[HN Gopher] FTC Fines Twitter $150M for Using 2FA Phone Numbers ... ___________________________________________________________________ FTC Fines Twitter $150M for Using 2FA Phone Numbers for Ad Targeting Author : averysmallbird Score : 438 points Date : 2022-05-25 21:32 UTC (1 hours ago) (HTM) web link (www.ftc.gov) (TXT) w3m dump (www.ftc.gov) | [deleted] | octagons wrote: | I don't have the most optimistic outlook for this having any | impact, but I really hope this sets a precedent for limiting the | use of dark patterns with which companies try to tie your | identity to a phone number. I think the total sum for this fine | is rather myopic: it ignores the long tail of possible future | data leaks and the impact it might have on the people behind the | affected accounts. | | I created my current Twitter account a few years ago and it | remained dormant for a while. It was flagged as "in violation of | our policies" despite having not made any tweets or using a | handle or nickname that would cause offense to anyone. In order | to resolve this, I had to enter my phone number to "secure" my | account. I don't know what process triggered this review, but | I'll be damned if it didn't smell like an easy way to associate | an existing marketing profile with my Twitter account. Of course, | it's vitally important to profile a service I used to keep up | with industry news and post about Goban puzzles. | | I've also run into similar patterns on Discord and similar | platforms; "Oops! Something suspicious is happening with the | account [you literally just created]. Please add a phone number | to your profile to proceed." | | Although I follow a reasonable set of practices around | identity/password management, I usually architect my risk profile | with a "I don't care if I lose this account" approach. If that | statement isn't true, then I will happily apply all of the | security measures available. However, it seems like the idea of | creating "I don't care" accounts is becoming increasingly | difficult as we continue to invest in user marketing analytics | and lower the barrier of entry to these types of technologies | that do not have the consumer's best interests in mind. | pixl97 wrote: | >I created my current Twitter account a few years ago and it | remained dormant for a while. It was flagged as "in violation | of our policies | | Same here, linked it to PSN to get images off my PS4 and it was | flagged before I could do anything. | | Never did add my number and shortly after that they had a leak | where any hacker could figure your number out. | dbg31415 wrote: | I hate all the different ways companies target people. | | I recently booked flight on American Airlines for my 80+ year-old | father. I requested the golf cart to take him between gates. | | Immediately I got a call from "American Airlines Health Alert." | | They made it sound like there was an issue with the booking... | "An important health alert related to your flight." And there was | a "Press 1, if you're over 50" option. | | Anyway long story short it was some shady marketing company | selling me a panic button in case of falls. | | The lady was like"these are very expensive devices"... "we'll | give you the device... but you pay a small fee for monitoring | every month." | | Clearly she'd given the pitch 1,000 times. Didn't give me any | time to talk. Finally, I was like, "Hey is there a problem with | my Dad's flight, or are you just trying to sell me something?" | And she hung up on me. | | Fuck American Airlines. Fuck all the airlines really, but it | should be illegal to target the elderly just because they asked | for help with connection flights. | mrkramer wrote: | I remember I got scared this might happen when Epic introduced | 2FA for claiming free games[0]. FTC check Epic Games too. | | [0] https://www.pcgamer.com/uk/for-a-while-epic-games-store- | will... | jazzythom wrote: | linuxhansl wrote: | Some weeks ago I wanted to deactivate my Twitter account. I | hadn't used it for a while, and it claimed that my account was | locked. Nothing was sent from it in many months, so it wasn't | clear why/how it would be locked now. | | For some reason you cannot deactivate your account when it is | locked. | | So I contacted Twitter demanding that as EU citizen (which is | true) I hereby demand all data about me that Twitter or its | subsidiaries might have, including account data, to be deleted | under the GDPR... Or alternatively unlock my account so that I | would be able to deactivate it. | | They were actually pretty responsible. My account was unlocked 30 | minutes later and I was able to deactivate it. | heavyset_go wrote: | Guarantee they're doing the same thing with phone numbers used to | verify