The only thing 2FA has been good for in my experience has been giving me a lot more junk calls. It should be outlawed in social media, and they should be required to build proper user support instead. Accounts are still being compromised regularly even with 2FA, it's tedious to use, and it only adds to PII overreach, as phones are becoming more involved in everyone's privacy and payment management.
This is a perfect example of casual protection and "failure downplaying" that social platforms conduct on serious volumes of personal data, and how it has become too commonplace as they warehouse private data that they really don't need.
A customer required me to use Skype for a meeting just the other day. It let me authenticate and verify an email account, but before I could even use it, it locked up and asked me for my phone number. This overreach is out of control.
Are you writing off 2fa as a whole, or just SMS? Aside from a full database breach, why would requiring me to use a security key or authenticator app be a bad idea? Physical theft is a lot harder (even just due to physical distance from a hacker) than stealing my password, which can happen at any distance.
As a whole for social media at least.
For items that are of national security and high sensitivity in the business world, personal devices are regularly being used in many cases (Non Gov Furnished Equipment) as well, and that thoroughly defeats the purpose too.
The people that seek that level and volume of data are not usually simple amateurs that stumble upon script tools; they are usually engineers, info warriors, and even massive operations themselves with funding, skill, and human resources to get what they want. The best ways to secure data are at the system level and by not collecting data that is not needed for direct relevance to system function to begin with.
Personal phone numbers have no relevance to apps like Twitter or Facebook beyond facilitating their personal information and ID lust.
Token based 2fa does not leak any information to the service and it has a benefit of preventing other types of attacks on the functions that the system is supposed to do. There is literally no reason to be against TOTP or WebAuthn.
I don’t agree. At worst it just introduces a “hey I lost my phone” customer support backdoor that may be weaker than what was there before.
It’s not any worse than the “hey I forgot my password” support backdoor.
If you have a support backdoor, it doesn’t matter what technology you use. That’s not a technology problem.
That’s a security flaw. Backup codes are the fix if you get locked out. Sure, the attacker could find the backup codes, but that can be a challenging task.
And at best? And what about on average?
How could you ever guarantee that when registration for many services is conducted on such a wide variety of Internet-based web forms that are integrated into web sites?
That's not logical.
I've even seen sites where registration is done on sites with expired certs. Not everyone registers directly within the service itself, and there are plenty of cases where config and security are not implemented and managed properly.
You can guarantee that TOTP and WebAuthn do not share personal information because their implementation does not involve the use of any personal information.
>I've even seen sites where registration is done on sites with expired certs. Not everyone registers directly within the service itself, and there are plenty of cases where config and security are not implemented and managed properly.
I might be missing something, but what does that have to do with the efficacy of token-based 2FA?
Web forms allow social media sites to capture bare phone numbers and store them in other places than just for authentication services. The places they store these numbers are often exposed to the public and to partners for a fee, along with personal data, which regularly is connected to other personal data on each account user. 2FA does not keep your account secure, and is just a bogus ploy by social and other platforms to get your phone number, if most of the personally identifiable information a site stores on you can be scraped ALONG WITH YOUR PHONE NUMBER, as it was from a social media site (which is exactly what happened in the original article cited).
You are missing the point of the GP’s comment. Token based 2fa does not involve phone numbers.
Most people who talk about 2fa being good are talking about TOTP or security keys. Phone number based 2fa is awful for a variety of reasons.
Ever heard of YubiKey, Google Authenticator or Authy?
At the risk of sounding rude, I don’t think you understand how modern 2FA works. No phone number is involved.
Your parent comment is based on misinformation and is the top comment; please consider editing or deleting it.
You have not properly read my other comments within this post. That is arrogantly presumptive, and overvaluing the ideal that downvotes should suppress freedom of opinion.
I have, actually - they don’t make any sense. What about TOTP are you opposed to? That’s modern 2FA, not something related to phones.
>personal devices are regularly being used in many cases (Non Gov Furnished Equipment) as well, and that thoroughly defeats the purpose too.
U2F and WebAuthn protect against phishing. This protection applies regardless of whether you use a personal device or not.
Even more relevant, one of the main benefits of 2FA is securing people who reuse passwords. Similarly, that gained protection is not lost by using a personal device.
System rules can be, and often are, configured to prevent password reuse well before 2FA. They have also enforced password complexity for ages now, before 2FA... 2FA was invented and foisted on everyone without real necessity and demand involved. Tying vital security to random, and often personal, mobile devices that aren't properly secured and registered is reckless. Text messages also aren't properly secure, and neither are Wi-Fi and Bluetooth in many cases... It's not logically sound to say 2FA creates additional security in any other sense but within the technical complexity added to authentication.
None of what you mentioned is advanced security if user phone numbers are stored and accessible along with their personal data.
Social engineering alone from being able to call and text users and socially engineer access to their accounts through scams with the sheer amount of personal data that social sites and apps greedily and unnecessarily collect on them.
Social media surveillance is a gold mine of data for a social engineer these days, specifically BECAUSE of how invasive it is. 2FA does not protect it; it only creates a secure login. It does not secure data beyond verifying a user has the phone tied to the account. A mobile device is not a footprint nor proof of ID; it can be physically lost or stolen, or even cloned, which has happened often.
>System rules can, and often are configured to prevent password reuse
How? And even if it's not verbatim password reuse, people often choose extremely similar passwords such that given one password, the other one can be guessed in a few guesses.
Password complexity requirements don't stop password reuse.
>Tying vital security to random, and often personal, mobile devices that aren't properly secured and registered is reckless.
I agree that SMS is the worst form of 2FA. There are others though.
>It's not logically sound to say 2FA creates additional security in any other sense but within the technical complexity added to authentication.
You're conflating SMS 2FA with all forms of 2FA. There are other forms. The biggest threat that people face today is phishing. That's stopped by U2F/WebAuthn. One of the next biggest threats is credential stuffing. That's stopped by all forms of 2FA, regardless of how weak SMS is.
>Social engineering alone from being able to call and text users and socially engineer access to their accounts through scams with the sheer amount of personal data that social sites and apps greedily and unnecessarily collect on them.
U2F and WebAuthn protect against these types of phishing attacks.
>A mobile device is not a footprint nor proof of ID, it can be physically lost or stolen, or even cloned, which has happened often.
So use a different type of 2FA than SMS.
> System rules can, and often are configured to prevent password reuse well before 2FA.
That does not at all help people who reuse passwords from one site on another.
I assume he mostly means SMS. And I fully agree; ever since I got my security key I've stopped using SMS (though I never really had problems with people trying to social engineer my telecom provider). It's way more secure and it's somewhat permanent compared to a phone number, especially if left at home (since realistically, unless you're commuting a lot, you don't need it). The biggest perceived risk imo is when travelling (especially since changing countries will most likely trip any account session). Even authenticator apps are better than 2FA through SMS.
You lose access to the security key or the key stops working.
Buy two keys. Your phone is probably a key already, so just one additional key.
Give copies of the keys to all your co-workers, and leave one under the doormat too for a good time... Hah!
All the added complexity of implementing minimum character limits on passwords and requiring them to be changed every 3 months literally drove people to write passwords on Post-its and put them on PC monitors back in 2019... Some things never change...
Maybe we should add second and third passwords, and then keep going until admins lose root access and just use sudo.... LOL!
A YubiKey under the doormat protects against one of the primary intended scenarios: preventing phishing. It's unlikely that a phisher on the other side of the world has access to your doormat. Moreover:
- Modern FIDO2 keys allow you to set a password (I think sites have to implement the newer FIDO2/WebAuthn standards rather than U2F to use this functionality). So then when someone takes it from under your doormat, it is worthless.
- Passkeys are coming. E.g. on Apple platforms they will be secured between devices using end-to-end encryption (through iCloud keychain) and they use biometric authentication to unlock (Face ID or Touch ID). This will make non-password authentication a lot more convenient.
I know, I've used them multiple times.
The thing is, no one can explain to me how it's better than just requiring 2+ passwords on each user account. You can't authenticate if you lose the Yubi when tech support is not available without circumventing the very process it was based upon... Nothing is fail-proof. Of course each specific use case is different.
If Facebook demanded I use a dongle or even biometrics, that would very well be the exact point I quit it though.
>The thing is, no one can explain to me how it's better than just requiring 2+ passwords on each user account.
Really? It seems pretty straightforward. In one case I have a physical object that must be physically stolen from me to access my account. In the other case, if I make 2 poor passwords, my account can be accessed from anywhere in the world, no physical access required. The pool of people who can realistically compromise my account drops exponentially.
>You can't authenticate if you lose the Yubi when tech support is not available without circumventing the very process it was based upon.
Perfect is the enemy of good. Some people sometimes losing their Yubi and having to authenticate in a different way one time is not a good reason to argue for not having them at all.
U2F ("Yubi") doesn't have a "password" that's exposed to the user (you), so the attacker would have to steal it in order to get its password. Meanwhile, two passwords are basically the same as having one long password, and if the attacker gets that, then they're in.
(Yes, if the attacker can factor very large prime numbers, then they can get the "Yubi password", but if they can do that, there's a lot of bitcoin they could steal.)
U2F also signs the auth with the site's domain name, so even if the user tries to log into faceb00k.com (zeros), U2F won't let the attacker reuse the credentials on facebook.com.
This does require that you actually lose access without the second factor. In higher security environments this is enforced - if you lose the U2F device, then you can't log in. Obviously if the site lets you log in without the device then having the device doesn't actually matter.
Lost device flow is a weakness, but typically they're more involved and require the attacker to have more details about the user than a simple phish attack would have access to.
> The thing is, no one can explain to me how it's better than just requiring 2+ passwords
I'm sure many people can explain this. It's not hard. FIDO2 tokens are not phishable, the domain name is part of the challenge.
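To make concrete what the comments above describe (U2F signing the authentication with the site's domain name, and the domain being part of what a FIDO2 token signs), here is an added example, not code from the thread or from any FIDO vendor. It uses Go's standard-library ECDSA over P-256 (the ES256 algorithm WebAuthn uses); the `clientData` and `assertion` types are simplified stand-ins for WebAuthn's clientDataJSON and authenticatorData, and facebook.com / faceb00k.com are the thread's own illustration, used here as constructed values.

```go
// Added example (not from the thread): how a WebAuthn-style assertion is bound to the
// relying party's domain, so an assertion obtained by a lookalike site cannot be
// replayed against the real one. Simplified stand-ins for clientDataJSON/authenticatorData.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData stands in for clientDataJSON. The browser, not the web page, fills in
// the origin, and the authenticator signs over its hash, so a page cannot alter it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type assertion struct {
	RPIDHash   [32]byte // sha256 of the RP ID the browser asked the authenticator to use
	ClientJSON []byte
	Signature  []byte
}

// authenticator holds one key pair per RP ID, created at registration; it never
// exposes a private key, which is why nothing phishable is typed by the user.
type authenticator struct {
	keys map[string]*ecdsa.PrivateKey
}

func newAuthenticator() *authenticator {
	return &authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// register creates a fresh key scoped to rpID and returns the public key for the server to store.
func (a *authenticator) register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// signedHash is sha256(authData || sha256(clientDataJSON)), with authData reduced to the RP ID hash.
func signedHash(rpIDHash [32]byte, clientJSON []byte) []byte {
	cdHash := sha256.Sum256(clientJSON)
	h := sha256.Sum256(append(rpIDHash[:], cdHash[:]...))
	return h[:]
}

// assert signs with the key scoped to rpID. The browser supplies rpID and origin,
// so a phishing page can only ever obtain an assertion naming its own domain.
func (a *authenticator) assert(rpID, origin, challenge string) (*assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential scoped to " + rpID)
	}
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return nil, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedHash(rpHash, cd))
	if err != nil {
		return nil, err
	}
	return &assertion{RPIDHash: rpHash, ClientJSON: cd, Signature: sig}, nil
}

// verify is the relying party's side: expected origin, expected RP ID hash,
// the challenge it issued for this login, and a valid signature under the stored key.
func verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, asr *assertion) error {
	var cd clientData
	if err := json.Unmarshal(asr.ClientJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("wrong type or challenge (stale or replayed assertion)")
	}
	if cd.Origin != origin {
		return fmt.Errorf("origin mismatch: assertion was made for %s", cd.Origin)
	}
	if asr.RPIDHash != sha256.Sum256([]byte(rpID)) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedHash(asr.RPIDHash, asr.ClientJSON), asr.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

// demo registers with facebook.com, then reports whether a legitimate login verifies
// and whether anything obtained via the lookalike faceb00k.com is rejected.
func demo() (legitOK bool, phishRejected bool, err error) {
	auth := newAuthenticator()
	pub, err := auth.register("facebook.com")
	if err != nil {
		return false, false, err
	}
	legit, err := auth.assert("facebook.com", "https://facebook.com", "nonce-1")
	if err != nil {
		return false, false, err
	}
	legitOK = verify(pub, "facebook.com", "https://facebook.com", "nonce-1", legit) == nil

	// At the lookalike, the browser hands the authenticator rpID "faceb00k.com": no credential.
	_, err = auth.assert("faceb00k.com", "https://faceb00k.com", "nonce-2")
	noCredential := err != nil

	// Even if the victim had a credential there, what it signs names faceb00k.com,
	// so relaying that assertion to facebook.com fails verification.
	if _, err := auth.register("faceb00k.com"); err != nil {
		return false, false, err
	}
	relayed, err := auth.assert("faceb00k.com", "https://faceb00k.com", "nonce-2")
	if err != nil {
		return false, false, err
	}
	relayRejected := verify(pub, "facebook.com", "https://facebook.com", "nonce-2", relayed) != nil
	return legitOK, noCredential && relayRejected, nil
}

func main() {
	legitOK, phishRejected, err := demo()
	fmt.Println("legitimate login accepted:", legitOK, "| phished assertion rejected:", phishRejected, "| err:", err)
}
```

The contrast with "2+ passwords" is visible in `assert` and `verify`: nothing the user could type into a lookalike page is ever produced, and the server-issued challenge plus the signed origin mean an assertion is good for exactly one login at exactly one domain.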
> All the added complexity of implementing minimum character limits on passwords and requiring them to be changed every 3 months literally drove people to write passwords on post its and put them on PC monitors back in 2019... Some things never change...
This does seem a bit silly, but is also the "logical" thing for many people, who won't be able to remember all of their different passwords and don't know of any better solution - thus the less tech savvy will store their passwords in a text file, a spreadsheet, or a post it note on their computer.
Personally, I don't know any of my passwords anymore. Everything is randomly generated by KeePass with the password databases being distributed across my devices or SD cards/HDDs for backups (encrypted). Once you stop thinking of passwords as something that you should "know", but rather something that you "have", then it becomes way easier. Far too many people have the wrong mindset and attempt to use the same password for multiple sites - they're one breach away from having a really bad time.
And yet, somehow we don't really talk about that and don't educate people. I don't believe that in school or university, across more than a decade of education a password manager of any sort was ever mentioned, be it a web based one or a file based one. Not even proper encryption (outside of SSL/TLS, but for websites), no mentions of PGP/GPG either. And that's after getting a Master's Degree in Software Engineering. Of course, I talked with peers and other people, including professors about these topics, but they were never officially covered in any of the courses.
That makes me think that outside of ads on YouTube for popular SaaS offerings in the space, it's a pretty dire situation for the average person.
> Give copies of the keys to all your co-workers, and leave one under the doormat too for a good time... Hah!
Straw man, not going to address this.
> write passwords on post its and put them on PC monitors back in 2019
This is fine
> requiring them to be changed every 3 months
NIST recommends against this
I don't really get your post.
> I don't really get your post.
That's because we are going down a rabbit hole far away from the original premise... We are talking mostly about social media here (as cited above) using 2FA... 2FA in more high value settings is a separate discussion.
In private settings, 2FA can still be compromised by data scraped from social media, that catalogues data even on people who do not create social media profiles.
I am not arguing against the technical merits of how 2FA operates, but even with a YubiKey, a user with system access can be compromised if they are physically extorted or abducted along with their key. The real world is a factor in security; it is not overcome by encryption.
I have listed several aspects of flaws to the security model in other posts here. Arguing about the technical bones of 2FA is a distraction/sidebar from those other valid points.
You shouldn't be using sms as 2fa anyways. It's barely better than no 2fa at all. Use an authenticator app.
The workflow of most big apps is pushing to get your phone number, validating it through SMS, and after that allowing you to use other 2FA. It's stupid from a security point of view.
SMS 2FA never should have been deployed. It's a disaster and we'll be cleaning up this mess for decades.
Even before all the robo-call Armageddon started, I was getting flooded with calls whenever I logged into Azure, which was the first time I was required to use 2FA. I would get calls from strange sources literally seconds after authenticating.
Even trusted companies really don't need that private data.
Secure email accounts better and use it. That way mis-use of it on government resources at least would carry harsher penalties.
We should have established an email service within the postal service for every citizen, that would also regulate misuse and spam better... I wrote about it long ago, it should have been in place by now instead of corp run services being used for PII things. Gmail, Google, and many other corp run services are being used for very critical and sensitive things (Not referring to contracted services) that never should be the case.
It's true the publicized SS7 attacks brought forward the timeline with which SMS based auth should be deprecated, but "never should have been deployed" is a bit much. There simply wasn't the infrastructure to support anything else. Hardware RSA SecurID keys from the 90s wouldn't have scaled.
When Twitter implemented its SMS 2FA, TOTP was already standard.
Yes, but those sweet phone numbers are a valuable targeting product.
Try using TOTP 2FA instead of SMS. No phone number needed and it's much easier to use. It doesn't depend on a device you can lose nor a channel that can get hacked.
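As a concrete illustration of the earlier point that token-based 2FA leaks no personal information to the service, and of the TOTP suggestion here, the following is an added example (not code from the thread) of HOTP/TOTP as defined in RFC 4226 and RFC 6238, written in Go. The only thing enrolled is a random shared secret; the RFC's published test secret is used so the output can be checked against the standard's vectors.

```go
// Added example (not from the thread): HOTP (RFC 4226) and TOTP (RFC 6238) in Go.
// Enrollment shares one random secret; no phone number or other identifier is involved.
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// hotp returns the HOTP value for a shared secret and counter (RFC 4226, section 5).
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: the low 4 bits of the last byte select a 4-byte window.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp derives the HOTP counter from Unix time divided into fixed steps (RFC 6238).
func totp(secret []byte, t time.Time, step time.Duration, digits int) string {
	return hotp(secret, uint64(t.Unix())/uint64(step.Seconds()), digits)
}

// verifyTOTP is the server-side check: accept the current 30-second window or its
// immediate neighbours to tolerate clock skew, comparing in constant time. A real
// server must additionally refuse a code it has already accepted in the same window.
func verifyTOTP(secret []byte, code string, now time.Time) bool {
	for skew := -1; skew <= 1; skew++ {
		candidate := totp(secret, now.Add(time.Duration(skew)*30*time.Second), 30*time.Second, 6)
		if hmac.Equal([]byte(candidate), []byte(code)) {
			return true
		}
	}
	return false
}

func main() {
	// RFC 4226 / RFC 6238 test secret; a real enrollment uses a fresh random secret per account.
	secret := []byte("12345678901234567890")
	fmt.Println("HOTP counter 0:", hotp(secret, 0, 6)) // 755224 per RFC 4226 Appendix D
	fmt.Println("TOTP now:      ", totp(secret, time.Now(), 30*time.Second, 6))
}
```

Everything the service stores is the per-account secret and the last accepted time step; the authenticator app and the server compute the same six digits independently, which is why this scheme needs no channel to the user at all, let alone a phone number.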
That model is possibly better for securing (high value) private systems, but not for social media and non-contracted (public) services like Gmail.
As I've said in other places here, those other sites and public (corporate owned & improperly-regulated) services need to be properly governed and instructed to not store data they don't need at all, like phone numbers, passports, and driver's licenses. There should be harsher penalties imposed on companies for data compromises to discourage unnecessary personal data gathering.
What is the reasoning behind your first paragraph?
I agree wholeheartedly with the second paragraph, but it will sadly never happen.
I had to test some calendar links and decided to make a test account on Yahoo for work to share. I quit at this step.
> We'll send you a code to verify this mobile number. Message and data rates may apply.
Luckily I found a defunct personal account which I hadn't used in over a decade. I assume they had an opt-out at a later step, but there's no way to claw back anything they shared before that point.
> A customer required me to use Skype for a meeting just the other day, It let me authenticate and verify an email account, but before I could even use it, it locked up and asked me for my phone number. This over reach is out of control.
I can't recommend Whereby enough.
You are absolutely wrong. 2FA is very effective in protecting accounts against password steals.
I fail to understand how 2FA TOTP gives you junk calls?
SMS based 2FA is not effective but that's nothing new.
> I fail to understand how 2FA TOTP gives you junk calls?
Companies pushing to have your phone number for 2FA, even when better alternatives are available, is what gives you junk calls.
> At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.
They didn't notice that someone managed to scrape 5,485,636 accounts, after they were made aware of the issue?
Not sure if I’m reading this right, but what makes the data set interesting is the attacker used a known email address list to get the associated Twitter ID.
The scraped public data is only interesting if the email address identifies the victim and the public content compromises the victim in some way.
As far as not noticing scraping of the accounts:
If all that is needed to scrape public Twitter data is the Twitter ID, the site is likely being scraped constantly.
Yes, it's safe to assume that public data is being scraped off Twitter constantly, especially with their history of nerfing the APIs they provide. And for most of the accounts affected by this breach the impact seems low.
But from an engineering standpoint, they failed to audit a somewhat obscure, (presumably) low-traffic endpoint that received an extraordinary amount of attention. It's kind of wild they're willing to admit such incompetence.
It’s a leak in the Twitter Android app signup flow: https://hackerone.com/reports/1439026 Not sure if iOS is also affected, thread doesn’t say, but the API doesn’t look Android-specific. Leak was there for more than half a year.
Unless you believe Twitter is dying and few people are signing up, I fail to see how you can characterize that as an obscure, low traffic endpoint.
Edit: On careful reading, it’s actually the onboarding flow, so even if you already have an account you should still hit it when starting to use the app for the first time.
Just like they did not notice bots had invaded the platform
The use of phone verification to log in or sign up is a solution looking for a problem, and it solves nothing as it creates more problems.
Due to Twitter's poor security and use of SMS 2FA, which has been proven for years to be insecure as I have repeatedly said, now the SS7 2FA hacks, SIM-swapping and SMS phishing scams are going to be much scarier.
Henceforth, one can expect a Pegasus-like zero day to be mass deployed on to Twitter users in that breach and remotely exploit their devices easily.
It's 2022, and we're still using SMS 2FA. Twitter should get a massive multi-million fine for this breach.
The problem is capturing more data for ad targeting. Security is just a way of tricking users into sharing their phone number. It’s basically the ad industry equivalent of the “think of the children” argument governments make against secure encryption.
>The use of phone verification to login or sign up, is a solution looking for a problem and it solves nothing as it creates more problems
It increases the cost of attacking Twitter. It does work, else they would not annoy users by asking for it.
Until recently they were asking for it because they were using it for ad targeting. It was discussed here https://news.ycombinator.com/item?id=31510865
What should Twitter do to fix the problem?
Standard OTP 2FA compatible with Google Authenticator
Settings > Security and account access > Security > Two-factor authentication > Authentication app
How do you even mitigate sim swapping attacks? I’m getting super paranoid from all the recent news but it seems like you literally can’t do anything about it because the phone companies are so shitty lol
Don't give services your phone number. Refuse to use services that demand your phone number.
Twitter has been a gigantic PITA about this. Consequently, I have to use nitter for everything. To be fair, I think I come out ahead, actually.
Companies need to start being fined real money for losing PII (personally identifiable information). Once the idea of holding PII translates into "This might cost us $100 million" companies will stop keeping PII.
Use TOTP instead of SMS.
Passkey will be helpful in this regard.
My understanding of passkeys is simple, but how is this different to any of the password managers right now? I use 1Password, which generates unique passwords on all my devices already, and has done so for over a decade at this point.
Answers to these questions can be found at https://support.apple.com/en-us/HT213305
Use a second SIM+number exclusively for all 2FA that is not publicly known (ie, not shared with friends or family or used for chat apps). They can't really SIM swap you if they don't know your number.
That doesn't help if the attackers manage to social-engineer telcos using other public information such as your name.
Yes. It does make it much harder though. They'd have to try every telco. Bonus points for using an online/obscure telco or sms relay.
Still vulnerable to a breach that exposes user data at any one of the services you've signed up for, unless you use a separate SIM for each.
SIM lock. My iPhone has a physical AT&T SIM that I lock. I don't want it to be an eSIM yet, so I can swap it to a different phone, which will prompt me for a PIN to unlock it.
Wrong type of sim swapping. What I suspect they are talking about is when someone uses social engineering to convince your phone provider to swap your account (and the phone number attached to it) to another sim. They then perform the SMS recovery/2fa method.
Often the first you know about it is when you realise that your phone has been disconnected from the network.
> How do you even mitigate sim swapping attacks?
Which won't work for many regions, and Google Voice numbers are blocked from a LOT of services—including PayPal which, lol, requires you to be authenticated to talk with support about issues of authentication (needless to say, I've refused to use them ever since).
Looks like I got lucky too. I went to check my account and my number needed to be reactivated. I used a free service to "verify my number" (because I don't have a US number, and would prefer not to hand it to Google anyhow) to get back the number I had had. I wouldn't be shocked if this continued as people are "abusing" the service--which is nightmare because of how many services still require a phone number despite it being known as a security issue for SMS and when it requires a US number and you are an expat, you're pretty screwed.
Google Voice randomly (?) disappeared my GV number I'd used for this purpose for over a decade -- or perhaps someone swapped it out. It's not clear to me.
My GV account still contains VMs and missed calls up to a date, then nothing since. But the account remains active.
> Google Voice
Q: How do you avoid your personal data being hoovered up by advertisers?
A: Route all your personal communication through the largest advertising agency in the world.
Nuts to that.
Also, only available in the US.
That does not seem to be the threat model for 2FA though
Imagine the panic when you realize Google reclaimed your number for inactivity because you haven't been sending texts or making calls, only receiving them, and you missed the couple of emails notifying you about the change. Now your number is under some random person's control.
Until Google cancels your free Gmail account because you were doing academic research in Google Docs about a topic that is on a “bad words” list written by some activist employee somewhere.
No support to get your Voice number back
Don't use SMS 2FA
You are still fairly resistant to sim-swapping in this case because they also need your password. The real concern with sim-swapping is password resets via sms.
So, Twitter got hacked and was pulled in by the FCC and has had to submit periodic reports on how they're keeping data secure. And then they got hacked again, and now they got hacked again.
I hope we'll see some real damages for once.
Damages… from the FCC, right?
Earlier, I removed my phone number from my Twitter for 2FA. This week, I got locked out, and had to verify my phone number. I immediately removed it after, and got locked out.
I really wish Twitter didn't have my phone number. I have a Yubikey and a TOTP 2FA app, I wonder why they needed it?
> I wonder why they needed it?
"Growth & engagement"
Every time a tech company asks you for a phone number it's never for security purposes, it's for data mining & ad-tracking purposes instead.
Twitter likes to pretend a phone number is optional for an account, but it isn't. 100% of the time it will eventually lock you out and require a number.
It is a bit of consolation that most of the accounts were bots :)
The article claims for Twitter a "zero-day" without giving any details. Is this better or worse than "mistakes were made"?
It suggests it was this one: https://hackerone.com/reports/1439026
"Today, Twitter has confirmed that the vulnerability used by the threat actor in December is the same one reported to and fixed by them in January 2022 as part of their HackerOne bug bounty program."
Twitter requires a phone number to use it. You can make an account without one, but this account is very soon going to get locked until you submit and verify a phone number, even if you just follow a lot of people. On some level I understand this: even following people sends a notification, and some people do use this for spam. And yet I wonder whether instead Twitter could just not show these notifications until, based on the user's activity, it's certain that it's a real human and not a bot.
Twitter does not require a phone number to use it. I have numerous multi-year old accounts and never have used a phone number, nor needed one to sign up etc (email).
> "This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability."
They did not have the logs to actually prove whether it had been performed or not? Gee
Forgive my ignorance (and far be it from me to typically defend Twitter), but, sure?
Not every vulnerability is part of a system that is being logged. And by virtue of a zero-day exploit being an exploit that is unknown to the owner of the code, well, then yeah... of course not.
Access logs are a pretty typical thing, regardless of what system. Also a best practice. And also part of many compliance frameworks.
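Picking up the two points made here, that an obscure endpoint receiving an extraordinary volume of requests should have stood out and that access logs are routine, the following is an added example (not from the thread, and not Twitter's code or endpoint) of the kind of detection pass a defender can run over ordinary web-server access logs, in Go. The log lines, client addresses and the path /api/account/lookup are constructed for illustration.

```go
// Added example (not from the thread): flag clients that hammer an account-lookup
// endpoint in access logs. Endpoint path, addresses and log lines are constructed.
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Common Log Format: client - - [timestamp] "METHOD path HTTP/x" status bytes
var logLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+`)

// lookupPath is a hypothetical endpoint that answers "is this email/phone registered?".
const lookupPath = "/api/account/lookup"

type finding struct {
	Client   string
	Requests int // hits on the lookup endpoint
	Distinct int // distinct lookup keys tried
}

// enumerationSuspects returns clients with more than maxRequests lookups. Real
// onboarding traffic checks one or two identifiers per client; enumeration walks a list.
func enumerationSuspects(logs string, maxRequests int) []finding {
	perClient := map[string]int{}
	keys := map[string]map[string]bool{}
	var order []string // preserve first-seen order for stable output
	sc := bufio.NewScanner(strings.NewReader(logs))
	for sc.Scan() {
		m := logLine.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		client, path := m[1], m[4]
		if !strings.HasPrefix(path, lookupPath) {
			continue
		}
		if _, seen := perClient[client]; !seen {
			order = append(order, client)
			keys[client] = map[string]bool{}
		}
		perClient[client]++
		// The query string carries the looked-up identifier, i.e. PII: count distinct
		// values here, but hash or redact them before logs are retained.
		if i := strings.Index(path, "?"); i >= 0 {
			keys[client][path[i+1:]] = true
		}
	}
	var out []finding
	for _, c := range order {
		if perClient[c] > maxRequests {
			out = append(out, finding{Client: c, Requests: perClient[c], Distinct: len(keys[c])})
		}
	}
	return out
}

// sampleLogs builds constructed log lines: one ordinary user, one client walking a list.
func sampleLogs() string {
	var b strings.Builder
	b.WriteString(`203.0.113.5 - - [22/Jul/2022:10:00:00 +0000] "GET /api/account/lookup?q=me%40example.com HTTP/1.1" 200 87` + "\n")
	b.WriteString(`203.0.113.5 - - [22/Jul/2022:10:00:02 +0000] "GET /home HTTP/1.1" 200 5120` + "\n")
	for i := 0; i < 6; i++ {
		fmt.Fprintf(&b, "198.51.100.7 - - [22/Jul/2022:10:00:%02d +0000] \"GET /api/account/lookup?q=user%d%%40example.com HTTP/1.1\" 200 87\n", i, i)
	}
	return b.String()
}

func main() {
	for _, f := range enumerationSuspects(sampleLogs(), 3) {
		fmt.Printf("ALERT client=%s lookups=%d distinct_keys=%d\n", f.Client, f.Requests, f.Distinct)
	}
}
```

Per-client counting is only the first cut: a scraper can spread requests across many addresses, so the endpoint's aggregate request rate should also be compared with its normal baseline, which is exactly the signal that a low-traffic endpoint suddenly drawing millions of requests would produce.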
Oh great, so next recruiters will be sending DMs to my defunct Twitter accounts to go with the emails to my defunct email addresses.
5.4 million records exposed. In the write up they show an example, but they redacted it.
Dodged a bullet there.
I was expecting this to be a lot worse before I saw the example, since most of the data is already public. Even if you set your account as private, the name, ID, location, description, avatar etc. is still publicly visible.
The worst part is that you can find the email address and phone number, but in order to obtain that information, you already had to have one of those. So you can't just take a random account and find out their phone number if you have no idea what email/number it is already registered to.
Wouldn't this be a good time to estimate the number of bots?
Roughly MAU minus 5.4M
They should stop forcing their users to add a phone number; this bug probably sent hundreds of people to jail in some countries.
Pretty sure I don't have a phone number on my account.
Me neither, but I signed up back in the Dark Ages. Pretty sure that if you sign up today there's no way to avoid giving them a phone no. For me that would be reason enough to just say no, but most people give more fucks about these things than I do.
As far as I remember, I signed up without a phone number, and got immediately locked out. I could get access back by providing my number.
I wrote to support that I would rather not use Twitter than give my number. They unlocked my account.
They’ve required a phone number every time I’ve tried to sign up. They don’t have it in the sign up flow - they wait until you try to sign in and won’t let you proceed without it.
I'm not sure if it's mandatory now either. The sign up button on the front page of Twitter.com says "Sign up with a phone number or email address". If you click on it, it defaults to a form with a name, phone number and date of birth, but there's a link titled "Use email instead" that changes it to name/email/date of birth.
It’s effectively mandatory. If you register an account without it, you will be banned within fifteen minutes, even if you do absolutely nothing, for “suspicious activity”. The only recourse? Handing over your phone number. Apparently that absolves you of any “suspicious activity”.
Give it a go in an incognito tab now, you’ll see. It’s intentionally deceptive, and they’ve shown time and time again they can’t be trusted with the data.
I just signed up recently with email (deleted the account after my work was done); it asks you for a phone number after 5 minutes of using it.
It blocks you from doing anything unless and until you give them your phone number.
And yet, Twitter still won't let us delete our own direct messages (for some semblance of safety). Frustrating.
I can see a 600M fine coming... or maybe 60B... and you know who will keep it.
40b fine and they will want to sell to musk at a lower price to get rid of it quickly lol
BTW, the person who discovered the issue on HackerOne got a $5k bounty.