
"Not enabled 2FA"???? FFS?
*If* 2FA was enabled, how was it defeated?
If not, just why?
Netflix's US Twitter account was briefly hijacked on Wednesday. The feed was taken over by a hacking group, OurMine, who used the hijack to promote its website and invite Netflix to get in touch. The social media team running the Netflix US Twitter account, which has 2.5 million followers, got off easily. Previous account …
The "2FA" of most sites like Twitter is only superficial. Under the covers, clients get a single token that's effectively a single authentication factor until it expires. Since people hate logging in over and over, tokens rarely expire. Often these attacks are based on stealing the token somehow.
Twitter's second factor is SMS. They can't send messages to my current carrier, so I had to disable it when I switched there. Twitter don't offer any kind of contact venue to notify them of those issues either, and they don't seem interested in offering anything actually working.
So, much like LinkedIn then ?
They appear to struggle with (presumably) non-US MVNOs ... and have done since I logged a support call 7 months ago.
I have since concluded that they don't give a shiny shit about user security. They are free to correct that impression but have chosen not to.
Here's something to think about if you use your cell phone number as a form of 2FA. In some scenarios using SMS for 2FA actually helps make your account easier to hijack. It depends on how password reset is implemented by a particular account provider. If they set it up such that if you forget your password, you can get a code sent via SMS to use to reset your password...well...
If someone can find out a cell number is attached to a particular account, some trivial social engineering can get that cell phone number ported to a different service/burner cell phone. Issue password reset requests to account(s), get reset code SMSes on burner phone, take over account.
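The reset-code takeover described in the comment above, as an added example that is not part of this thread: a small Python model of an account provider whose password reset is confirmed by SMS. The carrier, the account, the phone number, the mailbox and the two reset policies ("sms_only" and "sms_and_email") are all constructed assumptions for illustration, not any real site's implementation. Porting the number to the burner is the social-engineering step; the simulation shows the attacker logging in under the SMS-only policy and failing when the reset also needs a token from a mailbox they do not control.

```python
# Added example, not from the thread: toy model of SMS-driven password reset
# and a number port-out ("SIM swap"). Every name, number and policy here is
# constructed for illustration.
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Device:
    name: str
    inbox: list = field(default_factory=list)   # (channel, text) pairs received


class Carrier:
    """Stand-in for the mobile network: an SMS goes to whichever device
    currently holds the number. port_out() models the social-engineered port."""
    def __init__(self):
        self.holder = {}                        # phone number -> Device

    def port_out(self, number, new_device):
        self.holder[number] = new_device

    def send_sms(self, number, text):
        self.holder[number].inbox.append(("sms", text))


class Mailbox:
    """Stand-in for an e-mail account the attacker has NOT compromised."""
    def __init__(self):
        self.inbox = []


@dataclass
class Account:
    username: str
    password: str
    phone: str
    email: Mailbox


class Service:
    """Account provider. policy selects how a password reset is confirmed:
       'sms_only'      - a code sent by SMS is sufficient (the weak design)
       'sms_and_email' - the SMS code AND a token sent to the e-mail address"""
    def __init__(self, carrier, policy):
        self.carrier, self.policy = carrier, policy
        self.accounts = {}                      # username -> Account
        self.pending = {}                       # username -> expected secrets

    def register(self, acct):
        self.accounts[acct.username] = acct

    def request_reset(self, username):
        acct = self.accounts[username]
        expected = {"sms": f"{secrets.randbelow(10**6):06d}"}
        self.carrier.send_sms(acct.phone, f"Your reset code is {expected['sms']}")
        if self.policy == "sms_and_email":
            expected["email"] = secrets.token_urlsafe(16)
            acct.email.inbox.append(("email", f"Reset token: {expected['email']}"))
        self.pending[username] = expected

    def complete_reset(self, username, new_password, sms_code, email_token=None):
        expected = self.pending.pop(username, None)
        if expected is None or sms_code is None:
            return False
        ok = secrets.compare_digest(sms_code, expected["sms"])
        if "email" in expected:                 # hardened policy: both secrets needed
            ok = ok and email_token is not None and \
                secrets.compare_digest(email_token, expected["email"])
        if ok:
            self.accounts[username].password = new_password
        return ok

    def login(self, username, password):
        acct = self.accounts.get(username)
        return acct is not None and secrets.compare_digest(password, acct.password)


def extract_secret(messages, prefix) -> Optional[str]:
    """Pull the secret out of a delivered message, e.g. 'Your reset code is 123456'."""
    for _, text in messages:
        if text.startswith(prefix):
            return text[len(prefix):].strip()
    return None


def _setup(policy):
    """Constructed victim: username, phone number and an uncompromised mailbox."""
    carrier, handset, mailbox = Carrier(), Device("victim-handset"), Mailbox()
    carrier.holder["+15555550100"] = handset
    svc = Service(carrier, policy)
    svc.register(Account("alice", "correct horse battery staple", "+15555550100", mailbox))
    return carrier, svc, handset, mailbox


def simulate_sim_swap(policy) -> bool:
    """Attacker knows the username and phone number only. Returns True if the
    attacker ends up logged in to the victim's account."""
    carrier, svc, _handset, _mailbox = _setup(policy)
    burner = Device("attacker-burner")
    carrier.port_out("+15555550100", burner)    # the social-engineering step
    svc.request_reset("alice")
    code = extract_secret(burner.inbox, "Your reset code is")
    svc.complete_reset("alice", "pwned", code)  # attacker never sees the mailbox
    return svc.login("alice", "pwned")


def simulate_owner_reset(policy) -> bool:
    """Control case: the real owner resets from their own handset and mailbox."""
    _carrier, svc, handset, mailbox = _setup(policy)
    svc.request_reset("alice")
    code = extract_secret(handset.inbox, "Your reset code is")
    token = extract_secret(mailbox.inbox, "Reset token:")
    svc.complete_reset("alice", "new-password", code, token)
    return svc.login("alice", "new-password")


if __name__ == "__main__":
    for policy in ("sms_only", "sms_and_email"):
        print(policy, "attacker wins:", simulate_sim_swap(policy),
              "owner can reset:", simulate_owner_reset(policy))
```

The point the model makes is the one in the comment: the weakness is not the SMS code itself but a reset flow in which control of the phone number is the only thing checked. Requiring a second, independently delivered secret (or, in practice, a hold period after a number change and an out-of-band notification) means a ported number alone no longer resets the password.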
Yes, it can be done. And you're right, relatively trivially. But it does take effort from the attacker. And let's face it, most script kiddies are unwilling to take that effort or accept the risk associated with doing something which ups your crime from simply "unauthorised access of an electrical device" to "fraud" (complete with a long stay in the chokey if you're caught).
Whilst SMS-based 2FA is not going to stop a nation state or a dedicated hacker, those parties are unlikely to be interested in taking over your Twitter account. So SMS 2FA is good enough for some tasks...