Twitter’s New 2FA Policy Tackles SIM Swap Risk

Twitter has finally remediated a two-factor authentication (2FA) security gap which could allow SIM swap attackers to unlock users’ accounts.

Until now, the firm has mandated that all users wanting to use strong authentication on their accounts must first enable SMS-based 2FA. It was impossible to switch off this function, even if they subsequently chose to authenticate via one-time password (OTP) apps or other methods.

That has finally changed now, with the social media firm allowing users to enroll in 2FA without a phone number. This means they can use any 2FA system that supports the FIDO2 WebAuthn protocol, without worrying that it could be circumvented by SIM swap techniques.

SIM swap attacks have become increasingly common of late: hackers socially engineer a mobile phone carrier employee into believing they are a legitimate customer who wants their number ported to a new SIM.

By doing so, they get control of the number and can then try to force their way into any online accounts that might be protected by SMS-based 2FA.

This kind of activity has been particularly focused on stealing funds from victims’ digital wallets. Earlier this month, two men were charged with a major operation in which they allegedly stole over half a million dollars in cryptocurrency in this way.

In May, nine men were charged with a similar conspiracy, which is said to have netted them around $2.4m.

There are even greater stakes to play for in an impending courtroom battle between AT&T and entrepreneur Michael Terpin, in which the latter is suing the carrier for $224m after an employee mistake allowed cryptocurrency thieves to steal $24m of his personal funds from a digital wallet.

Back in August, hackers used a SIM swap attack to access the Twitter account of company CEO Jack Dorsey, in an incident which may have contributed to the change in official policy.