accounts, as well. I'm not talking about the blue check | mark verification, but the verification they impose upon new | accounts to prove that you're "real" and not a bot. | brailsafe wrote: | I appreciate the security of 2FA, but I don't like the liability | and and I don't like being required to have my phone at all | times. Jus one of my gripes with the world | sedatk wrote: | I propose multiple YubiKeys for this. Unlike TOTP, it's not | susceptible to phishing, and you can keep Nano keys inserted in | your USB ports that you regularly use. You don't need your | phone or anything most of the time. | lucb1e wrote: | > [Twitter] agreed to an order that became final in 2011 that | would impose substantial financial penalties if it further | misrepresented "the extent to which [Twitter] maintains and | protects the security, privacy, confidentiality, or integrity of | any nonpublic consumer information." | | They violated that order and that's what the fine is for. | | I was wondering what kind of authority the FTC has to impose | fines based on what as a European I'd consider a GDPR violation | (in the USA, this california privacy act thing sounds like it | would be the nearest thing, but that's not federal so that | couldn't be it). But what was this order about? Clicking the | reference in the article: | | > The FTC's complaint against Twitter charges that serious lapses | in the company's data security allowed hackers to obtain | unauthorized administrative control of Twitter, including access | to non-public user information, tweets that consumers had | designated private, and the ability to send out phony tweets from | any account including those belonging to then-President-elect | Barack Obama and Fox News, among others. | | > Under the terms of the settlement, Twitter will be barred for | 20 years from misleading consumers about the extent to which it | protects the security, privacy, and confidentiality of nonpublic | consumer information | | So this wasn't about privacy initially, the FTC's attention came | from allowing some public figures' accounts to be hacked, after | which it imposed some broad set of requirements, which are broad | enough to now include this privacy issue. Not a bad outcome, but | interesting turn of events to get the FTC to act as data | protection authority. | staunch wrote: | At first I thought the fine sounded excessive but after thinking | about it, it seems far too low. I'd like to know the the people | that were specifically responsible for this scam. | | Did Jack Dorsey implement and endorse this scam? | autoexec wrote: | There are a lot of details I don't see about this, even in the | order itself. How did the FTC know twitter was abusing this | data? Was there a whistleblower who notified them, or did they | break down the doors and start scanning twitter's internal | documents? Were they authorized to dig into twitters internal | processes as part of the initial security investigation? | MiddleEndian wrote: | Good, but it should be 10x that amount. | lelandfe wrote: | The FTC really ought to take a leaf out of GDPR's book, and | start fining truly punitive amounts: | https://www.tessian.com/blog/biggest-gdpr-fines-2020/#:~:tex... | | $150M for a repeat offense affecting millions of users is | paltry. | transcriptase wrote: | Just don't take the leaf titled "rarely if ever enforce | anything". | xbar wrote: | Clownish. If I were the CEO, some folks would have already been | fired. | rsstack wrote: | Several people _were_ fired recently. We don't know why, so | maybe. But probably not. | neighbour wrote: | Personally I think the CEO would have known about this | happening and turned a blind eye until it became an issue. I | have nothing to back this up though. Just a pessimistic take on | corporate culture. | annoyingnoob wrote: | Would you fire yourself? | mrkramer wrote: | That's called resignation. Yea you would do it if you respect | your company and your users. Call in someone more mature. | zaroth wrote: | Clearly anyone with the ethical chops to consider resigning | over this would be a net-loss to Twitter if in fact they | resigned. Is this some sort of named paradox? | bogwog wrote: | > would be a net-loss to Twitter | | Would it? It seems to me like unethical behavior is | always more profitable. | [deleted] | gareth_untether wrote: | I really can't believe companies are still doing this with | people's data. Insane that this is still a thing companies abuse. | oblio wrote: | We need to turn data into a liability. | | There's a reason many places work on a "need to know" basis. | ProAm wrote: | data is a liability regardless | techsupporter wrote: | This is an interesting part to me: "[T]he new order[0] adds more | provisions