Twitter says a certain someone tried to discover the phone numbers used by potentially millions of twits

Twitter has admitted a flaw in its backend systems was exploited to discover the cellphone numbers of potentially millions of twits en masse, which could lead to their de-anonymization. In an advisory on Monday, the social network noted it had “became aware that someone was using a large network of fake accounts to exploit our …

  1. lglethal Silver badge
    Go

    Just curious

    If Twitter have the phone numbers for large numbers of twits, many of whom are also trolls, posting threats and the like, why are we not hearing about more trollish twits being cuffed for making death threats and online abuse?

    Yes, if they don't have their phone number linked, then naturally this wouldn't work, but I'd be willing to bet the vast majority of trollish twits are not that clever (otherwise they wouldn't be trolls, would they now?). So how come it's always just assumed people are anonymous and you either get off Twitter or put up with it?

    1. Anonymous Coward

      Re: Just curious

      They do. You just don't get many of the stalkers/bullies in the news unless it's a high profile case or a famous person.

      1. The Nazz

        Re: Just curious

        Speaking of being in the news, here's one way to deal with trolls and get in the news. : https://www.bbc.co.uk/news/uk-england-leeds-51379041.

        Comedy gold, for those of us lucky (unlucky?) enough to have the wonderful Ms Brabin as our MP.

        Quite a contrast to her prior ten years of association (IDK the details) with the BBC's vile Eastenders.

    2. Khaptain Silver badge

      Re: Just curious

      "why are we not hearing about more trollish twits being cuffed for making death threats and online abuse?"

      I can only presume that it would result in the Plod, TLAs having to admit that they have access to this information which would create a potential media nightmare for them. It's better for them to lurk in the background and wait for bigger fish...

    3. macjules

      Re: Just curious

      ..large numbers of twits, many of which are also trolls, posting threats and the like

      That's no way to talk about the President of the USA.

      1. Intractable Potsherd

        Re: Just curious

        No, it really is.

    4. Anonymous Coward

      Re: vast majority of trollish twits are not that clever

      "clever" is a very vague word. I would argue that some (many?) world-known figure trolls that appear on Twitter are "clever", as otherwise they wouldn't have become world-known. Even if you define "clever" as "intelligent", the same argument applies. You need some (special traits of) intelligence to have reached the very top, in politics or business, say. Even if you were to claim that getting to those tops requires a long and sustained path of backstabbing and bribery (combined with a lack of empathy), this still requires a certain, above-average level of cleverness / intelligence to perfect the art of backstabbing and bribery; lack of morals itself is not enough, methinks.

      1. Rich 11

        Re: vast majority of trollish twits are not that clever

        You need some (special traits of) intelligence to have got to reach the very top, in politics or business

        The primary trait being sociopathy, it seems.

        1. Roj Blake Silver badge

          Re: vast majority of trollish twits are not that clever

          Well-connected parents don't hurt either.

      2. Alister

        Re: vast majority of trollish twits are not that clever

        Having an excess of cunning does not necessarily equate to "intelligence".

        Indeed the twitterer-in-chief is demonstrably lacking in intelligence, but he makes up for that with cunning, bile and vindictiveness.

    5. Robert Helpmann??
      Childcatcher

      Re: Just curious

      ..."it is possible that some of these IP addresses may have ties to state-sponsored actors.”

      Ya think? It's also conceivable that a little forethought would have led to a design that didn't allow this.

  2. Pascal Monett Silver badge

    2FA was a nice idea

    Unfortunately, it means you place even more personal information into the hands of someone you don't know.

    Twitter failed to do due diligence on security. Of course, security is hard, but that is my entire point. I don't trust any web site with anything more than I have to. I'd rather have my account hacked than have some miscreant get my phone number.

    1. Bronek Kozicki

      2FA is a good idea,

      .... as long as the 2nd factor is actually secure. Anything based on phone is not.

      1. Gonzo wizard

        Re: Anything based on phone is not

        To be more precise - anything based on phone number is not. A 2FA app installed on a phone is secure. A SIM hijack won't give the hijacker access to your 2FA codes in the way that 2FA by text message would.

        1. Brewster's Angle Grinder Silver badge

          Re: Anything based on phone is not

          "A 2FA app installed on a phone is secure."

          Possibly. If it's well written. More likely it's just vulnerable to a different set of vectors. It's closed source so we have no clue about the internals or the protocol. Worst case, we could attempt to read the code via Spectre, Rowhammer or some other side channel.

          I reckon the independent token generators are probably the best. My bank even issued one and I was using it to log in. But they kept nagging me to set up a phone; and doing 2FA authentication via SMS means I can do mobile banking in an emergency - which wouldn't be the case if I was without my card and my token-generating card reader. (And, okay, I admit, some laziness came into play: insert card into reader, enter PIN, select function, enter challenge and type response into website. All to protect my negative money.)

          1. chuBb.

            Re: Anything based on phone is not

            Which is why MFA should be the preferred way of referring to additional verifications; 2FA is the bare minimum.

            Every protection has a weakness which can be exploited; it just becomes orders of magnitude more complicated to subvert each factor, especially if they have short validity periods <= 60 seconds. The trick is for the factors to overlap, that way there is no one way in, and the more factors you have the smaller the intersection is on this imaginary Venn diagram, so while not impossible to subvert it gets damn expensive in expertise and effort, to the point of not being worth pursuing and instead going after less secure targets.

            On their own each factor is weak:

            Username Password,

            SMS,

            Biometrics,

            Auth App,

            Code Generator

            But using 2 or more gives you good to best effort (Infinite Improbability Drive needed for everything to align) level security; just as always it's the balance of convenience vs security.

            Also, if your phone is set to lock after a minute, I would argue that the act of unlocking it grants you an additional factor to use, so user creds + auth app is actually 2(+1)FA.

            1. Brewster's Angle Grinder Silver badge

              Re: Anything based on phone is not

              Variety of devices and channels are more important than the brute factor count. Username+Password, SMS, biometrics and auth app can all be run through one device and, if that device is compromised, then it's game over - even if you use every last factor. But if I'm logging in from a laptop or a desktop, and the 2FA comes in via my phone, then you have to compromise my mobile phone as well as my computer. That's squared the difficulty.

              Likewise, it's not enough for a hacker to man-in-the-middle the bank; they've got to intercept the SMS as well.

          2. phuzz Silver badge

            Re: Anything based on phone is not

            "It's closed source so we have no clue about the internals or the protocol."

            Most 2FA uses TOTP (RFC 6238) and/or HOTP (RFC 4226), so we do indeed know the protocol.

            The original versions of the Google Authenticator are open source (later versions are not), but if you prefer, there's many different programs, some of which are open source, that all support the same authentication protocols. Here's a (open source) Python version if you like (as an example).

            If you don't trust anyone else, you could code your own implementation based on the RFCs, which would work with a Google/Microsoft/etc. account.

        2. Claptrap314 Silver badge

          Re: Anything based on phone is not

          Is your phone made by RIM? If not, then not only is it not secure, it cannot be made secure.

          And don't start with the histrionics of the LEAs about this technology or that. They are seeking to penetrate a phone after the fact and when the "owner" is not actively using the device.

  3. redpawn

    The Security

    is for state actors. Wouldn't want to make them unhappy. They might block the service.

  4. anoco

    don’t trust any company with more personal information than they need to have

    Even that is too much!

  5. The Man Who Fell To Earth Silver badge
    FAIL

    Just reinforces the phrase

    Twitter is for Twits.

    1. BebopWeBop

      Re: Just reinforces the phrase

      Twitter is for Twats

      TFTFY

      1. Khaptain Silver badge

        Re: Just reinforces the phrase

        It's not without reason that it is the Orange One's favorite media tool.

        1. Clunking Fist

          Re: Just reinforces the phrase

          "media tool" indeed: it gets his message (good or bad) out to folk directly, rather than having to rely on the, err, media tools...

  6. W.S.Gosset

    Government rather than private?

    > Being able to connect a specific phone number to a Twitter account is potentially enormously valuable to a hacker, fraudster, or spy

    Given that it's Twitter, an irritant for authoritarian regimes, and looking at 2 of the 3 cited names, I would have thought it far more likely to be governments/regimes seeking to identify who's behind particular criticism and/or activism. So that they can quietly eliminate it.

    1. genghis_uk

      Re: Government rather than private?

      All 3 of the named are likely to suppress dissent quietly and permanently.

      Just surprised UK and USA are not on the list

      1. Anonymous Coward

        Re: Government rather than private?

        NSLs for the win, dummy

      2. eldakka
        Black Helicopters

        Re: Government rather than private?

        They made no mention of the list provided (Israel, Iran, Malaysia) being the complete list of sources found.

  7. TimMaher Silver badge

    SIMS

    Considering how often 2FA and SIMs are mentioned by commentards; not only in this thread but in many others; perhaps it’s time to look at tying a SIM to a particular device?

    Public/Private key and something like the IMEI?

    Just saying this in a lazy comment as I haven’t actually done any research.

    Wouldn’t help with landlines.

    1. eldakka

      Re: SIMS

      perhaps it’s time to look at tying a SIM to a particular device

      That would defeat the whole point of having SIMs.

      A mobile number is temporarily assigned to a SIM, not a physical handset. That way, when I upgrade my handset, I can pop the SIM out of the old phone and into the new phone and the number follows the SIM to the new phone. A SIM is designed for portability between handsets. And if a SIM gets damaged or lost (say I drop my handset over the side of a boat while fishing), the number can be assigned to a new SIM, that can be placed in a new (or old/existing) handset, so I can keep my number.

      There is no problem with the SIM paradigm. The problem is with the paradigm of assuming a phone number, an entirely virtual construct, is a valid factor in a MFA system. It is not. It never has been.

      The traditional security factors are:

      1) What you know (e.g. password, PIN)

      2) What you have (something in your physical possession, e.g. keycard, token generator, ID pass, badge)

      3) What you are (biometrics - DNA, fingerprint, iris, face recognition)

      Companies have been using phone numbers as a "What you have" factor. But a phone number is not a physical thing in your possession. A phone number is something that is virtually assigned to a SIM, and can be changed arbitrarily, remotely, without your knowledge or input. It is not an appropriate "What you have" factor. It never has been. It was a half-arsed, public-relations attempt at a 2nd factor. It is the TSA (security theatre, not actual security) of the multi-factor authentication world.

  8. ForthIsNotDead
    Go

    Just don't use twitter.

    Simple.

  9. Anonymous Coward

    Twitter says a certain someone tried

    interesting, how many certain someones tried before, and quietly got what they were after.

  10. SVV

    Not a backend system flaw, just an incredibly stupid idea

    This is the problem with the big platforms' insatiable greed for personal information : that it not only destroys privacy, but as a consequence of that destroys security for the users. The companies are hardly unaware that "Easily find a friend" also means easily find anybody. Or everybody. Someone must have raised the possibility of this happening when the APIs were thought up, but I suspect that such concerns are a career killer within these companies who fundamentally rely on as much data and connections between it as possible to keep people coming back as often as possible.

  11. Mike 137 Silver badge

    "don’t trust any company with more personal information than they need to have"

    Unfortunately, provision of a phone number is an increasingly common mandatory requirement for registration to online services as they send back a token, and using a throw away SIM each time gets expensive.

    1. Jason Bloomberg Silver badge
      Unhappy

      Re: "don’t trust any company with more personal information than they need to have"

      It is getting just as bad in-person. It seems one can't buy anything these days without being asked to supply every last bit of personal information. I despair at seeing people hand it over without even asking why they need it, without even thinking about it.

      Me; I don't tell them anything despite how much they insist I must. I don't know whether I should laugh or cry when it gets to; do you want to sell me this 25p second-hand DVD or not?

      1. Andrew 99

        Re: "don’t trust any company with more personal information than they need to have"

        that's where random info can be helpful.

  12. TeeCee Gold badge

    Twitter security hole was a giant intelligence gathering opportunity,

    s/intelligence/stupidity/

    Unless this is a different Tw@ter we're talking about.

  13. fidodogbreath
    WTF?

    Ibrahim Balic revealed he had managed to match 17 million phone numbers to Twitter accounts by uploading a list of two billion automatically generated phone numbers to Twitter's contact upload feature, and match them to usernames.

    Why would they allow an end user to query two billion phone numbers? Rate limits and quotas are API security 101.

    Oh. Security 101. Never mind; answered my own question.
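To make concrete what "rate limits and quotas" would look like in front of a contact-upload endpoint, here is an added example (written for this page; it is not Twitter's code and does not describe how Twitter's feature was actually implemented). It combines three controls: a hard cap on contacts per request, a per-account daily quota, and, because the advisory describes a network of fake accounts, a cross-account limit keyed on the source /24 (or IPv6 /64) so that spreading the load over many throwaway accounts does not help. The class and constant names, the limits, and the simulated attacker IP (`203.0.113.5`, a documentation address) are all this example's own assumptions.

```python
"""Quota gate for a contact-matching API (added example, hypothetical design).

Three independent checks: batch size, per-account daily quota, and a per-network
hourly quota shared by every account arriving from the same /24 (IPv4) or /64
(IPv6). In-memory sliding windows; a real deployment would back these with a
shared store so every API node sees the same counters.
"""
import ipaddress
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Tuple

MAX_BATCH = 1_000            # contacts accepted in one upload request
PER_ACCOUNT_DAILY = 5_000    # contacts one account may match per 24 h
PER_NET_HOURLY = 20_000      # contacts all accounts on one network may match per hour


class ManualClock:
    """Injectable clock so the example is deterministic and runs offline."""

    def __init__(self, start: float = 1_600_000_000.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class ContactMatchGate:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.account_log: Dict[str, Deque[Tuple[float, int]]] = defaultdict(deque)
        self.net_log: Dict[str, Deque[Tuple[float, int]]] = defaultdict(deque)

    @staticmethod
    def network_key(ip: str) -> str:
        """Group source addresses coarsely so a farm of accounts on one box or
        one /24 shares a single budget."""
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 64
        return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

    def _spent(self, log: Deque[Tuple[float, int]], window: float) -> int:
        """Drop entries older than the window, return contacts used inside it."""
        cutoff = self.clock() - window
        while log and log[0][0] < cutoff:
            log.popleft()
        return sum(n for _, n in log)

    def check(self, account: str, src_ip: str, batch_size: int) -> Tuple[bool, str]:
        """Return (allowed, reason). Counters are only charged when allowed."""
        if batch_size <= 0 or batch_size > MAX_BATCH:
            return False, "batch_too_large"
        acct = self.account_log[account]
        if self._spent(acct, 24 * 3600) + batch_size > PER_ACCOUNT_DAILY:
            return False, "account_quota"
        net = self.net_log[self.network_key(src_ip)]
        if self._spent(net, 3600) + batch_size > PER_NET_HOURLY:
            return False, "network_quota"
        now = self.clock()
        acct.append((now, batch_size))
        net.append((now, batch_size))
        return True, "ok"


def simulate_fake_account_farm(n_accounts: int, src_ip: str = "203.0.113.5") -> Dict[str, int]:
    """Constructed scenario: n fake accounts, each well inside its own daily quota
    (4 x 1,000 contacts), all uploading from one /24. Returns how many contacts the
    gate let through and which rule stopped the rest."""
    gate = ContactMatchGate(ManualClock())
    outcome = {"matched": 0, "account_quota": 0, "network_quota": 0}
    for i in range(n_accounts):
        for _ in range(4):
            ok, reason = gate.check(f"fake{i}", src_ip, MAX_BATCH)
            if ok:
                outcome["matched"] += MAX_BATCH
            else:
                outcome[reason] += 1
    return outcome


if __name__ == "__main__":
    # 2 billion numbers in one request is refused outright.
    print(ContactMatchGate().check("someone", "203.0.113.5", 2_000_000_000))
    # 50 fake accounts on one /24: only the first 20,000 contacts get matched.
    print(simulate_fake_account_farm(50))
```

The per-account quota alone would have let the farm in the scenario above match 200,000 contacts; the shared network budget caps it at 20,000 per hour regardless of how many accounts are created. Attackers with a proxy pool will still spread across networks, so in practice this sits alongside account-age and phone-verification checks and alerting on the match rate, but it turns "enumerate every number on the planet" from a weekend job into one that is noisy and slow.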
