Who needs SS7 when you can sound convincing on a phone call to a cell provider? https://twitter.com/AlecMuffett/status/965377886478831617
Congressional campaign staffs are 3-15 people, most from random walks of life, on various cell providers, virtually none with technical expertise. The win, for attackers, for compromising them is, potentially, control of a branch of the US government.
For at-risk non-technical users, security has to work, without trying, practically by default, THE SAME WAY FOR EVERYBODY. NO insurgent campaign has security staff. SMS account recovery flows flunk that test.
Replying to @tqbf
Account recovery has always seemed like one of the hardest 'security' vs 'functionality' tradeoffs to solve for to me. What are better account recovery patterns?
Replying to @ncallaway @tqbf
Political campaigns typically have a specific person whose superpower is being very well organized (on smaller campaigns this is often the campaign manager), and I've been encouraging them to hold a master U2F key and recovery codes to all personal accounts
For NGOs, there's often an office manager who fills this role. The key is to treat it as a social and organizational problem, not a purely technical one.
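The thread argues for recovery codes (held by the organized person on the campaign) in place of SMS-based account recovery. Below is an added example, written for this page and not code from anyone in the thread, of what a service-side recovery-code flow looks like when done carefully: codes are generated from a CSPRNG, stored only as salted PBKDF2 hashes so a stolen database does not yield usable codes, compared in constant time, and burned after a single use. The in-memory store, the code length, the iteration count and the `normalize` helper are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed parameters for the example: 8 codes per account, 40 random bits each
# (8 base32 characters, short enough to write on paper and read back reliably).
CODE_COUNT = 8
CODE_BYTES = 5


def normalize(submitted: str) -> str:
    """Canonicalize a user-typed code: drop spaces/dashes, ignore case."""
    return submitted.replace(" ", "").replace("-", "").lower()


def generate_recovery_codes(count: int = CODE_COUNT) -> list[str]:
    """Return fresh one-time codes; they are shown to the user exactly once."""
    codes = []
    for _ in range(count):
        raw = secrets.token_bytes(CODE_BYTES)
        codes.append(base64.b32encode(raw).decode().lower())
    return codes


class RecoveryCodeStore:
    """Per-account store of hashed, single-use recovery codes (in-memory here;
    a real service would persist the salt and hashes alongside the account)."""

    def __init__(self, iterations: int = 50_000):
        # Slow hash so that a leaked table cannot be brute-forced cheaply:
        # 40-bit codes are far too small to protect with a plain SHA-256.
        self.iterations = iterations
        self._accounts: dict[str, dict] = {}

    def _hash(self, salt: bytes, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, self.iterations)

    def issue(self, account: str) -> list[str]:
        """Generate a new code set for the account, replacing any previous set."""
        codes = generate_recovery_codes()
        salt = secrets.token_bytes(16)
        self._accounts[account] = {
            "salt": salt,
            "hashes": {self._hash(salt, c) for c in codes},
        }
        return codes  # plaintext leaves the server only at this moment

    def redeem(self, account: str, submitted: str) -> bool:
        """Consume one code. Returns True on success; the code can never be reused."""
        entry = self._accounts.get(account)
        if entry is None:
            return False
        digest = self._hash(entry["salt"], normalize(submitted))
        matched = None
        for stored in entry["hashes"]:
            # Constant-time comparison against every stored hash, no early exit.
            if hmac.compare_digest(stored, digest):
                matched = stored
        if matched is None:
            return False
        entry["hashes"].remove(matched)  # single use
        return True

    def remaining(self, account: str) -> int:
        """How many unused codes the account still has (useful for reminders)."""
        entry = self._accounts.get(account)
        return 0 if entry is None else len(entry["hashes"])


if __name__ == "__main__":
    store = RecoveryCodeStore()
    issued = store.issue("campaign-manager@example.org")
    print("hand these to the person holding the master key:", issued)
    print("first redemption:", store.redeem("campaign-manager@example.org", issued[0]))
    print("replay of same code:", store.redeem("campaign-manager@example.org", issued[0]))
    print("codes left:", store.remaining("campaign-manager@example.org"))
```

The point of the structure is that nothing a carrier employee can be talked into (a SIM swap, a forwarded SMS) touches this flow: possession of a code that was printed once and kept offline is the only thing that redeems it, and `remaining()` lets the service nag the account holder to reissue before the set runs out.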