to protect consumers in the future: ... Twitter must | provide multi-factor authentication options that don't require | people to provide a phone number." | | I would like to see this be a more broad-based rule. No, I am not | moved by "SMS is easy" or "getting a number that can receive SMS | is harder for scammers to do in bulk." If you must, give users | the choice but not the _obligation_ to hand over a mobile number. | | 0 - https://www.ftc.gov/legal-library/browse/cases- | proceedings/2... | gabereiser wrote: | To further expand on this. 2FA should not rely on SMS at all. | It should be an option but not the default one. An | Authenticator app should be the default. I know we assume | everyone has a cell phone but that's not the case. | ChrisMarshallNY wrote: | I just ordered something online, last night, and it had two | required fields: | | 1) Mobile Phone (landline is not required) | | 2) The phone number/address needs to be the same as for the | card. | | I don't use a mobile phone for the card. I use my landline, | so I entered that. | fron wrote: | WebAuthn should be the default | autoexec wrote: | Authenticator apps aren't much better. Look at their privacy | policies. Installing Microsoft Authenticator means giving | them your location data 24/7 and allows the to collect even | more data on you than giving Twitter your phone number did. | Do you really think they aren't going to use that data for | anything else? I don't believe that anymore than I believed | Twitter. | | Personally, I'd rather deal with the hassle of carrying | around multiple hardware tokens than give companies a | continuous stream of data about my personal life to use | against me. | koolba wrote: | Why does an Authenticator app even have location access? | Geoblocking? | vel0city wrote: | Exactly, IIRC you can do policies related to locations. | It's an optional feature, you don't need to enable it and | the app will overall work just fine. | __turbobrew__ wrote: | FreeOTP works just fine for me | C4K3 wrote: | You don't have to use microsoft authenticator. TOTP is a | big step up from SMS and most/good apps won't violate your | privacy. | viraptor wrote: | I believe GP meant authenticator app like authy, duo, or | any other TOTP. You're not giving anyone your location by | using that. | hoppyhoppy2 wrote: | There are free, open-source, and privacy-respecting options | for TOTP 2FA that don't require a mobile phone plan. | | You can use something like KeepassXC (desktop) or something | like KeepassDX or Aegis (on F-Droid on Android) for your | OTP authentication app to manage 2FA for Google, Amazon, | eBay, Dropbox, etc. and there are other options as well. | bogwog wrote: | Afaik, TOTP is standardized, so you should be able to use | any authenticator app for 2FA. Idk about Microsoft, but I | haven't encountered any service that doesn't allow you to | bring your own TOTP app. | yurishimo wrote: | I have. I worked for an enterprise that used OneLogin | could only use the OneLogin Protect app for 2FA. I | thought 1Password was broken but I tried a different app | with my phone camera and it said the QR code was invalid. | andrewmackrodt wrote: | Are you using Microsoft Authenticator in a corporate | environment/profile? I just checked my personal install | (Android) and it does not require any permissions (location | is denied). | WillPostForFood wrote: | So don't use Microsoft Authenticator. There are many | options without the privacy problems with the MS App | (which, IMO are overblown, but whatever). Go run your own | if you want to be absolutely private. I'm happy with | 1Password for managing it. | | http://www.nongnu.org/oath-toolkit/oathtool.1.html | gigel82 wrote: | I was overseas and my provider (Cricket) doesn't have roaming | so I usually pick up a cheap prepaid SIM locally. | | I didn't enable 2FA on Uber but it insisted on sending me a | code via SMS (of course, to my inaccessible US number). That | was incredibly stupid and shortsighted. Meanwhile, all services | that were set up for Authenticator MFA worked just fine over | the European carrier's LTE. | li2uR3ce wrote: | Also SMS not nearly reliable enough. You should have | alternatives for that reason alone. My cell carrier was | blocking many SMS verification messages for a good two months. | It caused me all kinds of problems when my credit union merged | with another and I had to change account numbers all over the | place. Many had the option of using an email address, but there | were quite a few that it was SMS or play find the human on the | 800 number. | prirun wrote: | Unrelated to Twitter, but your post reminded me that consumer | should also have an independent "account number" for lack of | a better word that