According to Bloomberg, Twitter has informed US Senator Ron Wyden (D-OR) that it is transitioning away from using Mitto AG’s two-factor services to deliver authentication codes to its users. Mitto, the firm that delivered Twitter’s two-factor codes, is reported to have been secretly selling access to its networks to governments, enabling them to locate people of interest and, in some cases, obtain their phone logs.
Spying allegations over two-factor services
Company COO Ilja Gorelik allegedly sold surveillance technology firms access to Mitto’s networks, allowing them to track people using their mobile devices. Meanwhile, Mitto told Bloomberg that it had no knowledge or involvement in Gorelik’s surveillance operation and that it’s launching an internal probe to determine if its technology and business had been compromised.
Apart from Twitter, Mitto’s clients include Google, WhatsApp, LinkedIn, Telegram, TikTok, Tencent, and Alibaba. Since the report came to light, many other clients have cut ties with the firm, although it is unclear whether big names like Google will part ways. Some unconfirmed reports also suggest that Gorelik is no longer involved with the company.
Security crisis around 2FA
One of the most common methods of 2FA is SMS text messages. SMS two-factor authentication validates the identity of a user by texting a security code to their mobile device; the user then enters the code into the website or application to continue. The problem is that SMS is not a secure medium: attackers have several tools in their arsenal that can intercept and spoof SMS. As Daniel Cid, founder of CleanBrowsing, points out, it is not just the phone networks but the phone companies themselves that are bad at security. Hackers have been known to trick mobile phone carriers into transferring a victim’s phone number to their own phone.
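To make the weakness described above concrete, here is an added example (not code from the article, Twitter, or Mitto) of a server-side SMS second factor written the way a defender would want it: random six-digit codes, a five-minute expiry, single use, and an attempt limit. The class name, the delivery hook and the phone number are hypothetical, constructed for the demo. Even with all of that in place, the server only ever sees the six digits, so it cannot tell whether the code was typed by the phone's owner or by whoever else received the text after a carrier-side number transfer or interception in the delivery chain. The controls below protect the code; nothing in them protects the channel.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # code is valid for five minutes
MAX_ATTEMPTS = 5         # guesses allowed before the code is discarded


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts: int = 0


class SmsSecondFactor:
    """Hypothetical server-side SMS 2FA: issues a code, hands it to a
    delivery hook (standing in for an SMS gateway such as a provider
    like Mitto), and later checks what the user typed back."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # callable(phone_number, message)
        self._clock = clock         # injectable for deterministic tests
        self._pending = {}          # user_id -> PendingCode

    def issue(self, user_id, phone_number):
        # CSPRNG, zero-padded to six digits so leading zeros are kept.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user_id] = PendingCode(code, self._clock() + CODE_TTL_SECONDS)
        # Whoever receives this text holds everything verify() checks.
        self._send_sms(phone_number, f"Your verification code is {code}")

    def verify(self, user_id, submitted):
        entry = self._pending.get(user_id)
        if entry is None:
            return False                      # nothing outstanding (or already used)
        if self._clock() > entry.expires_at:
            del self._pending[user_id]
            return False                      # expired
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]
            return False                      # too many guesses: force a fresh code
        if hmac.compare_digest(entry.code, submitted):   # constant-time compare
            del self._pending[user_id]        # single use: a replay will fail
            return True
        return False


def run_demo():
    """Exercise the controls with a fake clock and a recording SMS hook.
    Returns a dict of outcomes so the behaviour can be asserted on."""
    sent = []                                   # constructed: captured "texts"
    now = [1_000_000.0]                         # constructed: fake wall clock
    sf = SmsSecondFactor(lambda phone, msg: sent.append((phone, msg)),
                         clock=lambda: now[0])
    phone = "+15550000001"                      # constructed sample number
    results = {}

    sf.issue("alice", phone)
    code = sent[-1][1].split()[-1]              # what arrived over the channel
    wrong = "000000" if code != "000000" else "000001"
    results["wrong_code"] = sf.verify("alice", wrong)
    results["correct_code"] = sf.verify("alice", code)
    results["replay"] = sf.verify("alice", code)

    sf.issue("alice", phone)
    code = sent[-1][1].split()[-1]
    now[0] += CODE_TTL_SECONDS + 1
    results["expired"] = sf.verify("alice", code)

    sf.issue("alice", phone)
    code = sent[-1][1].split()[-1]
    wrong = "000000" if code != "000000" else "000001"
    for _ in range(MAX_ATTEMPTS):
        sf.verify("alice", wrong)
    results["locked_out"] = sf.verify("alice", code)

    results["texts_sent"] = len(sent)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point of the demo is what is absent from it: there is no step at which the server learns who read the text. Any assurance beyond "someone had the code within five minutes" has to come from the delivery channel, which is exactly the part the article says cannot be trusted.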
Source: Bloomberg