Twitter Breach

MagicalAzareal

Magical Developer
It looks like they used SMS 2FA (which is hideously insecure) instead of real 2FA (e.g. with an authentication app) or a hardware 2FA device. With SMS 2FA, anyone can phone up the phone company, pretend to be you and get your SIM transferred to another device.
 

MagicalAzareal

Magical Developer
This seems like the real problem to me, not SMS 2FA itself.
There is no good reason to ever use SMS 2FA. It is not secure. It is not 2FA. People have been advising against it for many, many years and yet some companies / people go ahead and use it anyway.
For a large company like Twitter, it is just plain laziness and it is 100% on them. SMS 2FA doesn't even offer any advantage over an app.

Once you have an authentication app, you can use it anywhere and it doesn't rely on a mobile network as it is based on the current time and a secret key you load on the device for that site (which you may scan onto it with a QR code).

I would imagine the reason Twitter does something insecure like SMS 2FA is for marketing purposes although it is surprising employees would be caught too and it would be someone with full access to all DMs.
 
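The post above describes what an authenticator app actually does: it never touches the mobile network, it derives the code from the current time and a per-site secret that was loaded once (usually by scanning a QR code). The block below is an added example, not code from the post or from Twitter, that implements that mechanism end to end (RFC 4226 HOTP and RFC 6238 TOTP): it parses a constructed otpauth:// provisioning URI of the kind a QR code carries, derives the six-digit code, and shows the server-side check with a small clock-drift window and a constant-time comparison. The issuer and account name in the URI are made up; the secret is the RFC 6238 test key so the output can be checked against the published vectors.

```python
"""
TOTP the way an authenticator app computes it: only a shared secret and the
current time are needed, no SMS and no network.  Added example; the issuer,
account and URI below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample: the payload an authenticator app reads from the QR code.
# The secret is the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_URI = ("otpauth://totp/ExampleSite:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleSite"
              "&algorithm=SHA1&digits=6&period=30")


def parse_otpauth(uri):
    """Return (secret_bytes, digits, period, algorithm) from an otpauth URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret_b32 = q["secret"].upper().replace(" ", "")
    secret_b32 += "=" * (-len(secret_b32) % 8)   # QR payloads usually strip padding
    secret = base64.b32decode(secret_b32)
    return (secret, int(q.get("digits", 6)), int(q.get("period", 30)),
            q.get("algorithm", "SHA1").lower())


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digestmod = getattr(hashlib, algorithm)
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, digits=6, period=30, algorithm="sha1"):
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    return hotp(secret, int(at_time) // period, digits, algorithm)


def verify_totp(secret, code, at_time, digits=6, period=30,
                algorithm="sha1", window=1):
    """Server side: accept the current step and +/- `window` neighbouring
    steps to tolerate clock drift; compare in constant time."""
    step = int(at_time) // period
    for k in range(step - window, step + window + 1):
        if hmac.compare_digest(hotp(secret, k, digits, algorithm), code):
            return True
    return False


if __name__ == "__main__":
    secret, digits, period, alg = parse_otpauth(SAMPLE_URI)
    now = time.time()
    code = totp(secret, now, digits, period, alg)
    print("current code:", code,
          "accepted:", verify_totp(secret, code, now, digits, period, alg))
```

The point the post makes falls out of the code: once the secret is on the device, `totp()` needs nothing but the clock, so there is no carrier to social-engineer and nothing for a SIM swap to intercept. The server keeps the same secret and only has to tolerate a step or two of drift; a wider `window` than that just gives an attacker more guesses per code.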

Jeremy8

Enthusiast
There is no good reason to ever use SMS 2FA. It is not secure. It is not 2FA. People have been advising against it for many, many years and yet some companies / people go ahead and use it anyway.
For a large company like Twitter, it is just plain laziness and it is 100% on them. SMS 2FA doesn't even offer any advantage over an app.

Once you have an authentication app, you can use it anywhere and it doesn't rely on a mobile network as it is based on the current time and a secret key you load on the device for that site (which you may scan onto it with a QR code).

I would imagine the reason Twitter does something insecure like SMS 2FA is for marketing purposes although it is surprising employees would be caught too and it would be someone with full access to all DMs.
Just playing devil's advocate here, but a lot of companies probably use text messages because it's a lot easier for the average person to understand. People who are bad with technology will have a hard time understanding authentication apps, even though it seems pretty simple to people like us. A lot of people also don't understand security and wouldn't understand why they have to download an extra app on their phone just to log in. A lot of companies, including banks, are using SMS 2FA. I suppose the point you're making is that it makes you less secure, not more secure, but there are a lot more companies than Twitter using it.
 

MagicalAzareal

Magical Developer
Just playing devil's advocate here, but a lot of companies probably use text messages because it's a lot easier for the average person to understand. People who are bad with technology will have a hard time understanding authentication apps, even though it seems pretty simple to people like us. A lot of people also don't understand security and wouldn't understand why they have to download an extra app on their phone just to log in. A lot of companies, including banks, are using SMS 2FA. I suppose the point you're making is that it makes you less secure, not more secure, but there are a lot more companies than Twitter using it.
https://www.itnews.com.au/news/telcos-declare-sms-unsafe-for-bank-transactions-322194 Phone companies don't want you using it for anything secure either and they have been warning against it for a decade.

Also, if a bank employee makes an oops and accidentally lets someone drain 200 bank accounts, would you play the "devil's advocate" there? This isn't grandma getting phished, this is someone getting access to theoretically any private message stored on Twitter. Please take these problems seriously.
 

Jeremy8

Enthusiast
https://www.itnews.com.au/news/telcos-declare-sms-unsafe-for-bank-transactions-322194 Phone companies don't want you using it for anything secure either and they have been warning against it for a decade.

Also, if a bank employee makes an oops and accidentally lets someone drain 200 bank accounts, would you play the "devil's advocate" there? This isn't grandma getting phished, this is someone getting access to theoretically any private message stored on Twitter. Please take these problems seriously.
Devil's advocate means you offer an explanation for an opposing view. In this case, we are talking about why hundreds of companies might be using text message authentication even if it's less secure than using authenticator apps.
 

MagicalAzareal

Magical Developer
Speaking of the general case of grandma, if companies would stop putting up SMS 2FA options, like many banks have by now, people will start using the more secure options instead. Multiple options confuse people, and pretending SMS 2FA "might" be secure even more so.

People install apps all the time for all sorts of frivolous reasons. It is a trivial cost to protect your bank account from being drained.
Devil's advocate means you offer an explanation for an opposing view. In this case, we are talking about why hundreds of companies might be using text message authentication even if it's less secure than using authenticator apps.
I find your invocation of the devil's advocate to be disingenuous and intended to cover up for Twitter's clear failings. It is one authenticator app for every site you might ever need to use. It is not complicated.

For someone with admin access to a large company with hundreds of millions of users, it would be hardware token + possible manual confirmation that it is you when connecting + manager oversight when touching sensitive accounts.

This is not a joke. In any other industry, you could be fined big and even go to prison for fooling around.
 

zappaDPJ

Moderator
You have to keep in mind that the majority of people are unlikely to question any form of security if it's being touted by a recognized name. In the last 48 hours alone I've used 2FA via SMS three times including once to make a payment to pay off a credit card provided by Amazon.

The fact is almost everyone uses it and while I'm aware that it's not particularly secure, I have no real choice but to accept it.
 

Nev_Dull

Anachronism
I agree, most users don't know much of anything about the security behind the apps or sites they are using, and really, they shouldn't have to. It is entirely up to the companies like Twitter to maintain proper security in their software, and that nearly always comes down to economics.

Maybe they shouldn't be using 2FA via SMS, but changing that is an expensive proposition. Until there is a major (or in this case, a very public) breach, most of these companies will continue to opt for "acceptable risk" over the cost of upgrading.

Side note:
This isn't grandma getting phished
In defence of Grandma, far more young adults are fooled by phishing scams than old people.
 

Paul M

Super Moderator
anyone can phone up the phone company, pretend to be you and get your SIM transferred to another device.
You need a better phone company then.
You certainly can't just ring mine and do that; first you would need to know my password.
Things like transferring your number to a new SIM also require further checks.
SMS messages are also sent to the old device 24 hours before any transfer is started.
 

Claverhouse

Aspirant
Some of us don't have Smartphones and don't need them.

Not that the history of Android and Apple apps makes one want ever more apps anyway...
 

ManagerJosh

Adherent
You need a better phone company then.
You certainly can't just ring mine and do that; first you would need to know my password.
Things like transferring your number to a new SIM also require further checks.
SMS messages are also sent to the old device 24 hours before any transfer is started.

Most mobile phone companies have terrible security for consumers because they keep the bar low out of convenience for the lowest common denominator consumer.
 

feldon30

Fan
You need a better phone company then.
You certainly can't just ring mine and do that; first you would need to know my password.
Things like transferring your number to a new SIM also require further checks.
SMS messages are also sent to the old device 24 hours before any transfer is started.
AT&T is notorious for just handing over SIMs / accounts to people who have any social engineering skills whatsoever. This is a major, widespread problem which has led to millions of dollars in cryptocurrency and hundreds of valuable domains and Twitter accounts being stolen. AT&T is the worst, but I'm not sure there's a "best" in the USA.

https://www.google.com/search?q=sim swap fraud

Remember when Apple and Amazon were asking for different pieces of information for verification? So you could call one, give them one piece of information and then they'd give you another, then you'd call the other and give them the newfound piece of information, and that was the verification used to unlock information in the other. Back and forth until you had everything you needed to own the account. They fixed some of this, but it's still way too easy to steal accounts; even if you add a passcode on your account, AT&T will let you past it if you have enough other information.
 

enivid

Aspirant
AT&T is notorious for just handing over SIMs / accounts to people who have any social engineering skills whatsoever. This is a major, widespread problem which has led to millions of dollars in cryptocurrency and hundreds of valuable domains and Twitter accounts being stolen. AT&T is the worst, but I'm not sure there's a "best" in the USA.

https://www.google.com/search?q=sim swap fraud

Remember when Apple and Amazon were asking for different pieces of information for verification? So you could call one, give them one piece of information and then they'd give you another, then you'd call the other and give them the newfound piece of information, and that was the verification used to unlock information in the other. Back and forth until you had everything you needed to own the account. They fixed some of this, but it's still way too easy to steal accounts; even if you add a passcode on your account, AT&T will let you past it if you have enough other information.

Heh... Here you have to come to a mobile company's office in person with your ID and to file a written request to restore a SIM. Of course, you could probably bribe someone in the management to circumvent this, but I am not sure if that would work well.
 