Let's talk about this hack a second, because this one? This is a problem.

He didn't have a bad password, or forget 2FA. Nobody hacked into Twitter.

They bribed someone at a mobile carrier to dupe his phone's sim card. cnn.com/2019/08/30/tec…
What happened is Twitter allows tweets to be posted by SMS, without being logged in, by texting to 40404. If your phone number is connected to your Twitter account, the text is posted as a Tweet.

No password, no authentication token, just your phone's SIM card as your ID.
So the simple way to hack the account is to go to Sprint, or AT&T, or T-Mobile, find someone who works in customer service, and pay them to dupe the phone's SIM card.

All you really need is to know which mobile provider they use. You don't even need their phone number.
This is a huge problem with another security system we rely on: using text messages as two factor authentication.

Which is dumb as hell. But your bank does it, your power company does it, your insurance company does it, etc.

It's cheap to do, so they all do it.
The problem is, again: all you need is to know someone in customer service at a mobile provider to copy a SIM card.

By using the cloned SIM, any text message meant for them is sent to you. You can get into any account that uses SMS texting as two factor authentication.
Even worse: this can pretty much be done by anyone in customer service.

Someone working for $10 - $12 an hour, less than 30 hours a week, no benefits, etc.

They are *ripe* for bribery. Throw around a couple thousand dollars and you'll own anyone on that mobile network.
So, the takeaway here is: don't trust SMS text messaging as a security measure. It's probably the least secure option available.

Using an authenticator app like Google Authenticator or Authy? INFINITELY more secure.

And this dumb "tweet without a password via text" gotta go.
PS: You can do this "hack" without bribing the customer service tech, I should mention.

You just social engineer them. Using the right information, you can do the "my phone was stolen and I need a new SIM card" routine, and it'll work. They'll clone you one on the spot.
Just to clarify:

A SIM card is not your phone's memory. It's your phone's ID. It's the "driver's license" it uses to access a cell network. Dupe it, and the text messages and calls meant for you go to someone else.

Authenticator apps? Not related, more secure.
Because while it's still possible, it's getting more difficult. Carriers are getting wise to the scam and are requiring more checks before just cloning someone's SIM card.

A bribed employee doesn't care and just clones it.
I don't.

What's even more frustrating is that there are numerous free authenticators available. All a company would need to do is set one up.

But again, that costs money. Why spend it when you can just keep using SMS when customers don't know any better?
Folks, my doctor's office uses SMS texting to allow access to my medical records, my appointment history, my lab results, all of it. It's not even two-factor, it's JUST an SMS text message to access the account.

It's like a steel vault with a lock made of lukewarm pastrami.
You know why I get irrationally angry about pop culture portraying tech wrong?

Stuff like this is why. We end up with a public lazily misinformed and dangerously inept when it comes to the basic tech of the world around us.
Any two factor authentication using a system not designed for 2FA is by its nature insecure.

It's why the industry went through the trouble of inventing token generators and authentication apps. Nothing's 100%, but real 2FA is designed for security.
When you kludge together something like 2FA-over-email or 2FA-over-SMS, you're boned from the get-go.

Those systems all have known, glaring holes that can be exploited ... and in some cases (phone providers, webmail companies) that point of failure is employees.
Thread by Nash Across the 8th Dimension