Twitter's Security Woes Included Broad Access To User Accounts (bloomberg.com) 20
Twitter has struggled for years to police the growing number of employees and contractors who have the ability to reset users' accounts and override their security settings, a problem that Chief Executive Officer Jack Dorsey and the board were warned about multiple times since 2015, Bloomberg reported Monday, citing former employees with knowledge of the company's security operations. From the report: Twitter's oversight over the 1,500 workers who reset accounts, review user breaches and respond to potential content violations for the service's 186 million daily users has been a source of recurring concern, the employees said. The breadth of personal data most of those workers could access is relatively limited -- including such things as Internet Protocol addresses, email addresses and phone numbers -- but it's a starting point to snoop on or even hack an account, they said.
The controls were so porous that at one point in 2017 and 2018 some contractors made a kind of game out of creating bogus help-desk inquiries that allowed them to peek into celebrity accounts, including Beyonce's, to track the stars' personal data including their approximate locations gleaned from their devices' IP addresses, two of the former employees said. Concerns about Twitter's ability to protect user data deepened this month after hackers hijacked the accounts of some of its most famous users, including political leaders, business titans and celebrities, as part of an apparent cryptocurrency scam. The pressure on Twitter to protect its users isn't limited to the personal data it collects on them -- which is minimal compared to some other social media sites -- but extends to the influence its users wield, especially world leaders or the political dissidents who oppose them.
Re: (Score:2)
Twitter is a US company. It is not the company that is answerable to you, it is you who's answerable to the company.
https://www.youtube.com/watch?... [youtube.com]
And it ain't exactly news.
Two signatures required for amounts over... (Score:5, Interesting)
Seems like a good application for multi-party authorization.
Require N people to modify an account.
N could be 1 + log base 10 of the number of followers.
+1 for verified accounts.
So, yeah, Barack Obama (verified, 120M followers) calls in to make a change to his account, you're going to need to get 10 customer service reps on the call and all 10 are going to have to click OK on their own screen. Sounds extreme, but
- how many accounts have 10^8 followers?
- how often do those accounts call for service?
- how embarrassing is it going to be if one of those accounts gets hacked?
Re: (Score:3)
Or you could factor in the seniority of the CSRs involved... so 10 CSRs, or 6 CSRs + 2 Team Leads (at 2x each). There's no way a single CSR should be able to make the kind of change that reflects the recent disaster.
Re: (Score:3)
Honestly, it should probably be (log base 10(followers) - 2), minimum 1. Starting to provide special protections for ten thousand+ followers is good.
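The three comments above (the original "1 + log10(followers), +1 for verified" proposal, the weighted Team Lead variant, and the "log10(followers) - 2, minimum 1" variant) describe one quorum scheme from different angles. The following is an added example, not code from any commenter or from Twitter, that puts the scheme into a checkable function. It assumes logs are rounded down (which is what makes the 120M-follower, verified example come out at 10 approvers), assumes the role weights CSR = 1 and Team Lead = 2 from the second comment, and adds one defensive detail the thread does not mention: an approver is counted once no matter how many times they click OK.

```python
import math

# Approval weight per role. Constructed for this example from the comment
# suggesting a Team Lead counts as two CSRs; not a real Twitter policy.
ROLE_WEIGHT = {"csr": 1, "team_lead": 2}


def _log10_floor(followers):
    """Integer part of log10(followers); 0 for accounts with no followers."""
    return math.floor(math.log10(followers)) if followers >= 1 else 0


def required_approvals(followers, verified, policy="parent"):
    """Approval weight needed before a support-initiated account change applies.

    policy="parent": 1 + floor(log10(followers)), +1 if verified  (first comment)
    policy="reply":  floor(log10(followers)) - 2, minimum 1        (third comment)
    The +1 for verified accounts applies under both policies.
    """
    magnitude = _log10_floor(followers)
    if policy == "parent":
        need = 1 + magnitude
    elif policy == "reply":
        need = max(1, magnitude - 2)
    else:
        raise ValueError("unknown policy: %r" % policy)
    if verified:
        need += 1
    return need


def approval_weight(approvals):
    """Sum the role weights of a set of approvals, counting each approver once.

    approvals: iterable of dicts with keys "approver_id" and "role".
    Unknown roles raise KeyError rather than silently counting as zero or one.
    """
    seen = {}
    for a in approvals:
        seen[a["approver_id"]] = ROLE_WEIGHT[a["role"]]
    return sum(seen.values())


def change_authorized(followers, verified, approvals, policy="parent"):
    """True only if the collected approvals meet the quorum for this account."""
    return approval_weight(approvals) >= required_approvals(followers, verified, policy)


def demo():
    """Worked instance from the thread: a verified account with 120M followers."""
    csrs = [{"approver_id": "csr-%d" % i, "role": "csr"} for i in range(6)]
    leads = [{"approver_id": "lead-%d" % i, "role": "team_lead"} for i in range(2)]
    return {
        "needed": required_approvals(120_000_000, True),          # 10
        "six_csr_two_leads": change_authorized(120_000_000, True, csrs + leads),  # True
        "six_csr_one_lead": change_authorized(120_000_000, True, csrs + leads[:1]),  # False
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Under the parent policy a 120M-follower verified account needs weight 10, which six CSRs plus two Team Leads reach exactly; dropping one lead leaves it one short. Under the "reply" policy the same account needs 7 and a 10,000-follower unverified account needs 2, while anything below 1,000 followers stays at a single approver.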
Re: (Score:2)
Re: (Score:1)
Seems like a good application for multi-party authorization. Require N people to modify an account. N could be 1 + log base 10 of the number of followers. +1 for verified accounts.
So, yeah, Barack Obama (verified, 120M followers) calls in to make a change to his account, you're going to need to get 10 customer service reps on the call and all 10 are going to have to click OK on their own screen. Sounds extreme, but - how many accounts have 10^8 followers? - how often do those accounts call for service? - how embarrassing is it going to be if one of those accounts gets hacked?
Does Twitter-Twatter even have that many customer service reps that can actually speak the language that you speak?
Re: (Score:2)
Yep, in my former job there was a Site Security Manager who automatically replied "Approved" to any ticket without reading it. Finally someone higher in the food chain posed him a question in a ticket, he replied "Approved", and was out the door a couple of days later.
Re: (Score:2)
At one time I was hired at Microsoft as a short-term contractor to aid a project to migrate some NT4 domains into the larger Active Directory infrastructure. New guy with almost no references, just off the street, and my first day I had Enterprise Administrator and Schema Administrator permissions and was working in an office where there wasn't anyone else for most of the day. Even Bill Gates didn't have those permissions (I checked). When the project was finished and there were still several months left
Re: (Score:2)
So, yeah, Barack Obama (verified, 120M followers) calls in to make a change to his account, you're going to need to get 10 customer service reps on the call and all 10 are going to have to click OK on their own screen.
You shouldn't have hundreds of reps with access to Obama's account in the first place, you should have a dedicated group for VIP accounts, with additional training and likely explicit instruction on guarding against phishing, and probably some contractual things to make sure they understand the gravity of the work they are doing.
Twitter's new motto... (Score:5, Insightful)
Twitter's new motto: You get what you paid for.
Re: (Score:2)
There is a really simple solution for this (Score:2)
Screw Facebook. Don't join them if you aren't on. Get off of them if you already joined.
But if you suggest the same thing for Twitter, that is crazy talk. Honestly I don't get why so many people feel like they can't live without Twitter. I've never joined by choice (I actually am on Facebook by the way). There is life without Twitter. If I don't have an account, I can't be hacked.
Re: There is a really simple solution for this (Score:1)
Twitter curating news feeds of prominent accounts (Score:2)
Like an article of someone who is also critical of Twitter saying something bad about that person.
Alternatives (Score:2)