belongs to the user, like a telephone | number. Electronic payments would come out of this personal | account number and be forwarded to whatever institution(s) | the person wants. Then changing banks would be as easy as | changing phone carriers. | latchkey wrote: | They already provide these options today. | falcolas wrote: | It's a precedent. This isn't just about Twitter; there are | many who do not offer such options. | zaroth wrote: | I don't think it has any applicability to anyone beyond | Twitter. | | Maybe it's a precedent that the FTC will tell you to add | non-SMS 2-factor if you are misusing the SMS factor for | advertising, but that's a pretty limited precedent! | karatinversion wrote: | For context, Twitter'S revenue in 2021 was $5 billion, on which | they made a loss of $220 million. | tpmx wrote: | Which is bizarre, in itself. | JohnJamesRambo wrote: | What a great buy... | | I saw a tweet the other day that said they can't think of a | worse purchase since Bank of America bought Countrywide for $40 | billion. | | TWTR has traded flat since its inception in one of the greatest | bull markets of all time. | missedthecue wrote: | HP bought Autonomy which turned out to be a total fraud. | sitkack wrote: | When I think twitter, I think of a service that costs 5.2B to | run. | l33t2328 wrote: | There are some tongue in cheek answers but actually how does | it cost that much to run? | | That's a ton of money for a website that is very text heavy | with short/low quality videos and a largely fixed feature | set. | viraptor wrote: | People. Salaries are expensive, especially SV salaries. | Then you need well paid management for the extra heads, and | group manager for them. IIRC (feel free to correct me, I'm | not going to dig it out again) they spent >$1B on R&D | itself... which is pretty much just couple hundred of | engineers who, (judging from the service changes recently) | mostly did nothing. | tpmx wrote: | I can't even fathom how it's possible to use $5B/yr to run | Twitter. | | So, I co-architected the Opera Mini infrastructure. It peaked | at a similar number of users (250-300M active users). Sure, | Twitter is _much_ more DB-intensive, but transcoding web | pages is pretty CPU intensive too, and typically we | transcoded every single web page for them. | | Twitter is spending $5B/300M =~ $17/user per year | | I believe that from public sources, it's now possible to | deduce that we spent less than a 1/100th of that per | user/year. | | Since we didn't have crazy money, we optimized things at | _every_ step. | nikanj wrote: | People forget the key word "premature" in the infamous | Donald Knuth quote, and think all optimization is evil | pessimizer wrote: | It's always premature to optimize until your company is | failing, because if you aren't failing yet it means it's | worked so far. You should always wait until your company | is falling apart to do a full rewrite of your core | product. | rmbyrro wrote: | Exactly. When the business is failing is when there's | lots of time and resources available to make your core | product more efficient. | StillBored wrote: | Is not doing stupid s%$t an optimization? (lol) | | I'm reminded of the reddit articles a few years back when | they were talking about moving to AWS and having to batch | database requests to maintain their database perf. | Apparently, at the time they were literally sending | tens/hundreds of thousands of database queries for each | page load request for a logged in user because each | comment was collecting all its up/down votes and adding | them up rather than just having a per comment karma | attached to the comment. | | This is what happens when you hire a whole bunch of | recent grads that frankly have no idea how to write code, | and think they are the smartest people on the planet when | it comes to distributed systems. | hguant wrote: | AWS instances don't pay for themselves | | /s...mostly | LegitShady wrote: | According to their financial disclosures for 2021: On | income of ~$5.08B, they spent | | - $1.8B as "cost of revenue" (costs incurred to run their | business), | | - $1.25B on "research and development", | | - $1.2B on "Sales and Marketing", and | | - ~$1.3B together on "general and administrative" | (overhead) and "litigation settlement". | | Then there are a bunch of small monies related to interest | expense and income, etc etc. | | They're spending huge amounts of money and could be | profitable if they really wanted. I can't imagine what | Twitter is doing with 1.25B in research. Elon could make | Twitter profitable simply by cutting their research | department. | williamsmj wrote: | "Research and development" is engineering. | tlrobinson wrote: | > I can't imagine what