
How To Hack Twitter's Two-Factor Authentication

An anonymous reader writes with this excerpt from PC Mag's SecurityWatch: "We've pointed out some problems with Twitter's new two-factor authentication. For example, since just one phone number can be associated with an account, Twitter's two-factor authentication won't work for organizations like the Associated Press, The Onion, or The Guardian. They were hacked; they could still be hacked again in the same way. However, security experts indicate that the problem is worse than that, a lot worse."
  • worse problem? (Score:5, Insightful)

    by mcmonkey ( 96054 ) on Friday May 24, 2013 @09:10PM (#43818433) Homepage

    the problem is worse than that, a lot worse

    Problem? Worse? This is twitter we're talking about right?

    If sending an unencrypted email is like sending a postcard (kids, ask your parents) in pencil, twitter is like a sign you stick in your lawn.

    Anyone can drive by and stick a sign in your lawn, make it look like you support any cause, or take any sign you've put out.

    Now if people put undue weight to those signs, if they swing the markets, then the issue--the problem--is people who don't know the difference between reliable and unreliable sources.

    The problem isn't twitter, it's employees in the media and so-called journalists who'd rather sit on their bum checking their cell phone than go out and do their job.

  • Re:Thank you (Score:5, Insightful)

    by Zerth ( 26112 ) on Friday May 24, 2013 @09:49PM (#43818667)

    As long as stock market bots and day traders use twitter activity to guide their behavior, I care.

  • by 140Mandak262Jamuna ( 970587 ) on Friday May 24, 2013 @09:55PM (#43818695) Journal
    The fundamental problem here is that the user logs into a fake twitter site and gives the login credentials. Then gives the second factor authentication too. This scenario cannot be protected against no matter how many factors you use. In fact if I keep logging into a fake google site and keep entering all the credentials how can google stop it?
  • by raymorris ( 2726007 ) on Friday May 24, 2013 @10:35PM (#43818871) Journal
    I'm not familiar with Toopher specifically, but the general idea works quite well. We've been doing it for fifteen years.
    I always post on Slashdot using a small Android phone in Bryan, TX, and my ISP is Suddenlink. I've posted on Slashdot hundreds, if not thousands of times. 20 minutes after I make this post from here in Bryan, if someone claiming to be me tries to log in using an iPhone in Canada, that's guaranteed to be bogus. That's a simple, obvious, and common example.

    Now take that same general idea and apply fifteen years of R&D and real world experience. You can catch most unauthorized login attempts. If you do any late night surfing, on sites like GirlsGoneWild.com, you may have noticed half of those sites say "protected by Strongbox". They do that because it works.
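
The check described in the comment above (same account, 20 minutes later, different device, different country), written out as an added example; it is not code from the commenter, Toopher or Strongbox. The speed ceiling, score weights, coordinates and the `example-ca-isp` name are assumptions made for illustration.

```python
import math
from dataclasses import dataclass

@dataclass
class Login:
    ts: float      # seconds since epoch
    lat: float     # from IP geolocation (assumed available)
    lon: float
    device: str    # e.g. derived from the User-Agent
    isp: str       # e.g. from an IP-to-ASN lookup

MAX_KMH = 900.0    # assumed ceiling, roughly airliner cruising speed

def km_between(a, b):
    """Great-circle (haversine) distance in kilometres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlat, dlon = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def assess(history, attempt):
    """Score a login attempt against previously accepted logins."""
    if not history:
        return 1, ["no baseline"]
    last = max(history, key=lambda l: l.ts)
    hours = max((attempt.ts - last.ts) / 3600.0, 1e-6)  # guard against zero or negative gaps
    score, reasons = 0, []
    if km_between(last, attempt) / hours > MAX_KMH:
        score += 3
        reasons.append("impossible travel")
    if attempt.device not in {l.device for l in history}:
        score += 1
        reasons.append("new device")
    if attempt.isp not in {l.isp for l in history}:
        score += 1
        reasons.append("new ISP")
    return score, reasons

def decide(score):
    """Map a score to an action: block, ask for step-up verification, or allow."""
    return "deny" if score >= 3 else "challenge" if score >= 1 else "allow"

# Constructed sample data; coordinates are approximate.
HISTORY = [Login(0, 30.67, -96.37, "Android phone", "Suddenlink"),
           Login(86400, 30.67, -96.37, "Android phone", "Suddenlink")]
CANADA = Login(86400 + 20 * 60, 43.65, -79.38, "iPhone", "example-ca-isp")
HOME_WIFI = Login(86400 + 20 * 60, 30.67, -96.37, "Android phone", "example-wifi-isp")

if __name__ == "__main__":
    for name, attempt in (("canada", CANADA), ("home wifi", HOME_WIFI)):
        score, reasons = assess(HISTORY, attempt)
        print(name, decide(score), reasons)
```
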
