
How To Hack Twitter's Two-Factor Authentication

An anonymous reader writes with this excerpt from PC Mag's SecurityWatch: "We've pointed out some problems with Twitter's new two-factor authentication. For example, since just one phone number can be associated with an account, Twitter's two-factor authentication won't work for organizations like the Associated Press, The Onion, or The Guardian. They were hacked; they could still be hacked again in the same way. However, security experts indicate that the problem is worse than that, a lot worse."
  • Re:Thank you (Score:5, Informative)

    by Anonymous Coward on Friday May 24, 2013 @10:59PM (#43818957)
    http://www.huffingtonpost.com/2013/04/23/twitter-flash-crash_n_3141311.html [huffingtonpost.com]

    The U.S. stock market crashed momentarily on Tuesday afternoon after the Associated Press' Twitter account was hacked and a hoax tweet was sent out that suggested explosions at the White House had injured President Barack Obama. The Dow Jones Industrial Average dropped about 150 points in a matter of seconds.

  • by kju ( 327 ) on Saturday May 25, 2013 @12:17AM (#43819241)

    Instead of using some custom two-factor authentication which is bound to a specific phone, they should use TOTP (http://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm). Then the same shared secret could be configured into several token generators (e.g. Google Authenticator on Android).

    TOTP seems to be becoming the standard for two-factor authentication, given that both Facebook and Google use it (Facebook provides its own limited code generator in its app), and so do quite a few other significant services (e.g. Dropbox, Amazon AWS).

    Google also provides a PAM module for TOTP which allows one to set up TOTP for one's own services. I tried that yesterday: installed the PAM module and added a key into Google Authenticator. Result: TOTP-secured SSH login (by using the normal account password with the token appended). TOTP support can also be added to non-PAM-capable applications; for example, a TOTP extension for MediaWiki exists. I tried that one as well and it is working great.

    The Google Authenticator app allows one to configure more than one account, so you can secure different services with TOTP and still have one central token generator app.