Twitter is doing with 1.25B in | research. | | ...and development. I assume "R&D" includes most of the | engineers? | | Still, it could be a lot more lean for sure. | StillBored wrote: | Well presumably that 1.25B is mostly engineering salaries | since its "research and development" (for tax purposes | where they probably get huge write offs). | | Anyway, they need that org to get their 1.8B in "cost of | revenue" down, which is presumably mostly the cost of | massive server farms to store what are mostly text | mesages. Although these days with all the machine | learning/etc to sell ads they probably "needs" all that | hardware to run their models and can't just optimize it | down to a higher perf system painting web pages. | AdvertisingMan wrote: | pessimizer wrote: | This is surprisingly reasonable. I would like to see a | decisionmaker do some time for fraud, though. They locked people | out of their accounts and demanded phone numbers for | "safeguarding," then used them for targeting in direct | contravention of a previously negotiated agreement with the FTC. | If that doesn't rise to criminality, the fraud statutes need to | be updated. | | edit: they should also be required to dump the phone numbers | (even to be recollected later, without the deception), but I | didn't see that in the article. Are they being allowed to keep | the proceeds of a crime? | blamestross wrote: | One fundimental purposes of a "company" is to be an abstraction | to ofuscate moral responsibility for individual's actions. | rmbyrro wrote: | It says they cannot use the data commercially, only for the | stated purposes (security, recovery). | | In practice, it'll be hard to enforce, though. | piva00 wrote: | Why not increase the punishment by having random audits like | the government do for drug checks? And make the company pay, | would be an even bigger deterrent if it's not just a fine... | itsoktocry wrote: | > _They locked people out of their accounts and demanded phone | numbers for "safeguarding," then used them for targeting in | direct contravention of a previously negotiated agreement with | the FTC. If that doesn't rise to criminality, the fraud | statutes need to be updated._ | | It's bad, I agree. | | But _jail_? That should be reserved for the most heinous crimes | and criminals. | stormbrew wrote: | I'm basically a prison abolitionist but i don't really see | corporate fines as any real kind of justice at all either, | for big or small things. This is just putting a price tag on | the behaviour. | colechristensen wrote: | First you have to establish who goes to jail, corporations are | able to avoid this by having vague structures of shifting blame | so a jury can't decide if any particular individual is actually | at fault. | | There probably should be laws establishing ultimately | responsible people with the unenviable duty of being | responsible for illegal things corporations do (sort of like an | engineer signing off on the design of a bridge), but doubtful | such a thing will happen. | | We're left then with personal responsibility being limited to | people stupid enough to leave pretty explicit records of | nefarious intent to commit crimes. | xanaxagoras wrote: | Pick a C-suite exec or VP at random then. "Nobody, it's too | hard to unravel the organizational structure" isn't really | cutting it. | verisimilidude wrote: | That sounds kinda like the Mafia or Yakuza. Take the fall, | do time, protect the organization, get respect, get | promoted. Many people would gladly do a few years in | minimum security prison in exchange for million dollar | salaries, etc. | | While I do think that would be better than nothing, it | could create its own set of bad incentives. | Beltalowda wrote: | I don't think it has to be that hard; you just need to | require that communication is preserved for companies over a | certain size, e.g. meeting minutes, emails, etc. This is | already the case for financial records and some employment | records, and the case with politics ("but her emails!") | | This way, a record can be subpoenaed if needed. | | Don't keep records or don't have records of this particular | decision? The person responsible for making sure the records | are kept for that department will be in trouble. | | There is some administrative "red tape" here, but it's not | that bad, and much of these records already exist (or | existed). | | The problem is the political will to enact such a law; I | agree that's not likely to happen. | colechristensen wrote: | "You have to keep a record of what happened during all | employee interactions so that we can prosecute you some | day" isn't exactly a likely-to-succeed plan. Already | prevalent are coaching employees not to leave records