Slashdot Mirror


How To Hack Twitter's Two-Factor Authentication

An anonymous reader writes with this excerpt from PC Mag's SecurityWatch: "We've pointed out some problems with Twitter's new two-factor authentication. For example, since just one phone number can be associated with an account, Twitter's two-factor authentication won't work for organizations like the Associated Press, The Onion, or The Guardian. They were hacked; they could still be hacked again in the same way. However, security experts indicate that the problem is worse than that, a lot worse."

4 of 58 comments

  1. worse problem? by mcmonkey · · Score: 4, Insightful

    the problem is worse than that, a lot worse

    Problem? Worse? This is twitter we're talking about right?

    If sending an unencrypted email is like sending a postcard (kids, ask your parents) in pencil, twitter is like a sign you stick in your lawn.

    Anyone can drive by and stick a sign in your lawn, make it look like you support any cause, or take any sign you've put out.

    Now if people put undue weight to those signs, if they swing the markets, then the issue--the problem--is people who don't know the difference between reliable and unreliable sources.

    The problem isn't twitter, it's employees in the media and so-called journalists who'd rather sit on their bum checking their cell phone than go out and do their job.

  2. Re:Thank you by Zerth · · Score: 5, Insightful

    As long as stock market bots and day traders use twitter activity to guide their behavior, I care.

  3. This can't be stopped. by 140Mandak262Jamuna · · Score: 4, Insightful

    The fundamental problem here is that the user logs into a fake twitter site and gives the login credentials. Then gives the second-factor authentication too. This scenario cannot be protected against no matter how many factors you use. In fact, if I keep logging into a fake google site and keep entering all the credentials, how can google stop it?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact

  4. A similar solution works very well, no GPS by raymorris · · Score: 3, Insightful

    I'm not familiar with Toopher specifically, but the general idea works quite well. We've been doing it for fifteen years.
    I always post on Slashdot using a small Android phone in Bryan, TX, and my ISP is Suddenlink. I've posted on Slashdot hundreds, if not thousands of times. 20 minutes after I make this post from here in Bryan, if someone claiming to be me tries to log in using an iPhone in Canada, that's guaranteed to be bogus. That's a simple, obvious, and common example.

    Now take that same general idea and apply fifteen years of R&D and real world experience. You can catch most unauthorized login attempts. If you do any late-night surfing, on sites like GirlsGoneWild.com, you may have noticed half of those sites say "protected by Strongbox". They do that because it works.
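One way to implement the device/ISP/location consistency check raymorris describes, as an added example that is not part of the thread and not Toopher's or Strongbox's code: a login attempt is scored against the same user's successful logins in the previous 20 minutes. The region pair table, the ISP names for the bogus attempt and all events are constructed for the example.

```python
"""Login-context anomaly check (added example; all data below is constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class LoginEvent:
    user: str
    at: datetime
    device: str   # coarse device class, e.g. "android-phone", "iphone"
    isp: str
    region: str   # coarse region label, e.g. "Bryan-TX"


# Hypothetical pairs of regions a person cannot travel between inside WINDOW.
# A real deployment would derive this from geolocation; here it is a stub table.
FAR_APART = {frozenset({"Bryan-TX", "Toronto-ON"})}
WINDOW = timedelta(minutes=20)


def risk_score(history, attempt):
    """Return (score, reasons) for an attempt; higher means more suspicious.

    Only successful logins of the same user inside WINDOW before the attempt
    are considered, matching the "20 minutes later" scenario in the comment.
    """
    recent = [e for e in history
              if e.user == attempt.user
              and e.at <= attempt.at and attempt.at - e.at <= WINDOW]
    if not recent:
        return 0, []
    last = max(recent, key=lambda e: e.at)
    score, reasons = 0, []
    if frozenset({last.region, attempt.region}) in FAR_APART:
        score, reasons = score + 3, reasons + ["implausible travel"]
    if last.device != attempt.device:
        score, reasons = score + 1, reasons + ["device changed"]
    if last.isp != attempt.isp:
        score, reasons = score + 1, reasons + ["isp changed"]
    return score, reasons


def should_challenge(history, attempt, threshold=3):
    """True when the attempt should be blocked or step-up challenged."""
    return risk_score(history, attempt)[0] >= threshold


# Constructed sample data: one good login, then two attempts to score.
T0 = datetime(2013, 5, 23, 22, 0)
HISTORY = [LoginEvent("raymorris", T0, "android-phone", "Suddenlink", "Bryan-TX")]
BOGUS = LoginEvent("raymorris", T0 + WINDOW, "iphone", "ExampleISP", "Toronto-ON")
SAME = LoginEvent("raymorris", T0 + timedelta(minutes=5), "android-phone", "Suddenlink", "Bryan-TX")
```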