{"id":660162,"date":"2013-05-24T14:47:44","date_gmt":"2013-05-24T18:47:44","guid":{"rendered":"http:\/\/betanews.com\/?p=154438"},"modified":"2013-05-24T14:47:44","modified_gmt":"2013-05-24T18:47:44","slug":"stop-twitter-two-factor-verification-can-be-hacked-in-less-than-140-characters","status":"publish","type":"post","link":"https:\/\/mereja.media\/index\/660162","title":{"rendered":"STOP: Twitter two-factor verification can be hacked in less than 140 characters"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"alignright size-medium wp-image-141443\" title=\"face palm head in hands embarassed\" src=\"http:\/\/betanews.com\/wp-content\/uploads\/2013\/04\/face-palm-head-in-hands-embarassed-200x300.jpg\" alt=\"\" width=\"200\" height=\"300\" \/>Fans of social media were reassured this week as Twitter finally <a href=\"http:\/\/betanews.com\/2013\/05\/22\/twitter-follows-the-flock-introduces-two-factor-authentication\/\" >rolled out<\/a> two-step verification, ostensibly making the service more secure for its millions of customers. This is a feature that other major companies like Microsoft, Google, and Facebook have already implemented and, on the surface, seemed a victory.<\/p>\n<p>Not so fast. Security researchers at F-Secure are taking a closer look and deem the implementation &#8220;not great&#8221;. The problem, <a href=\"http:\/\/www.f-secure.com\/weblog\/archives\/00002560.html\" >according<\/a> to Sean Sullivan, is that &#8220;an attacker could use\u00a0SMS spoofing\u00a0to disable 2FA if he knows the target&#8217;s phone number&#8221;.<\/p>\n<p>&#8220;The STOP command removes the phone number from the account &#8212; and that in turn disables Twitter&#8217;s 2FA&#8221;, says Sullivan, who did extensive testing on this.<\/p>\n<p>The problem is this: Twitter uses SMS\u00a0as a way to send and receive Tweets. The social network also makes use of SMS for its new authentication service. 
However, in a statement BetaNews\u00a0received from Mr. Sullivan, it is pointed out that &#8220;Microsoft uses SMS for 2FA, but Twitter is trying to have its cake and eat it too: social security.\u00a0Twitter added 2FA SMS, but *didn&#8217;t* adjust how it uses SMS for Tweeting&#8221;.<\/p>\n<p>Sullivan also pointed out that &#8220;Facebook confirms with a code when you add a phone and it shifted focus from posting status messages via SMS a few years ago&#8221;. He wraps up his statement by explaining &#8220;Microsoft, Google, and Facebook all have account recovery processes. Twitter has just a password reset page. Nothing else. No security words. Nothing&#8221;.<\/p>\n<p>Twitter, in the course of its announcement, points out this feature is a means of paving the way for future security enhancements. Perhaps those will be better implemented than what has rolled out this week.<\/p>\n<p>Image Credit: <a href=\"http:\/\/www.shutterstock.com\/\" >Shutterstock<\/a> \/\u00a0<a id=\"portfolio_link\" href=\"http:\/\/www.shutterstock.com\/gallery-838690p1.html\">Denis Belyaevskiy<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Fans of social media were reassured this week as Twitter finally rolled out two-step verification, ostensibly making the service more secure for its millions of customers. 
This is a feature that other major companies like Microsoft, Google, and Facebook have already implemented and, on the surface, seemed a victory. Not so fast. Security researchers at [&hellip;]<\/p>\n","protected":false},"author":7430,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-660162","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/posts\/660162","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/users\/7430"}],"replies":[{"embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/comments?post=660162"}],"version-history":[{"count":0,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/posts\/660162\/revisions"}],"wp:attachment":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/media?parent=660162"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/categories?post=660162"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/tags?post=660162"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}