of | certain legally contentious topics. | oceanplexian wrote: | I worked for a certain rainforest company and they | specifically coached us on not leaving records or | discussing certain subjects in any form of written | communication. | sodality2 wrote: | > isn't exactly a likely-to-succeed plan | | It doesn't have to gain popularity, be well-liked, or be | agreed with by the companies. If it is law, they must | follow it. | adamc wrote: | All decision-makers should go to jail in such cases. Then | they would work harder on making blame clear. | colechristensen wrote: | "All" is a vague term. | | So jail everyone at Twitter who isn't an individual | contributor and is even tangentially involved? | | This is how you escape consequences as an organization: | obfuscation. Make what you've done complex enough that it's | too difficult for a jury to decide who is responsible for | what, prosecutors won't be convinced they have a case and | will decline to pursue the matter. | RcouF1uZ4gsC wrote: | I think the CEO should personally be on the hook for | widespread organizational fraud, and in cases should be held | criminally responsible. | StillBored wrote: | Yah, some personal risk might justify some of the salary | package. Yah sure your going to make $50M a year, but you | might have to sit in jail for 20 years sounds fair. | dylan604 wrote: | Meh, that's why the CEO makes the big monies. "The buck stops | here" kind of thing. Charge the CEO. Make it the CEO's | problem to prove they were not responsible only by giving up | the person that was. I do believe sometimes CEOs are not | fully aware of what happens below them in the org tree, but | they are accountable for their people. If the CEO can't | handle that, then they shouldn't be accepting the roles. | Clearly, this has to be understood as part of the job | description | J-Kuhn wrote: | Here is a fictional timeline of events: | | * Problem: Spammers automate creation of accounts. | Solution: Reuse the MFA infrastructure as some kind of | "CAPTCHA". The phone number is not stored. | | * Problem: Spammers use a single phone number to unlock | 1000's of accounts. Solution: Store the phone number - so | those kinds of misuse can be detected. | | * Problem: Ads-Team wants to sell more targeted ads. | Solution: There is possibly a phone number stored in the | user profile, use that. | | Who is to blame here? The Ads team that didn't check if the | number can be used? | pornel wrote: | Yes! There are now privacy laws that explicitly require | you to check if user has given consent for such use of | the data. | lkschubert8 wrote: | How about the lowest common leader? | jeffparsons wrote: | Solution #2 modified to be safer: | | > Solution: Store A HASH OF the phone number - so those | kinds of misuse can be detected. | | If you don't need to store PII verbatim, don't store it | verbatim. | | > Who is to blame here? The Ads team that didn't check if | the number can be used? | | Yes. 100% yes. It's insane that we've normalized the idea | that if you can physically get your hands on some data | then that means you're allowed to do whatever you want | with it. Anyone even remotely responsible working in | advertising should be tracking provenance of the data | they're using. I've heard all sorts of excuses about why | this isn't practical, but with each year that passes I | find them less convincing, and I've finally reached the | point where I reject those excuses outright. If you don't | _know_ you're allowed to use some PII for marketing, then | you _can not_ use it for marketing. It's that simple. | pessimizer wrote: | Somehow they don't have to figure that out with felony | murder. Everyone who participates who is aware is liable to | the same punishment, then. Why not in crimes of bureaucracy? | Why make sure people who are just following orders are free | from punishment? | colechristensen wrote: | Because killing someone is usually pretty explicit in the | obviousness of a crime being committed. | | Filling out forms, designing product features, and | implementing them can have each individual contributor | mostly ignorant that anything could possibly be wrong with | the request and the few people who do have some idea only | have a small one which is plausibly deniable. The person | who does get caught in those circumstances is usually just | a scapegoat anyway. | pessimizer wrote: | That's why you investigate. But awareness should be | enough. And if we start to have trouble proving awareness | (maybe employees aren't aware of a settlement), just | require in settlements that employees _are_ informed. | | For felony murder, you don't have to know that the person | you're with is armed, intends to kill, or if you're | driving