Bengaluru, NFAPost: Two-factor authentication (2FA) has brought a sea change in security and trust across apps. Yet the idea that 2FA on its own is all one needs to protect their most important accounts from being misused is a myth.

At the same time, it has enabled data misuse to a certain extent. Many people are too lazy to set it up, but it should be done, as it is many times better than relying on a username and password alone. Even then, it is not ultimate security: as we all know, Twitter's recent big hack routed around 2FA protections.

In the early days of 2FA, one common way to implement it was to use text messaging as the second factor. That is, when one tried to log in on a new machine (or after a certain interval of time), the service would text them a code that they would need to enter to prove that they were who they claimed to be.

SIM swapping

As things matured, people realised that this method was less secure. Over time, many hacks involved "SIM swapping" (using social engineering against the carrier to have the victim's phone number ported over to the attacker), after which the 2FA code was sent to the attacker's device instead of the victim's.

Here we should realise the importance of authenticator apps. With a good 2FA authenticator app, like Google Authenticator or Twilio's Authy, or better still a physical key such as the YubiKey or Google's Titan Key, the vulnerability can be minimised to a certain extent, because the code is generated on the device from a shared secret and never travels over the phone network.
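As an added illustration (not code from the original article or from any of the vendors named), the following Python sketch contrasts the two second factors described above: a server-issued SMS-style code, which must be delivered over the phone network and is therefore exposed to SIM swapping, and an RFC 6238 TOTP code, where only the seed is provisioned once and the carrier is never involved. The seed is the RFC 6238 reference seed; `SmsOtpStore`, `verify_totp` and their parameters are names chosen for this example, not any product's API.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Constructed demo secret: the RFC 6238 reference seed, base32-encoded as an
# authenticator app would receive it from a provisioning QR code.
DEMO_SEED = b"12345678901234567890"
DEMO_SECRET_B32 = base64.b32encode(DEMO_SEED).decode()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time.
    Both the app and the server compute this locally; nothing is transmitted
    to the phone, so porting the phone number gains an attacker nothing."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, at // step, digits)


def verify_totp(secret_b32: str, submitted: str, at: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to absorb clock drift.
    Constant-time comparison so response timing does not leak matching digits."""
    for delta in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, at + delta * 30), submitted):
            return True
    return False


class SmsOtpStore:
    """Server-side record for a texted code (hypothetical helper for the example).
    Only a hash is stored, codes expire, and a few wrong guesses void the code.
    None of this helps if the SMS itself is delivered to a swapped SIM."""

    def __init__(self, ttl_seconds: int = 300, max_attempts: int = 5):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.pending = {}  # user -> [sha256 hex digest, expires_at, attempts]

    def issue(self, user: str, now: int) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        digest = hashlib.sha256(code.encode()).hexdigest()
        self.pending[user] = [digest, now + self.ttl, 0]
        return code  # in a real deployment this string is what the SMS gateway sends

    def verify(self, user: str, submitted: str, now: int) -> bool:
        rec = self.pending.get(user)
        if rec is None or now > rec[1]:
            self.pending.pop(user, None)  # unknown or expired: fail closed
            return False
        rec[2] += 1
        ok = hmac.compare_digest(hashlib.sha256(submitted.encode()).hexdigest(), rec[0])
        if ok or rec[2] >= self.max_attempts:
            self.pending.pop(user, None)  # one-time use, or lockout after too many tries
        return ok


if __name__ == "__main__":
    # RFC 6238 test vector: at T=59 the 8-digit SHA-1 TOTP is 94287082.
    print("TOTP at T=59:", totp(DEMO_SECRET_B32, 59, digits=8))
    store = SmsOtpStore()
    code = store.issue("alice", now=1000)
    print("SMS code accepted once:", store.verify("alice", code, now=1001))
    print("SMS code replay rejected:", store.verify("alice", code, now=1002))
```

The contrast the article draws is visible in the two paths: `SmsOtpStore` is sound on the server side, yet its security still rests entirely on the carrier delivering the text to the right handset, whereas `verify_totp` depends only on the seed exchanged at enrolment.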

This raises the question of whether users are now at the receiving end of 2FA, as the phone numbers given for that purpose are being used for notifications or marketing. Apps are treating them as a revenue stream, and this is where the trust deficit begins. First of all, it undermines trust, which is the last thing one wants to do when dealing with a security mechanism. People handed over these phone numbers and emails for a very specific and delineated reason: to better protect their accounts.

Violation of trust

It is a reality that sharing that phone number or email with the marketing team is a massive violation of trust. It also serves to undermine the entire concept of two-factor authentication, in that many users will become less willing to use 2FA, fearing how the numbers might be abused.

This breach of trust has led regulatory bodies to impose fines on leading apps. Facebook received a mammoth $5 billion fine from the FTC a year ago. While the media focused almost entirely on the Cambridge Analytica situation as the reason for the fine, if one actually reads the FTC's settlement documents it was other things that really caused the FTC to move, including Facebook's use of 2FA phone numbers for marketing. Facebook faced stern consequences for that.

Two factor authentication

Now it is Twitter's turn. Twitter has revealed that the FTC is preparing to fine the company $150 million to $250 million for this practice, noting that it violated the terms of an earlier consent decree with the FTC in 2011, under which the company promised not to mislead users about how it handled personal information.

Yet, for years, Twitter used the phone numbers and emails provided for 2FA to help target ads (basically using the phone number/email as an identifier for targeting).

We have to take note of the fact that there is no explanation for this other than really bad handling of data at Twitter, and the company should be punished for it. Tech analysts find that Twitter is unfairly blamed for many things, but a practice like this is both bad and dangerous. Having said that, large fines from regulatory bodies are the only way to convince companies never to do this kind of thing again.
