Twitter SMS authentication security won't stop attacks, say experts

Attackers will target handsets

Twitter's long overdue rollout of two-factor authentication doesn't plug every angle of attack and won't guarantee that customer accounts aren't compromised in future, experts have warned.

Twitter introduced its secure two-factor option earlier this week after an accelerating number of hijacks against high-profile and corporate users, including The New York Times, Associated Press, the BBC and Burger King.

The option lets account holders require that each login be verified with a code sent by SMS to their mobile handset, in addition to the password, which has proved so vulnerable to compromise.

Although the move has been welcomed as a necessary step in the right direction, some have reservations about its practicality and long-term security.

For individuals, having to retrieve an SMS code for every login across possibly several accounts could prove awkward. While this will be less of an issue for larger organisations, managing which mobile numbers are set up to receive the codes could prove another hurdle.

"I do have some unanswered questions on how this will be implemented for large organisations that have multiple users with access to the company Twitter account," said Troy Gill, senior security analyst for email security firm AppRiver. "This might make use slightly more cumbersome," he predicted.

So much for practicality, which is always a trade-off. But will it improve security under real-world conditions?

There are two broad weaknesses with this approach, the first of which is pointed out by David Emm, a senior security researcher at Kaspersky Labs.

"Many people log into their Twitter account from their smartphone via the Twitter app which doesn't require login credentials to be entered each time.

"This means that the same device is being used for both authentication factors and if this device is lost or stolen, whoever finds or has stolen it will be able to access the account," he said. "Therefore, in effect, there is no longer two-factor authentication."

Emm also worries about the possibility that attackers will shift their focus to stealing the authentication codes, which has already been successfully tried during the disastrous 'Eurograbber' online banking attacks that hit a variety of financial institutions last summer.

"It is possible that we will see the development of smartphone-based malware that is specifically designed to steal the SMS authentication code," said Emm. "We have already seen similar malware designed to steal mTAN numbers for banking transactions and examples include ZitMo (ZeuS-in-the-Mobile)."

Dana Tamir, enterprise security director of security specialist Trusteer, concurs. The SMS factor adds a layer of inconvenience for attackers, but it is far from watertight, and enterprises need to be aware of its limitations.

"Two factor authentication for every tweet is a must for high risk accounts like the AP, 60 Minutes and CBS that when compromised can spread false news that can spread quickly."

"However, although considered strong, two-factor authentication alone is not really adequate as cybercriminals using financial malware have already found ways to circumvent it using Man-in-the-Browser attacks," he said.

"Trusteer has found that fraudsters bypass SMS based authentication by taking over victims' mobile SIM cards or installing malware on mobile devices that redirect SMS messages to fraudsters."

Standing back, Twitter's two-factor SMS roll-out could just be the start, a necessary short-term fix to a growing problem in advance of the firm's likely IPO. Other layers might be needed.

"Twitter should also strongly consider enabling options other than SMS, and even consider allowing enterprises to enable location- and/or IP-based log-in options," suggested Amar Singh, CISO for News International and chair of the ISACA security group.

"These are good baby steps," said Singh.

Stories by John E Dunn