the getaway car you don't even have to know that | they _have killed anyone at all._ You 're participating | in something that you're expected to know is wrong, and | you're punished for anything that results from the entire | event. If this were like felony murder, the engineers | that implemented it (assuming awareness) would be as | liable for the $150 million as anyone else involved. | thaumasiotes wrote: | > Because killing someone is usually pretty explicit in | the obviousness of a crime being committed. | | > Filling out forms, designing product features, and | implementing them can have each individual contributor | mostly ignorant that anything could possibly be wrong | with the request | | That's got nothing to do with felony murder. Felony | murder occurs when you participate in a crime with | someone else and they accidentally kill someone while you | can't see them. | strangattractor wrote: | Hope they keep an eye on Truth Social that requires your | phone number even to use it. | [deleted] | wanderr wrote: | A fine is a cost. It's quite possible that Twitter made more than | $150m in doing this. | missedthecue wrote: | I don't think Twitter makes money at all. | zaroth wrote: | They make ~$5B a year. They just spend all of it and then | some. | [deleted] | nicce wrote: | The loss would have been bigger tho. | bpodgursky wrote: | I truly doubt this was a calculated tradeoff. | | It was almost certainly a fuckup where the phone # was | mistakenly stored in a shared schema, and someone on the ads | side saw it and decided to use it for targeting, knowing | nothing about 2FA or how it got there. This probably only | affects a tiny fraction of their users. | ziddoap wrote: | > _I truly doubt this was a calculated tradeoff._ | | Potentially, sure. | | > _It was almost certainly a fuckup where the phone # was | mistakenly stored in a shared schema, and someone on the ads | side saw it and decided to use it_ | | How is this an "almost certainly"? Do you have additional | information you'd care to share on why you think so? If this | were the case, it would point to _insanely_ sloppy policies, | procedures, and implementations. | | > _This probably only affects a tiny fraction of their | users._ | | Why? | bpodgursky wrote: | > This probably only affects a tiny fraction of their | users. | | Because most users provided their phone number when signing | up, not just when setting up 2FA. Twitter has always been | phone-centric (the first app was literally just sending SMS | messages). | ntoskrnl wrote: | Sigh. Yep. Don't ever give a company your phone number for 2FA. | It's insecure anyways due to SIM swapping. Stick to FIDO (e.g. | yubikey) or TOTP (e.g. google authenticator) | davesque wrote: | Yep, it's almost more accurate to describe using phone numbers | for 2FA as being _anti-_ secure, not just _in_ secure. That's | because it's effectively no better than having no 2FA and it's | possibly even _harder_ to detect when your account has been | compromised by a SIM swap. And many companies that use phone | numbers for 2FA also allow resetting one 's password via that | phone number. It's really just a tragedy that companies do | this, rather like when login screens prevent copy/paste. | | If you're ever prompted to add a phone number to your account | on some web service for "extra security", just click "remind me | later" or "skip" as many times as possible. | minsc_and_boo wrote: | Or just get a phone and service provider who doesn't allow SIM | swapping (e.g. Google Fi, etc.), since many more services only | do 2FA with SMS than allow hardware authentication. | skybrian wrote: | You probably want both, as well as printing out some backup | codes, to avoid the risk of getting locked out when something | breaks. | sedatk wrote: | Unlike FIDO/U2F, TOTP is susceptible to phishing. Getting | locked out a serious problem and should be addressed with | printed recovery codes probably. | RamRodification wrote: | Any clear reason to go for Google for TOTP? As opposed to Authy | or something else. | jeromegv wrote: | No, it's all the same. | ntoskrnl wrote: | Those were examples I thought people were likely to | recognize, not vendor recommendations. I edited for clarity. | encryptluks2 wrote: | You do realize that TOTP is a standard that doesn't require | you to use either, that you can use the same secrets for any | TOTP app, right? | regecks wrote: | There is a clear reason not to use Authy, which is that | making your data portable is extremely annoying. No export | function. I ended up writing a 3rd party Authy client just to | get my TOTP keys out. | | For iOS users, I cannot say enough good things about | https://apps.apple.com/us/app/otp-auth/id659877384. Author is | responsive, encrypted backups, portable data format. | nicce wrote: | Thanks. I have been looking replacement for Authy for quite | some time because of no export function. | Macha wrote: | For android users, Aegis provides much of these benefits | (as does andOTP). Both are open source, I like aegis a bit | better. | davis wrote: | There's actually a very good reason to not use Google | Authenticator actually. | | They don't offer any backups (at least on iOS) and as a | result, if you lose your phone, you are hosed. Google | Authenticator also doesn't use iCloud for backup for files | like other apps. I also just assume at this point no one owns | that app and that it'll never get backups because that's how | Google operates. | | I've seen multiple people lose their TOTP codes this way and | have been locked out of their accounts. Or even the more | simple case, they buy a new phone, restore from backup and | just assume everything is peachy then send their old phone | back and then don't realize it until they open the app for | the first time. | | Use something with cloud backups for your safety. | bogwog wrote: | I got scared as hell a few years ago when an update bricked | the app, so launching it caused it to immediately crash. | Fortunately, reinstalling the app fixed it without losing | any data. | | But since then I started actually backing up my recovery | codes, and whenever I create a new account somewhere, I set | up 2FA on three separate apps on my phone _just in case_. | nicce wrote: | Authy does not allow to make local backup (export) and it | is fully closed source, not really transparent. I wish | there were better alternatives. | PausGreat wrote: | Ravio OTP on iOS | SoftTalker wrote: | They offer one-time backup codes that can be used if a | device is lost. I'm not sure if this is Google or the site, | but for every login where I've set up Google Authenticator | I have copied the backup codes to my password manager for | that account. I'd agree that a lot of people might not do | that however. | Dylan16807 wrote: | Google the site has backup codes for logging in to | Google. Completely unrelated to the data in Google | Authenticator. | | Google Authenticator used to have no way to get the data | out, but does now have an export. It still has no normal | backups. | jve wrote: | Luckily services makes clear that you should print backup | codes in case you lose 2FA. | | As for Android Google authenticator - there is export | function, that generates QR code for all tokens. You can't | screenshot it, but can take a photo with different device | and print. | 8organicbits wrote: | I suppose you're talking about automatic backups, but at | least on Android you can manually "transfer accounts" to | export to another device over QR codes. | saurik wrote: | On iOS, I do see this feature, but it claims it will | _move_ the account, as opposed to "copy" it, and so, if | it is a backup mechanism, they are explicitly pretending | it isn't one. | MarioMan wrote: | Although it is primarily designed and labeled as an | export mechanism, I can verify that it does work as a | backup mechanism. I regularly use it to sync up new 2FA | accounts to a backup phone. Simply choose to keep the | accounts after exporting. | jazzythom wrote: | Actually its more secure to use NFC yubikey w/ their app than | google authenticator for TOTP bc the key is in the yubikey | enclave vs the phones | drivers99 wrote: | I just started using that and would recommend it. When you | set it up you add each key you own from the same QR code. | cheeze wrote: | The tradeoff is usability though. I can have a TOTP code | stored on two separate phones in two separate locations | versus needing a yubikey always present. | | To me, I'm too forgetful and dumb to not lose a yubikey, but | I manage to not lose my phone. | rvz wrote: | Exactly. I did tell them many times before [0], [1]. | | They just won't listen. So give them a fine instead, that will | make them listen. | | The second _' wake up call'_ after the last one I've seen | today: [2] | | [0] https://news.ycombinator.com/item?id=29264937 | | [1] https://news.ycombinator.com/item?id=30010434 | | [2] https://news.ycombinator.com/item?id=31510868 | iotku wrote: | Yeah I'm extra upset about this because I would have chosen | TOTP if I was given the option, but only sms authentication was | available for 2FA for the longest time (until it became such a | big issue with account takeovers including jack's I believe | that they had no choice but to change that) | pinewurst wrote: | Didn't Facebook do something similar without any apparent | comebacks? ___________________________________________________________________ (page generated 2022-05-25 23:00 UTC)