> "We used a rep that literally done all the work for us"
This is why the privacy and security guarantees of almost all companies, credit bureaus, banks, the IRS, the department of motor vehicles, etc., are worthless. Every customer service rep that works at any of those places -- all 500 or 5000 or 50,000 of them -- can pull up info on anyone at any time. The only thing that prevents that is rules. There are no technical countermeasures.
I'd like to see a system where it is physically impossible for a customer service rep to discover any info about me until I authenticate and authorize it. Or to at least offer me the option to lock my account such that I need to authenticate and authorize before any access is given to the customer service rep.
Does anyone know of customer service panels at big companies or government departments where this is the case? I.e., it is literally impossible for a rep to browse random customer information even if they are willing to break the rules? If it's been done somewhere, it would be interesting to hear how it was implemented.
The problem is that customers don't remember basically anything. I don't know my telephone banking password for any bank. When I call, I get asked to tell them what my last transaction was, or my mother's maiden name and DOB (public info), or what town I last used my card. I've been wrong about the recent usage questions more often than I've been right, and they say "close enough".
The technological measures have to account for human behaviour. Otherwise you just end up with almost everyone not being able to access almost everything almost all of the time. People are forgetful, irrational, stubborn and stupid. So are institutions. Put them together and you have a social engineering dream world (literally our current world).
Whenever I call into E*Trade, first they send me a text with a code. They can't see the code, they just get a box and have to enter in the code I give them and it tells them if they are right.
Then after that I have to read off my 2FA code. In other words, they have to log in with the same 2FA that I do.
So a random customer service rep couldn't access my account without my phone in their hand, even if they managed to clone my SIM to get past the text message check.
I'm really surprised that this is the top comment right now because even the most basic back of the envelope check shows that it is wrong.
Think about your own life: how often do you lose money because an insider hacked your credit accounts and bank accounts? How often do you get pulled over and your car taken away because someone changed the title/tags in DMV records? How often is your identity stolen by an employee at the IRS?
These bad things all happen to some people, of course, but the VAST majority of the time, they do not.
It is obvious that there are effective countermeasures to prevent and mitigate insider threats. Insider threat is not a new concept, and there are well-proven tactics for addressing it.
> Does anyone know of customer service panels at big companies or government departments where this is the case? I.e., it is literally impossible for a rep to browse random customer information even if they are willing to break the rules?
Yes - no names for obvious reasons but where I work (trust me you've heard of them/probably use them and they are a huge tech company) it is very hard to get access to anything even slightly customer related. You need to go through multiple levels of review and approval (often your manager, their manager, and then directors/VPs) with genuine business justifications that are actually looked at (no "asdf" here) to get access, and then it is usually only permitted for a window of months at most before it is auto-revoked. Then once you have access, every actual time you look at the data you need to provide justification (e.g. a ticket number that is actually checked to make sure it is open, not reused over and over, and not just 1234567890 etc and so on), and every single action you do with the data is tracked and audited so there is a complete 100% paper trail of who looked at what, when they did it, and why they were doing it, with traceability through to the tickets/bugs/etc for why they were even doing this in the first place. Abnormal things (e.g. systematic/repeated/etc) raise flags that do terrible things to your career. Each system/data source needs its own independent approval process.
There is no "god mode".
It is not uncommon for people to wait weeks for approvals to go through to access their own data to validate a bug fix etc. I think these safeguards are worthwhile - many would see them as a hindrance.
At past places, I implemented a call-centre UI once. We made it so that the service rep would initially not see anything about the customer, so the "Please can you confirm 3rd letter of your memorable word" or whatever meant that the service rep literally had a text box to type that letter in which had to match before they could proceed - they didn't see the whole world on screen and wait to see if the user got it right. I am not sure how common this is - when I do this from the customer side these days often the answer is immediately acknowledged by the rep without any kind of delay or typing noises so I am guessing they have my entire record on their screen and are just waiting for me to say the right things before continuing the call :(
This is why IMO Google has almost no customer service. Their weakest attack vector would be people. Imagine paying your infosec employees hundreds of thousands a year to protect your clients' data. Next to them (in terms of data access) is your customer service team at $30,000 per head. Which team is easier to crack?
We use OpsGenie at work. I've used their support a couple of times. Every time they needed to look at our company's account settings I've had to approve it (using some sort of OpsGenie internal tool).
I was pleasantly surprised.
It's impossible to tell as a customer how hard it is to access my data without that internal authorization system, but it at least looks better than nothing.
> I'd like to see a system where it is physically impossible for a customer service rep to discover any info about me until I authenticate and authorize it.
Isn't this the objective of Tim Berners-Lee's Solid Project and their Personal Online Data storage (PODs) in the spec?
https://solidproject.org
If you have a system where customer service reps are strictly unable to access your data without some kind of cryptographic authentication, that defeats the purpose of customer service for 80% of customers (who suck at using computers and mostly just lose their passwords). If you’re in the other 20%, you might as well use some kind of decentralized cryptographic system with no customer service anyway. This is one of the chief complaints I see against Bitcoin on here - “what if I lose my password?” - the implicit dual to that being that someone else can access your account without your password, and you hope they’re not a bad actor.
I have worked on controls in this area for a few US health insurance companies.
From what I have seen, it is common to have additional restrictions on accessing high profile individuals' and specific groups' data. There is also a ton of auditing around this stuff.
It is more primitive than what you described, but things are heading in that direction. It is a somewhat harder problem space because many parties need access to a customer's records in that domain.
Ultimately, the only reason things are even this far along in health insurance is the regulatory environment. It'd be nice to have stronger privacy laws that compel companies to build good controls.
How does a single rep coordinate the mass amount of posts across verified (and non verified?) accounts? That is an insane amount of access for 'a rep'. They can just copy and paste the same message across that level of accounts?
When I worked at Apple Retail, there was an internal iCloud dashboard you could log into and see _metadata_ about customer accounts. You couldn’t see anything juicy; for Find My iPhone/Friends it was just the names of people who could see your location, not locations themselves. Number of documents, not access to actual documents.
But nothing was visible to you until you verified the customer through security questions, last four digits, etc.
I don’t know the details but whenever I call Hover for support, they have to email me a code that I have to read to them to unlock access to my account. If you have 2FA enabled you need to give them that code too. I’m not sure if they are just verifying but it sounds like they actually can’t do anything without the codes.
> Every customer service rep that works at any of those places -- all 500 or 5000 or 50,000 of them -- can pull up info on anyone at any time. The only thing that prevents that is rules. There are no technical countermeasures.
Yup. Doubly so for sysadmins, many of which have abhorrent data security practices.
My personal solution is to use cover names, disposable phone numbers, and unique email addresses (the + trick is insufficient) for most services. My assumption is that the data is eventually either going to leak, or be used to threaten or harm me in some way.
If none of the PII overlaps with me, it becomes a lot harder for such an event to affect me.
The only downside is that sometimes you get companies (Airbnb, Instacart, some others) that have CSRs that demand a government photo ID to do certain tasks. Of course I don’t have any documents for these cover names, so usually the workaround is to just abandon that account, make another, and re-place the order or transaction in a way that doesn’t flag it for manual review/intervention.
Works pretty well for me most of the time.
Great idea! User accounts are locked by default, and can only be accessed if unlocked, for a limited time period, by the user themselves. For extra security, though more friction, the unlock process generates a time limited access token, provided by the user to the rep, reducing the access surface to just the rep that possesses the token.
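A model of the pattern described in this thread (the E*Trade flow where the rep types in the customer's code and only gets a yes/no, mattlondon's ticket-checked and audited access with auto-revocation, and the locked-by-default account with a time-limited token in the comment just above), as an added example that is not any commenter's or vendor's code. All names (SupportGateway, rep_read, the sample accounts and ticket) are hypothetical; a real deployment would also need the customer-facing channel that delivers the code and an external ticket system behind open_tickets.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


class AccessDenied(Exception):
    """Every refusal raises this and is also written to the audit trail."""


@dataclass(frozen=True)
class Grant:
    account_id: str
    code_digest: bytes   # SHA-256 of the unlock code; the plaintext reaches only the customer
    expires_at: float
    scopes: frozenset    # record fields the customer agreed to expose


class SupportGateway:
    """Hypothetical consent-gated support console: a rep reads nothing without a live grant."""

    def __init__(self, records, open_tickets, ttl_seconds=900, clock=time.time):
        self._records = records            # account_id -> {field: value}
        self._grants = {}                  # account_id -> Grant (at most one live grant)
        self._open_tickets = set(open_tickets)
        self._ticket_binding = {}          # ticket -> first account it was used for
        self.audit = []                    # append-only audit trail
        self.ttl = ttl_seconds
        self.clock = clock                 # injectable so expiry can be exercised

    def _log(self, **event):
        event["at"] = self.clock()
        self.audit.append(event)

    def customer_unlock(self, account_id, scopes):
        """Customer-side step: mint a short-lived code for the listed fields; only its digest is stored."""
        code = secrets.token_urlsafe(12)   # delivered to the customer (e.g. SMS), read aloud to the rep
        self._grants[account_id] = Grant(account_id, hashlib.sha256(code.encode()).digest(),
                                         self.clock() + self.ttl, frozenset(scopes))
        self._log(action="unlock", account=account_id, actor="customer", ok=True)
        return code

    def rep_read(self, rep_id, account_id, code, ticket, field):
        """Rep-side step: one field, one open ticket, one matching live grant; refusals are logged."""
        def deny(reason):
            self._log(action="read", account=account_id, actor=rep_id,
                      ticket=ticket, field=field, ok=False, reason=reason)
            raise AccessDenied(reason)
        if ticket not in self._open_tickets:
            deny("ticket not open")
        if self._ticket_binding.setdefault(ticket, account_id) != account_id:
            deny("ticket reused for a different account")
        grant = self._grants.get(account_id)
        if grant is None:
            deny("no customer grant")
        if self.clock() >= grant.expires_at:
            del self._grants[account_id]   # auto-revoke: the grant is gone, not merely stale
            deny("grant expired")
        if not hmac.compare_digest(grant.code_digest, hashlib.sha256(code.encode()).digest()):
            deny("code mismatch")
        if field not in grant.scopes:
            deny("field outside granted scope")
        self._log(action="read", account=account_id, actor=rep_id,
                  ticket=ticket, field=field, ok=True)
        return self._records[account_id][field]

    def denied_attempts(self, rep_id):
        """Reviewer view: refused reads by one rep (browsing without a grant shows up here)."""
        return [e for e in self.audit if e.get("actor") == rep_id and not e["ok"]]


# Constructed sample data: two accounts and one open ticket.
RECORDS = {
    "acct-42": {"billing_status": "paid", "home_address": "sample-only"},
    "acct-43": {"billing_status": "overdue", "home_address": "sample-only"},
}


def demo():
    """Walk the flow with a fake clock and return every outcome so it can be checked."""
    now = [1000.0]
    gw = SupportGateway(RECORDS, open_tickets={"T-100"}, ttl_seconds=600, clock=lambda: now[0])
    out = {}

    def attempt(key, *args):
        try:
            out[key] = gw.rep_read(*args)
        except AccessDenied as e:
            out[key] = str(e)

    attempt("browse", "rep-7", "acct-42", "", "T-100", "billing_status")      # before any unlock
    code = gw.customer_unlock("acct-42", scopes=("billing_status",))
    attempt("read", "rep-7", "acct-42", code, "T-100", "billing_status")      # consented read
    attempt("wrong_code", "rep-7", "acct-42", "not-the-code", "T-100", "billing_status")
    attempt("scope", "rep-7", "acct-42", code, "T-100", "home_address")       # field not granted
    attempt("reuse", "rep-7", "acct-43", code, "T-100", "billing_status")     # ticket reused
    now[0] += 601                                                             # past the TTL
    attempt("expired", "rep-7", "acct-42", code, "T-100", "billing_status")
    out["flags"] = len(gw.denied_attempts("rep-7"))
    return out
```

The rep's console never holds the customer's code or record ahead of time, so a rep who "browses" without a grant produces only a logged refusal, which is what the reviewer sees in denied_attempts.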
Supposedly my credit card company works this way (Chase), though you have to opt in to it when you sign up for two factor authentication. Sprint has the same thing, where they can’t get to anything on my account without passing two measures.
I can’t verify this 100% unfortunately but they are notable because of how rare it is
When I moved from the UK to the US, I left some money in my UK bank account for a bit... A few years later I called up customer service with "Hi can you please transfer all funds to this new account at another bank in another country, and close my UK account? I don't remember any passwords, don't have the 2fa fob you gave me, don't have the phone number you have on file and don't live at the address on file." They asked me when I opened the account, which branch it was at, and who my employer was, and that was all it took. The phone call was under an hour, most of which was spent on hold. All of the required "security" information could be figured out from my public LinkedIn. Scary stuff.
> Every customer service rep that works at any of those places can pull up info on anyone at any time.
This is simply not true. For example with banks, high-profile accounts can't be accessed by regular tellers. If someone attempts to, it is logged and someone is notified that Teller X tried to access the account.
Now that Twitter is being used for high-profile official communications, they need to re-design their employee control panels to limit, alert, and control what an employee can do with an account.
The fact that important credentials on so many high-profile verified accounts could be changed without notifying employees or locking the affected accounts until the actions are verified is unacceptable.
This was a big problem in the early days of online banking (early ‘00s). A fair number of bank fraud losses were due to rogue internal employees at call centers creating or changing, then selling off, online banking passwords. Ran into this when I was with a startup that launched bank to bank email money transfers in Canada around 2001. Banks cleaned up their security pretty quickly though, adding detailed audit trails for one, and a variety of other security controls around their own employee access (like double sign-offs). There is a general principle that banks have understood for as long as there have been banks... not all threat actors are outside threat actors.
> Does anyone know of customer service panels at big companies or government departments where this is the case?
E-government services in Estonia have nice features, aimed at giving more control to the owner of the data [1]. Among others: "It allows the Citizen to query who has accessed his/her records. [...] In Estonia, this feature has led to some very public cases of government officials being caught accessing private data of Citizens - without any legitimate and authorized reason for such access."
[1]: https://doi.org/10.1007/s12553-017-0195-1
there are countermeasures. any competent org (agree with you -- probably not the majority of them) have auditing, so accesses are logged. back in the 90s we had this at my university ... it's an age-old practice. you as user would never know it.
i would bet that most of the places you are thinking about (banks, credit card, and so on) where you get on the phone with a rep, with a phone entry system ahead of the agent, the agent can only access that specific data during the call, the access is logged, and any other access (some other account) is flagged for review. by calling in you are granting access. most users simply don't care about privacy and extra hurdles are just asking for complaints. limiting access to specific accounts during live calls is a fair compromise and a tight control.
xero (they suck, so this is not an endorsement) requires you to give the rep access explicitly, as an option, when requesting tech support. of course i have zero doubt that senior reps can get access anyway (which would be audited), so the explicit control is more about signalling comfort to you about their security measures.
after google had the SRE stalker incident they implemented very tight access controls to user data.
i walked into a verizon store the other day to buy a hotspot. the rep could not get access to any info whatsoever (even billing status) until i acknowledged a message on my phone. it's clear they only had access to my specific data (ie, they don't get to enter any phone number and get access) for that specific interaction.
This is something I argue with coworkers et al to no end: differential privileges are targets for privilege escalation!
From their perspective, they want the ability to ban/kick/etc as special powers; but from my perspective that feature is an exploitation target that's vulnerable to any unknown bugs, and probably in twitter's case, social exploitation.
I would _much rather_ see all users be equally powerful and find some means by which the services can be designed such that everyone can be comfortable and safe.
AT&T claims my security PIN will prevent agents and in store associates from accessing my account. The store rep said there’s no way for him to help me doing anything until we called a special hotline to give my PIN and approval.
Doesn’t mean there isn’t a way around it for some reps with special access. If you don’t have a PIN someone can go and open up multiple new accounts separate from your primary account in your name with different addresses. AT&T won’t even bother to tell you.
I'm fairly sure most banks operate this way. For example, I think they can't even see your account balance until they have entered phone #, mother's maiden name, etc.
The problem is that it is all too common for these tools to not be sufficiently prioritized in these organizations. They are usually slapped together without security or much else in mind. They are barely maintained. Security concerns as they surface are addressed by tacking on auditing and authorization instead of more secure architectures.
This is also why you want to have people in IT that can defer judgement if someone posts, does or says something that you do not like. Criminal behavior is another matter of course.
But you would need to educate people with access about the importance of impartial management of user data.
Banks had a culture enforcing neutrality and most importantly discretion. That is not true for modern payment processors like paypal or mastercard though.
You certainly don't want Twitter activists in such a role, regardless of political affiliation.
The Vice article (https://news.ycombinator.com/item?id=23853786) was recently updated with a note that the Twitter insider was paid to help take over the accounts, which raises further questions on the nature of "social engineering":
> we spoke to two hackers and we were able to independently verify they were in control of hijacked accounts today. One of them said they paid the Twitter employee to help them take over accounts; not sure on the specifics here at the moment
https://twitter.com/jason_koebler/status/1283594885292077056
It is so important to critically examine and limit the blast radius of administrative actions. This is both from a vulnerability perspective as well as honest human mistakes.
For certain actions like taking over an account and impersonation there should be rate limits all around. Overriding them requires a break glass process where multiple people may have to approve (or even just acknowledge that it is happening).
Social engineering happens. It can happen to the best of us who hold the keys to the kingdom. The goal is that no one individual can completely break all the barriers. They need a bit of help, time, or both.
RE: social engineering, as long as a human is involved somewhere, the system can be compromised. IT security is a very depressing field because of this fact.
I also hope these incidents remind people of how little control you really have over your online identity. We're all just IDs in a database somewhere, waiting to be impersonated.
Decentralization is the only solution for this IMO.
If it’s really a social engineering attack then I think it happened because everyone is working remotely and it is easier to perform social engineering attacks. Maybe this incident will have impact on their long term remote work plans.
To me, this raises the likelihood that the attack was about something else. The BTC scam just doesn't seem anywhere near worth it compared to other things you could do - selling or using insider information, blackmail, shorting Tesla, taking out politicians, etc.
If the attack had been something like an exploit in the new API, I'd think, maybe some kid found it and was acting fast and reckless. If this was a sophisticated attack on multiple employees via social engineering, I have to think the attackers thought about it. And if they thought about it, they weren't just after 150k of BTC.
Anyone else unimpressed with Twitter's U2F/FIDO token support?
They support a total of 1 (one) U2F token on an account :( The only other company I know that does that is AWS and one U2F token. Every other site I use allows multiples, usually at least 5 or more.
I set up U2F on Twitter but then got rid of it after realizing they only allow one.
With the info we have it looks like hackers changed the email id of the accounts and then used forgot password to reset the password. What’s concerning is that they were able to do it for accounts with 2FA enabled. I think disabling 2FA should be an extremely privileged action and should not be accessible to most employees.
According to some images, Twitter low level employees can see email address of all accounts (and I guess phone numbers). I know some celebrities have their real email address and phone numbers on those accounts. Isn't that something bad?
If this is the true story, is it a standard practice on social networks to give an administrator the right to post anything in your name without any distinguishable marker? There is an enormous trust issue here. I expect an administrator to be able to moderate a post or disable an account, not to impersonate it from an admin dashboard.
If the details about how these accounts were taken over are true, that an employee changed email addresses of these accounts to email accounts controlled by the attackers, this is going to turn out to be a massive breach.
I'm thinking specifically of direct messages that could have been scooped up before they went public and started tweeting on these accounts.
Wait a second...they were hacked in a way that makes it so we can't trust any tweets. Does it make sense, then, for them to use tweets to report their progress on addressing this?
CamelCaseName | 5 years ago
It would have been fascinating to see which account had the best conversion rate.
junar | 5 years ago
https://twitter.com/TwitterSupport/status/128359184496275046...
gruez | 5 years ago
Also, if you search for the source for one of the images (mentioned in the article), you can find this tweet: https://twitter.com/UnderTheBreach/status/128349929454113177... which says the recent hacks were done through that tool.
blibble | 5 years ago
as you've described: the U2F functionality is completely useless because if you lose/break your single U2F key then you're completely screwed
and they still have no support for ed25519 keys (which were added to OpenSSH in 2013), unlike every other cloud service
I have to have an RSA key just for AWS (particularly annoying as I have all my other ssh keys stored in a hardware token)
if they didn't validate the damn key type then it would probably just work out of the box
jc_811 | 5 years ago
“Once we became aware of the incident, we immediately locked down the affected accounts and removed Tweets posted by the attackers.”
The accounts were posting for hours after it seemed Twitter became aware what was going on.
catalogia | 5 years ago
This must be some new meaning of the word 'immediately' that I wasn't previously aware of. It took them quite a while to get these accounts locked.