2FA is supposed to be a more secure way of protecting your online accounts. It adds an extra layer of security on top of your password, so that even if your password has been figured out, the hacker won’t be able to get into your account unless they also have your phone.
However, in Twitter’s case, it seems that a company that Twitter was using to send its 2FA text messages was actually secretly helping governments track people. The company in question, Mitto AG, was reportedly helping governments to secretly surveil and track mobile phones.
This is according to a report from Bloomberg in which Twitter told U.S. Senator Ron Wyden that they would be transitioning away from using Mitto’s services. The surveillance work was apparently done by Mitto cofounder and chief operating officer Ilja Gorelik, and the company claims that it had no involvement and was investigating the matter.
The tracking was achieved by exploiting vulnerabilities in the mobile telecoms protocol Signaling System 7 (SS7), a flaw known since 2016 that could be used not only to track a person’s location, but also to read their text messages or listen to their calls. Like we said, 2FA is a good idea, but perhaps it’s time that companies move away from text-based 2FA and instead rely on authenticator apps or even physical security keys.