Having your social media account hacked is bad. Having your social media account publicly hacked when you’re the CEO of the company is much, much worse.
On Friday, August 30th, this became reality for Jack Dorsey, CEO of Twitter. During the attack, a hacking group known as Chuckling Squad took over Jack's own account to blast offensive material and promote themselves. Days later users, security professionals and twitter administrators are reviewing the aftermath. The good news is, security specialists were able to quickly figure out right away what went wrong. The bad news? Jack is victim of SIM swapping, a growing weak point when systems use telecom numbers to authenticate. It's a difficult attack to defend against, but one the telecommunications industry in particular needs to step up on.
The hijack: what happened?
In Jack’s case, he connected his twitter account to his cellphone carrier’s texting plan, using Twitter’s newly acquired service, Cloudhopper. By connecting his phone number to his account, he could send to text messages directly to twitter. Least anyone blame Cloudhopper however, Twitter has permitted connections between accounts and phone numbers for some time now. Even without text-to-tweet services, many users connect their twitter accounts to a telecom carrier for SMS authentication. It's a common security feature that, sadly as this attack proves, may no longer be viable.
Many users are aware that when attackers access their phone, personal accounts are at risk. That's not big news. If you leave your phone on the subway and someone picks it up, they can access all of your apps instantly. For smartphone OS developers like Google (Android) and Apple (iphone) that's the logic behind locking your device and anti-theft measures. What is a surprise are the attacks by phone that occur without compromised devices. In a SIM swapping attack, stealing the device as it turns out, is unnecessary. Attackers can get into linked accounts by control of your phone number alone, and that's much easier than most of us imagine.
What SIM swapping and how does it work?
The sad truth is, getting control of a users’s phone number isn’t nearly as difficult as it ought to be. A SIM swap is when the hacker convinces the telecom provider they are the account’s owner, and need their number transferred to a new device. They know it can be done. While calling a service provider to switch a phone number from one phone to another should raise red flags, in the world of portable communications it's business as usual. Hackers are well aware that telecom networks regularly receive calls from users who need access from new phones: the user has damaged an older system, lost their device, or simply upgraded to something new.
“Hi, this is Jack Dorsey. I have a new phone and want to switch my numbers.”
For some, a call like this is all it would take. Even if the telecommunications company attempts to verify the contact’s identity, this can be simple to bypass, particularly now in a world of social engineering and old passwords for sale in the dark web.
“Hi Jack, I just need to verify your account. When is your birthdate/mother's maiden name?”
There can also be malicious activity within the telecom, if an administrator with the right access privileges is bribed into making the switch. As Lt. John Rose states during an interview with Krebson Security:
How could this attack have been prevented?
Jack’s attack is an ugly reminder: we’re only as ‘secure’ as our weakest link. Connecting our social media to smartphone texting is no longer secure, now that attackers have discovered a weak link with telecom providers. This is not necessarily a slam against telecoms, only recognition that the game is changing. SIM swapping is effective as an attack effective *because* we frequently connect our phone numbers with other services.
You can still have a smartphone with texting capabilities. You can still have added two-factor (2FA) or multi-factor authentication security. However, users who want to avoid hackers accessing accounts via SIM swaps should consider alternative forms of how accounts are authenticated. These can include:
Authentication apps, such as those by Google and Microsoft. These apps work similar to SMS, only instead of delivering a code through text messaging, the security code is provided through an encrypted app. Other popular programs include LastPass and Authy.
Email authentication: old-school but still viable, receive a security code by email, which can't by bypassed using SIM swapping. Be warned however, this authentication type is meaningless if the attacker already has access to your email account.
Physical security keys and hardware tokens: an expensive option, but for 2FA solutions they can also be the most difficult to bypass. The Verge has published a list of the best hardware security keys, while business owners looking for solutions at the corporate level should consider companies like RSA.
Remember: whatever you do, don't drop the 2FA
Unfortunately, you may find some systems won't allow for authentication apps or alternative measures. In those situations, should you drop the 2FA entirely?
Don't you dare.
No, seriously, if there's one outcome security professionals do not want from this situation, it's for users to give up on the idea of 2FA entirely. Too often we struggle to get users to recognize how important multiple authenticators are, and be willing to turn these systems on. As Grzegorz Milka stated in USENIX Enigma 2018, over 90% of Gmail users aren’t using any two-factor authentication at all. That's a large number of accounts far more vulnerable than they need to be. As Chris Hoffman states with How-To Geek:
"Yes, app-based two factor authentication is better than SMS-based authentication. But, if SMS is all a service offers, it’s still better than not using it at all."
Phones that use SMS-based authentication may be vulnerable to SIM swapping, but SIM swapping takes time and effort. Accessing accounts via password alone are much easier to accomplish, requiring less time, planning, and a pining hopes on the right phone call.
Telecom verification: time for an upgrade
With such a public hack, now is the perfect time for telecommunications companies to ask how they prevent SIM swapping attacks. They need better verification processes to spot incoming SIM swapping attempts and combat them. It’s in their best interest: carriers already regularly partner with technology providers, benefiting from the publics increased use of online networks. 2FA by text has been a boon: after all, users need a viable carrier and text messaging package to make it work.
So how to make our phone numbers more secure? For starters, consider adding a PIN number to your account. Keep it unique for this purpose, something that won’t be vulnerable if a data breach elsewhere exposes an in-use password. Telecommunications companies that don’t already offer this option should highly consider adding it to future offerings. Another safeguard is to require employees performing SIM swaps to use dual authentication. Make it harder to bribe an insider by requiring more than one person on the inside to make the switch.
Jack's hack was public, but in a way he's lucky: the attack was obvious, the method of attack quickly revealed. Suppose however, that it hadn't been the case? SIM swaps can happen to more than social media accounts. Suppose the attackers had gone after accounts with a bank, ebay or amazon?
Hopefully the attack, along with revelations over SIM swapping in general encourage more platforms to adopt different types of multi-factor authentication, and for telecom companies upgrade how they allow phone numbers to be switched. Otherwise future attackers may be looking for more than stir up some attention and public embarrassment.