I would like to see this be a more broad-based rule. No, I am not moved by "SMS is easy" or "getting a number that can receive SMS is harder for scammers to do in bulk." If you must, give users the choice but not the obligation to hand over a mobile number.
0 - https://www.ftc.gov/legal-library/browse/cases-proceedings/2...
Personally, I'd rather deal with the hassle of carrying around multiple hardware tokens than give companies a continuous stream of data about my personal life to use against me.
https://www.itnews.com.au/news/telcos-declare-sms-unsafe-for...
And nothing has changed to make SMS any more secure since 2012...
If it was just SMS, I would move the SIM card elsewhere and hey-presto.
It's really a new form of torture to have to remember a really complex password and to do a TFA log in every time a change needs to be made now, one of my least likeable parts of modern jobs. It's not even like we had breaches, it just became mandatory and now a lot of things like cloud config go largely unchecked by admins because it's so tedious to log in so frequently and they often get locked out the minute they forget their phone at home because email is often another password/TFA hurdle... Stupid wins first these days. Breaches still happen elsewhere all the time despite TFA adoption as well, hackers keep engineering workarounds, and mobile security is compromised when personal devices are used anyway. A much better approach is in segmenting data, and only retaining essential/required data, but systems are made to collect far too many details on users and subject matter overreaching a "need to know" basis, which also dramatically increases the impact of modern data breaches.
TFA used to be based on email and it was just fine. The only reason why phones became mandatory is precisely because of illicit use of phone contacts by these platforms. The bootleg calls also probably eat up tons of money in terms of prepaid minutes for people with those types of plans, yet whenever there is a fine, none of the affected people see true justice.
1) Mobile Phone (landline is not required)
2) The phone number/address needs to be the same as for the card.
I don't use a mobile phone for the card. I use my landline, so I entered that.
I didn't enable 2FA on Uber but it insisted on sending me a code via SMS (of course, to my inaccessible US number). That was incredibly stupid and shortsighted. Meanwhile, all services that were set up for Authenticator MFA worked just fine over the European carrier's LTE.
It is crazy that my capitalone mastercard wouldn't allow me to do the validation through my capitalone app!
Hmm. That might be difficult. I always thought the reason Twitter required phone numbers was to stop spam accounts from being created. So a phone number is basically acting like an expensive captcha. This order seems to be saying Twitter needs to stop requiring phone numbers. That might lead to an increase in spam accounts.
I created my current Twitter account a few years ago and it remained dormant for a while. It was flagged as "in violation of our policies" despite having not made any tweets or using a handle or nickname that would cause offense to anyone. In order to resolve this, I had to enter my phone number to "secure" my account. I don't know what process triggered this review, but I'll be damned if it didn't smell like an easy way to associate an existing marketing profile with my Twitter account. Of course, it's vitally important to profile a service I used to keep up with industry news and post about Goban puzzles.
I've also run into similar patterns on Discord and similar platforms; "Oops! Something suspicious is happening with the account [you literally just created]. Please add a phone number to your profile to proceed."
Although I follow a reasonable set of practices around identity/password management, I usually architect my risk profile with a "I don't care if I lose this account" approach. If that statement isn't true, then I will happily apply all of the security measures available. However, it seems like the idea of creating "I don't care" accounts is becoming increasingly difficult as we continue to invest in user marketing analytics and lower the barrier of entry to these types of technologies that do not have the consumer's best interests in mind.
I did try uploading a celebrity photo instead, and of course it didn’t work. But I was shocked at the need to post a photo of myself. That is way past my creepy threshold.
This happened to me the other day, but for an account which is years old, owns a server with 1200+ members, and... is already logged into Discord on another web browser.
I usually use Firefox for chatting, and Chrome for voice chat (since it works better than FF for that). So I usually have FF permanently open, and I log into Discord through Chrome from time to time to voice chat. So this one time I open up Chrome (while, again, I'm simultaneously logged in through FF and can fully use my account), try to log in, and... I get a "verification required" screen.
They allegedly think I'm an abusive user so they're preventing me from logging into Discord without verifying my account, but they're simultaneously letting me fully use my account? How does this make any sense? Any abuse I can do I can already do because I'm already logged in, from exactly the same computer.
I wrote to their support asking what's up with this, and they basically told me they don't care, and that I will be required to verify. Of course they won't tell you why they're doing it, because "security".
I regularly receive crypto scam DMs on Discord and they're seemingly unable to block those kinds of accounts, but they sure as hell are good at bullying legitimate users like me.
This should have hurt Twitter way more.
Same here, linked it to PSN to get images off my PS4 and it was flagged before I could do anything.
Never did add my number and shortly after that they had a leak where any hacker could figure your number out.
Seriously, Twitter: go suck an egg. With so much money, how can you betray the trust of your users? I get daily calls from car warranty scams because of stuff like this.
It was especially infuriating, because I did not have a smartphone, only a land line, and they wanted to send an SMS.
edit: they should also be required to dump the phone numbers (even to be recollected later, without the deception), but I didn't see that in the article. Are they being allowed to keep the proceeds of a crime?
There probably should be laws establishing ultimately responsible people with the unenviable duty of being responsible for illegal things corporations do (sort of like an engineer signing off on the design of a bridge), but doubtful such a thing will happen.
We're left then with personal responsibility being limited to people stupid enough to leave pretty explicit records of nefarious intent to commit crimes.
This way, a record can be subpoenaed if needed.
Don't keep records or don't have records of this particular decision? The person responsible for making sure the records are kept for that department will be in trouble.
There is some administrative "red tape" here, but it's not that bad, and much of these records already exist (or existed).
The problem is the political will to enact such a law; I agree that's not likely to happen.
In practice, it'll be hard to enforce, though.
It's bad, I agree.
But jail? That should be reserved for the most heinous crimes and criminals.
White collar malice, even more so in tech, has an enormous blast radius. It affects a giant amount of people. Sometimes in small ways, but small suffering multiplied by a huge number is a large negative impact on society.
If one could trace down the single person (most) responsible for the offense, I would fully support jail time. It doesn't have to be long. Maybe 3 months for a case like this. And a note on the criminal record.
So that they can FEEL it. Right now they hide behind a corporate shield and suffer no personal damage nor reputational damage.
If you're ever prompted to add a phone number to your account on some web service for "extra security", just click "remind me later" or "skip" as many times as possible.
They just won't listen. So give them a fine instead, that will make them listen.
The second 'wake up call' after the last one I've seen today: [2]
[0] https://news.ycombinator.com/item?id=29264937
To me, I'm too forgetful and dumb to not lose a yubikey, but I manage to not lose my phone.
They don't offer any backups (at least on iOS) and as a result, if you lose your phone, you are hosed. Google Authenticator also doesn't use iCloud for backup for files like other apps. I also just assume at this point no one owns that app and that it'll never get backups because that's how Google operates.
I've seen multiple people lose their TOTP codes this way and get locked out of their accounts. Or even the simpler case: they buy a new phone, restore from backup and just assume everything is peachy, then send their old phone back and don't realize it until they open the app for the first time.
Use something with cloud backups for your safety.
For iOS users, I cannot say enough good things about https://apps.apple.com/us/app/otp-auth/id659877384. Author is responsive, encrypted backups, portable data format.
That’s inaccessible to a lot of people.
That being said, one-time use backup codes are a standard way out of the problem.
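An added example (not from this thread) of what "one-time use backup codes" look like on the server side: the codes are generated once, shown to the user, and only salted hashes are kept, so a database leak does not hand out working recovery codes, and each code is consumed on first use. Names, the alphabet and the hashing choice are this example's own assumptions.

```python
import hashlib
import hmac
import secrets

# Alphabet without visually ambiguous characters (0/O, 1/l/I), so a code
# survives being written on paper and typed back. Constructed choice for this example.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_backup_codes(count: int = 10, length: int = 10) -> list:
    """Return `count` random codes, formatted as xxxxx-xxxxx for readability."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        codes.append(raw[: length // 2] + "-" + raw[length // 2:])
    return codes


def normalize(code: str) -> str:
    """Tolerate dashes, spaces and upper case when the user types the code back in."""
    return "".join(ch for ch in code.lower() if ch in ALPHABET)


def _digest(code: str, salt: bytes) -> bytes:
    # Codes are short but random, so a salted SHA-256 stops a leaked table from
    # being used directly; a slow KDF such as scrypt would also be acceptable.
    return hashlib.sha256(salt + normalize(code).encode()).digest()


class BackupCodeStore:
    """Server-side record: one salted hash per code, each redeemable exactly once."""

    def __init__(self, codes):
        self._entries = []
        for code in codes:
            salt = secrets.token_bytes(16)
            self._entries.append([salt, _digest(code, salt), False])  # [salt, hash, used]

    def remaining(self) -> int:
        return sum(1 for _, _, used in self._entries if not used)

    def redeem(self, candidate: str) -> bool:
        """Mark the matching unused code as spent and return True; False otherwise.
        Every entry is compared, so timing does not reveal which slot matched."""
        hit = None
        for entry in self._entries:
            salt, stored, used = entry
            if hmac.compare_digest(stored, _digest(candidate, salt)) and not used:
                hit = entry
        if hit is None:
            return False
        hit[2] = True
        return True


if __name__ == "__main__":
    issued = generate_backup_codes()
    print("show these to the user once:", issued)
    store = BackupCodeStore(issued)
    print("first use accepted:", store.redeem(issued[0]))
    print("second use rejected:", store.redeem(issued[0]))
    print("codes left:", store.remaining())
```

The point of the `normalize` step is that a recovery code is typed by a stressed user from a piece of paper; accepting case and separator variations costs nothing in security because the entropy is in the characters, not the formatting.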
I was outraged and agree with you. It also takes on a new cast in light of this FTC action.
Only way to log in now is to provide them with a scan of my passport or drivers license.
...
I saw a tweet the other day that said they can't think of a worse purchase since Bank of America bought Countrywide for $40 billion.
TWTR has traded flat since its inception in one of the greatest bull markets of all time.
So, I co-architected the Opera Mini infrastructure. It peaked at a similar number of users (250-300M monthly active users). Sure, Twitter is much more DB-intensive, but transcoding web pages is pretty CPU intensive too, and typically we transcoded every single web page for them. Opera Mini was their only browser.
Twitter is spending $5B/300M =~ $17/user per year
I believe that from public sources, it's now possible to deduce that we spent less than 1/100th of that per user/year, almost a decade ago.
Since we didn't have crazy money, we optimized things at every step. Or, well, mostly avoided doing stupid stuff.
That’s a ton of money for a website that is very text heavy with short/low quality videos and a largely fixed feature set.
It was almost certainly a fuckup where the phone # was mistakenly stored in a shared schema, and someone on the ads side saw it and decided to use it for targeting, knowing nothing about 2FA or how it got there. This probably only affects a tiny fraction of their users.
Potentially, sure.
>It was almost certainly a fuckup where the phone # was mistakenly stored in a shared schema, and someone on the ads side saw it and decided to use it
How is this an "almost certainly"? Do you have additional information you'd care to share on why you think so? If this were the case, it would point to insanely sloppy policies, procedures, and implementations.
>This probably only affects a tiny fraction of their users.
Why?
But it's not as much money as they're making in ad sales to those phone numbers. Twitter will just see it as a cost of doing business and there won't be any meaningful change.
There's a reason many places work on a "need to know" basis.
I still prefer to signup using a spam email address.
The article mentioned that the complaint was "filed by the Department of Justice on behalf of the FTC," which sounds a bit more involved than the FTC saying, "Hey Twitter, here's your sign, now pony up"...I have no idea how the game is actually played though.
> The 2010 complaint cited multiple instances in which Twitter’s actions – and inactions – led to unauthorized access of users’ personal information. To settle that case, the company agreed to an order that became final in 2011 that would impose substantial financial penalties if it further misrepresented “the extent to which [Twitter] maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information.”
The $150m fine is because twitter violated that settlement agreement.
> This article is written like a personal reflection, personal essay, or argumentative essay that states a Wikipedia editor's personal feelings or presents an original argument about a topic.
Wikipedia describes 2FA very matter of factly without any background on its history and its advocates [2].
[1] https://chrome.google.com/webstore/detail/authenticator/bhgh...
[2] https://en.wikipedia.org/wiki/Multi-factor_authentication
As far as the history, and "who", I think this has a very long history in the "security-industrial complex", which probably means: NSA. Certainly the idea of 2FA goes back as far as smart cards (early 90s). Then came RSA SecurID, which I saw as a hack to give you something similar to smart card security but without the need to roll out a PKI. TOTP seems like it is a generic version of SecurID. I don't particularly remember any vendor agenda on all of this, more like everyone was looking to fulfill government and bank requirements for security, then the techniques employed leaked out into the corporate/enterprise world, and finally (like, around today) have become mainstream in the B2C use case. My perception has been that all of this was pretty much about "making things better" by some definition of better that depends on reasonable security for reasonable cost, in the context of typical user behavior.
Did Jack Dorsey implement and endorse this scam?
[1][PDF] https://www.ftc.gov/system/files/attachments/office-technolo...
They violated that order and that's what the fine is for.
I was wondering what kind of authority the FTC has to impose fines based on what as a European I'd consider a GDPR violation (in the USA, this california privacy act thing sounds like it would be the nearest thing, but that's not federal so that couldn't be it). But what was this order about? Clicking the reference in the article:
> The FTC’s complaint against Twitter charges that serious lapses in the company’s data security allowed hackers to obtain unauthorized administrative control of Twitter, including access to non-public user information, tweets that consumers had designated private, and the ability to send out phony tweets from any account including those belonging to then-President-elect Barack Obama and Fox News, among others.
> Under the terms of the settlement, Twitter will be barred for 20 years from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information
So this wasn't about privacy initially, the FTC's attention came from allowing some public figures' accounts to be hacked, after which it imposed some broad set of requirements, which are broad enough to now include this privacy issue. Not a bad outcome, but interesting turn of events to get the FTC to act as data protection authority.
What is that time limit for?
Seems badly expressed to me. I suspect it means there will be a harsher punishment if this happens again within 20 years.
$150M for a repeat offense affecting millions of users is paltry.
I recently booked a flight on American Airlines for my 80+ year-old father. I requested the golf cart to take him between gates.
Immediately I got a call from "American Airlines Health Alert."
They made it sound like there was an issue with the booking... "An important health alert related to your flight." And there was a "Press 1, if you're over 50" option.
Anyway long story short it was some shady marketing company selling me a panic button in case of falls.
The lady was like, "these are very expensive devices"... "we'll give you the device... but you pay a small fee for monitoring every month."
Clearly she'd given the pitch 1,000 times. Didn't give me any time to talk. Finally, I was like, "Hey is there a problem with my Dad's flight, or are you just trying to sell me something?" And she hung up on me.
Fuck American Airlines. Fuck all the airlines really, but it should be illegal to target the elderly just because they asked for help with connection flights.
[0] https://www.pcgamer.com/uk/for-a-while-epic-games-store-will...
The current state of the web is completely laughable.
For some reason you cannot deactivate your account when it is locked.
So I contacted Twitter demanding that, as an EU citizen (which is true), I hereby demand all data about me that Twitter or its subsidiaries might have, including account data, be deleted under the GDPR... or alternatively unlock my account so that I would be able to deactivate it.
They were actually pretty responsible. My account was unlocked 30 minutes later and I was able to deactivate it.
>In addition to imposing a $150 million civil penalty for violating the 2011 order, the new order adds more provisions to protect consumers in the future:
>Twitter is prohibited from using the phone numbers and email addresses it illegally collected to serve ads.
>Twitter must notify users about its improper use of phone numbers and email addresses, tell them about the FTC law enforcement action, and explain how they can turn off personalized ads and review their multi-factor authentication settings.
>Twitter must provide multi-factor authentication options that don’t require people to provide a phone number.
>Twitter must implement an enhanced privacy program and a beefed-up information security program that includes multiple new provisions spelled out in the order, get privacy and security assessments by an independent third party approved by the FTC, and report privacy or security incidents to the FTC within 30 days.
Will these fines end up being paid out to everyone who now needs to deal with a lifetime barrage of spam calls and texts?
Jokes apart, I am glad they got fined. These kinds of transgressions need to be dealt with publicly, and Twitter is a big enough entity to send a message that this is serious. Of course I am sure every company that got phone numbers already abused them :)
As soon as my account got restored I let their DPO know that I don't insist on the fulfillment of the GDPR request anymore, and that I will follow through if Twitter pulls this kind of blackmail on me again. Haven't had this issue anymore.