
Phishing [and mitm] attacks are not mitigated by two-factor.

http://www.digitaltrends.com/social-media/thanks-twitter-but...

"So how can anyone hack Twitter with two-factor authentication in play? The account info you’ve just entered will automatically be entered into the real Twitter.com by the hacker. And seeing as how you’ve had your account info entered into Twitter.com for you, Twitter’s two-factor authentication will ping the victim with the SMS and temporary password as expected, Toopher (a two-factor security service) CEO Josh Alexander explains.

At that point, since you’ve received an SMS from Twitter, you’re probably under the assumption that the account recovery process seems legit and would continue to enter in that temp password into the fake Twitter site. Of course once that’s done you’ve lost complete control of your account."

http://www.theregister.co.uk/2007/04/19/phishing_evades_two-...

"Hackers sent the customers emails falsely claiming to be from ABN Amro. If recipients opened an attachment, software was installed on their machines without their knowledge. When customers visited their banking site, the software redirected them to a hacker-controlled mock site that requested their security details.

As soon as the hackers received these details they were able to log into a customer's account at the real ABN Amro site, before the expiry of the fob-generated number. They could then transfer the customer's money." (they didn't need to redirect the customer to intercept the credentials but it makes it harder to detect)



No, and it also doesn't solve global warming. But it's a huge step in the right direction.


It's not a huge step. Training users not to reuse passwords (or login IDs!) would be a huge step. Not using easily found personal information for password recovery would be a huge step. Implementing the second factor in a less feeble way would be a huge step.

This is a small step. Like a padlock made of cardboard, this is the weakest attempt they could make. They probably don't even use heuristics to determine if your environment has changed so they can re-challenge you (now industry standard among authentication solution providers).

Twitter added this feature because they've had too many high-profile hacking stories in the media and nobody would keep investing in a company whose security track record is a tabloid joke. This is a step towards keeping their users and potential investors from running for the hills.

Here are some alternative methods to secure user credentials:

- Bcrypt

- Require the login ID to be separate from their email address or public handle

- Verify two-factor PINs via reply

- Additional authorization methods for group accounts (no shared logins)

- Open standards like TOTP

- Physical tokens

- Strengthen password recovery measures


Two factor is a huge step. One of the biggest impacts of phishing is due to credential reuse across sites. The damage that a phishing site (or compromised site) can do is quite limited if you have two factor auth for your other sites. Also, online phishing attacks are doable but have the disadvantage of the victim being right there and potentially able to notice the intrusion instead of the damage being done at arbitrary points in time later.

Are you completely secure against phishing when using 2fa sites? No. And you never will be. But you're significantly safer than you would have been without it.


In what way is bcrypt an alternative method when compared to two factor auth? Also, from the point of view of the live MITM attack you mentioned above physical tokens or TOTP wouldn't help either. What exactly are you proposing they do?


Err, you're right, bcrypt wouldn't help stolen passwords and a token wouldn't help a mitm. TOTP would be useful if it were used in a separate channel, but not in this case. I was just brainstorming ways to make authentication suck less in general.



