Security News

Twitter has announced that it will no longer support SMS two-factor authentication unless you pay for a Twitter Blue subscription. In a blog post released this week, Twitter said that non-Twitter Blue users using SMS 2FA authentication have until March 20th, 2023, to switch to another 2FA method, or it will be disabled.

Hackers breached CircleCi in December after an engineer became infected with information-stealing malware that their 2FA-backed SSO session cookie, allowing access to the company's internal systems. In a new security incident report on the attack, CircleCi says they first learned of the unauthorized access to their systems after a customer reported that their GitHub OAuth token had been compromised.

A new targeted phishing campaign has zoomed in on a two-factor authentication solution called Kavach that's used by Indian government officials. LNK files are used to initiate code execution which eventually downloads and runs a malicious C# payload, which functions as a remote access trojan," Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a new report.

Comcast Xfinity customers report their accounts being hacked in widespread attacks that bypass two-factor authentication. Similar to Gmail, Xfinity allows customers to configure a secondary email address to be used for account notifications and password resets in the event they lose access to their Xfinity account.

GitHub will require all users who contribute code on the platform to enable two-factor authentication as an additional protection measure on their accounts by the end of 2023. Imposing 2FA as a mandatory measure for all GitHub accounts will make the platform a safer space where users can feel more confident about the quality of the code they download from repositories.

As you'll know if ever you've lost a phone, or damaged a SIM card, mobile phone numbers aren't burned into the phone itself, but are programmed into the subscriber identity module chip that you insert into your phone. A crook who can sweet-talk, or bribe, or convince using fake ID, or otherwise browbeat your mobile phone provider into issuing "You" a new SIM card.

The attackers try out the entered credentials on the legitimate website, triggering the sending of a 2FA code to the victim, who then enters a valid 2FA on the phishing site. The threat actors then attempt to use the entered 2FA code to log in to the victim's account as long as they act before the timer runs out.

At which point the crooks immediately try to use the combination of username + password + one-time code they just got hold of, in the hope of logging in quickly enough to get into your account before you realise there's anything phishy going on. As a result, social media users are understandably concerned about protecting their accounts in general, whether they're specifically concerned about Twitter or not: Lure you to a real page with a facebook.com URL. The account is fake, set up entirely for this particular scam campaign, but the link that shows up in the email you receive does indeed lead to facebook.com, making it less likely to attract suspicion, either from you or from your spam filter.

MFA protects a system, location, or sensitive data from being accessed by an unauthorized user. MFA systems also consider a one-time password/code received by the user via SMS or authenticator app as a possession factor.

In the past few months, we've seen an unprecedented number of identity theft attacks targeting accounts protected by two-factor authentication, challenging the perception that existing 2FA solutions provide adequate protection against identity theft attacks. For over a decade now, implementing 2FA/MFA has been considered the best-practice solution organizations must implement against account hijacking attacks, whether those were based on phishing, brute force, password theft, or any other fraudulent way of obtaining login credentials.