employees more to get better motivated ones and less shrinkage - when if they think it is a waste of money be happy about it
I don't have a citation, but I have read repeatedly that stock analysts cite "overpaying" their workers as a place where they could cut costs and boost short term profits.
Stock analysts are not the same thing as rivals, though. If people think it's needlessly costly, competitors would cheer because their competitor is pricing themselves out of the market. As for stock analysts, if it turns out Costco gets more efficiency out of their better-paid employees because they're better, more motivated and less likely to leave, then that will eventually reflect in profits and stock price.
That's exactly why they spend that much money. They know you can be submitted. They want tech talent. Not revolutionists. It's a rough world out there and it's better to get in line than lose your pot of gold.
Doesn't make it right at all. But if you were that engineer, it's easier to say to yourself that you'll work your way up and change things the day you are in charge.
It's not revolutionary to say that asking for user passwords is stupid and dangerous. Nothing good will come from giving your email account password to Facebook (or any company). It's also a basic human rights violation. We all have a right to our passwords. We do not have to share them with organizations seeking to exploit us and our information. It's just basic common sense, not revolutionary.
> Many professionals set out to make a contribution to society and add meaning to their lives. Yet our system of professional education and employment abusively inculcates an acceptance of politically subordinate roles in which professionals typically do not make a significant difference.
Companies are not democracies. Is it a contradiction that we both praise democracy and spend our working time in dictatorships? Probably but we usually don't even notice it.
I feel like you may share the same interest I have in this crazy giant federation of worker cooperatives (mondragon). I'm curious of many things in regards to it.
I think large corporations are a threat to both democracy and to capitalism. Excessive concentrations of wealth and power are dangerous. Clearly they can be leveraged for money and power, which is why they exist, but we might be better off with smaller scale enterprises and more equal co-operations.
It is kinda funny when you tell their headhunters you will never work for them because they don't meet your ethical standards. I highly recommend the experience.
I was looking for the Steve Jobs quote in this thread, thought this was going to be "It doesn't make sense to hire smart people and tell them what to do; we hire smart people so they can tell us what to do."
The industry standard appears to be "click on a link in an email", I think that's what FB did for me. So the question still remains what the RoI is that makes getting users passwords better. The only answers I can give are very bad, I can't see a legitimate reason to change to do it that way.
I'm not even sure if that is even true about mediocre tech talent, most people have some inkling of how their company makes money or at least how it intends to (some startups may obfuscate this information however, or not actually know).
Tech talent of all sorts generally don't know how the business manages money and what rules might apply to that management however.
I studied Electrical Engineering and in my experience, the only thing my classmates cared about was the technical aspects of the field, and often they couldn't see the big picture. Great talents of course, but more like robots, not even capable of understanding the humanitarian aspects of life. Such a waste.
Disclaimer: It's just my experience, not necessarily true for all engineers and engineering schools.
That's one part of it, I'm sure. Another part is that if you pipe up, you risk getting shunned: loss of income, loss of status, loss of being "part of the cool kids". Sure, you can get another job (that pays less) but you'll probably not work at the same cutting edge technology, and when you tell relatives or friends who you work for, their eyes don't light up.
If somebody offered me five to eight times as much as I make today with a huge boost in status and other positive side effects, and all they ask is to quiet down those silly principles, I'm not so sure I'd say no. "You can still do good in 5 years when you've made enough money to be set for life", I'd probably tell myself.
> If somebody offered me five to eight times as much as I make today with a huge boost in status and other positive side effects, and all they ask is to quiet down those silly principles, I'm not so sure I'd say no. "You can still do good in 5 years when you've made enough money to be set for life", I'd probably tell myself.
The worst thing is, sticking to those principles just means someone else will take the job.
Coming out of university, I had one job offer (it was a bad down market at the time). My principles made me say no. I didn't want to work on guidance systems for military applications, thank you very much. That choice has cost me a great deal in earning potential. Even so, I would find it hard to blame someone for compromising their principles.
Did they not pay any attention during the humanities portion of their education? That's part of why it's there.
Disclaimers: I'm not an engineer, but my CS degree is ABET accredited. I also took a few more Archaeology, Cog Sci, and Philosophy classes than strictly necessary.
When I was in college I did have to take philosophy 101. It and all of the other core classes such as biology and English were nothing more than annoying hurdles. I do enjoy learning about philosophy and such, but that is not at all what happened while I was trying to get my degree.
Though to be totally honest, to a large extent I considered the entire degree earning process to be little more than an about hurdle to entering the job market. I spent practically zero time reflecting in any of it during the process.
Did a Bachelor's + Master's degree in CS in Europe. Only around 5% of my coursework had (and could!) be outside CS. And you could fill that with things like Game Theory 102 or Copyright Law 101 or something without issue.
That's more like the typical engineering school format. I went to a Liberal Arts university, nearly half my classes were general humanities and sciences. The rest were in my major (also required an additional 18-21 credits for the ABET accredited degree option).
This makes sense, as you get your broad education before university. School focusses on a well-rounded education, whereas universities let you specialise. I realise this is a bit of a contrast to the US education system, with majors and minors, etc.
I partially agree with you. When I used to work at one of the big five, PMs for my team would regularly disregard the engineers' output on most matters (apart from occasionally letting us make purely technical decisions). This, of course, ultimately led to almost the entire team leaving, including me, and the rest transferring internally.
It's not all the engineers' fault. One can push back as much as one wants, but it rarely changes anything at all. However the PMs' success is measured based on delivered features and projects. In most big enterprises the engineers are just worker bees, for the queen PM bee and if they don't perform or don't want to do something, they can be somewhat easily replaced with someone who will. And don't forget that a lot of the engineers might be on a working visa, for example. And why would they jeopardize their job and their way of life on moral grounds, instead of keeping their head down and just going through the motions. I'm not saying that I agree with them, but putting all engineers in the same basket seems unfair.
Now that's why realistically it is much rarer for a group of engineers to take a stance than you'd think. This is why cases like the Google engineers who refused to work on military contracts got so much attention. As inspiring and empowering as it might seem, in reality it (almost) never happens.
But frankly, when you think about it, the only amazing thing about FB is how it got popular, that's all. As for the user experience it's very far from amazing, in spite of all the tech used. It's slow, and on mobile not only slow but also resource hungry, it has several glitches, plus there is a ton of things that annoy users.
Now, I can understand that someone working for SpaceX can think they're all amazing, but if you work for FB? It's like working for MS in the late 90s - maybe good for you cash-wise, and that's pretty much it.
Not really, as an engineer who has been in a similar situation.
It's not that I am programmed to keep my head down and focus on technical stuff only, and that I don't see the big picture and externalities of our actions.
Having a technical degree instead of humanity or philosophy doesn't make you less ethical. I'd bet a broke and uneducated person can be more ethical than me despite not having the technical education I possess.
I can see the ethical problems, but when I raised them to management, management acted like my friend and told me: look pal, there are many people in the world and we can't just think for everyone. You need to care about yourself and your family, and we care about you. This is our group and we only care how much our group prospers (read: makes money), and we don't care about outsiders.
It's ingroup and outgroup politics here and it's much easier to sympathize with the people who are in front of you acting desperate to make money than those who you'll never see.
Then they bring their legal team, who assure me that this plan is completely legal, so we will not run into any problems!
Have you ever seen Wolf of Wall Street? It's very similar to that: we live in a bubble where it's okay to do those things and no one around us judges us for that, so we feel safe and secure.
There is no one telling me that I am doing something unethical.
If you want to study this problem then go back in history and see how unfair the world was, and how the people who had it easy were pretty okay with all that.
I can choose to leave this job, but it basically means being stripped of your status, income and group (which took years of hard work), and even then someone else will do it, right? And I can move up the chain; some day I might do ethical work, the system can only be changed from the top, right? It's easy to justify your actions to yourself this way and stay at the place.
This is why control > salary for me. I would much rather (and do) work at a smaller company making less money, but where I have real input in the company itself.
We routinely have clients ask for more tracking data on users and we explain/teach why it is a bad idea. In some way these FB stories help me, because I can point to these articles and ask 'do you want to end up associated with this?'
That's great when you have the ability to forego potential salary.
It's also why manufactured scarcity (especially in housing) enables people who wish to apply engineering effort in unethical ways.
If 10 engineers are bidding on 5 houses, the 5 highest-paid ones will get them. Any pay raise they get will get dumped into their house - give them all 100k raises and the house will go up by whatever another 100k a year in mortgage payments gets you (I simplify, but not that much).
Not only that, those 5 highly-paid engineers who got the houses have every incentive to make it illegal to build more.
It's hard to stick to your principles when it means getting kicked out of your home, pulling your kids out of school, your spouse having to move away from their job, etc.
It's not just housing, of course, it's a huge part of it. The engineer with a $750 a month mortgage will have a MUCH easier time saying "fuck off this is evil" than one with a $7500 a month mortgage.
First, no one is talking about getting paid incredibly less (especially if you factor in COLA). It's more generally about not maximizing for only salary. Second, unless you want to work in one of the big companies, why work where it is only engineers bidding on houses? Engineers have the luxury right now of taking less pay and still making much more than a large majority of the population.
Most of this is, as you've correctly spelled out, just due to perverse incentives, and there's not really any intentional malfeasance. The REAL problems start when you get a neurotic psychopath with a modicum of power, and an agenda to climb the ladder, who pushes through ideas they KNOW are bad for the company, as a whole, in the long run, but do so anyway because they know it will help their career in the short run. I've been powerless to try to stop this from happening at two Fortune 250s.
The finance industry gets (often rightfully) vilified for having flexible morals and reckless profit seeking, but this is not something unique to finance. Finance was traditionally the environment that enabled this sort of behavior, but the root cause is that fundamental human behavior is still fairly reptilian in nature.
As technologists we like to think that we are above this behavior, but we are not. All it takes is someone to wave enough dollar bills in front of our eyes and we'll mostly justify our actions with a mixture of whataboutism and by saying "I'm just a lowly cog in the machine".
I'm seeing a great many parallels in the short term predatory and risky behavior in the financial machinations of the past and the behavior of tech firms including FAANG today. Even with the best intentions, the system eventually evolves to a point where the show is being run by fundamentally the same sort of people in both industries. Perhaps it is because it is these sort of people who strive in a cut-throat corporate environment that is itself in a cut-throat capitalist environment.
I'm not saying this as some sort of hard line leftist either - hell, I work in systematic trading so I'm as much part of the system as one can be. Yeah sure, I should hold true to my morals, but what about all the others who are willing to replace me at a moment's notice? I'm just a cog in the machine; my action will not make an ounce of difference and only cause hardship for myself.
I agree partially. First off, I don't think the finance industry gets vilified for having flexible morals; they attract hate for having no morals at all.
Certainly, you're right that we depend on each one to say "no, I won't do that", but I feel like there's a difference in quality: evil intent vs willful ignorance/negligence. There might be borderline illegal tax-dodging with large tech companies, there might be irresponsible data security, but there's not a lot that is comparable to the cum-ex-trades that large banks engaged in: no active defrauding of the government and/or citizens. Granted, it may happen once tech corporations have as strong a grip on governments as banks do, and feel secure enough that they won't have to face repercussions if it blows up.
Plenty of banks, and not just the large, global ones have actively engaged in tricking their customers by selling them junk and hiding and/or downplaying important details to get their sales provision, and it wasn't something that was "only known at the top". I've yet to hear of scandals of a similar magnitude in tech. Chrome doesn't contain any hidden crypto-miner, and if it ever will, I doubt that an investigation would reveal everybody on the team knew about it - it would likely just reveal a security breach or a small amount of people subverting the processes.
I do completely agree that tech isn't all sunshine, however. Behind pretty much every large scale data leak is an engineer that said "well okay if you want me to put this database server on the public internet and remove the password, I'm happy to do it" instead of refusing, and behind every horrible overreach in surveillance is an engineer that just blocks out the impact his work has on real people. There are people working on killer drones after all, and I don't think any of them are naive enough to believe that "they only target the bad guys".
> Certainly, you're right that we depend on each one to say "no, I won't do that", but I feel like there's a difference in quality: evil intent vs willful ignorance/negligence.
Oh, so you are saying that the willful and deliberate exploitation of people's private data, the willful and deliberate ignorance of laws by companies like Uber, the willful and deliberate "research" done by tech companies to determine the most addictive products to entice people to buy in and stay on particular platforms, the willful and deliberate exploitation of minors by tech companies to get them to spend their parents' money on whatever stupid game or product is the fad of the week, or the fact that there are tech companies running targeted campaigns to influence voter opinion based on stolen private data is all just ignorance/negligence?
I strongly disagree. There is just as much rotten in tech as is in finance, the only difference is that many of the shenanigans enabled by tech have not been outlawed yet. Borderline illegal tax-dodging by large tech companies is business as usual compared to the other crap that they do, but being disruptive and breaking things is hip and cool, and it's Us doing it, and not Them, so we let it slide.
You say that banks are willfully selling junk to customers, and this is true. But this is exactly the whataboutism I was talking about. Tech companies mining people's most private data to get them to buy stuff they don't need is just as insidious, if not more in my book.
I don't see Facebook openly admitting to their users that every single bit of their and their loved ones' lives will be exploited to the max to allow third parties to influence their opinions based on the wishes of the highest bidder.
I don't see them warning their users that right now they are (maybe) not being profiled by governments for thought crimes, but the data is all there, so if in 10, 20 or 50 years time the government changes, this is a definite and very real risk.
No, I'm not saying that at all. There are _some_ companies that run targeted campaigns to influence elections, sure, but they are a tiny minority in the world of tech. I don't like Uber's business tactics either, but I don't see them as the face of the tech industry - in fact, I don't really see them as a tech company. Count everybody whose main source of income is driving for Uber as an employee and the percentage of employees working tech roles is pretty small. Many large companies (including banks) have more and more complicated tech than Uber.
Again, let me make that clear: I'm not arguing that every company in the tech industry is staffed by angels, but that intentional bad actors in tech are the exception, not the norm.
> Borderline illegal tax-dodging by large tech companies is business as usual
And I haven't said it wasn't, I've merely compared it with what the largest banks have been involved recently. I don't know if it got worldwide coverage - this is what I was referencing: https://en.wikipedia.org/wiki/CumEx-Files
> I don't see them warning their users that right now they are (maybe) not being profiled by governments for thought crimes, but the data is all there, so if in 10, 20 or 50 years time the government changes, this is a definite and very real risk.
And I'd love for them to be legally required to explain privacy considerations to their users in such a way that informed consent can be given. Again: I'm not "pro big tech", I'm saying that big tech still has some room if they want to rub shoulders with big finance when it comes to amoral business practices. Big tech operates in a grey area, big finance hasn't seen anything but #000 in decades.
> Again, let me make that clear: I'm not arguing that every company in the tech industry is staffed by angels, but that intentional bad actors in tech are the exception, not the norm.
Just to be completely clear, are you arguing that the opposite is true in finance - i.e., that the norm is to be intentionally malicious?
I'm much closer to that position than the opposite.
This doesn't go for day to day interactions between you and a bank clerk, but rather for product development, sales etc. Fortunately, the industry is much more heavily regulated than the tech industry.
And in finance, they've developed entire management wings called "compliance" to watch over things and make sure that laws are not broken/the firm is not put at risk. I wonder if that will happen here (there is a distinctly smaller set of laws that can be broken, but Zuck apparently is asking for that now...)
Unless you have been doing deeply corrupt work for them for years you are not going to be making any change at that megacorp. I know someone who worked there and they just remove anyone who does not conform.
At the same time, you help Facebook do what it currently does, i.e. unethical stuff. I don't think an individual engineer's ability to influence a company they don't own outweighs their contributions.
Not necessarily. You don't have to lie during the recruitment/interview. If you get in you get in. And you can resign when they ask you to do something you feel you should not participate in.
Simply trying to get in to be on the inside - without lying, is better than not even trying.
Of course, trying to advocate for better political control (privacy, transparency, lower barriers to enter the market) is important, and can and should be done while trying to engage with FB, trying to get close to their internal decision making process.
And, naturally, not everyone has the affinity to work at FB, but since it's a spectrum, likely there are a lot of software engineers that do have some ethical concern with regards to what and how FB does, and they shouldn't be discouraged from working at FB, but they should be very much empowered to be able to stand up and leave when their moral compass signals.
Eh I don't think that holds universally - and even when it does is an inversion of responsibility. A small mutual protection street gang maybe could work for with resources but one doesn't make a vicious gang like the Cartels nicer by joining them and trying to reform them from the inside.
Okay, it might not hold, that it's the best place to try to exert change, but it's undeniably a channel of interaction. Not exploiting it leads to less change.
I would love to take a peek into the meeting where they formulated this idea.
With all the shit being fired at Facebook from all directions these days, I just want to see the faces and reactions of those who thought "Yep, that's a good idea!" when this concept was originally brought up. It's really stretching my curiosity and imagination to the point where I start wondering what type of people they are hiring at Facebook these days.
Is there a name for this phenomenon in psychology where one would insist on doing the exact same things other people are criticizing them for, but with an increasingly higher intensity the more they get criticized for it? This is exactly what it is.
LinkedIn asks for email passwords? I knew they encouraged uploading your contacts, but didn't realize they wanted your email too. Guess I shouldn't be surprised. If there's any major social media platform less ethical than Facebook it's probably LinkedIn.
You mean emails? I've managed to turn them all off; if that doesn't work, you can file a complaint with the EU who have strict laws against e-mail spam, and the requirement to unsubscribe with as few actions as possible.
Yeah, I've managed to stop all emails with my active LI account; they do occasionally add stuff that triggers them again, so I just go into the settings and they're gone.
LI are awful for many reasons, but they do honour these things.
Yeah, I'm not seeing where all this moral indignation is suddenly coming from. Asking for email passwords has been a staple for social networks since the beginning.
I worked at FB briefly so maybe I can explain. FB has a corporate culture that really discourages critique. When things are broken, especially internal things, people look at you funny if you speak up about it. A big part of that is that quarterly bonuses are given for "making an impact" and your group's status (and part of your bonus) is based on delivering a consistent set of "impacts" over time. So it is better for your comp to do things badly really fast since you get (1) did something super fast! and (2) get to record a big impact a few months later when you fix the obvious brokenness.
Pretty quickly, people learn to keep their mouth shut.
Also, many, many FB engineers are early-career folk who are fresh out of school. More senior folk are few and far between and are even more strongly incentivized to keep their mouth shut, because their bonuses are bigger.
Yesterday, this same rationale came up with why Google keeps launching new products and then abandoning them over and over and over.
I guess this is what happens when a startup gets big. They keep all the toxic baggage of startup culture (edit: "move fast and break things") while gaining the impact on people's lives that big companies have.
I think Apple is the only one of the FAANG that's jettisoned startup culture, and I think that's why they're doing so incredibly well.
Facebook also asked users in Australia for their naked photos. This isn't even the weirdest privacy invading request that they've had recently. This is business as usual.
There was also probably some "Well, financial sites/tax softwares do it and they have much higher security requirements than we do!".
Let's not underestimate the power of precedents: someone else said it was crazy at ANOTHER COMPANY, didn't get their idea through, and now other companies are copying it.
Additionally, a lot of people in the comments mentioned how engineers are ignored. Being able to convince your peers (like a product manager) of something is a skill, one that is fairly uncommon among "top tech talent", but happens to be a minimum requirement for roles like PMs. Saying "We can't do that, it's crazy!" and expecting everyone to just agree with you because you're awesome at coding just isn't going to cut it. Yeah, maybe the PM should have realized it was insane on their own. But let's consider that given hundreds or thousands of people in a company, crazy ideas might get deflected thousands of times, but it only takes one "failure" for it to slip in.
I was once in a conflict with a bunch of people at a larger e-commerce tech company because I railed against the practices and requirements of one of the stupidest projects that I was pushed into. The 'wisest' amongst the group, justifying his subservience, stated as an argument: 'they debate, they decide, we deliver'. I felt a visceral sense of disgust at hearing that and never spoke to this person again. He is doing quite well slithering up the corporate ladder, last I heard. The stupid project in question cost the company millions and died a well deserved whimpering death within a few months.
That's why they prefer young people?
Yep, they could be smart like anyone else, but they also care/need more about money for obvious reasons and in the long run they tend to fall in line more easily.
It has been established as minimal practice that NO ONE should be asking you for your password.
If this became normal, it would also make regular people more likely to give out their passwords.
And email is key to your online kingdom, so it's a big deal, if it gets compromised.
At the very least, your mail client has to ask you for your email password. Might sound like I'm splitting hairs but I don't think most users have a strong sense of why that's different from Facebook doing it. And with wizzy online features crammed into more and more desktop software (seen Photoshop lately?) you can't really fault them for it.
Your mail client isn't a company, that's not the same.
You're right that the wording is important, and we do a bad job explaining what passwords actually mean, and how to treat them. A simpler analogy: Don't give your house keys to strangers, McDonald's has no business asking you for your keys to confirm your order.
I don't think users need to understand why, they just need to understand what to do / not to do. I've taught my mother to never give anybody her passwords, not even me, and if anyone asks her for her password to call me. She's mildly annoyed when I'm helping her with something and I tell her to please input her password, but she's gotten used to it.
Did it work? It did. The representatives for a car sharing company were poorly trained and asked her to write her email and her password into a form. She refused, walked out and called me because she was worried that they were trying to get into her bank account. Turns out they wanted her to choose a password for their service, and were just very bad at wording it (and had the terrible idea to have customers hand-write it into a form and let somebody transcribe it into the computer system) and the guys working in the office had only been handed a script, they didn't actually know what information they were supposed to get. I'm certain that they accidentally harvested a good number of valid email/password combinations since it's a leading company that is owned by a major car manufacturer and has a good reputation.
This is security by "no one should be asking for your password". The responsibility is with the user and they need to be taught "you must not disclose your password to just anyone who asks for it".
Because most people need to be protected against themselves; a lot of people, even tech savvy ones, only find out later that their data has been stolen or their privacy breached.
I mean a random but common example is stolen credit card details. Out of automatism most people will fill those in when they're ordering something, without wondering whether the site is secure. And usually they are secure enough at the time of writing, only a few years down the line someone dumps them onto a public S3 bucket by accident. Whoops. If the system was secure by default - that is, CC data never passing to the webshop - that would be a preventable occasion.
Email in this case is the same - don't give FB access to your emails in the first place and they'll never be able to "accidentally" read all your emails.
People don't register on Facebook to check out this cool new social network; it's been quite a while since FB was cool. But imagine a situation of great social pressure, like your kindergarten parent group communicating there.
You know, when I moved from one country to another I've seen directly how a global action is better than dealing with those things as individual and wearing spikes 24/7 everywhere.
I think Facebook is very desperate and they don't seem to have a choice.
You see, Facebook has Facebook.com, Instagram and Whatsapp.
Facebook.com has already reached its peak and is not going to grow.
Instagram is likely to have the same trajectory as Facebook.com and Whatsapp is not making them money anyways.
They failed to get into any new market or come up with any decent product.
And they are supposed to compete with Google, which is competing on all fronts with extremely competitive offerings.
* Google Search
* Gmail
* Android
* Youtube
* Chrome
* Chrome OS
* Google Drive
* Google Analytics
* Google Docs
* Google Cloud
* Google Apps
* Google Maps
And they seem to be constantly trying new things (Stadia seems to have a really good chance to compete with PS and Xbox and get them a holding in gaming)
And Facebook keeps pushing out pathetic moves like this and all their acquisitions that were supposed to help them get into new markets and sectors (Oculus, Parse, etc) seem like failures.
Acquisition of Instagram bought them another 10-15 years, and they should be just very lucky to keep making the right call and buy the next Instagram.
Google continues to make the majority of their money from advertising. And since those early days they have not released a single product which has helped to diversify their revenue stream. But they've had plenty of failures along the way.
Facebook is far more interesting in terms of diversification. Payments via Messenger/WhatsApp is going to be great for them and is already doing well. Spilling over into web services e.g. Dating is equally looking promising. And they've done okay in the enterprise space with Workspace.
Fact is that it's far harder to switch social graphs than it is to switch search engines.
The only big companies that seem to be able to diversify their income somewhat are Microsoft and Amazon.
Microsoft makes its money from various products and services, and Amazon now makes a lot of money from AWS let alone its online shopping.
Compared to those two Google and Facebook are one hit wonders.
Amazon loses money on their online shopping. It is their consumer-facing offering so it grows their brand, while they make their money via services like AWS.
All of these types of "hey, give us your password to this other system" are just training users to get phished.
IMO the worst offender in this is Plaid, which has created a service where millions of people are giving their banking credentials so some random startup can mine your transaction data. And people think FB has privacy implications...
Swedish payment processor Klarna does something similar to this as well. If buying something through the platform by direct bank transfer you are asked to sign in to your bank to accept the payment using BankID [0], which is normal.
What is not normal is that they grab your personal identification number and send a login request using BankID before you open your app. When authenticating the login you authorize one of Klarna's third parties to log into your bank account as you, allowing them to pull records of all your financial transactions, account statements etc. Most users just authenticate the login without reading where the request is coming from on the login prompt.
I don't understand how that can be legal, but they are relying on recent court cases where scammers would call old people asking them to log on to check their retirement accounts. The scammers would then send a login request before the user sent theirs, log on to the accounts and change what funds received the victims pension payments. The scammers were ruled in the wrong, but the logins themselves were ruled to be an ok way of doing business.
POLi in Australia also asks for your bank username and password, logs into your bank's online portal, and performs a bank transfer on your behalf; which is of course in violation of the bank's policies.
It's truly insane, if I see any company accepting payment via POLi it's instant verification the company in question is clueless and that I should avoid using their services whenever possible, because they have zero idea about security.
According to POLi[1][2], the list includes:
Qantas, Jetstar, Virgin Australia, Microsoft (?), Sportsbet, Emirates, BetEasy, CoinSpot, Australia Post, TigerAir, Facebook (?)
The list goes on. It's pure madness.
I really wish there was more awareness of this, I can't believe these massive companies can't comprehend how they're being implicated when they encourage users to hand over their banking password to a third party.
> if I see any company accepting payment via POLi it's instant verification the company in question is clueless and that I should avoid using their services whenever possible, because they have zero idea about security.
They just don't care; if something happens, people (including the press) won't really blame Microsoft or Qantas, so they don't have an incentive to vet those payment systems.
Thanks for this comment. I had no idea - other than regularly seeing POLi as an option (that my bank didn't support) when visiting some of the websites you mentioned.
I will certainly steer clear of this process in the future.
Which is amusing / horrifying because Australia already has good ways to transfer money between bank accounts. BSB/Acct# for normal transfers and BPay for bills.
Klarna tried to ask for people's bank access codes in Finland until Finland's Financial Supervisory Authority ruled it illegal. Seems like a shady business to me.
>The scammers were ruled in the wrong, but the logins themselves were ruled to be an ok way of doing business.
This seems like something that the Riksdagen should step in on. BankID was meant as validating a legal entity (I am who I say I am), and a third party presenting that they are that legal entity (in this case, the person in question) would certainly seem to circumvent the intention behind that.
I tried to find more information about this statement:
"When authenticating the login you authorize one of Klarna's third parties to log into your bank account as you, allowing them to pull records of all your financial transactions, account statements etc."
Do you have any source to verify this claim? That they can and do pull down this information. I would like to know if they really have all that information or not, if so it's a surprise to me, did not know that.
I don't know if they do have it, but it is absolutely possible after the login. I saw it reported in an IT-security Facebook group and made my own purchase from a site that uses them (gottebiten.se), paying directly from my bank account. The login was indeed done by a Klarna 3rd party using my ID number, and not from my device.
You have to confirm once more for the payment to be sent.
I just paid using their direct payment method two times the last week or so. Will be more on the lookout in the future and try to keep an eye on these things.
Where it says you can email this address "dataskydd@klarna.se" if you either want them to delete your data (except data they are required to store as a bank) or if you want a print out of your personal information they store.
I've been asking them since GDPR took effect to provide me with all details they have about me, and to delete my account.
Not even a response.
They claim "financial institutions" are exempt due to money laundering laws.
That I understand, financial transactions they can keep, but I know a friend who works there; they don't only keep financial transactions, they keep data of every website/shop I visited where they have an "integration with".
Have you sent a complaint to the regulator? At least the Portuguese data protection commission is quite responsive, a clear email containing all the information I could gather was enough to trigger investigations, which resulted in warnings and even a couple of fines.
Wait, what? I use Klarna quite regularly and I assumed they were redirecting to my bank's website (in an iframe) where I would enter my credentials. I mean, the web form is even branded with my bank's logo and color scheme.
If it's really the case that I was just giving my credentials to Klarna who then logged into my bank account on my behalf, I have been phished, there's no sugar coating this.
BankID generally have quite strict rules about how you use their authentication, or so I've heard from their customers. If it is as deceptive as you say, I really don't understand how/why BankID is allowing it.
It's not really BankID's fault. It was discussed when it was discovered that Allra had misused BankID in this way. The BankID will say who/where is trying to log on, and the hijackers trust that users don't read the BankID login screen.
It's a great service and I can't believe shady things like this are allowed.
The way I saw this done is through an iframe, I suppose it's something similar to 3DS/VbV (while ridiculously misguided, this iframe thing was done correctly)
This is going to contain errors, one would have to be a professional to get this right, but the gist is that formally, no, but in practice it kind of does.
If the decision was made by one of the higher courts, a precedent will be created, which while not formally binding is essentially treated as such. In general the precedents can't create new law, only interpret. However this turns out to sometimes be a difference without significance, as effectively new law is created due to how heavy lower courts are leaning on some such cases.
One I have some knowledge of regards agency of company representatives where the interpretation made it essentially legal for a company to use third party sellers to act as representatives for the company write and sign contracts, which then the original party could renege on at any time, with no penalties by simply stating that their agent had overstepped their bounds. This was a case of a house builder backing out because the agent had given a price that the house builder deemed a little too low. This is described in the relevant literature as a clear precedent for all manners of company agency, while if you read the actual judgement it was clearly marginal. But it has effectively created new law. You now have to make sure to write contracts with an employee of whomever you are dealing with if you are to be able to trust in your contract.
All courts also have a right to judicial review, thus in theory a single local court can nullify any law if it doesn't follow the constituting laws, either completely, or for a specific case. If this happens, then that case becomes a precedent. This is however somewhat rare as far as I understand it, as it's somewhat of a joke that the best way to lose a case is to refer to the constituting laws, as they are essentially completely ignored.
Yeah, I'm amazed it works at all.
At least on the surface it seems our judicial system really has some deep flaws that nobody has really dared to address.
Too little real oversight, no binding checks on the constitutionality of new laws (although the advisory committee tends to be respected), and no formal way afaik to revoke precedents that turn out to have bad consequences.
It seems to work a lot based on some form of "gentlemen's agreement", and tradition. By now I guess we all know how quickly those can crumble.
During demonetisation in India (2016), mobile wallet startups threw privacy out of the window.
Paytm (India's largest e-Wallet), asked customers to enter their credit card details on their app on merchant's smartphone. I reported the security risk to them with a POC to their bounty hunting[1], they asked me to wait, removed the feature & the CEO told media that I was lying, there was never a security risk.
Mobiwik, read customer's SMS of bank transactions to inform its users which ATMs had cash.
Mint legitimized that authorization flow years before Plaid came around, and the banks decided that was the best way to move forward instead of adopting something like an OAuth2 flow.
I remember when Mint first came around, and a coworker was telling me about how cool it was. I started completing the signup process, but I stopped cold once I realized they needed to be provided account credentials from my bank. Never completed it, and never went back to it. I never thought it would last as long as it had. I guess I gave the public too much credit.
Counterpoint: Many people of the "general public" are at least vaguely aware of the fact that they're making risky decisions, but proceed regardless in order to reap the short-term rewards that you mention, calculating that the benefits are worth the hypothetical costs, and many of them will live and die having been right about making that tradeoff.
Counterpoint to your counterpoint: Living in flyover country surrounded by people with at best a high school education has taught me MANY things about how the public consumes tech.
They have no idea what is possible with technology. They literally do not and cannot comprehend what can be done with their information online. To the folks I interact with, it's almost magical how it works.
They trust, as another comment points out here, that someone is taking care of whatever trail they leave (if they even understand that's a thing). They trust that tech companies are acting in their best interests.
Maybe that's just anecdotal data from my experience, but it's my experience.
I use mint even now. I'm generally technically paranoid, and have just concluded mint is not actually that risky.
Here's why:
1. Most banking companies seem to have a much better security landscape than other places, including tracking where you're logging in from. Even with a password it won't be easy for a hacker to do stuff with my accounts. Almost any change or transaction triggers an email and sms alert too.
2. The main bank I have my money in, doesn't let you do transactions larger than 2000 in a day online, and even that is insured against fraud.
3. For credit card accounts, I have noticed that you actually can't do much with just an online account, except to pay the bill.
4. Mint is owned by Intuit and they know my tax details, most of which are far more important and guard-worthy anyways.
5. Also till now I've been a fairly poor guy with not much in my bank accounts. So I didn't worry too much about losing my cash since I didn't have much. If you have a lot of it, perhaps you need to be careful with such services.
Mint's privacy policy includes this language: "we may prepare and share information about our customers with third parties, such as advertisers or partners, for research, academic, marketing and/or promotional purposes." Any usage of "may" can be substituted with "will".
They say they will anonymize data, but advertisers have no interest in data if they can't action on it -- i.e. use the data they buy for targeted advertising.
To some of us (me) the service Mint provides is well worth letting some marketer know I spent $50 at Walmart yesterday, that's not sensitive information to me, and if it were I'd be paying in cash.
I even gave the transaction history of all my credit cards directly to Drop (https://www.earnwithdrop.com) in exchange for a few dollars, that's how little it means to me. (So far around $30)
I've been using Mint for years; it's been very useful for me. Adopting other mechanisms like OAuth will be slow; they wouldn't be able to support that many financial institutions.
That's the problem now though. We've made it so apps have to be approved by gatekeepers, and are highly discouraged by the gatekeepers from sharing state with other apps on the same device.
Then the recommendation if that's a problem for you is to use the web. But sometimes the web doesn't work, as is the case here, because it requires the user to trust third party code in real time and give sensitive data to third party servers they don't control.
So we have everything pushing the user to put their most sensitive information into some third party service that should be an app, but isn't, because cloud.
I'm not talking about sharing state with your webserver, I'm talking about two apps on your phone sharing state directly with each other without ever leaving the device or becoming accessible to a third party.
Desktop operating systems have a slew of ways to facilitate this, and the mobile gatekeepers keep eroding them. They're also terrible at dependency management (a completely solved problem in real package managers), which discourages creating apps that depend on other apps.
There are still ways to do any given thing, but if you make it harder then you make it rarer.
> My understanding is the app permission model never asks for network access, so all "apps" are effectively web clients with a fancy UI.
At least for Android, not exactly: they still have to require network access (android.permission.INTERNET), and you can check if they have done that in the Play Store (description → Read More → App permissions). What changed is that the Store won't explicitly ask you to confirm you're OK with it when installing.
In any case, typical native applications didn't have to ask for network access either, that didn't make them all effectively web clients. Many of the mobile apps I have installed don't rely on a central service.
Monzo in the UK recently added a beta ("labs") feature in their app to check your Barclaycard balance from within the app. Sounded ideal as the Monzo app is the best banking app I've ever used. I figured they'd be using Open Banking (the new OAuth style authentication system rolling out across banks here).
I went to turn it on only to find that they use a third party who ask for all of your Barclaycard credentials (including your full "secret word", which you normally only enter a few characters from at login time). I've no idea why they'd go this route, but exactly as you say - it just trains users to get phished.
It also wasn't clear what this third party would do with the transaction information they scrape from your account. Overall a terrible idea.
Degiro, an investment platform, do the same for your initial £100 deposit: you enter your bank's auth info and they do the wire transfer for you. It uses a 3rd party system called "SOFORT". Thereby training the public that passwords to a bank account should be given to random third parties, undoing years of painstaking training efforts.
If they asked for your PIN code, people would clearly balk. But somehow, passwords to a bank account are fair game. It's exasperating.
> Thereby training the public that passwords to a bank account should be given to random third parties, undoing years of painstaking training efforts.
Account details are relatively fine to enter on other sites; just entering 2FA tokens should be limited to transactions that you really want to confirm.
1. You train end users that entering banking credentials on 3rd party sites is Okay. This makes educating against phishing an impossible task.
2. Many banks require (a form of) 2FA to log in. Perhaps it’s a “2 letters from a secret code” system (see sibling post). You’re now educating users that entering 2FA on 3rd party sites is ok. This is the end of educating users about any security at all, really.
3. This 3rd party gets access to my full transaction history, everything I ever spent on anything, using this account. That is an unconscionable overreach in personal data access. “But we don’t use it / read it / store it / we only send it to trusted partners / .....” I’ve heard that song too many times.
If someone asked for email account passwords and 2FA login, people would scream bloody murder. What makes this different?
Note that none of this is about money. If someone defrauds me, the bank will refund me. It's the least of my worries, really. Sure, rather not. But the bank can't refund my privacy if someone exfiltrates purchase history. Based on any data leak ever, I think we all know what's the most valuable thing in my bank account... it's not the money. It's the data.
Plaid might be my least favorite company ever. It's such a privacy nightmare and they do not even tell you basic information about what you are sharing (or how to revoke sharing rights) going through their typical flow on some random fintech app. If you look at their website, you could be giving away just the bank and routing number, or potentially your entire bank transaction history, balance, identity information, etc. and have no idea. It's terrible and could never recommend ever using an app that forced you through that flow.
Except that like all no-longer-a-startup companies who can make your life a living nightmare if they are not spot-on perfect with their security, Plaid have slapped a mandatory, binding arbitration clause in their user agreement.
Thus, if they do drop the ball in some catastrophic way, your ability to recover anything beyond a firm handshake and maybe an "oops, our bad" on the way to an "Our Incredible Journey" blog post is on the same level of probability as my winning a gold medal in curling at the Olympics: it statistically could happen, but very likely won't.
I alluded to this in my other comment, but I don't blame Plaid. Blame the banks - Plaid isn't doing this behind their banks, but with their blessings. Again, Mint was doing this for years.
When it comes to credit card fraud, the banks are buying all sorts of AI based solutions; after all, it's their money. When it comes to customer cash, then it's the wild west. I recently found out that my Wells Fargo password isn't even case sensitive.
There is clearly a market need for easier information exchange. Authorizing ACH withdrawals shouldn't require me depositing 2 random values in your account. The Banks could have done the work here, but they didn't and then Plaid came along and did the work for them. I hope they take data security more seriously than Wells Fargo.
Plaid's value is providing the SDK that developers can plug into their app to connect user bank accounts with their app. They have purposefully decided not to show a very common step in the user-facing bank link/onboarding flow of displaying exactly what information you are providing the developer with (e.g. think about FB Connect, Twitter, and Google and how each requires developers to show exactly what permission is being asked of the user).
Plaid has several endpoints you can hit. It could be as little as the bank number/routing number (to pull/push funds), but it can be years of bank transaction history and/or all identifying information about you from your bank (e.g. names, emails, phone numbers, addresses) and/or your current bank balance as well. An app that doesn't even provide mint-like functionality (e.g. showing your spending habits) could be pulling years of bank transaction history and you would not even know. That's horrifying.
Again, Plaid can and should take responsibility for not showing a simple permissions page. There is no way this is just an "oversight" on their part. It's a deliberate decision because they know it would be a conversion killer if people actually consciously understood how much information they are granting to random apps.
Users are generally dumb. I don't disagree that users are granting permission to these apps, but I'm saying that Plaid is making it purposely opaque in a way that common auth flows like FB/Twitter/Google do not do or get away with.
Not case sensitive, huh? How about not even distinguishing between letters and numbers?
When I called a prominent bank* recently, I was asked to enter my password via the phone. As in, the digit-equivalent of my password. At least I finally figured out why their password length is capped so low - user experience!
*I began this post with the bank name, and then wondered if given their approach to security, even that might be a bad idea.
> I hope they take data security more seriously than Wells Fargo.
But it doesn't really matter how seriously Plaid takes data security, as their whole business is around providing your account data (including your transaction data) to other companies. What matters is if the thousands of business customers of Plaid take data security seriously.
In Australia, there’s POLi Payments, now owned by Australia Post, which gets you to enter your bank username and password, then impersonates you (https://www.polipayments.com/Security is their statement about it, and a substantial fraction of the text on that page is just flat-out lies). Naturally, doing so is entirely against the ToS of all the banks (including you now being liable for literally anything), and a few banks have publicly said “don’t use that” or similar, but they evidently tacitly support it, because I don’t imagine it would be hard for them to block.
I was incredulous when I first tried to use POLi Payments and realised how it worked—I ran away screaming, naturally. That entire business should be shut down with prejudice.
Yes. Mint also does this. From what I've heard, there are a lot of banks without APIs, so the next best approach is to login on behalf of users and scrape the data.
The data is encrypted with a key that you have, not one that the server has, which is much, much better. If someone breaks into the server they are not able to very quickly grab all the data. They have to be able to deploy some malware on the server and allow it to run for a while to collect passwords.
If the on-line component goes anywhere beyond the ability to sync an opaque binary blob that only your local machines can decrypt and reencrypt, there's a problem there.
The devices could exchange their keys through a secure connection - be it direct (Bluetooth, LAN) or routed by a third-party service. It could also be transferred physically (through removable storage, or through retyping a bunch of numbers shown on one device into another device).
They do this because banks refuse to implement a properly-secured read-only API for granting access to transaction data. (I think maybe Chase now finally has one)
Maybe if the banks realize their customers are handing over their credentials in large numbers, it will light a fire under them to build a real solution.
> Maybe if the banks realize their customers are handing over their credentials in large numbers
Or they might pop a bottle of Champagne over that, in jurisdictions where the bank is by default responsible for all the account abuse risk unless they can prove that the user has shared credentials.
Probably not, because liability for non-credit accounts is up to the customer, not the bank. If people give up access credentials then they only have themselves to blame.
I haven't heard any reports of Plaid doing bad stuff with user transaction data, so I suspect there's a bit of paranoia in the comments here.
On the other hand, there's an underlying (and valid) concern that handing over bank credentials to a third party is risky and, even assuming good faith from Plaid, they have to store passwords on their servers somehow (probably encrypted).
Since they make money from integrations with startups/big banks, there is definitely a conflict of interest between keeping user credentials safe and growing their revenue.
I think as a whole, relying on a modern company which specializes in authentication is better than trusting that thousands of app developers, some of which might be big legacy banks with woefully understaffed IT departments, will keep your credentials safe. I'm aware that I'm more optimistic than most people in this thread (and on HN) though.
Here's a stackexchange question with some good discussion about Plaid security:
Arguably, giving up your email login is worse than giving up your banking login, since attackers could use your email to reset the password on other accounts, possibly including bank accounts.
For banking, a better system would allow you to generate some kind of token in your banking site which would allow the kinds of permissions you want to grant to a third party, and which you could unilaterally revoke at any time.
Yeah back when ING still had a retail presence in the US they were notorious for not working well with Mint… because they required a mint specific access key and not your master credentials.
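The "generate a scoped token in your banking site, revocable at any time" idea from the comment above (and the ING/Mint-specific access key mentioned in the reply) sketched as an added example. This is illustrative code written for this page, not code from any bank, Mint or Plaid; the scope names, the `AccessTokenStore` class and the single-process in-memory store are assumptions for the sake of the demonstration. The points it shows: the bank keeps only a hash of the token, each token is bound to one third party and a fixed set of scopes, a read-only token cannot be used for a transfer, and the account holder can revoke a client's tokens unilaterally without touching their own password.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Hypothetical scope names chosen for this example; a real bank would publish its own.
SCOPE_TRANSACTIONS_READ = "transactions:read"
SCOPE_BALANCE_READ = "balance:read"
SCOPE_TRANSFER_WRITE = "transfers:write"


@dataclass
class Grant:
    owner: str             # the account holder who created the token
    client: str            # the third party it was issued to (e.g. a budgeting app)
    scopes: FrozenSet[str]
    expires: float
    revoked: bool = False


class AccessTokenStore:
    """Per-client, scope-limited tokens that the account holder can revoke at will."""

    def __init__(self) -> None:
        # Keyed by a hash of the token, never the token itself, so a dump of this
        # store does not hand out working credentials.
        self._grants: Dict[str, Grant] = {}

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, owner: str, client: str, scopes: Iterable[str],
              ttl_seconds: int, now: Optional[float] = None) -> str:
        """Mint a fresh random token for one client with a fixed scope set and expiry."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, shown to the user once
        self._grants[self._fingerprint(token)] = Grant(
            owner=owner, client=client, scopes=frozenset(scopes), expires=now + ttl_seconds)
        return token

    def authorize(self, token: str, required_scope: str,
                  now: Optional[float] = None) -> Optional[str]:
        """Return the owner's id if the token is live and carries the scope, else None."""
        now = time.time() if now is None else now
        grant = self._grants.get(self._fingerprint(token))
        if grant is None or grant.revoked or now >= grant.expires:
            return None
        if required_scope not in grant.scopes:
            return None  # a read-only token never authorizes a write
        return grant.owner

    def revoke(self, owner: str, client: str) -> int:
        """Kill every token the owner issued to this client; returns how many were live."""
        count = 0
        for grant in self._grants.values():
            if grant.owner == owner and grant.client == client and not grant.revoked:
                grant.revoked = True
                count += 1
        return count

    def active_grants(self, owner: str,
                      now: Optional[float] = None) -> List[Tuple[str, List[str]]]:
        """What the account holder would see on a 'connected apps' page."""
        now = time.time() if now is None else now
        return [(g.client, sorted(g.scopes)) for g in self._grants.values()
                if g.owner == owner and not g.revoked and now < g.expires]


if __name__ == "__main__":
    store = AccessTokenStore()
    tok = store.issue("alice", "budget-app",
                      [SCOPE_TRANSACTIONS_READ, SCOPE_BALANCE_READ], ttl_seconds=3600)
    print("read allowed for:", store.authorize(tok, SCOPE_TRANSACTIONS_READ))
    print("transfer allowed for:", store.authorize(tok, SCOPE_TRANSFER_WRITE))
    print("revoked", store.revoke("alice", "budget-app"), "token(s)")
    print("read after revoke:", store.authorize(tok, SCOPE_TRANSACTIONS_READ))
```

Because the token is a random value rather than the user's password, revoking it costs the user nothing, and because the store only keeps a SHA-256 fingerprint, the lookup is by preimage-resistant hash rather than by the secret itself. A production version would persist grants, log which client used which scope, and issue the token through an OAuth-style consent flow; none of that changes the access check shown here.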
Yeah, but the difference (at least I think so, as I'm not a mint user) is that Plaid is building an API for other startups to use. It's somewhat amazing to me how little is needed for folks to gleefully hand over their bank passwords to anyone who asks for it.
> a service where millions of people are giving their banking credentials so some random startup can mine your transaction data
Wow, that's insane. I didn't think I'd ever be happy that all banks here in Brazil require you to install an invasive piece of software to validate your computer before allowing you to use online banking, which as far as I can see makes that sort of business model non-viable here.
This is by far my biggest concern with the new PSD2 system that's about to be launched. Even though I can understand why it might help break up monopolies, I still worry that easier access to banking details is going to end disastrously for people's privacy.
Transfund does this now. I tried complaining to their support and they just don't get it. Account/routing number should be enough, they don't need access to my transactions, etc.
Add that on top of increasing fees and I'm seeking alternatives.
Hey, this is like 10 years ago, when both facebook and linkedin were pestering you to give them your e-mail password, so they could import all your contacts.
Not sure about them previously asking for email passwords, but there are many email APIs that can give permissions access to your contacts [0]. I don't doubt that in the older days of Facebook they were probably achieving this using some shadier methods.
But worse than this, just by installing the Facebook App it liberally takes contact details from your device [1].
I personally use mbasic.facebook.com as it can run without JS and only updates when you refresh the browser. facebook.com refuses to run without JS and causes my browser to use tonnes of resources when JS is enabled.
(P.S. Like many, I can't completely abandon Facebook just yet as lots of older friends and family are "unable" to migrate to other platforms.)
Even worse, wasn't it Facebook claiming to some of your friends that you used this feature even when you didn't?
It was basically Facebook ruining your reputation.
Doesn’t this ask the user to violate the terms of service of their own email platforms, assuming most email providers prohibit you from sharing passwords?
Some habits are hard to get over I guess. Remember when Mark Zuckerberg (allegedly) used FB data to hack into the email accounts of journalists reporting on him? [0]
I recently learned that when you connect your Paypal account to your checking account, there are two verification methods you can choose between: 1) the good old fashioned, we'll make two small deposits into your account, tell us what they are; and 2) just give us the login info for your bank's web site.
The CTO/CEO wanted to add a feature that lets users enter their bank password and through a service (Yodlee/TradeIt) lets the company read their stock portfolio and perform actions.
I told them that I don't think people would trust their bank info to some small fintech startup. Boy, was I wrong: people with $4M stock trading accounts would enter their credentials all the time for the convenience of not having to copy the data over (since brokers didn't have an API with tokens).
Eventually the company grew and it's pretty reputable on its own, but I remember pretty vividly the surprise of people trusting all their money to us.
While sometimes users actually knowingly make those trade-offs, I suspect many think they are making a quite different trade-off.
It's not really that people trust you that much; it is more that, in the moment you ask, they don't understand the consequences at all.
Unless you very explicitly tell the users about the risks, that they would have zero recourse if something goes wrong, they will believe it is okay for them, that somehow everything is taken care of.
Very similar to why people fall for con men. Nobody expects someone to have the audacity to lie so grandly, act so confidently, while in truth being completely 'naked'.
You tend to assume that the insanity must have a point, that the obvious loopholes must somehow be covered - taken care of - based on nothing but the fact that someone acted with confidence.
Actually, I was surprised to see yesterday that Google offered this as well, when I set my bank account as a payment method for my Google apps account.
After a bit of consideration I went ahead and did it—I consider Google trustworthy as far as security practices, and to be honest, I didn't expect it to work. Chase forces (!) two step authentication despite my very strong password, and I thought that would prevent Google from logging in.
To my surprise, the process appears to have worked fine—my bank account was verified. I also didn't get a "new sign in from" email from Chase. So I wonder if they actually logged in or did something else...
I believe most if not all legitimate companies that ask for your banking credentials (besides your bank, obviously) are just passing them straight to https://plaid.com/. It's still questionable whether you should trust Plaid with your banking credentials, but at least you probably don't need to trust that Paypal and Mint are both going to store your credentials securely.
> but at least you probably don't need to trust that Paypal and Mint are both going to store your credentials securely.
Sure you do. They have it in plaintext on their servers. It can end up in logs. It's also not just Plaid - Mint uses Intuit, Yodlee is an option. There's a whole lot of people you need to trust to use these services
For many banks, it also means you need to disable 2fa on your banking account, so using these services directly weakens your security.
I think there are many services for social media that ask for your account password so they can post in your name on Instagram or Twitter when you post a Youtube video or whatnot. Not to mention the shadier services that do the follow-unfollow dance.
Facebook has never faced significant financial consequences for its misdeeds. You can be assured it will continue to hold its users privacy and security as distant second place priorities to how much money it can make off them. If you want a company not to be evil you have to make being evil more expensive than being good. Nobody is willing to do that so the shit-show will continue for the foreseeable future.
The sad story of people is that they give their email password to everyone who asks. I keep telling my friends, "please don't tell me your password, just type it", but they keep laughing at me: "stop it, you and your crazy tin hat". It's the sad reality, really.
I noticed that when I was dating around it was extremely important that they could find my Facebook profile; if I said I don't use Facebook much, they would immediately respond with scepticism.
For that purpose alone I kept it.
And they have a point, it's easy to find out if someone is single or not via Facebook, and you are bound by your friends to be truthful.
I'm not single anymore, but I'm still curious, in those countries where everyone is not sleeping around with everyone what would replace Facebook?
> it's easy to find out if someone is single or not via Facebook
That was many, many years ago. Ever since, they've been tightening up privacy defaults, and now when checking out that person you met, the best you'll get is a profile picture and a list of mutual friends. Everything else tends to be locked down by default for non-friends, and Facebook keeps regularly reminding people posting widely that they could tighten their posting range.
Whether that's a good or bad evolution depends on one's use cases and the views on whether being able to do little background checks on other people is OK or not.
Verifying a user's email by collecting their password is ineffective for users with 2FA enabled and reckless/malicious for those (the majority) without it.
Accidentally log that data somewhere, and you've opened a way for attackers to take over your users' bank accounts, social media, and pretty much every other online account, as they all rely on email verification.
If we had privacy laws with teeth, somebody at FB would be calculating how many millions in liability each piece of data collected represents. This one would be astronomical and an automatic "no" by those calculations.
If this is really for the purpose of email verification, I can't even begin to fathom what they were thinking. Asking for users' email credentials is terrible, but even requiring that they log in using OAuth is ridiculous!
Verifying email addresses is a solved problem that doesn't require _any_ of that... you just send a time-sensitive, signed link containing a unique identifier to that email address, and users click it to verify their address.
I really can't understand why they would choose to go a different way -- and particularly _this_ one.
I am not sure if allowing users to use non-email addresses as a user-name helps solve that problem, though. I would be interested in reading research on the subject.
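The "time-sensitive, signed link containing a unique identifier" that the comment above describes as the solved alternative to asking for an email password, written out as an added example. This is illustrative code for this page, not Facebook's or anyone else's implementation; the `SERVER_KEY` value, the one-day TTL, the `/verify-email` path and the in-memory `used_nonces` set are assumptions. It shows the parts that actually matter: the token is HMAC-signed so the server can trust its contents without storing anything, the MAC is checked in constant time before the payload is parsed, the token is bound to a specific user and address, it expires, and it can only be redeemed once.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Set

# Hypothetical server-side signing key; a real deployment loads it from a secret store.
SERVER_KEY = b"example-only-signing-key-replace-me"
TOKEN_TTL_SECONDS = 24 * 60 * 60  # assumed: verification links expire after one day


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the token survives inside a query string."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(payload: bytes) -> bytes:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def make_verification_token(user_id: str, email: str, now: Optional[float] = None) -> str:
    """Build the opaque token that goes into the verification link."""
    now = time.time() if now is None else now
    payload = json.dumps(
        {
            "uid": user_id,
            "email": email.strip().lower(),
            "exp": int(now) + TOKEN_TTL_SECONDS,
            "nonce": _b64(secrets.token_bytes(16)),  # makes every link unique and single-use
        },
        separators=(",", ":"),
        sort_keys=True,
    ).encode("utf-8")
    return _b64(payload) + "." + _b64(_mac(payload))


def verify_token(token: str, user_id: str, email: str, used_nonces: Set[str],
                 now: Optional[float] = None) -> bool:
    """Accept the token once: valid MAC, not expired, bound to this user and address."""
    now = time.time() if now is None else now
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        mac = _unb64(mac_b64)
    except ValueError:
        return False
    # Check the signature before trusting anything inside the payload.
    if not hmac.compare_digest(mac, _mac(payload)):
        return False
    try:
        claims = json.loads(payload)
    except ValueError:
        return False
    if claims.get("uid") != user_id or claims.get("email") != email.strip().lower():
        return False
    if now >= claims.get("exp", 0):
        return False
    nonce = claims.get("nonce")
    if not isinstance(nonce, str) or nonce in used_nonces:
        return False  # replayed link, or a link that was already clicked
    used_nonces.add(nonce)
    return True


def verification_link(base_url: str, token: str) -> str:
    """The URL that is emailed; the address is verified when this is fetched."""
    return f"{base_url}/verify-email?token={token}"


if __name__ == "__main__":
    redeemed: Set[str] = set()
    tok = make_verification_token("42", "Alice@Example.com")
    print(verification_link("https://example.invalid", tok))
    print("first click:", verify_token(tok, "42", "alice@example.com", redeemed))
    print("second click:", verify_token(tok, "42", "alice@example.com", redeemed))
```

Nothing in this flow ever needs the user's mail credentials: the only proof required is that whoever controls the mailbox fetched the link, and the server's only state is the set of redeemed nonces (in a real system a database row keyed by nonce with the same expiry as the token). Binding the token to the user id and address means a link leaked from one signup cannot be used to confirm a different address.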
It's interesting to note that in order for a feature or capability to be implemented, it has to provide value to the end user. So at the planning phase of this feature, didn't anyone in their right mind think that this was a bad idea? Given the current situation that Facebook (Fakebook) is in with security missteps, why even invest time and money just to hope that users (at least the ones that are concerned) won't complain? Hope it's not a strategy.
>Facebook is demanding some users fork over the password for their outside email account as the price of admission to the social network
What a dishonest article. Facebook is not demanding users to give them the password to their email to be able to use the network. Instead, it looks like they are giving the option of doing so to verify the email address, but you can still go the traditional route of verifying your email by clicking a link.
Interesting take. The article says what happens; it doesn't hide the process. The user is presented with a dialog box asking for their external email password, and the article states that the user, by clicking the small "need help?" link in the corner, can ask for other traditional methods. Nothing dishonest in the article.
The question here rather than why are you asking for mail passwords is what is facebook doing with the passwords? All possible answers seem creepy as hell.
On a somewhat related note, I recently added an external bank account to my E-trade account. They gave me two options for verifying it. The first was to make a small deposit into the external account (which they said would take several days to complete). The second option was to provide my bank account's credentials and they could verify it immediately. I chose the first option.
Don't a lot of the social networks do this? LinkedIn used to ask for email passwords all the time at one point; don't know if they still do. Mint and others want passwords to bank accounts. I know we are a bit more sensitive, i.e. about privacy, but the general population is still not. I can understand Facebook needs to be extra cautious now, but I guess they don't care.
I don't get the outrage. No comment mentions this, but most non-tech people already give Facebook their e-mail password. All Facebook needs to do is try to use it.
Look up the password re-use rates among users of the Internet.
People may have weak and strong passwords for less and more important services. Guess how they would rate Facebook...
How did they make it work? Even given the passwords, how would they check robustly without tripping the email provider's "unusual connection from IP x.x.x.x"? Even if they have a few IPs to make the checks, the mail server may notice that one IP is connecting to thousands of accounts.
According to the article it was only offered to a subset of providers that don’t have OAuth APIs.
Presumably google and other high security email providers got the OAuth option and this more insecure option was offered to users with ESPs that don’t have the gmail security features you mentioned.
It is perhaps the way you've presented the argument that is generating downvotes, but I fail to see how this is outside the realm of Facebook's pursuits given past behaviour and current activity.
Or is it that people would support this use because of a 'noble intention?' (ends justify means)
Would Facebook then start making calls to the police for welfare checks when a user stops using Facebook without closing their account? Surely, something must have happened to the user if they stopped logging in frequently. After all, users don't just stop using the service.
The answer is simple. They don't care about the moral side of their actions, and the government doesn't want to take any serious action about that. I would be surprised if they stopped doing so.
What am I missing here? I have to type my password when I log in to Facebook. They are probably storing a hash of each of the users' passwords (after changes) and then comparing against index[0]?
So what are they doing with that? How can they verify it? Are they actually logging into your email account with that? Surely (BigCompany) measures would prevent that?
They send you a confirmation email, and then, instead of you logging into your email account and clicking the verification link, they ask for your email account password and log into your email account for you and click the verification link for you.
Title seems misleading. Per the article it seems they demand email confirmation, but merely offer to access your email for you in order to accomplish that.
(This is not a defense of Facebook's actions here)
> Per the article it seems they demand email confirmation, but merely offer to access your email for you in order to accomplish that.
It's definitely a dark pattern though. And Facebook rarely seems content to only use data for the purpose they advertise when asking for it. For instance, there was an article recently that proved they were using phone numbers collected for 2FA to do ad-targeting as well.
I value privacy as well, but I use Twitter for public things. To me it's not much different than having a public blog that data companies could scrape and store.
Facebook and Instagram feel different to me just because people tend to use them in more personal ways. But, again, if you plan to make the data public anywhere it can always be gobbled up by spiders and three-letter agencies.
You mention both common sense and personal values. I think it’s much more likely that people have different personal values than you than that people have less common sense than you.
I don't think that's quite true. It is not a straight common sense equation, largely because 'it's free' and so people don't apply a complete value rationalisation to using those services or even understand the implications of the deal they're agreeing to.
If Facebook, Twitter, Instagram etc were to actually charge fees for the cost of running the services without the advertising/data harvesting cover, I wonder how 'valuable' the perception would remain...
As much as I dislike what Instagram “is”, it is pretty much the best platform for (non-public) photo sharing. If there was something better, I’d use it, but there is not.
Maybe I'm jaded, but I only share photos of my life via text or even SD card. No one needs to see my life, besides it's kinda boring. Even if my boring life means I shouldn't be worried about it being exposed, I don't want that out there. I don't know, maybe I'm just weird hahah.
I don't think there's anything weird about that at all.
But suppose you did want to publish your content. For instance I make videos about tech and programming that I enjoy sharing with others and getting feedback on, so I post them on YouTube. Some people like to do that with their selfies or political commentary. To me that's all fine as long as they understand that it's no longer private.
The bigger privacy violations, imo, are the hidden ones. The web trackers, IoT data collection, location services, conversation metadata, etc. These are situations where it's not "public" like YouTube or Twitter, but it sure isn't private either.
...Or they just use Instagram as a platform to promote their work. If your content gets shared it's basically advertising but you're assuming that they don't do business other than just posting on Instagram.
Why would an amateur photographer feel that they have to work towards getting their work in a gallery?
Does an amateur baker have to have a stall at the farmers' market, an amateur knitter have to have an Etsy store?
Nothing wrong with just taking photos for the love of it (literally the definition of amateur) and sharing them with your friends because you think they'll appreciate them. Not every hobby has to be taken up with so much effort it's like a second job.
>If you truly cared about your art and wanted it to be seen, you would devote yourself to that and work on getting into a gallery
You've not understood what the word amateur means, at all. It's like suggesting an amateur tennis player doesn't care if he isn't trying to play Wimbledon. Or an amateur runner doesn't care if he isn't top 5% of marathon.
Indeed, I specifically avoid "professional" engagements because I have no interest in being published in a gallery, or in dealing with the art world or with clients. I've been thinking about setting up a stall at the local farmers market with some artist friends but that is about it. Sadly, parent's attitude is quite common among some.
Instagram is used very commonly in the art world and all of the full-time artists I know are on it and use it to promote their work, photography or otherwise.
By best platform, do you mean actually the best in functionality, capability and experience as per your requirements, or that it's the easiest to start using with the largest exposure?
Many people feel compelled to remain on Facebook because they're afraid of missing out on events that get scheduled through Facebook. But here is what I discovered: people who like you will go out of their way to make sure you get the invitation, even if that means using something barbaric and old fashioned like a phone number or email address. FOMO is probably Facebook's most valuable asset, but it's largely unjustified.
I have also discovered this. Haven't logged on to Facebook since new year's eve, I was a very heavy user before that. 4 months in and I haven't missed out on anything IRL.
> people who like you will go out of their way to make sure you get the invitation
Yeah, but sometimes you want to get invited by people who don't actually like you enough (or even know you well enough) to remember you're not on Facebook.
I'm not on FB, but I know of multiple local groups discussing issues and organizing meetings on private FB groups, which would be hard to participate in without an account.
Network effects keep people in place. Switching social networks would need a bit of a movement, which OP maybe wanted to low-key initiate?
The next social network would also have to provide the simplicity, performance and features people expect, while showing real, understandable improvements in terms of privacy or the economic model (e.g. no risk being bought by Facebook like WhatsApp).
In general, 'new social networks' seem rarely discussed, here in HN or elsewhere; can you maybe name a few of the options you have in mind?
The passwords have to be forwarded over to the email provider, so they are flying around log files, unsafe in the database. There's actually a programmer somewhere who can read all of them and put them in a text file and take them home.
In theory, the password doesn't have to be stored at all. I bet it's kept in some sort of job queue, so it might be stored in disk (e.g. Redis AOF), but even that could be avoided.
Still, one has to wonder why do it at all, considering the simple alternative of sending a verification email, which was already implemented.
I had someone create a Facebook account with my email once. I let it persist for a year until I got tired of the friend request notices. Did a password reset and deleted the account.
I'm not sure how rigorous email verification workflows are in general. I had someone manage to transfer their Apple account to one of my emails a few years ago.