Dotcom threatens to sue web giants over patent 'infringement'

By , on
Dotcom threatens to sue web giants over patent 'infringement'
Photo credit: Juha Saarinen/ITnews

Two-factor authentication limited, experts say.

Twitter today rolled out two-factor authentication using SMS as secondary identity verification device in reaction to attacks on its users' accounts, a move which has already attracted a potential lawsuit.

Several high-profile media Twitter accounts have recently been compromised, prompting the increase in security. 

But the social network has incurred the wrath of New Zealand-based internet entrepreneur Kim Dotcom, who has laid claim to being the inventor of two-factor authentication.

Dotcom yesterday said on Twitter the likes of Google, Facebook and Twitter offering two-step authentication was a "massive IP infringenement" on what he claimed were his innovation and patent. 

Dotcom's patent is assigned to him under his previous name, Kim Schmitz. It is filed in the United States and the European Union, and covers a "method for authorising in data data transmission and communications systems".

The patent, US6078908, was filed in April 1998 and published in June 2000.

Dotcom is now threatening to sue unnamed United States companies for infringing on his patent, in response to his prosecution for alleged copyright crimes.

The internet file-sharing tycoon said he wouldn't sue Google, Facebook and Twitter if they helped to fund his legal defence against US allegations of copyright infringement.

Dotcom estimated the case would cost US$50 million or more to pursue. His own assets and that of his file-sharing company Megaupload have been frozen by the US government.

2FA busted

Despite the land grab, security experts said two-factor authentication had its limitations.

"Mobile SMS authentication is busted ... two-factor authentication as a concept has been busted," digital identity expert Stephen Wilson said.

"The test has always been that you need a second physical factor that’s out of band, a second channel."

During the AusCERT information security conference being held in Queensland this week, two presenters showed how it was possible to use NFC or RFID stickers to compromise mobile phones.

"If you can get into the command module of the phone and make it send SMSs then that will create man-in-the-middle attacks for SMS authentication," Wilson said.

"If you can do that I don’t see why you couldn’t command a phone to pop up a message that would at least look like an SMS so then you can mount a man-in-the-middle attack on any SMS 2FA."

Wilson said despite the Comms Alliance deprecating SMS authentication, it was a better solution than nothing.

"Even though these things are flawed theyre certainly better than nothing."

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © . All rights reserved.

Most Read Articles

Log In

  |  Forgot your password?