STOP: Twitter two-factor verification can be hacked in less than 140 characters
Fans of social media were reassured this week as Twitter finally rolled out two-step verification, ostensibly making the service more secure for its millions of customers. This is a feature that other major companies like Microsoft, Google, and Facebook have already implemented and, on the surface, it seemed like a victory.
Not so fast. Security researchers at F-Secure are taking a closer look and deem the implementation “not great”. The problem, according to Sean Sullivan, is that “an attacker could use SMS spoofing to disable 2FA if he knows the target’s phone number”.
“The STOP command removes the phone number from the account — and that in turn disables Twitter’s 2FA”, says Sullivan, who did extensive testing on this.
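The weakness Sullivan describes comes down to one design decision: an inbound SMS carries no authenticated proof of who sent it, so a handler that lets the sender ID alone change an account's authentication state is trusting something it cannot verify. The toy model below is an added illustration, not Twitter's code or F-Secure's test harness; the account store, phone numbers, and function names are all constructed assumptions. It contrasts a handler that removes the phone and disables the second factor on STOP with one that honours the carrier opt-out (no more outbound SMS) but leaves the second factor in place and requires an authenticated session to unbind the number.

```python
"""Toy model of an inbound-SMS 'STOP' handler (added example, not from the page).

Constructed data: one account keyed by its phone number, used for SMS 2FA.
Both handlers receive the same unauthenticated inbound 'STOP' message;
only the sender ID (spoofable by design of SMS) identifies the sender.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Account:
    handle: str
    phone: Optional[str]
    two_factor_enabled: bool
    sms_suppressed: bool = False          # carrier opt-out honoured?
    audit: List[str] = field(default_factory=list)


def make_store() -> Dict[str, Account]:
    """Constructed sample: one user with SMS-based 2FA bound to a number."""
    return {"+15555550100": Account("alice", "+15555550100", True)}


def weak_stop_handler(store: Dict[str, Account], sender: str) -> Optional[Account]:
    """Weak design: STOP unbinds the phone, which in turn disables 2FA.

    The only thing checked is the sender ID of an inbound SMS, so whoever
    can make a message appear to come from the victim's number can strip
    the second factor without ever authenticating to the account.
    """
    acct = store.get(sender)
    if acct is None:
        return None
    acct.phone = None
    acct.two_factor_enabled = False
    acct.audit.append("STOP: phone removed, 2FA disabled (sender ID only)")
    return acct


def hardened_stop_handler(store: Dict[str, Account], sender: str) -> Optional[Account]:
    """Hardened design: STOP only affects message delivery, never auth state.

    Outbound SMS is suppressed (the opt-out is honoured), the second factor
    stays enabled, and the owner is told out-of-band so a spoofed STOP is
    visible rather than silent. The user falls back to backup codes until
    they re-enable delivery from an authenticated session.
    """
    acct = store.get(sender)
    if acct is None:
        return None
    acct.sms_suppressed = True
    acct.audit.append("STOP: SMS delivery suppressed; 2FA unchanged; owner notified by email")
    return acct


def remove_phone_authenticated(acct: Account, session_verified: bool) -> bool:
    """Unbinding the number is an account-security change: it must come from
    a session that has already passed the full login, not from an SMS."""
    if not session_verified:
        acct.audit.append("phone removal rejected: no authenticated session")
        return False
    acct.phone = None
    acct.two_factor_enabled = False
    acct.audit.append("phone removed from authenticated session")
    return True


def login_needs_second_factor(acct: Account) -> bool:
    """What the login path asks for; in the hardened model a STOP does not change it."""
    return acct.two_factor_enabled


if __name__ == "__main__":
    store = make_store()
    weak_stop_handler(store, "+15555550100")
    print("weak:", login_needs_second_factor(store["+15555550100"]))       # False
    store = make_store()
    hardened_stop_handler(store, "+15555550100")
    print("hardened:", login_needs_second_factor(store["+15555550100"]))   # True
```

The hardened handler still satisfies the carrier requirement that STOP halts messages; what it refuses to do is let an unauthenticated channel act as an authenticated one. A practitioner reviewing any SMS-driven feature can apply the same test: does a message whose sender ID cannot be verified ever change account state that a login would otherwise protect?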
Michael Sauers is the Technology Manager for Do Space in Omaha, NE. After earning his MLS in 1995 from the University at Albany's School of Information Science and Policy Michael spent his first 20 years as a librarian training other librarians in technology along with time as a public library trustee, a bookstore manager for a library friends group, a reference librarian, a technology consultant, and a bookseller. He has written dozens of articles for various journals and magazines and has published 14 books ranging from library technology, blogging, Web design, and an index to a popular horror magazine. In his spare time, he blogs at TravelinLibrarian.info, runs The Collector's Guide to Dean Koontz website at CollectingKoontz.com, takes many, many photos, and typically reads more than 100 books a year.