As phishing improves and spreads, the importance of two-factor authentication grows.

Maybe I’m the last person to know this, but phishing has spread beyond email. And it’s not really pretty.

Here’s the story: A few nights ago, I got a Twitter direct message (DM) from a friend saying that someone was saying nasty things about me, with a link. The link was a shortened ( link, so it was hard to see exactly what it pointed to. I followed the link on my cell phone, and got to a website that certainly looked legit, and I was foolish enough to login. Pwnd. A few minutes later, my Twitter account was spewing tweetspam about the latest pseudo-scientific weight loss fad.

It’s all fairly classic, except for a couple of things:

  • It happened via Twitter. I haven’t seen this before, but maybe I’m the last to know.
  • On the small cell phone screen, it was harder to notice that the fake login screen wasn’t right.
  • The guy who sent me the DM had exactly the same story: he was victim of a phish, didn’t notice because of the smaller cell phone screen, and evidently his account was used to forge the DM that was sent to me. So phishes are being chained.
  • While we’re used to distrusting messages from companies, we aren’t used to distrusting messages from friends.

Yeah, I was being a bit clueless. And I ignored (though I noticed) the odd, atypical phrasing of the original DM from my “friend.” Changing technology doesn’t make the bad guys learn grammar. But still, wishing I had acted on my instincts is pointless. As a security researcher told me a couple of years ago, highly targeted phishing attacks are going to look so real that you really won’t be able to tell whether or not a message is legit.

There’s a real moral to the story. What if Twitter, like Google and Facebook (and unlike Apple or Amazon) supported two-factor authentication? We’d have a much different picture. An Internet criminal might be able to use a phish to get my password, but he still wouldn’t have the second factor, the code sent to my phone to complete the login. And he wouldn’t be able to get that code; that’s a transaction entirely between me and the provider, a transaction that can’t be spoofed by a forged site.

It’s inexcusable not to support two-factor authentication. If you don’t have the technical chops to implement it yourself, use an authentication provider, like Google. Never use an authentication provider that doesn’t support two-factor authentication.

This goes double (if not triple or quadruple) if you’re handling financial transactions. Twitter is off the hook here, but Apple, Amazon, PayPal, this means you.


tags: ,