Twitter Breaches, MFAs, and the Need for Identity Proofing
National Cybersecurity Awareness Month (NCAM) was initially launched in October of 2003 through a collaboration between the U.S. Department of Homeland Security and the National Cyber Security Alliance (NCSA). Together, they have been reaching out to consumers, SMBs, and corporations to ensure that individuals remain vigilant, and to take responsibility of their online security practices. Unfortunately for everyone, and every organization, there are always individuals and bad actors with malicious intents. As widely reported, there have been numerous incidents where national security information has been breached by employees and third parties which left the United States vulnerable because confidential information had been handed to its adversaries. However, while it may seem less consequential, breaches of social media accounts of policy makers, former or current world leaders, or business leaders can also have wide-reaching implications if not caught in time, as illustrated by the July 2020 Twitter breach.
As we are all aware, politicians and activists increasingly use Twitter to make policy, trade, and business announcements in addition to expressing opinions about current events. If an attacker compromises one of these accounts and tweets misleading or false information, it could create world-wide pandemonium.
In July 2020, Twitter was breached by a group of teenagers, masterminded by a seventeen year old, who were able to socially engineer their way around Twitter’s password reset policy. By posing as staff employees from Twitter’s IT department, they were able to convince actual Twitter employees to provide them with the credentials to internal Twitter administrative tools. Importantly, they were successful in circumventing Twitter’s MFA (multi-factor authentication) solution, most likely using SIM swapping, and targeted 130 high-profile Twitter accounts including business leaders such as Elon Musk, Jeff Bezos, and political personalities such as Barack Obama and Joe Biden. Part of their success was driven by their ability to change the email address tied to some end-user accounts and disable the MFA after the email change. So even if the account was set up to provide notifications to an email, phone, or Google Voice with a one-time authentication code, these authentication attempts could be intercepted by the new email and phone number that the hacker provided.
The attackers were able to log into the accounts, reset passwords, and send out tweets in forty-five accounts without the end users knowledge due to a loophole in some older accounts which allowed the email of an account to be changed without sending any kind of notification to the user. The scheme was only exposed because of the obvious dubious nature of the tweets’ subject matter which directed users to send Bitcoin to a fake charity organization within a certain time. You would think that the public would see through this but within 24hrs the Jeff Bezos account had 383 transactions totaling about $117,000. Twitter was very forthright in reporting how their system was compromised but what was disconcerting was revelation that some of their average employees have unnecessarily high-level access to global influencer accounts and that security gaps had been created by the dispersion of employees due to the COVID-19 pandemic.
Also, what if the posts weren’t as obvious and instead the attackers posted about a COVID-19 miracle cure or that trade with certain countries would cease? Next time the attackers could be nationalists, as first suspected, trying to discredit Twitter by showing how easily the platform can be hacked or they could have posted incendiary comments regarding global affairs and causes. It begs a related question, what damage could be inflicted if people the company thinks they know – third-party users who have access to systems and data could bypass MFA to gain access to an organization’s company protected data, and internal systems?
Imagine how the outcome of this situation would change if after calling the helpdesk instead of being asked to answer traditional knowledge-based questions, the identity of the individual calling could be verified through identity proofing technology. And only once that proof was completed could the help desk continue the reset function. SecZetta is now able to provide this service as part of our solution which is powered and verified by barcodes, government issued IDs, face recognition. So, in a scenario when a corporate account or an account with access authorized for multiple people had a user call in and request to add someone new, etc. an additional approval workflow could be added to the request before processing the change, effectively closing a common gap in most organizations processes.
As demonstrated in Okta’s blog: there are MANY ways you can circumvent MFAs if your policies aren’t correctly configured. Acknowledging that third-party users are statistically known to be higher risk than regular employees, organizations can also use SecZetta’s Identity Proofing, to further strengthen MFA-based processes, specifically for this group of users. Essentially, enforcing a policy that states no matter the use case, third- party users would have additional authentication requirements – be that passive or active in nature. While this does not replace the need for MFA, it can start to close some of the gaps like the ones exploited in the Twitter scenario.
SecZetta’S Identity Proofing can also be used to provide identity verification during the onboarding process, and as needed throughout an employee’s or non-employee’s lifecycle, and can also integrate with HR, IAM, IGA, and other systems. The capabilities align with the Identity Defined Security Alliance’s (IDSA) best practices and will be available in the SecZetta suite in Q4 of 2020.