Twitter Breach

  • Thread starter
  • Moderator
  • #1

MagicalAzareal

Magical Developer
Joined
Apr 25, 2019
Messages
737
It looks like they used SMS 2FA (which is hideously insecure) instead of real 2FA (e.g. with an authentication app) or a hardware 2FA device. With SMS 2FA, anyone can phone up the phone company, pretend to be you and get your SIM transferred to another device.
 
  • Thread starter
  • Moderator
  • #3

MagicalAzareal

Magical Developer
Joined
Apr 25, 2019
Messages
737
This seems like the real problem to me, not SMS 2FA itself.
There is no good reason to ever use SMS 2FA. It is not secure. It is not 2FA. People have been advising against it for many, many years and yet some companies / people go ahead and use it anyway.
For a large company like Twitter, it is just plain laziness and it is 100% on them. SMS 2FA doesn't even offer any advantage over an app.

Once you have an authentication app, you can use it anywhere and it doesn't rely on a mobile network as it is based on the current time and a secret key you load on the device for that site (which you may scan onto it with a QR code).

I would imagine the reason Twitter does something insecure like SMS 2FA is for marketing purposes although it is surprising employees would be caught too and it would be someone with full access to all DMs.
 
Last edited:

Jeremy8

Participant
Joined
Mar 7, 2007
Messages
95
There is no good reason to ever use SMS 2FA. It is not secure. It is not 2FA. People have been advising against it for many, many years and yet some companies / people go ahead and use it anyway.
For a large company like Twitter, it is just plain laziness and it is 100% on them. SMS 2FA doesn't even offer any advantage over an app.

Once you have an authentication app, you can use it anywhere and it doesn't rely on a mobile network as it is based on the current time and a secret key you load on the device for that site (which you may scan onto it with a QR code).

I would imagine the reason Twitter does something insecure like SMS 2FA is for marketing purposes although it is surprising employees would be caught too and it would be someone with full access to all DMs.
Just playing devil's advocate here, but a lot of companies probably use text messages because it's a lot easier for the average person to understand. People who are bad with technology will have a hard time understanding authentication apps, even though it seems pretty simple to people like us. A lot of people also don't understand security and wouldn't understand why they have to download an extra app on their phone just to login. A lot of companies, including banks, using SMS 2FA. I suppose the point you're making is that it makes you less secure, not more secure, but there are a lot more companies than Twitter using it.
 
  • Thread starter
  • Moderator
  • #5

MagicalAzareal

Magical Developer
Joined
Apr 25, 2019
Messages
737
Just playing devil's advocate here, but a lot of companies probably use text messages because it's a lot easier for the average person to understand. People who are bad with technology will have a hard time understanding authentication apps, even though it seems pretty simple to people like us. A lot of people also don't understand security and wouldn't understand why they have to download an extra app on their phone just to login. A lot of companies, including banks, using SMS 2FA. I suppose the point you're making is that it makes you less secure, not more secure, but there are a lot more companies than Twitter using it.
https://www.itnews.com.au/news/telcos-declare-sms-unsafe-for-bank-transactions-322194 Phone companies don't want you using it for anything secure either and they have been warning against it for a decade.

Also, if a bank employee makes an oops and accidentally lets someone drain 200 bank accounts, would you play the "devil's advocate" there? This isn't grandma getting phished, this is someone getting access to theoretically any private message stored on Twitter. Please take these problems seriously.
 
Last edited:

Jeremy8

Participant
Joined
Mar 7, 2007
Messages
95
https://www.itnews.com.au/news/telcos-declare-sms-unsafe-for-bank-transactions-322194 Phone companies don't want you using it for anything secure either and they have been warning against it for a decade.

Also, if a bank employee makes an oops and accidentally lets someone drain 200 bank accounts, would you play the "devil's advocate" there? This isn't grandma getting phished, this is someone getting access to theoretically any private message stored on Twitter. Please take these problems seriously.
Devil's advocate means you offer an explanation for an opposing view. In this case, we are talking about why hundreds of companies might be using text message authentication even if it's less secure than using authenticator apps.
 
  • Thread starter
  • Moderator
  • #7

MagicalAzareal

Magical Developer
Joined
Apr 25, 2019
Messages
737
Speaking of the general case of grandma, if companies would stop putting up SMS 2FA options, like many banks have by now, people will start using the more secure options instead. Multiple options confuses people and pretending SMS 2FA "might" be secure more so.

