STOP: Twitter two-factor verification can be hacked in less than 140 characters
Fans of social media were reassured this week as Twitter finally rolled out two-step verification, ostensibly making the service more secure for its millions of customers. This is a feature that other major companies like Microsoft, Google, and Facebook have already implemented and, on the surface, it seemed a victory.
Not so fast. Security researchers at F-Secure are taking a closer look and deem the implementation “not great”. The problem, according to Sean Sullivan, is that “an attacker could use SMS spoofing to disable 2FA if he knows the target’s phone number”.
“The STOP command removes the phone number from the account — and that in turn disables Twitter’s 2FA”, says Sullivan, who did extensive testing on this.
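The flaw Sullivan describes, modeled next to one possible mitigation. This is an added example, not Twitter's or F-Secure's code: the `Account` fields, handler names, and phone number are all hypothetical, and the hardened design (STOP never lowers authentication requirements) is an assumption about how such a handler could be built.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class Account:
    phone: Optional[str]
    sms_opted_out: bool = False
    two_factor: bool = True

def _by_sender(accounts: Dict[str, Account], sender_id: str) -> Optional[Account]:
    # The SMS sender ID is the only lookup key, and it is not authenticated.
    return next((a for a in accounts.values() if a.phone == sender_id), None)

def handle_stop_weak(accounts: Dict[str, Account], sender_id: str) -> str:
    """Behaviour described above: STOP unlinks the phone, and 2FA goes with it."""
    acct = _by_sender(accounts, sender_id)
    if acct is None:
        return "unknown sender"
    acct.phone = None
    acct.two_factor = False          # side effect of losing the phone number
    return "phone removed"

def handle_stop_hardened(accounts: Dict[str, Account], sender_id: str) -> str:
    """STOP only records an opt-out; the login requirement is left untouched."""
    acct = _by_sender(accounts, sender_id)
    if acct is None:
        return "unknown sender"
    acct.sms_opted_out = True        # fail closed: 2FA stays on, so login now
    return "opted out"               # needs a backup code (assumed to exist)

def disable_two_factor(acct: Account, session_ok: bool, factor_ok: bool) -> bool:
    """Turning 2FA off requires a logged-in session and a fresh second factor."""
    if not (session_ok and factor_ok):
        return False
    acct.two_factor = False
    return True

def demo():
    sender = "+15550100"             # constructed number, stands in for a spoofed sender ID
    weak = {"alice": Account(phone=sender)}
    hard = {"alice": Account(phone=sender)}
    handle_stop_weak(weak, sender)
    handle_stop_hardened(hard, sender)
    return weak["alice"].two_factor, hard["alice"].two_factor

if __name__ == "__main__":
    print(demo())
```
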
Michael Sauers is currently the Director of Technology for Do Space in Omaha, NE. Michael has been training librarians in technology for the past twenty years and has also been a public library trustee, a bookstore manager for a library friends group, a reference librarian, serials cataloger, technology consultant, and bookseller since earning his MLS in 1995 from the University at Albany’s School of Information Science and Policy. Michael has also written dozens of articles for various journals and magazines and his fourteenth book, Emerging Technologies: A Primer for Librarians (w/ Jennifer Koerber) was published in May 2015 and more books are on the way. In his spare time he blogs at travelinlibrarian.info, runs The Collector’s Guide to Dean Koontz Web site, takes many, many photos, and typically reads more than 100 books a year.