Twitter about to give hackers a huge gift....

... by *REMOVING text message authentication* for non paying accounts.

Yes, there are better forms of #2FA.

But this is blackmail.

Expect waves of takeovers as hackers run through password dumps. 1/

blog.twitter.com/en_us/topics/p…

Non-Twitter Blue subscribers that are already enrolled will
2/ Twitter is basically saying "hey the locks on your home aren't the most secure [true]... so we're just removing them at the end of the month [insane]"

Text message authentication isn't great.

And it needs to be evolved away from.

But this is reckless.
3/ You don't make users more secure by unilaterally *degrading* their security, then hoping they do better.

Security is a ratcheting process.

If Twitter goes ahead with this, they absolutely deserve regulatory & Congressional scrutiny.
4/ Here's how to secure your Twitter account with the free Google Authenticator App.*

Step 1: Get the App

iOS: apps.apple.com/us/app/google-…

Android: play.google.com/store/apps/det…

Step 2: Follow these instructions (easiest is on desktop): help.twitter.com/en/managing-yo…
5/ Moreover, #Twitter's instructions for #TwoFactorAuthentication for mobile-only users = lame.

Like not explaining that it may not be possible to scan a QR code on your phone...with your phone.

(Hint: not possible on all apps, you may need an app that can scan a screenshot).
6/ I'm confident this isn't part of a grand plan to make users more secure ... because the advice Twitter gives on other #TwoFactorAuthentication methods is so bad.

And barely usable.
7/ Platforms know (including Twitter...they fired the experts?)... that getting users to take new security steps is hard.

And takes time.

And really good messaging & user education.

Plus nudges that work.

This has none of that.
8/ Whenever there's a breach, hacking groups try the passwords against *all* accounts they can link to you.

Twitter users with #TwoFactorAuthentication have been protected.

By design.

Turning it off will breathe new life into old breaches.

It will be bad.
9/ My hope:

An ambitious prosecutor / regulator / congressperson compels Twitter to provide the communications that went into the decision to yank SMS #TwoFactorAuthentication from free accounts... against all industry practices & norms.

There's no way that it looks good.
10/ "unfortunately we have seen phone-number based 2FA be used - and abused - by bad actors" - Twitter

Sure. But Twitter probably sees 10,000x more attacks that can be stopped by SMS-2FA. Daily.

And I'm probably massively lowballing.
11/ I've researched & published on #2FA adoption by platforms.

SMS-based 2FA has costs. They pay Twilio et al. to send those messages.

This, alongside the security issues with SMS-2FA is a great reason to move to better.

But not to move backwards.
computer.org/csdl/magazine/…
12/ He couldn't fix the bot problem ... so decided to make millions of users less secure to save some money?

Thread by John Scott-Railton (@jsrailton)