People install apps all the time for all sorts of frivolous reasons. It is a trivial cost to protect your bank account from being drained.
Devil's advocate means you offer an explanation for an opposing view. In this case, we are talking about why hundreds of companies might be using text message authentication even if it's less secure than using authenticator apps.
I find your invocation of the devil's advocate to be disingenuous and intended to cover up for Twitter's clear failings. It is one authenticator app for every site you might ever need to use. It is not complicated.

For someone with admin access to a large company with hundreds of millions of users, it would be hardware token + Possible manual confirmation that it is you when connecting + Manager oversight when touching sensitive accounts.

This is not a joke. In any other industry, you could be fined big and even go to prison for fooling around.
 

zappaDPJ

Administrator
Joined
Aug 26, 2010
Messages
7,370
You have to keep in mind that the majority of people are unlikely to question any form of security if it's being touted by a recognized name. In the last 48 hours alone I've used 2FA via SMS three times including once to make a payment to pay off a credit card provided by Amazon.

The fact is almost everyone uses it and while I'm aware that it's not particularly secure, I have no real choice but to accept it.
 

Nev_Dull

Anachronism
Joined
Apr 27, 2010
Messages
2,071
I agree, most users don't know much of anything about the security behind the apps or sites they are using, and really, they shouldn't have to. It is entirely up to the companies like Twitter to maintain proper security in their software, and that nearly always comes down to economics.

Maybe they shouldn't be using 2FA via SMS, but changing that is an expensive proposition. Until there is a major (or in this case, a very public) breach, most of these companies will continue to opt for "acceptable risk" over the cost of upgrading.

Side note:
This isn't grandma getting phished
In defence of Grandma, far more young adults are fooled by phishing scams than old people.
 

Paul M

Limeade Addict
Joined
Jun 26, 2006
Messages
3,933
anyone can phone up the phone company, pretend to be you and get your SIM transferred to another device.
You need a better phone company then.
You cartainly cant just ring mine and do that, first you would need to know my password.
Things like transferring your number to a new SIM also require further checks.
SMS messages are also sent to the old device 24 hours before any transfer is started.
 

Claverhouse

Aspirant
Joined
Aug 25, 2006
Messages
11
Some of us don't have Smartphones and don't need them.

Not that the history of Android and Apple apps makes one want ever more apps anyway...
 

ManagerJosh

Adherent
Joined
Oct 24, 2004
Messages
335
You need a better phone company then.
You cartainly cant just ring mine and do that, first you would need to know my password.
Things like transferring your number to a new SIM also require further checks.
SMS messages are also sent to the old device 24 hours before any transfer is started.
Most mobile phone companies have terrible security for consumers because they keep the bar low out of convenience for the lowest common denominator consumer.
 

feldon30

Adherent
Joined
Jun 7, 2013
Messages
440
You need a better phone company then.
You cartainly cant just ring mine and do that, first you would need to know my password.
Things like transferring your number to a new SIM also require further checks.
SMS messages are also sent to the old device 24 hours before any transfer is started.
AT&T is notorious for just handing over SIMs / accounts to people who have any social engineering skills whatsoever. This is a major, widespread problem which has led to millions of dollars in cryptocurrency and hundreds of valuable domains and Twitter accounts being stolen. AT&T is the worst, but I'm not sure there's a "best" in the USA.

https://www.google.com/search?q=sim swap fraud

Remember when Apple and Amazon were asking for different pieces of information for verification? So you could call one, give them one piece of information and then they'd give you another, then you'd call the other and give them the newfound piece of information and that was verification used to unlock information in the other. Back and forth until you had everything you needed to own the account. They fixed some of this but it's still way to easy to steal accounts, even if you add a passcode on your account AT&T will let you past it if you have enough other information.
 
Last edited:

enivid

Aspirant
Joined
Sep 11, 2011
Messages
22
AT&T is notorious for just handing over SIMs / accounts to people who have any social engineering skills whatsoever. This is a major, widespread problem which has led to millions of dollars in cryptocurrency and hundreds of valuable domains and Twitter accounts being stolen. AT&T is the worst, but I'm not sure there's a "best" in the USA.

https://www.google.com/search?q=sim swap fraud

Remember when Apple and Amazon were asking for different pieces of information for verification? So you could call one, give them one piece of information and then they'd give you another, then you'd call the other and give them the newfound piece of information and that was verification used to unlock information in the other. Back and forth until you had everything you needed to own the account. They fixed some of this but it's still way to easy to steal accounts, even if you add a passcode on your account AT&T will let you past it if you have enough other information.
Heh... Here you have to come to a mobile company's office in person with your ID and to file a written request to restore a SIM. Of course, you could probably bribe someone in the management to circumvent this, but I am not sure if that would work well.
 
Top