It's incredibly helpful to know which sites offer two-factor authentication

Mar 19, 2014 14:16 GMT

Josh Davis is a computer science student at Iowa State and he took the time to build a website where everyone can see which online services employ two-factor authentication.

His motivation stems from the high-profile hijacking of the Twitter @N handle belonging to Naoki Hiroshima a while ago.

“About a month ago I was going through the process of looking for a new domain registrar to transfer my domains to. My number one criteria was a secure registrar. Although I don't own a rare Twitter handle, it was scary to think about how the extortion of Naoki Hiroshima was possible just because of a lost domain name,” Davis wrote.

He explains that although GoDaddy supports two-factor authentication, it was Hiroshima's PayPal account that gave the hijacker the room to do a lot of damage.

“I did a Google search for a list of sites with two factor auth and the results were pretty dissatisfying. The first result was a website with a huge list of sites that was barely usable,” Davis writes.

So, he has put together a rather simple list of sites that contains details about the security level they employ. The sites are divided into several categories, such as social networking, retail, email, finance, online payments, developer tools, backup and sync, site domains, gaming, cryptocurrency, health, communication and others.

Each entry is color coded according to whether two-factor authentication is available via SMS, Google Authenticator, Authy, or a custom recipe.

If none apply, the site will appear marked in red and a button will help you urge that particular website to support two-step authentication for an added layer of security.

To make things easier, anyone can help modify the list by submitting additions through Davis’ GitHub repo.

As a reminder, the hijacking of the @N Twitter handle was possible because of a weakness in the security systems employed by PayPal and GoDaddy.

Naoki Hiroshima had once been offered $50,000 (€36,000) for the username, which he refused. Hiroshima, a developer, says that hackers had often tried to steal his account by resetting the password, but until recently, none had chosen to extort it out of him.

The attacker first tried the Twitter route by resetting the password. When he tried to get Twitter to send the password to one of his personal accounts, the microblogging platform’s employees didn’t fall for it.

Then he tried something else: he called PayPal, where he convinced an employee to give him the last four digits of Hiroshima’s credit card number, which he then used to call GoDaddy. The numbers were used to confirm his identity, and so he took control of the GoDaddy account where Hiroshima was hosting several important websites.

By threatening to delete all his websites, the hacker got Hiroshima to agree to hand over the @N Twitter handle.

Since then, GoDaddy has improved its security procedures and Twitter has returned @N to its rightful owner.