Twitter CEO’s account hacked in SIM-swapping scheme
Hackers briefly took over Twitter CEO Jack Dorsey’s account, tweeting bomb threats and racist posts, and served as a reminder of the relative ease of compromising security.

“The phone number associated with the account was compromised due to a security oversight by the mobile provider,” Twitter tweeted Friday. “This allowed an unauthorized person to compose and send tweets via text message from the phone number. That issue is now resolved.”

The company also said “there is no indication that Twitter’s systems have been compromised.”

The takeover seems to be the result of SIM-swapping, according to a BBC report that cited a Twitter official, with the offensive tweets coming from Cloudhopper, a company Twitter bought to support SMS. It also appears to be the work of the Chuckling Squad, which recently has hacked celebrity Twitter accounts like that of the late YouTube personality @Etika.

“This incident is a perfect example of the risks associated with communication – any form of communication – when sender identity is not authenticated,” said Alexander García-Tobar, CEO and co-founder of Valimail. “A hacker or hackers were able to spoof Jack Dorsey’s phone number, convincing the text-to-tweet 40404 service that it was the mobile number associated with his Twitter account.”

Noting that “SIM swap scams have become a much more prominent and dangerous threat over the past year,” Ryan Rowcliffe, lead of solution architecture at SecureAuth, said, “it has been proven to be a shockingly easy way of subverting two-factor authentication by either successfully tricking carrier agents to move a user’s phone number to a new SIM card or through bribing one of these agents.”

While “the spoofed tweets sent through Dorsey’s account are despicable and offensive, yet far greater damage can be done using similar techniques. We see this play out over and over again with email communication,” said García-Tobar. “A hacker leverages impersonation to send extremely convincing spear phishing emails to a company employee, and in no time, fake invoices are paid, consumers’ data exposed, wire transfers are made to fake companies - the list is endless.”

SIM swap attacks also underscore the folly of “relying solely on two-factor authentication. As consumers we have been accustomed to SMS being treated as two-factor-authentication,” said Rowcliffe. “While this is better than nothing, it has security implications.”

The onus is on carriers, users and the security industry to stop SIM-jacking attacks, he said. “Since carriers are the real targets in this scenario, they have a responsibility to look for suspicious patterns running through their call centers and customer service organizations in order to find fraudulent activity or reps who have been bribed by cybercriminals,” said Rowcliffe. “At the very least, consumers should contact their phone carriers and request for additional security to be applied to their accounts such as not allowing account changes without a verification code delivered over a non-SMS channel.”
The industry “should be working with phone carriers to find alternative ways to confirm possession of the phone prior to allowing changes to an account of this nature,” he added.

García-Tobar said the focus should be “on validating and authenticating sender identity, no matter the form of communication,” suggesting that organizations enforce DMARC to guard against email spoofing.