SoylentNews is people
SoylentNews
from the when-two-factor-authentication-may-not-be-such-a-good-idea dept.
In an advisory on Monday, the social network noted it had “became aware that someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers” on December 24.
That is the same day that security researcher Ibrahim Balic revealed he had managed to match 17 million phone numbers to Twitter accounts by uploading a list of two billion automatically generated phone numbers to Twitter's contact upload feature, and match them to usernames.
The feature is supposed to be used by tweeters seeking their friends on Twitters, by uploading their phone's address book. But Twitter seemingly did not fully limit requests to its API, deciding that preventing sequential numbers from being uploaded was sufficiently secure.
It wasn’t, and Twitter now says that, as well as Balic's probing, it “observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia," adding that “it is possible that some of these IP addresses may have ties to state-sponsored actors.”
Being able to connect a specific phone number to a Twitter account is potentially enormously valuable to a hacker, fraudster, or spy: not only can you link the identity attached to that number to the identity attached to the username, and potentially fully de-anonymizing someone, you now know which high-value numbers to hijack, via SIM swap attacks, for example, to gain control of accounts secured by SMS or voice-call two-factor authentication.
(Score: 4, Interesting) by Runaway1956 on Thursday February 06 2020, @06:52AM (14 children)
As is often the case, there is a simple solution. Don't store phone numbers. Better yet, don't ask for phone numbers. They aren't essential to what Twitter is, or what Twitter does. My phone number is none of Twitter's business. I'll not input my phone number into any social media. I don't even give my phone number to people who ask for it. Pizza place, auto parts store, Farmer's coop, none of them need my phone number to make a sale.
Data that you don't collect can't be compromised. It's really that simple.
Abortion is the number one killed of children in the United States.
(Score: 2) by coolgopher on Thursday February 06 2020, @07:38AM
But but... SMS 2-factor authentication security [theverge.com]!!!11!eleven
(Score: 4, Informative) by RedIsNotGreen on Thursday February 06 2020, @08:05AM (11 children)
Based on what I read on the orange, you cannot create a new Twitter account without verifying your phone.
It is not required for registration, but new accounts become locked after creation, and Twitter demands a verifiable phone number to unlock.
(Score: 3, Interesting) by Runaway1956 on Thursday February 06 2020, @08:13AM (8 children)
So, just before you throw away a throwaway, you register your account. (Have to be reasonably sure that the throwaway wasn't used for something that can get you thrown in the penitentiary for life, of course.) Create account, answer text or whatever Twitter does, then toss the phone into a nice concrete pour, sans battery. You're good to go.
But, I think it's wrong for Twitter to be doing that crap, and I think it's dumb for people to play along with those asinine rules.
Abortion is the number one killed of children in the United States.
(Score: 1, Funny) by Anonymous Coward on Thursday February 06 2020, @09:32AM (1 child)
Wow! Opsec advice from the guy on the game forums, owns a Silverwing, and a Trailblazer? Who lives in ***** Arkansaws and works at the ******* plant in ******? The Predator drones have a permanent fix on you Runaway, even without your phone number. So why worry? When the Boogallo hits, you will not even know that it has started. The first casualties in war are always the most innocent, or, the most surprised.
(Score: 3, Funny) by Runaway1956 on Thursday February 06 2020, @03:16PM
I've told you before - I control the predators. I picked them up cheap at the Army Navy Surplus. Of course, they didn't have warheads. Not when I bought them, anyway. I had to make those.
Abortion is the number one killed of children in the United States.
(Score: 2, Informative) by Anonymous Coward on Thursday February 06 2020, @10:31AM (2 children)
And unless you're using that throwaway for one thing only, it is still highly likely that they've triangulated your approximate location (from tracing back where that sim/phone was sold at) and connected it up with whatever you used it for before you threw it away. They'd love to have the coordinated tracking on your phone, of course, but it's not necessary to their overall plan.
Did you use a VPN? No? Then they likely already got everything they could possibly want from you except what you end up doing with Twitter.
Finally, they are getting better at uncovering tactics like this, you know. They have your location from your IP and they will associate that physical location with every phone that walks in your door that has the Twitter app installed. Again, they don't have to have your phone number to get enough of what they want.
(Score: 0) by Anonymous Coward on Thursday February 06 2020, @06:42PM
All good advice, but it is still another barrier to privacy invasion. The government assholes probably would because that is their job. Twitter and some asshole that buys a bunch of customer data from them will not bother trying to make sure every phone number is tied to a physical address.
What we should be doing is educating the masses on TOR and other decentralized network protocols / services and deny traffic to sites that block such traffic. Also we need data privacy laws, give the public a big old hammer to swing down on any company abusing its customer data.
(Score: 1) by Ethanol-fueled on Friday February 07 2020, @01:10AM
Do you all live under a rock? There are services online similar to 10-minute mail that will act as dummy phone numbers and send you the message contents. People who want to find ways around this can do so without even having their own phone, burner or otherwise.
p.s. Twitter's API is shit and their API documentation is double-shit.
(Score: 1, Informative) by Anonymous Coward on Thursday February 06 2020, @01:49PM (2 children)
how is this offtopic? call it rambling paranoid whatever, but perfectly on topic and direct answer to GP.
(Score: 2) by DeathMonkey on Thursday February 06 2020, @06:36PM
I love how someone spent a mod point marking this Informative and not to fix the moderation on the actual post itself.
I guess bitching is better than fixing for some folks here....
(Score: 2) by exaeta on Thursday February 06 2020, @11:21PM
The Government is a Bird
(Score: 2) by SomeGuy on Thursday February 06 2020, @11:58AM (1 child)
Well, one more reason not to use Twatter, as if anyone needed more. Any shit-headed Nazi that requires retarded "texting" means I could not sign up or use their service even if I wanted to. That won't work on my nice, robust, well tested, crystal clear, never needs replacing or upgrading, POTS phone.
(Score: 2) by dry on Friday February 07 2020, @06:57AM
I get the occasional text message on my POTS phone, uses text to speech.
(Score: 0) by Anonymous Coward on Thursday February 06 2020, @01:53PM
I gave my phone number to the bike shop when I left my bike there for fixing.
they sent me an SMS when it was ready for pick-up.
to me that's worth the subsequent loss of privacy.