By Alvin Bryan
Early in August, Twitter released an update to its two-factor authentication (Twitter calls it login verification) that uses public-key cryptography and push notifications. Two-factor login is nothing new for Internet companies, but Twitter's design goes a step beyond the one-time-code schemes most of them use.
Twitter 2-Factor Authentication and TOTP (RFC 6238) Flaws
Put simply, at enrollment your phone generates an RSA key pair. It keeps the private key on the device and sends only the public key to Twitter. When someone then tries to log in to your account, Twitter generates a nonce (a random, single-use challenge) and sends it to the browser making the request. At the same time it sends a push notification to your phone asking you to authorize the login, showing the time, location and browser of the request. If you approve, the phone signs the challenge with its stored private key and returns the signature to Twitter. Twitter checks the signature against your enrolled public key; if it verifies, the nonce is marked as authenticated and the browser's login completes. The private key never leaves the phone, and the nonce is worthless to anyone who cannot produce a signature over it.
Most other services, including Google, Dropbox and Amazon, use TOTP (RFC 6238): the phone and the server share a secret, and the app derives a six-digit code from that secret and the current time. Twitter says it had a TOTP-based version ready for about a year but did not ship it because testing exposed flaws in the approach (the original attribution to "Twitter's Authy" is wrong: Authy is an independent two-factor app, not a Twitter product). Two points need correcting. First, the objection that a scheme only works while the phone is online does not apply to TOTP: an RFC 6238 code is computed from the shared secret and the phone's clock, so it works with no reception, no data plan and no roaming. It is push-based approval, like Twitter's, that needs the phone reachable, which is why such schemes need an offline fallback such as a backup code; without one, users who get locked out tend to disable the feature and are left unprotected. TOTP's real weakness is that the server must hold the same secret as the phone, so a server compromise exposes every user's second factor. Second, a TOTP code carries no information about the login it authorizes. The user types or reads out six digits with no idea which request they will unlock, so a phisher who asks for the code in real time, or a friend being "helped" to log in remotely, receives a valid second factor. Showing the IP address, location and browser of the request, as Twitter's push prompt does, is an improvement but not a complete fix: an attacker who has watched the user's tweets can route the login through an exit address near the user's usual location with a matching browser so that the prompt looks routine, and a user who has learned to tap "approve" reflexively will let it through.
Twitter's conclusion was that with a public/private key pair the server stores only public keys, so an attacker who compromises Twitter's servers gets nothing that can approve a login, unlike a TOTP database, where the stolen secrets generate valid codes. That is the extra protection users gain for account security. We don't yet know how well the system will hold up or what attackers will come up with to get past it, but so far it looks like a sound design for easy account security. As Twitter put it, designing a secure authentication protocol for login verification is hard, and designing one that is also simple and intuitive is harder still.
Twitter VPN Plus Authy
Authy hasn't yet proven itself, which is a good reason to keep using a VPN as well. A VPN will not secure your tweets themselves, but it does protect the hop between your device and the VPN provider, which is the part of the path that someone on the same coffee-shop or hotel network can see. Twitter already serves its site over HTTPS, so your password and tweets are encrypted either way; what the VPN adds is hiding which sites you visit and your real IP address from anyone on that local network, and replacing the IP address Twitter sees with the VPN exit's. That matters here because the IP, location and browser shown in a login prompt are exactly the details an attacker studies in order to make a spoofed request look routine, and a VPN also cuts down the tracking by other websites and services that feeds the same profile. The caveats a practitioner would add: the VPN provider itself can see where your traffic goes, so choose one you trust; a VPN does nothing against malware already on the device; and it cannot stop you approving a fraudulent login prompt. Within those limits, a reliable Twitter VPN covers the network path and the account-side protection covers the login, and together they close off the easy attacks.
Computer and browser security still matters, of course. With or without a Twitter VPN and the new two-factor authentication, an unpatched device running outdated browsers and software is vulnerable. Keep anti-virus software, firewalls and browsers up to date: those updates close the holes that the latest malware and attack tools exploit, and ignoring them leaves the door open. Set the browser to reject third-party cookies, and clear the cookies that sites do need regularly, ideally after each browsing session. Avoid clicking unverified links; if a user deliberately visits a malware-laden site and grants it access, no software or service can prevent the infection. Passwords are the last note. Use a strong password that is unique to each service, so that a breach of one site does not unlock the others, and change it immediately if there is any sign of compromise or a breach notice from the service; routine forced rotation adds little on its own. Do not opt to stay logged in, and log out when you are done, so that an attacker who obtains data from your session cannot pose as you and get at your account and device.