posted by martyb on Thursday February 06 2020, @06:33AM   Printer-friendly
from the when-two-factor-authentication-may-not-be-such-a-good-idea dept.

In an advisory on Monday, the social network noted it had “became aware that someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers” on December 24.

That is the same day that security researcher Ibrahim Balic revealed he had managed to match 17 million phone numbers to Twitter accounts by uploading a list of two billion automatically generated phone numbers to Twitter's contact upload feature and matching the hits to usernames.

The feature is supposed to be used by tweeters seeking their friends on Twitter by uploading their phone's address book. But Twitter seemingly did not fully rate-limit requests to its API, deciding that preventing sequential numbers from being uploaded was sufficiently secure.

It wasn’t, and Twitter now says that, as well as Balic's probing, it “observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia," adding that “it is possible that some of these IP addresses may have ties to state-sponsored actors.”

Being able to connect a specific phone number to a Twitter account is potentially enormously valuable to a hacker, fraudster, or spy: not only can you link the identity attached to that number to the identity attached to the username, potentially de-anonymizing someone entirely, you also now know which high-value numbers to hijack, via SIM swap attacks for example, to gain control of accounts secured by SMS or voice-call two-factor authentication.
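As an added illustration (not code from the article or from Twitter), the following Python contrasts the ordering-only check described above with a volume-based guard: the ordering check lets randomly generated batches through indefinitely, while a per-account budget of distinct numbers and a per-IP call cap stop them regardless of how a batch is ordered. The budget, the IP cap, the account names and the IP addresses are assumed values constructed for the demo.

```python
import random
from collections import defaultdict

# Assumed policy values (not Twitter's real limits): distinct numbers an account may
# look up per day, and upload calls allowed per source IP. Both sit far above what a
# genuine address book needs, so ordinary users never hit them.
DAILY_NUMBER_BUDGET = 5000
IP_UPLOAD_CAP = 50


def is_sequential(batch):
    """The weak check the article describes: only consecutive runs are rejected."""
    nums = sorted(int(n) for n in batch)
    return len(nums) > 1 and all(b - a == 1 for a, b in zip(nums, nums[1:]))


class ContactUploadGuard:
    """Tracks per-account and per-IP contact-upload volume across one day."""

    def __init__(self):
        self.seen_by_account = defaultdict(set)  # account -> distinct numbers uploaded
        self.uploads_by_ip = defaultdict(int)    # ip -> number of upload calls

    def weak_allow(self, account, ip, batch):
        # Ordering alone is the gate: a shuffled or randomly generated batch passes.
        return not is_sequential(batch)

    def hardened_allow(self, account, ip, batch):
        # Volume is the gate: every distinct number counts against the account's daily
        # budget and every call counts against the IP, however the batch is ordered.
        seen = self.seen_by_account[account]
        if len(seen | set(batch)) > DAILY_NUMBER_BUDGET:
            return False
        if self.uploads_by_ip[ip] >= IP_UPLOAD_CAP:
            return False
        seen.update(batch)
        self.uploads_by_ip[ip] += 1
        return True


def random_batch(size, seed):
    """Constructed test input: randomly generated, non-sequential 10-digit numbers."""
    rng = random.Random(seed)
    return [f"{rng.randrange(2_000_000_000, 9_999_999_999)}" for _ in range(size)]


def simulate(policy, batches=10, batch_size=1000):
    """Returns how many random batches from one account/IP the named policy lets through."""
    guard = ContactUploadGuard()
    check = getattr(guard, policy)
    return sum(check("acct-1", "198.51.100.7", random_batch(batch_size, seed=i))
               for i in range(batches))
```

Note that the ordering check also has a false-positive problem: a real address book whose numbers happen to be consecutive is rejected, while the volume guard judges only how much is being looked up.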


  • (Score: 4, Interesting) by Runaway1956 on Thursday February 06 2020, @06:52AM (14 children)

    by Runaway1956 (2926) on Thursday February 06 2020, @06:52AM (#954662) Homepage Journal

    As is often the case, there is a simple solution. Don't store phone numbers. Better yet, don't ask for phone numbers. They aren't essential to what Twitter is, or what Twitter does. My phone number is none of Twitter's business. I'll not input my phone number into any social media. I don't even give my phone number to people who ask for it. Pizza place, auto parts store, Farmer's coop, none of them need my phone number to make a sale.

    Data that you don't collect can't be compromised. It's really that simple.

    --
    Abortion is the number one killer of children in the United States.
    • (Score: 2) by coolgopher on Thursday February 06 2020, @07:38AM

      by coolgopher (1157) on Thursday February 06 2020, @07:38AM (#954678)

      But but... SMS 2-factor authentication security [theverge.com]!!!11!eleven

    • (Score: 4, Informative) by RedIsNotGreen on Thursday February 06 2020, @08:05AM (11 children)

      by RedIsNotGreen (2191) on Thursday February 06 2020, @08:05AM (#954682) Homepage Journal

      Based on what I read on the orange, you cannot create a new Twitter account without verifying your phone.

      It is not required for registration, but new accounts become locked after creation, and Twitter demands a verifiable phone number to unlock.

      • (Score: 3, Interesting) by Runaway1956 on Thursday February 06 2020, @08:13AM (8 children)

        by Runaway1956 (2926) on Thursday February 06 2020, @08:13AM (#954686) Homepage Journal

        So, just before you throw away a throwaway, you register your account. (Have to be reasonably sure that the throwaway wasn't used for something that can get you thrown in the penitentiary for life, of course.) Create account, answer text or whatever Twitter does, then toss the phone into a nice concrete pour, sans battery. You're good to go.

        But, I think it's wrong for Twitter to be doing that crap, and I think it's dumb for people to play along with those asinine rules.

        --
        Abortion is the number one killer of children in the United States.
        • (Score: 1, Funny) by Anonymous Coward on Thursday February 06 2020, @09:32AM (1 child)

          by Anonymous Coward on Thursday February 06 2020, @09:32AM (#954699)

          Wow! Opsec advice from the guy on the game forums, owns a Silverwing, and a Trailblazer? Who lives in ***** Arkansaws and works at the ******* plant in ******? The Predator drones have a permanent fix on you Runaway, even without your phone number. So why worry? When the Boogallo hits, you will not even know that it has started. The first casualties in war are always the most innocent, or, the most surprised.

          • (Score: 3, Funny) by Runaway1956 on Thursday February 06 2020, @03:16PM

            by Runaway1956 (2926) on Thursday February 06 2020, @03:16PM (#954759) Homepage Journal

            I've told you before - I control the predators. I picked them up cheap at the Army Navy Surplus. Of course, they didn't have warheads. Not when I bought them, anyway. I had to make those.

            --
            Abortion is the number one killer of children in the United States.
        • (Score: 2, Informative) by Anonymous Coward on Thursday February 06 2020, @10:31AM (2 children)

          by Anonymous Coward on Thursday February 06 2020, @10:31AM (#954702)

          And unless you're using that throwaway for one thing only, it is still highly likely that they've triangulated your approximate location (from tracing back where that sim/phone was sold at) and connected it up with whatever you used it for before you threw it away. They'd love to have the coordinated tracking on your phone, of course, but it's not necessary to their overall plan.

          Did you use a VPN? No? Then they likely already got everything they could possibly want from you except what you end up doing with Twitter.

          Finally, they are getting better at uncovering tactics like this, you know. They have your location from your IP and they will associate that physical location with every phone that walks in your door that has the Twitter app installed. Again, they don't have to have your phone number to get enough of what they want.

          • (Score: 0) by Anonymous Coward on Thursday February 06 2020, @06:42PM

            by Anonymous Coward on Thursday February 06 2020, @06:42PM (#954818)

            All good advice, but it is still another barrier to privacy invasion. The government assholes probably would because that is their job. Twitter and some asshole that buys a bunch of customer data from them will not bother trying to make sure every phone number is tied to a physical address.

            What we should be doing is educating the masses on TOR and other decentralized network protocols / services and deny traffic to sites that block such traffic. Also we need data privacy laws, give the public a big old hammer to swing down on any company abusing its customer data.

          • (Score: 1) by Ethanol-fueled on Friday February 07 2020, @01:10AM

            by Ethanol-fueled (2792) on Friday February 07 2020, @01:10AM (#954952) Homepage

            Do you all live under a rock? There are services online similar to 10-minute mail that will act as dummy phone numbers and send you the message contents. People who want to find ways around this can do so without even having their own phone, burner or otherwise.

            p.s. Twitter's API is shit and their API documentation is double-shit.

        • (Score: 1, Informative) by Anonymous Coward on Thursday February 06 2020, @01:49PM (2 children)

          by Anonymous Coward on Thursday February 06 2020, @01:49PM (#954731)

          How is this offtopic? Call it rambling, paranoid, whatever, but it is perfectly on topic and a direct answer to GP.

          • (Score: 2) by DeathMonkey on Thursday February 06 2020, @06:36PM

            by DeathMonkey (1380) on Thursday February 06 2020, @06:36PM (#954817) Journal

            I love how someone spent a mod point marking this Informative and not to fix the moderation on the actual post itself.

            I guess bitching is better than fixing for some folks here....

          • (Score: 2) by exaeta on Thursday February 06 2020, @11:21PM

            by exaeta (6957) on Thursday February 06 2020, @11:21PM (#954912) Homepage Journal

            Anything aris disagrees with tends to get an offtopic mod.

            --
            The Government is a Bird
      • (Score: 2) by SomeGuy on Thursday February 06 2020, @11:58AM (1 child)

        by SomeGuy (5632) on Thursday February 06 2020, @11:58AM (#954708)

        Well, one more reason not to use Twatter, as if anyone needed more. Any shit-headed Nazi that requires retarded "texting" means I could not sign up or use their service even if I wanted to. That won't work on my nice, robust, well tested, crystal clear, never needs replacing or upgrading, POTS phone.

        • (Score: 2) by dry on Friday February 07 2020, @06:57AM

          by dry (223) on Friday February 07 2020, @06:57AM (#955078) Journal

          I get the occasional text message on my POTS phone; it uses text to speech.

    • (Score: 0) by Anonymous Coward on Thursday February 06 2020, @01:53PM

      by Anonymous Coward on Thursday February 06 2020, @01:53PM (#954733)

      I gave my phone number to the bike shop when I left my bike there for fixing.
      They sent me an SMS when it was ready for pick-up.
      To me that's worth the subsequent loss of privacy.

  • (Score: 2, Informative) by fustakrakich on Thursday February 06 2020, @07:26AM (2 children)

    by fustakrakich (6150) on Thursday February 06 2020, @07:26AM (#954674) Journal

    Only the Iranian one, right? All those other ones are "friends"! And please, show us the IPs weren't spoofed!

    --
    Politics and criminals are the same thing.
    • (Score: 1) by Ethanol-fueled on Friday February 07 2020, @01:13AM (1 child)

      by Ethanol-fueled (2792) on Friday February 07 2020, @01:13AM (#954954) Homepage

      Well at least somebody finally and publicly mentioned Israel. It's a baby step in the right direction considering that they are "those who shall not be named" and perhaps the biggest multi-pronged meddler in American politics and other affairs.

      • (Score: 1) by fustakrakich on Friday February 07 2020, @01:37AM

        by fustakrakich (6150) on Friday February 07 2020, @01:37AM (#954974) Journal

        Israel, Saudi Arabia, republicans, democrats, they can all shoot up 5th Avenue, and no one will say shit.

        All hail the Republic of Catatonia!

        --
        Politics and criminals are the same thing.
  • (Score: 3, Funny) by aristarchus on Thursday February 06 2020, @07:43AM (5 children)

    by aristarchus (2645) on Thursday February 06 2020, @07:43AM (#954679) Journal

    I will go first, after Runaway, of course, who has already spilled his personal data all across the intertubes (things I wish I did not know!):

    So, my phone number is: 1-30-2273-123-4567

    Feel free to call me and not be answered, since most of the calls I get are telemarketers, pollsters, perverts, and Republicans asking for money.

    • (Score: 0) by Anonymous Coward on Thursday February 06 2020, @08:37AM (4 children)

      by Anonymous Coward on Thursday February 06 2020, @08:37AM (#954691)

      Don't you work at one of those 1-900 psychic hotlines?

      • (Score: 2, Insightful) by aristarchus on Thursday February 06 2020, @08:58AM (3 children)

        by aristarchus (2645) on Thursday February 06 2020, @08:58AM (#954692) Journal

        Philosophy is to psychics, as astronomy is to astrology. A bit of education on your part would not be remiss, my dear and cromulent AC, if you consistently make such mistakes.

        • (Score: 1, Offtopic) by aristarchus on Thursday February 06 2020, @09:42AM (2 children)

          by aristarchus (2645) on Thursday February 06 2020, @09:42AM (#954700) Journal

          Oh, and I realized that is my OLD phone number! Now it is: 1-30-2273-867-4309. Ask for "Jenny", it is a Tu-tone number.

          • (Score: 2) by VLM on Thursday February 06 2020, @12:51PM (1 child)

            by VLM (445) on Thursday February 06 2020, @12:51PM (#954718)

            LOL Aristarchus/Jenny, it's obviously 867-5309, not 4309.

            I thought you ancient Greek philosophers still used the CompuServe CB Simulator or ICQ anyway.

            • (Score: 1, Touché) by Anonymous Coward on Thursday February 06 2020, @02:35PM

              by Anonymous Coward on Thursday February 06 2020, @02:35PM (#954744)

              Those are the Geek philosophers

  • (Score: 3, Informative) by VLM on Thursday February 06 2020, @12:55PM (1 child)

    by VLM (445) on Thursday February 06 2020, @12:55PM (#954719)

    Strange phrase for a "security researcher"

    “observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia," adding that “it is possible that some of these IP addresses may have ties to state-sponsored actors.”

    Obviously given that Iran and Israel are not the closest regional allies, he's using really weird phrasing to point out the traffic is spoofed / powned boxes across many countries, rather than some dude's personal cablemodem or AWS server complete with credit card billing info, LOL.

    We should be more closely allied with Iran than with Israel anyway, but that's a separate more political discussion.

    • (Score: 0) by Anonymous Coward on Thursday February 06 2020, @02:37PM

      by Anonymous Coward on Thursday February 06 2020, @02:37PM (#954745)

      It's the Russians again.
