
Twitter is one of the largest social media networks on the market. It's not a bumbling startup, it's a mature tech company in the center of the tech space.

> Twitter said on Wednesday that it would stop allowing some users to post updates via text message, which made Twitter access particularly easy for SIM swappers. But that will not stop hackers who use the SIM swap to log in to a victim’s Twitter account. (Twitter said it was working to improve this.)

At the risk of jumping onto hot-takes, at what point is it reasonable to say that Twitter as a company just isn't taking security seriously? The first response from Twitter should have been, "we turned off SMS password resets immediately", not, "we're working on it." This is the kind of mistake I expect a technologically naive company to make. It's a mistake I would expect a bank to make, or a startup with 7 engineers total.

I don't understand how a company can brush aside an attack where attackers took over their CEO's account. I understand everybody does dumb things occasionally, but how big is Twitter's security team? Nobody thought this was a problem?

There must be some aspect to this I'm missing; how does doing password resets over SMS pass any security audit? This isn't new, even mainstream sources have been talking about SIM-swapping for years.



