The hacking of the Twitter CEO's account highlights the dangers of 'SIM swap' fraud
WASHINGTON: Even with considerable security precautions, Twitter CEO Jack Dorsey became the victim of an embarrassing compromise when attackers took control of his account on the platform by hijacking his phone number.
Dorsey became the latest target of so-called SIM swap fraud, in which a scammer tricks a mobile operator into transferring a phone number, which can cost victims control not only of social media accounts but also of bank accounts and other sensitive information.
This type of attack exploits a weakness in two-factor authentication that relies on text messages to validate access to an account, and it has become a popular intrusion method in recent years.
Twitter said Friday that the account was restored after a brief time in which the attackers posted a series of offensive tweets.
But Ori Eisen, founder of the Arizona-based security firm Trusona, which specializes in password-free authentication, said the quick fix should not be seen as an answer to the broader problem of SIM swap fraud.
The problem is not over, Eisen said, noting that these types of attacks have been used to take over other high-profile social media accounts and for various types of fraud schemes.
Eisen said it is unclear how many people are attacked in this way, but that automated technology can generate billions of calls that lure people into handing over information or passwords.
Some analysts say that hackers have found ways to easily obtain enough information for a telecom operator to transfer a number to a scammer's account, especially after large database breaches that result in personal data being sold on the dark web.
Text messages from mobile accounts can be hijacked by sophisticated hardware techniques, but also by so-called 'social engineering', which convinces a mobile service provider to migrate the account to another, unauthorized phone, said R. David Edelman, a former White House advisor who runs a cybersecurity research center at the Massachusetts Institute of Technology.
It only takes a few minutes of confusion to cause mischief like the kind Dorsey experienced. Thousands of these attacks have been reported in countries where mobile payments are common, including Brazil, Mozambique, India and Spain.
Researchers at security firm Kaspersky say that the security systems of many mobile operators are weak and leave customers open to SIM swap attacks, especially if attackers can collect information such as birth dates and other personal data.
In a recent blog post, Kaspersky researchers Fabio Assolini and Andre Tenreiro said some cases involve cyber criminals who pay corrupt employees of mobile phone operators, for as little as $10 to $15 per victim.
The interest in such attacks is so great among cyber criminals that some of them have begun to sell it as a service to others, the researchers wrote.
In Brazil, some criminals have seized the victims' WhatsApp accounts, using them to ask the person's friends for urgent payment, Assolini and Tenreiro wrote.
This is a fairly mature avenue for fraud, said Joseph Hall, a technologist at the Center for Democracy and Technology in Washington.
Hall said some operators are using artificial intelligence to separate legitimate SIM card replacements from fraud, but that this has not been universally implemented.
He blamed operators for not having more robust ways to authenticate users, he added, while calling on Twitter to offer better safeguards.
A false tweet from the president or another prominent person could have devastating consequences, such as a fall in financial markets, Hall said.
These kinds of things become difficult to counter, because even after the information comes out that it is a hoax, people may not believe it, he said.
The Dorsey case, Hall said, highlights the need for better forms of authentication, especially for large online platforms such as Facebook and Twitter, where messages can have an impact.
This could involve a physical key that connects to a device, or a software-based system such as Google Authenticator, Hall noted.
Eisen said that, paradoxically, the drive for longer and more complex passwords has led to increased use of insecure text messages for authentication.
Security professionals must accept the fact that what used to work doesn't work now, he said.
We need to find solutions that are not so easily exploited by bad actors and that are easy for people to adopt.