If ever there was a surefire way to sour users against a two-factor authentication system that was already highly flawed, Twitter has found it. On Tuesday, the social media site said that it used phone numbers and email addresses provided for 2FA protection to tailor ads to users.

Twitter requires users to provide a valid phone number to be eligible for 2FA protection. A working cell phone number is mandatory even when users' 2FA protection is based solely on security keys or authenticator apps, which don't rely on phone numbers to work. Deleting a phone number from a user's Twitter settings immediately withdraws the account from Twitter 2FA, as I confirmed just prior to publishing this post.

Security and privacy advocates have long grumbled about this requirement, which isn't a condition of using 2FA protection from Google, GitHub, and other top-ranked sites. On Tuesday, Twitter gave critics a new reason to complain. The site said it may have inadvertently used email addresses and phone numbers provided for 2FA and other security purposes to match users to marketing lists provided by advertisers. Twitter didn't say if the number of users affected by the blunder was in the hundreds or the millions, or how long the improper targeting lasted.

Company officials wrote:

We cannot say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware. No personal data was ever shared externally with our partners or any other third parties. As of September 17, we have addressed the issue that allowed this to occur and are no longer using phone numbers or email addresses collected for safety or security purposes for advertising.

Security advocates, including Matt Green—a Johns Hopkins professor specializing in cryptography—wasted no time castigating Twitter for the gaffe.

"In all seriousness: whose idea was it to use a valuable advertising identifier as an input to a security system," he wrote on Twitter. "This is like using raw meat to secure your tent against bears."

— Matthew Green (@matthew_d_green) October 8, 2019

Not all 2FA was created equal

Two-factor authentication has emerged as the single-most effective means for protecting accounts against phishing and so-called credential-stuffing attacks (the latter uses passwords swept up in breaches on one site to guess passwords on unrelated sites). As the name suggests, 2FA requires a factor—for example, a security key or a fingerprint—in addition to a password to successfully log in from a device that has never accessed the account before.

Over the past few years, security practitioners have increasingly turned away from 2FA based on SMS text messages. The reasons: (1) attackers can take control of users' phone numbers by impersonating the owners and getting the carrier to swap out the SIM card, and (2) SMS messages can be hijacked through weaknesses in the Signalling System No. 7 routing protocol that cellular carriers use to make their networks interoperable. Attackers have been known to actively exploit these weaknesses.