Location Data Privacy in Apps

The New York Times released a report (with some fancy graphics) detailing how apps collect and resell location data for advertising, well outside the stated purpose of the app. Only 10 apps were covered in depth, but the findings reveal how a handful of advertising companies aggregate location data across many apps.

At least 75 companies receive anonymous, precise location data from apps whose users enable location services to get local news and weather or other information, The Times found. Several of those businesses claim to track up to 200 million mobile devices in the United States — about half those in use last year. The database reviewed by The Times — a sample of information gathered in 2017 and held by one company — reveals people’s travels in startling detail, accurate to within a few yards and in some cases updated more than 14,000 times a day.

[Learn how to stop apps from tracking your location.]

An app may tell users that granting access to their location will help them get traffic information, but not mention that the data will be shared and sold. That disclosure is often buried in a vague privacy policy.

via NY Times

Remember, even with location services disabled, apps and websites can still track your approximate location, typically by geolocating your IP address.

The Times app did not request precise location data and did not send it. It sent location data to several companies based on an IP address that placed the device elsewhere within the city.

via NY Times

IP-based location came up during the Facebook Congressional hearings, and it is one way Google can personalize search results even when you are logged out or in a private browsing window. And don’t forget that Google’s “Location History” and “Web & App Activity” settings both record location data.

The most unnerving finding of the report is how apps bundle third-party code that exports your location to advertisers, with the practice disclosed, if at all, only in opaque privacy policies.

Frequently, location data companies make packages of code that collect phones’ whereabouts. Developers who add this code to their apps can get paid for location-targeted ads, or earn money for providing the location data, or get free mapping or other services for their apps.

via NY Times

If we can’t communicate the use of location data transparently, what will happen when biometric and facial recognition technologies are embedded in every camera and device? One proposal:

“people deserve to know when [facial recognition] technology is being used, so they can ask questions and exercise some choice in the matter if they wish. Indeed, we believe this type of transparency is vital for building public knowledge and confidence in this technology. New legislation can provide for this in a straightforward approach:

  • Ensuring notice. The law should require that entities that use facial recognition to identify consumers place conspicuous notice that clearly conveys that these services are being used.
  • Clarifying consent. The law should specify that consumers consent to the use of facial recognition services when they enter premises or proceed to use online services that have this type of clear notice.”

via Facial recognition: It’s time for action

    What the Marriott Breach Says About Security

    Your personal data is already stolen. Here’s what you need to be doing:

    via Krebs on Security


    How Criminals Steal $37 Billion a Year

    It is increasingly difficult to trust a call from a number you don’t recognize. Not only are scammers spoofing caller ID so the number appears to be in your area code, they are also impersonating family members in distress.

    The dirty little secret about elder exploitation is that almost 60 percent of cases involve a perpetrator who is a family member, according to a 2014 study by Lachs and others, an especially fraught situation where victims are often unwilling, or unable, to seek justice. Such manipulation sometimes involves force or the threat of force.

    via Bloomberg

    This trick has been around for a while, but there are new defenses available to guard against the scam.

    On Feb. 5, the Financial Industry Regulatory Authority, an industry body, put into effect “the first uniform, national standards to protect senior investors.” It now requires members to try to obtain a trusted contact’s information so they can discuss account activity. It also permits firms to place temporary holds on disbursements if exploitation is suspected.


    Interesting idea: a trusted second person who is consulted before money moves, a kind of two-person control for account transactions. But it may still be easy to beat, since it only triggers when the firm suspects exploitation in the first place.

    Loewy, who left her job as a prosecutor in 2014 to join EverSafe, a startup that makes software to monitor suspicious account activity, is underwhelmed by the industry projects.

    “They may say they’re focused on it, but they aren’t really doing much more than training employees,” she says. “Exploiters know what they’re doing. They take amounts under $10,000 that they know won’t get picked up by fraud and risk folks at banks. And they steal across institutions over time.”


    And remember, if you get a text from a short-code number with 5 or 6 digits, you can look up who leased that code in the Short Code Directory. Keep in mind the directory tells you which business registered the code, not that any particular message is legitimate, so still don’t tap links in a text or reply with a verification code you didn’t request.

    Nobody is immune to ads

    In his post Nobody is immune to ads, Georges Abi-Heila explores the psychology of how humans react to the barrage of brands and ads we see every day.

    There’s no scientific consensus on the number of ads we’re exposed to daily, as estimates vary from a few hundred to thousands. Why is it so hard to get a reasonable figure? Because it depends on a variety of factors that greatly affect the final result (sorted by level of importance):

    What is considered an ad?
    Including brand labels and logos can increase the final result 10x. Think about every time you pass by a brand name in a supermarket, the label on everything you wear, the condiments in your fridge, the cars on the highway…

    Where does the subject live?
    The denser your living environment, the more ads you’re exposed to, as companies fiercely compete for your attention (and, ultimately, your wallet). Visual pollution is one of the drawbacks of living in a big city…

    What is the subject’s job?
    During work hours, a hotel receptionist sees a lot fewer ads than a truck driver, who is less exposed than a social media manager.

    Want to see an interesting example? Have an iPhone? Ignore for a moment all the brands you see in the icons on your home screen; this one is more subtle. What does it say in the top left corner?

    The Verge iPhone 8 Review

    So every time you pick up your phone you are served an ad for your cell carrier. Why does it exist? Do you frequently forget you are on the AT&T network?

    It is worth noting that the notched iPhones no longer show the carrier name, so this redditor has the right idea.

    The Verge iPhone X Review

    Is it a big change? No. But one less ad in the thousands you see in a day.

    As a bonus, check out the streets of Sao Paulo. The city has a law that prohibits outdoor advertising. The story is covered in a post by 99% Invisible.

    21 Lessons for the 21st Century

    Yuval Noah Harari on the Talks at Google podcast (and in video form)

    He’s marketing his new book extremely well and a New York Times interview on the subject garnered attention:

    It made him sad, he told me, to see people build things that destroy their own societies, but he works every day to maintain an academic distance and remind himself that humans are just animals. “Part of it is really coming from seeing humans as apes, that this is how they behave,” he said, adding, “They’re chimpanzees. They’re sapiens. This is what they do.”

    . . .

    “It’s just a rule of thumb in history that if you are so much coddled by the elites it must mean that you don’t want to frighten them,” Mr. Harari said. “They can absorb you. You can become the intellectual entertainment.”

    . . .

    He told the audience that free will is an illusion, and that human rights are just a story we tell ourselves. Political parties, he said, might not make sense anymore. He went on to argue that the liberal world order has relied on fictions like “the customer is always right” and “follow your heart,” and that these ideas no longer work in the age of artificial intelligence, when hearts can be manipulated at scale.

    Not the most heartening view of the future.

    21 Lessons is also recommended by Bill Gates as one of 5 books he loved in 2018 (to further corroborate Harari’s points)

    The trick for putting an end to our anxieties, he suggests, is not to stop worrying. It’s to know which things to worry about, and how much to worry about them. As he writes in his introduction: “What are today’s greatest challenges and most important changes? What should we pay attention to? What should we teach our kids?”

    Or maybe we should be a bit more like Newt Scamander

    My philosophy is that worrying means you suffer twice.


    The Exponent podcast is back! And there’s a lot of news regarding pressure to change existing App Store pricing models.

    it seems incredibly worrisome to me anytime any company predicates its growth story on rent-seeking: it’s not that the growth isn’t real, but rather that the pursuit is corrosive on whatever it was that made the company great in the first place. That is a particularly large concern for Apple: the company has always succeeded by being the best; how does the company maintain that edge when its executives are more concerned with harvesting profits from other companies’ innovations?

    via Stratechery and Exponent

    Plus, after shipping Fortnite outside of the Google Play Store, Epic Games is moving in on Steam with a new game store and taking a smaller cut of sales.

    Developers receive 88% of revenue. There are no tiers or thresholds. Epic takes 12%. And if you’re using Unreal Engine, Epic will cover the 5% engine royalty for sales on the Epic Games store, out of Epic’s 12%.

    via Unreal Engine Blog

    The case for slowing everything down a bit

    Ezra Klein on increased digital friction:

    I believe that one reason podcasts have exploded is that they carry so much friction: They’re long and messy, they often take weeks or months to produce, they’re hard to clip and share and skim — and as a result, they’re calmer, more human, more judicious, less crazy-making.

    Klein and Jaron Lanier discuss just that, in a podcast.

    Writing . . . is full of friction. It’s hard and slow, and the words on the page fall short of the music and clarity I imagined they’d have. But it is, in the end, rewarding. It’s where I have at least a chance to create something worth creating. The work is worth it.

    via Vox

    Is this a legit Fortnite V-Buck site? Probably not.

    Fortnite has caused quite the security kerfuffle. Between Epic releasing the Android app outside the Google Play Store and players’ insatiable desire for V-Bucks, scams are running rampant.

    Wired put out this article yesterday entitled Fortnite scams are even worse than you thought, and it made me sad that people are being tricked (that’s for tomorrow 🎃).

    I made a simple browser extension as a helpful reminder of legitimate V-Buck sites. It will give you a green thumbs up on real V-Bucks websites, and a red thumbs down for sites where you can’t safely purchase V-Bucks. Check it out on GitHub.

    If all else fails, to stay safe, remember: ONLY BUY V-BUCKS IN THE GAME.
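As an added example (this is not the extension’s own code, which lives on GitHub), here is the decision a “green thumb / red thumb” extension has to make for each page, written so that it cannot be fooled by a scam domain that merely contains the real store’s name. The allowlist entries and the sample URLs are assumptions constructed for the example:

```javascript
// Added example, not the extension's own code: decide which badge a
// "legit V-Bucks site" extension should show for the page the user is on.
// Assumption: the allowlist below stands in for the extension's real list.
const LEGIT_HOSTS = [
  "epicgames.com",         // assumed: Epic's own site
  "store.playstation.com", // assumed: PlayStation Store
  "microsoft.com",         // assumed: Xbox / Microsoft Store
];

// A page that is not on the allowlist but talks about V-Bucks, Fortnite or
// Epic is exactly the kind of page a scam would build: red thumb.
const VBUCKS_WORDS = /v-?bucks|fortnite|epicgames/i;

// Exact host or a subdomain of it. "www.epicgames.com" matches "epicgames.com";
// "epicgames.com.free-vbucks.example" does not, which is the whole point of
// matching on the parsed hostname instead of doing url.includes("epicgames.com").
function hostMatches(hostname, entry) {
  return hostname === entry || hostname.endsWith("." + entry);
}

// Returns "legit" (green thumb), "scam" (red thumb) or "neutral" (no badge).
function classifyVBucksUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // parses scheme and host; throws on garbage
  } catch {
    return "neutral";
  }
  const host = url.hostname.toLowerCase().replace(/\.$/, ""); // drop trailing dot
  if (LEGIT_HOSTS.some((entry) => hostMatches(host, entry))) {
    // Only endorse the real store over HTTPS; a plain-http page on a real host
    // should not get the green thumb.
    return url.protocol === "https:" ? "legit" : "neutral";
  }
  return VBUCKS_WORDS.test(rawUrl) ? "scam" : "neutral";
}

// Constructed sample URLs for illustration; none of these are real pages.
const SAMPLE_URLS = [
  "https://www.epicgames.com/fortnite/en-US/vbucks",
  "https://epicgames.com.free-vbucks.example/claim",
  "https://evil.example/login?next=https://epicgames.com",
  "https://www.ebay.com/itm/fortnite-v-bucks-cheap",
  "https://example.com/",
  "not a url",
];

for (const u of SAMPLE_URLS) {
  console.log(classifyVBucksUrl(u).padEnd(7), u);
}
```

The important detail is the second and third sample URLs: a lookalike host that ends in a scammer’s domain, and a page that only mentions the real domain in its query string, both get the red thumb, whereas a naive substring check on the URL would have turned them green.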


    Download the extension files by clicking “Clone or download > Download Zip” on Github
    Follow steps 1, 2, and 3 here to install the extension
    (Yes, enabling developer mode to sideload extensions is a similar security hole to what Epic is doing with Fortnite on Android. I’ll look into publishing the extension officially.)

    Test out the extension!

    V-Bucks for PlayStation:


    V-Bucks for Xbox:


    V-Bucks for PC/Switch/iOS/Android are only available in game, but here’s a link to Epic Games explaining that:


    Don’t buy V-Bucks on eBay:


    Video demo

    It’s all out the gifs

    Other Fortnite Links and Security Tips

    Here’s how to get Fortnite on Android:

    How to protect your Epic account:

    Epic on V-Buck Scams:

    And a reminder from Wired:


    I’ll wrap up by saying I don’t endorse actually purchasing these things, but for those of you who do buy, stay safe out there!

    Ninja and Kylie Jenner, Who Owns the Future

    Supertree Grove at Gardens by the Bay Singapore

    In his book, Who Owns the Future, Jaron Lanier discusses the idea of real-time income and wealth generation. He presents the topics through the lens of sharing songs in the music industry, but the principle applies to today’s sharing economy.

    Copying a musician’s music ruins economic dignity. It doesn’t necessarily deny the musician any form of income, but it does mean that the musician is restricted to a real-time economics life. That means one gets paid to perform, perhaps, but not paid for music one has recorded in the past. It is one thing to sing for your supper occasionally, but to have to do so for every meal forces you into a peasant’s dilemma.

    The peasant’s dilemma is that there’s no buffer. A musician who is sick or old, or who has a sick kid, cannot perform and cannot earn. A few musicians, a very tiny number indeed, will do well, but even the most successful real-time-only careers can fall apart suddenly because of a spate of bad luck. Real life cannot avoid those spates, so eventually almost everyone living a real-time economic life falls on hard times.

    Who Owns the Future, Jaron Lanier

    The hope is that creators can make a living from what they create, and do so in a way that lets value from previous work fund the next. Without that buffer, musicians may have to write new albums while on a concert tour instead of taking time away from touring to create new songs. Yet the problems of real-time income are not confined to the music industry; they have found their way into many social-media-driven businesses.


    Twitch is a video game streaming platform that runs on virtual subscriptions, much like Netflix. However, instead of subscribing to Netflix to unlock all content on the service, Twitch subscriptions are to individual creators’ channels (like Ninja’s).

    Imagine paying $5 a month to watch Stranger Things and another $5 a month to watch Orange Is the New Black (plus an additional $5 for every other show you want to watch). Would you pay for such a subscription? Sure, you could subscribe for a weekend to binge-watch an entire new season, but what is your incentive to stay subscribed to Stranger Things while the next season is in development? The show is “off the air” for over a year and you only get to watch re-runs in return for your subscription.

    Aggregate movie and music subscription services like Netflix and Spotify can charge a recurring fee because there is consistently new content, even if it’s not always from your favorite show or artist. You can watch the entire back catalog of hundreds of other shows while you wait for the next season of a Netflix original to be released.

    The economics work a little differently for singular channel subscriptions on Twitch, but the underlying struggle to maintain attention remains the same. There is no monthly subscription to Twitch.tv. Access to all Twitch content is free and ad supported, and viewers can subscribe to multiple streamers’ channels, each with a $5 subscription (or more depending on tier). Because all the content comes from a single source, creators must supply a near constant stream of gameplay to maintain relevancy and keep subscriber count high.


    Right now, Tyler Blevins (aka Ninja) is the most popular source of gameplay on Twitch and the biggest name in video gaming. He rose to super-stardom in less than a year with the popularity of Fortnite, but his way to the top was not immediate. He’s been at it non-stop for eight years, yet even after such a level of investment, his future success still hinges on him showing up to stream games every day.

    Blevins compares himself to the owner of a small business, and the only product is Ninja. He weighs every decision to leave his computer — to travel to a celebrity-heavy event like the Pro-Am in Los Angeles or even to visit family — against the financial repercussions.

    There’s the constant threat of fading popularity. “The more breaks [streamers] take,” he says, “the less they stream, the less they’re relevant.”

    Fortnite legend Ninja is living the stream via ESPN

    By default, Twitch creates a business model that plants its creators squarely in a real-time economics life. Ninja and the most popular streamers have some level of recurring revenue through a back catalog of highlights uploaded to YouTube, but staying current is of utmost importance. Attention is fickle and people will quickly find ways to spend their time elsewhere. Over the course of a weekend, Ninja lost thousands of subscribers (equating to nearly a quarter million dollars in lost revenue for the month).

    “I lost 15,000 subs yesterday,” he says. Even though he’s headlining today’s celebrity event, because he’s not livestreaming on Twitch, he’s losing subscribers — 40,000 of them, to be exact, by the end of the two days he’ll spend in LA.

    Yet, his hard work is paying off as Ninja is currently bringing in close to $1 million a month from Twitch subscriptions, donations, YouTube revenue, and sponsorships (up from ~$80,000 in 2011), but others in the long tail of Twitch success are not in such a fortunate position. Streamers and YouTubers are working just as hard, just as often as Ninja and still not at the level of 2011 Ninja. And all Twitch stars are worrying about what comes next.

    Say this ends tomorrow, we don’t have enough for the rest of our lives. I tell Jess, “Honey, we’re not going to have that much quality time this year, or even next year. But if we do this right and I continue to grind for a couple more years, we can set ourselves up, and our family and our family’s family, for the rest of our lives.”

    Kylie Jenner

    Ninja isn’t the only one making waves for tremendous individual online success. Compare the story of the biggest new entrant in the world of sports with the work of fashion mogul and world’s youngest billionaire Kylie Jenner. Both have tremendous followings and leverage their social media influence to build greater notoriety. The difference is in the kind of work they do.

    Kylie Jenner differs from other pure social media stars, who rely almost solely on ads and sponsorships, in that her main source of income is a business that sells products (not just brand merchandise). She pieced together various technology services to generate supply, ship orders, and orchestrate the operation from her social media accounts. Instagram and Snapchat are tools in her business strategy rather than the arbiters of wealth that YouTube and Twitch are for so many (like Ninja) who rely on them for their livelihood. And what’s the result? Jenner has transcended all other social media influencers. She is not just the most popular social media icon, but the most business-savvy (by far). One can imagine she is the first of many to come.

    Forbes wrote an article detailing Jenner’s business success in August:

    Kylie Cosmetics launched two years ago with a $29 “lip kit” consisting of a matching set of lipstick and lip liner, and has sold more than $630 million worth of makeup since, including an estimated $330 million in 2017. Even using a conservative multiple, and applying our standard 20% discount, Forbes values her company, which has since added other cosmetics like eye shadow and concealer, at nearly $800 million. Jenner owns 100% of it.

    Her near-billion-dollar empire consists of just seven full-time and five part-time employees. Manufacturing and packaging? Outsourced to Seed Beauty, a private-label producer in nearby Oxnard, California. Sales and fulfillment? Outsourced to the online outlet Shopify. Finance and PR? Her shrewd mother, Kris, handles the actual business stuff, in exchange for the 10% management cut she takes from all her children. As ultralight startups go, Jenner’s operation is essentially air. And because of those minuscule overhead and marketing costs, the profits are outsize and go right into Jenner’s pocket.

    How 20-Year-Old Kylie Jenner Built A $900 Million Fortune In Less Than 3 Years via Forbes

    To put her success in perspective, contrast Ninja’s schedule with Jenner’s. To maintain the Ninja audience, Tyler and his wife Jess keep a tight schedule of 12+ hour days.

    They typically spend half an hour together in the morning, then he streams, usually for about six hours while she takes business calls. They take a break around 4 p.m. before he gets back on the stream around 8 p.m. for another six hours. He goes offline one day a week, which they call a “date day,” though recently they’ve been skipping it because he’s been so busy.

    And Kylie Jenner?

    Basically, all Jenner does to make all that money is leverage her social media following. Almost hourly, she takes to Instagram and Snapchat, pouting for selfies with captions about which Kylie Cosmetics shades she’s wearing, takes videos of forthcoming products and announces new launches. It sounds inane until you realize that she has over 110 million followers on Instagram and millions more on Snapchat.

    Which job would you rather have? For Jenner, certainly there is more work involved than just posting photos, but the idea remains the same. Her business will continue to operate even when she is not online. Instagram posts can continue to bolster sales, but there is far less risk of losing 20-40% of your customers in a weekend.

    Yet, like Ninja, Jenner is not immune to the risks of fleeting interest.

    It seems far-fetched to think the brand, whose customers are mostly women ages 18 to 34, will last that long, much less independently. Especially with a business tied to the fickle world of personal fame. Stars fall out of public favor or lose interest.

    “All of them could change their minds,” Shannon Coyne, an equity research analyst at BMO Capital Markets, says of the influx of celebrity makeup entrepreneurs. “Kylie seems to want to create this beauty empire, but anything can happen, and she’s so young.”

    When you can make such quick cash, who needs a big exit? Kylie Cosmetics has already generated an estimated $230 million in net profit.

    In either case, both Ninja and Kylie Jenner are doing well for themselves, but it is worth considering the leverage applied to scaling a business. While the next big thing in gaming or fashion may dwarf the current leaders in popularity, maybe future business minds should focus less on “the grind” and more on creating things that last.

    Additional reading

    Antifragile by Nassim Taleb

    Perennial Seller by Ryan Holiday

    (Somewhat) Unrelated reading

    Crazy Rich Asians by Kevin Kwan

    Sunday Reading: Thoughts on The Tech Industry’s War on Kids

    Person sitting at a table reading a book with a bowl of cereal and cup of tea

    Reflecting on The Tech Industry’s War on Kids: How psychology is being used as a weapon against children

    Richard Freed is a child psychologist who focuses on helping families work through “extreme overuse of phones, video games, and social media.”

    Preteen and teen girls refuse to get off their phones, even though it’s remarkably clear that the devices are making them miserable. I also see far too many boys whose gaming obsessions lead them to forgo interest in school, extracurricular activities, and anything else productive. Some of these boys, as they reach their later teens, use their large bodies to terrorize parents who attempt to set gaming limits. A common thread running through many of these cases is parent guilt, as so many are certain they did something to put their kids on a destructive path.

    Kids might be struggling with technology, but plenty of adults would act like children too if they had to go a day without their devices. Maybe we should all take a digital detox.


    BJ Fogg directs the Stanford Persuasive Technology Lab. The research and design practices that came out of it underpin today’s most popular apps, websites, and games, but the same power can still be used for good. Although, whether for good or bad, the techniques shape human behavior without consent.

    Fogg’s website also has lately undergone a substantial makeover, as he now seems to go out of his way to suggest his work has benevolent aims, commenting, “I teach good people how behavior works so they can create products & services that benefit everyday people around the world.” Likewise, the Stanford Persuasive Technology Lab website optimistically claims, “Persuasive technologies can bring about positive changes in many domains, including health, business, safety, and education. We also believe that new advances in technology can help promote world peace in 30 years.”

    Why don’t we make it easy for kids and adults to spend their time doing the things society deems productive? Part of the challenge is exposing kids to new opportunities and experiences that help them understand their real-world potential, even at their age.

    While persuasion techniques work well on adults, they are particularly effective at influencing the still-maturing child and teen brain. “Video games, better than anything else in our culture, deliver rewards to people, especially teenage boys,” says Fogg. “Teenage boys are wired to seek competency. To master our world and get better at stuff. Video games, in dishing out rewards, can convey to people that their competency is growing, you can get better at something second by second.” And it’s persuasive design that’s helped convince this generation of boys they are gaining “competency” by spending countless hours on game sites, when the sad reality is they are locked away in their rooms gaming, ignoring school, and not developing the real-world competencies that colleges and employers demand.

    Motivation/inspiration, Ability/capability, Trigger/feedback

    According to B.J. Fogg, the “Fogg Behavior Model” is a well-tested method to change behavior and, in its simplified form, involves three primary factors: motivation, ability, and triggers. Describing how his formula is effective at getting people to use a social network, the psychologist says in an academic paper that a key motivator is users’ desire for “social acceptance,” although he says an even more powerful motivator is the desire “to avoid being socially rejected.” Regarding ability, Fogg suggests that digital products should be made so that users don’t have to “think hard.” Hence, social networks are designed for ease of use. Finally, Fogg says that potential users need to be triggered to use a site. This is accomplished by a myriad of digital tricks, including the sending of incessant notifications urging users to view friends’ pictures, telling them they are missing out while not on the social network, or suggesting that they check — yet again — to see if anyone liked their post or photo.

    It seems we could reframe the three behavioral factors (motivation, ability, and triggers) into a more productive framing of inspiration, capability, and reinforcement. For example, a kid who enjoys watching YouTube creators may be inspired to make a channel of their own. YouTube, influencers, or another service can help kids build their movie-making capabilities. Feedback on their work can then reinforce learning and growth. In the end, kids are still spending time where they want to, but the behavioral model focuses on a healthy balance of creation and consumption leading to the development of modern-day “real world capabilities”.

    Mostly terrifying

    the startup Dopamine Labs boasts about its use of persuasive techniques to increase profits: “Connect your app to our Persuasive AI [Artificial Intelligence] and lift your engagement and revenue up to 30% by giving your users our perfect bursts of dopamine,” and “A burst of Dopamine doesn’t just feel good: it’s proven to re-wire user behavior and habits.”

    Ramsay Brown, the founder of Dopamine Labs, says in a KQED Science article, “We have now developed a rigorous technology of the human mind, and that is both exciting and terrifying. We have the ability to twiddle some knobs in a machine learning dashboard we build, and around the world hundreds of thousands of people are going to quietly change their behavior in ways that, unbeknownst to them, feel second-nature but are really by design.”

    Facebook Messenger Kids

    How has the consumer tech industry responded to these calls for change? By going even lower. Facebook recently launched Messenger Kids, a social media app that will reach kids as young as five years old. Suggestive that harmful persuasive design is now honing in on very young children is the declaration of Messenger Kids Art Director, Shiu Pei Luu, “We want to help foster communication [on Facebook] and make that the most exciting thing you want to be doing.”

    Facebook’s narrow-minded vision of childhood is reflective of how out of touch the social network and other consumer tech companies are with the needs of an increasingly troubled generation. The most “exciting thing” for young children should be spending time with family, playing outside, engaging in creative play, and other vital developmental experiences — not being drawn into the social media vortex on phones or tablets. Moreover, Facebook Messenger Kids is giving an early start to the wired life on social media that we know poses risks of depression and suicide-related behavior for older children.

    In response to the release of Facebook’s Messenger Kids, the Campaign for a Commercial-Free Childhood (CCFC) sent Facebook a letter signed by numerous health advocates calling on the company to pull the plug on the app. Facebook has yet to respond to the letter and instead continues to aggressively market Messenger Kids for young children.

    Conscious workflows vs impulsive habits

    President John F. Kennedy’s prescient guidance: He said that technology “has no conscience of its own. Whether it will become a force for good or ill depends on man.”

    From Cal Newport:

    Workflows are arguably more important than your high-level habits when it comes to impacting how effectively you produce valuable things (my preferred definition of “productivity”), but they’re a topic that’s often ignored.

    Indeed, for most people, the workflows that drive their professional life are processes that haphazardly arose without much intention or consideration.

    This fall, in other words, consider spending some serious time evaluating your workflows before turning your attention to the habits that help you deal with the obligations these flows generate.

    Technology gives us the tools to do more. It’s up to us to decide how we leverage our new powers.

    The best analogy I’ve ever heard is Scientific American, I think it was, did a study in the early 70s on the efficiency of locomotion, and what they did was for all different species of things in the planet, birds and cats and dogs and fish and goats and stuff, they measured how much energy does it take for a goat to get from here to there. Kilocalories per kilometer or something, I don’t know what they measured. And they ranked them, they published the list, and the Condor won. The Condor took the least amount of energy to get from here to there. Man didn’t do so well, coming in with a rather unimpressive showing about a third of the way down the list.

    But fortunately someone at Scientific American was insightful enough to test a man with a bicycle, and man with a bicycle won. Twice as good as the Condor, all the way off the list. And what it showed was that man is a toolmaker, has the ability to make a tool to amplify an inherent ability that he has. And that’s exactly what we’re doing here.

    via Steve Jobs, on the computer as a “bicycle for the mind”

    Additional reading

    BJ Fogg commented on the article and provided a list of his works to raise awareness about the ethics of persuasive tech.

    A recent Atlantic article, “Have Smartphones Destroyed a Generation?,” by Dr. Jean Twenge

    Stratechery article on Tech’s Two Philosophies: Some problems are best solved by human ingenuity; others by collective action

    Short Codes (aka Messages & Two Factor Authentication from Random Five to Six Digit Numbers)

    There are some cool new security features in the latest versions of iOS and Android to help you keep your accounts secure. Android’s updated Messages app and iMessage in iOS 12 both bring simplified one-time passcodes and two factor authentication (2FA) management.

    iMessage – iOS 12

    iMessage Security code AutoFill
    Security code AutoFill. SMS one-time passcodes will appear automatically as AutoFill suggestions, so you never have to worry about memorizing them or typing them again.


    Android Messages

    Copy one-time passwords with one tap
    Now, when you receive a message with a one-time password or code from a secure site—such as your bank—you can save time by copying that password directly from the message with a tap.


    With both Apple and Google updating their messaging apps to ease use of text message (SMS) based two factor authentication, I’ve been thinking about why copying a verification code is the feature we need to bring more people to use 2FA. While cutting down steps required to use 2FA will make for a more streamlined experience, there seems to be an opportunity elsewhere to improve general usability of SMS based 2FA.

    I understand there has been plenty of discussion regarding the security risks of these features, but putting aside discussion of the entire 2FA ecosystem and the shortcomings of SMS based 2FA, let’s look at a quirk of how people experience 2FA on their phones.

    An example

    Android Messages two factor authentication shortcut

    Take the Capital One notification from this article discussing the “copy 2FA code” feature in Android Messages. The message from number 227898 says “From Capital One” and provides a code: 939966. There are two things we need to figure out here. One, that this is in fact the message from Capital One, and two, that this message contains the 2FA one-time passcode we need to complete the log-on process.

    First off, while the message says it’s from Capital One, we know from our phishing lessons that we shouldn’t use the content of a message to influence our trust decision-making process. The timing of getting this message in relation to attempting to log in to a bank account would make it seem like the message is legitimately from Capital One, but how can we be sure? What is that 227898 number? Can we look it up like a phone number to verify it is registered to Capital One?

    The second bit of confusion is recognizing that the 2FA verification code is 939966, not the big bold 227898 number at the top of the message. Usually the distinction between sender and message is clear with a regular 10 digit phone number or a message from someone in your contact list, but when you are sent a six digit code from a six digit number you need to do more mental processing to choose the right number. Google has partially resolved the issue by giving an explicit action to copy the 2FA code, but it feels a little strange not being able to see the actual code in the message.

    An aside

    Slightly off topic, but while researching YubiKeys (after listening to Scott Hanselman’s podcast with Sarah Squire), I came across Two Factor Auth, which maintains a list of sites that support, well, two factor auth. Exploring the various services, I noticed very few banks support USB hardware tokens. Wells Fargo seemed the only big bank with support. Clicking through the WF link from the Two Factor Auth chart, I ended up on the Advanced Access page trying to figure out how WF does U2F. It turns out they use RSA SecurID (not USB U2F), which was uninteresting, but the footnote caught my attention:

    We always send our text messages from 93557. Incoming calls with an Advanced Access code will come from 1-800-956-4442. We recommend adding these numbers to your phone’s address book so you can easily identify our incoming text messages and calls.

    via Wells Fargo Advanced Access

    Is this really the case? Every Wells Fargo communication and two factor authentication message comes from 93557? What’s the significance of 93557? And does every company always use the same number?

    If so, this is a fantastic piece of advice buried in a random support page.

    We recommend adding these numbers to your phone’s address book so you can easily identify our incoming text messages and calls.

    Why doesn’t every company and service mention this?

    An investigation

    To figure that out, I first needed to learn what that five-digit non-phone number is really called. Naturally, I went online and searched “what is the number for two factor sms?”

    This article from The Verge was at the top: Facebook admits SMS notifications sent using two-factor number was caused by bug

    Not what I was looking for, but at least a clue.

    Facebook uses the automated number 362-65, or “FBOOK,” as its two-factor authentication number

    So these numbers have some T9 significance (remember landlines and flip phones?).

    I figured that if Facebook’s number is known, maybe there are some resources that include more of these numbers, so I quickly searched 362-65 and got 297. 😑

    After getting rid of the minus sign, there was this Facebook Support link with people confused after receiving a random text seemingly from Facebook with a link to “fb.com”, a non-“facebook.com” website (here’s another example).

    They are right to be concerned.

    A little more searching, and boom: short codes

    Short Codes

    Is this a name people knew about? It’s the first time I came across the phrase “short code” even though I have been using the things for some time now.

    It turns out there is an official US Short Code registrar run by CTIA and iconectiv:

    Short Code Registry

    Short Codes offer marketers unique opportunities to engage their audiences via text messaging. Short Codes are five- or six-digit codes that may be personalized to spell out a company, organization or a related word. Many organizations may choose to use Short Codes to send premium messages, which may charge subscribers additional fees for informative or promotional services such as coupons or news updates.

    The Short Code Registry maintains a single database of available, reserved and registered short codes. CTIA administers the Common Short Code program, and iconectiv became the official U.S. Short Code Registry service provider in January, 2016.

    For more information, please see the Short Code Registry’s Best Practices and the Short Code Monitoring Handbook.

    The iconectiv site routes to https://usshortcodes.com/ where you can learn all about registering, case studies, and best practices. But I still want to know how to verify the sender of that 2FA message.

    This is where US Short Code Directory comes in.

    The U.S. Short Code Directory and the team at Tatango has assumed responsibility for the indexing of these unique phone numbers, creating the industry’s only public address book.

    via https://usshortcodedirectory.com/about/

    What do you know, the first code in the directory: Facebook, 32665. But wait, that’s not what’s listed in the Verge article… That’s 32665 vs 36265. Not sure what the deal is there, but may be a typo by The Verge (3-F, 2-B, 6-O, 6-O, 5-K in T9).

    Just for a sanity check, does the Wells Fargo short code match their Advanced Access list? Yep! And so does the Capital One code.

    Cool! We figured out a way to verify the sender of SMS based 2FA! Remember though, this does not only apply to 2FA, but also other SMS based communication from the company.

    Short Codes in the Wild

    Check out this recent Wells Fargo ad on YouTube.

    Wells Fargo account alert text message from YouTube ad

    At the 17-second mark the narrator mentions “alerting you to certain card activity we find suspicious”. How do they do this? By SMS of course. And what number is the alert from? 93733!? NOOOOO! That’s not 93557. WF was so close. Missed an opportunity to tie everything back to that random support page. The ad has a caveat “Screen images simulated”, so ¯\_(ツ)_/¯. For what it’s worth, the phone number to call is in fact for WF Customer Service.

    Questions, Concerns & Opportunities

    This feels like the tip of the short code iceberg and I still have a lot of questions. How long do short codes last? Do companies change numbers? Can short codes be reused? Can I trust that the next time I receive a message from a short code number that it is from the same company as last time? Can messaging apps label the code like caller ID?

    I don’t have all the answers, but there are definitely more things to be done to help fight the next generation of phishing. As more companies continue to recommend 2FA and send updates over SMS, we need tools in place to ensure we can trust the messages we receive.

    Wells Fargo’s advice to add their numbers to your address book is good, as long as the short code (and normal telephone) numbers do not change over time. While it may be uncommon, it is possible for companies to switch numbers, and (possibly more common) previously used numbers can become available for a different company to re-register. In the former case, people will see an unknown number seemingly masquerading as a service they do use, which should be a cause for suspicion (although benign). In the latter, people will assume trust in the content from a number they recognize (creating a phishing opportunity). While instances of these issues may be unsubstantiated (there’s very little info on how short code numbers change hands and the “Best Practices” are all about marketing), this is a reason to have service-driven trust management keeping track of ownership and identity.

    There is an opportunity for services like US Short Code Directory and Tatango to provide access to their index of short codes, so companies like Apple and Google can continue to improve their messaging services. If the Short Code Directory had a public API to query and verify short codes, messaging apps could implement a new style of caller ID (essentially a DNS for SMS, but not this) to let you know that the message from 227898 that says it’s “From Capital One” is legitimately from Capital One.

    At the end of the day, it should be easier to stay safe online, even if improving short codes is just an obscure part of the solution. Now to see if I can get Wells Fargo and The Verge to fix their typos.
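    As an added example (not code from this post, Tatango, CTIA or any messaging app), the Python below sketches the caller-ID-style check proposed above: it maps a vanity word onto its T9 digits (the check used earlier for FBOOK vs 32665, which incidentally shows that 93557 spells WELLS), looks the sending number up in a constructed, hypothetical registry standing in for the public API that does not yet exist, and separates the one-time code in the body from the short code that sent it.

```python
# Added example; the registry below is a constructed, hypothetical lookup
# table standing in for the US Short Code Directory, not its real data/API.
import re

# T9 keypad: letter -> digit, used for vanity short codes such as FBOOK -> 32665
T9 = {c: d for d, letters in {
    "2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
    "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ"}.items() for c in letters}

def vanity_to_short_code(word: str) -> str:
    """Map a vanity word onto its T9 digits, e.g. 'FBOOK' -> '32665'."""
    return "".join(T9[c] for c in word.upper())

# Constructed registry: short code -> registrant named on the page.
KNOWN_SHORT_CODES = {
    "32665": "Facebook",
    "93557": "Wells Fargo",
    "227898": "Capital One",
}

SHORT_CODE_RE = re.compile(r"^\d{5,6}$")   # five- or six-digit sender
OTP_RE = re.compile(r"\b(\d{6})\b")         # six-digit code in the body
CLAIM_RE = re.compile(r"From ([A-Za-z ]+?)(?:[:.]|$)")  # "From <brand>"

def label_sms(sender: str, body: str) -> dict:
    """Caller-ID style verdict for one SMS: is the sender a registered short
    code, does the brand claimed in the body match the registrant, and which
    six digits are the one-time code rather than the sending number?"""
    is_short_code = bool(SHORT_CODE_RE.match(sender))
    registrant = KNOWN_SHORT_CODES.get(sender) if is_short_code else None
    # Never treat the sender number itself as the one-time code, so a user (or
    # an app's copy button) does not grab 227898 when 939966 was meant.
    codes = [c for c in OTP_RE.findall(body) if c != sender]
    # The body's own claim ("From Capital One") is untrusted content; it only
    # counts as a mismatch signal against what the registry says.
    claim = CLAIM_RE.search(body)
    claimed = claim.group(1).strip() if claim else None
    mismatch = claimed is not None and registrant is not None and claimed != registrant
    return {
        "sender": sender,
        "is_short_code": is_short_code,
        "registrant": registrant,
        "otp": codes[0] if codes else None,
        "verdict": "verified" if registrant and not mismatch else "unverified",
    }
```

    A sender that is a short code but absent from the registry (for example the 36265 printed by The Verge) comes back unverified even when the body claims a brand.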

    Popular Company Short Codes

    Disclaimer: I have not received messages from all of these numbers, so I cannot verify their legitimacy nor comprehensiveness. Given the issues noted above, these numbers may change or companies may start using additional numbers for SMS communication (Google already has at least 5. They may consolidate or add another).

    Facebook: 32665 and 3266

    Twitter: 40404

    Google: 22000, 23333 and others

    Apple: 272273 and others

    Microsoft: 365365, 51789 and others

    Amazon: 262966, 58988 and others

    Capital One: 227898 and others

    Chase: 28107, 24273 and others

    Wells Fargo: 93557 and others

    Bank of America: 73981 and others

    American Express: 25684 and others

    Intuit: 75341 and others

    Discover: 347268 and others

    PayPal: 729725777539

    Venmo: 86753

    AT&T: 88170, 883773 and others

    Verizon: 27589 and others

    T-Mobile: 37981

    FedEx: 37473 and others

    USPS: 28777 and others

    Walmart: 40303 and others

    Twilio: 22395 and others

    Uber: 82722289203

    Additional Reading