Reply to post: Re: If you MUST use SM

Twitter: No, really, we're very sorry we sold your security info for a boatload of cash

Ben Tasker Silver badge

Re: If you MUST use SM

> Use a unique PAYG unregistered SIM (not possible in all countries) if you think you MUST give them a phone number. Better to regard the account as disposable and ignore 2FA.

It's not quite as simple as being about what _you_ think, unfortunately.

Twitter recently gave me a 12hr naughty-stepping, and to reinstate my account a requirement was that I provide a mobile number (I objected on GDPR grounds and they rejected the appeal). I didn't fancy throwing my account away over it, so yeah, I bought a PAYG SIM for the princely sum of 99p.

They also require you to provide a mobile number to enable 2FA, even if you'll be using TOTP/U2F instead of SMS 2FA.

In both these cases you can delete the number straight after, but they've had it, and it's down to trust (hah) whether it's actually gone.

As a side note, I discovered this morning that when they required me to provide that number, they silently disabled my 2FA. So the account's been sat protected only by a strong password for more than a month, without my knowledge.

Twitter are _really_ shit at this security thing.


Biting the hand that feeds IT © 1998–2019