Dave Humphreys - Aug 04, 2020

Twitter Hack in Bitcoin Scam Reveals Fundamental Security Flaw

FIDO  Breaches

Back in July 2006 when Twitter, then known as Twtrr, was unleashed onto the unsuspecting public, the world was a simpler and gentler place. President Bush rolled out an anticipatory in case Flu Pandemic Plan as a blueprint, but there was no actual pandemic. And it would be another three years before Bitcoin, the first decentralized crypto currency, made its debut.

The service, launched by the now-defunct Odeo, was simple, powerful, and innovative, but majorly insecure. As CEO Jack Dorsey proclaimed back in 2007, “One could change the world with one hundred and forty characters.” Not much has differed with regards to Twitter in the intervening time period, except the global bad actors now out-innovate the innovators, running rings around them whilst damaging companies and consumers alike.

A Coordinated Attack: Hackers Take over High-Profile Accounts

According to the New York Times, on Wednesday afternoon, July 21st, some of the rich and famous tweeted similar altruistic messages: just forward me some Bitcoin and I, out of the goodness of my heart, will send back twice the amount. The scam has badly embarrassed the powers-that-be at Twitter, or so they say.

Twitter’s support folks reported the company was subjected to a coordinated social engineering attack targeting employees who had access to internal administration systems and tools. The hacked employee accounts were used to access and tweet from the accounts of targeted social media aristocracy and to compromise several cryptocurrency Twitter accounts used to reinforce the scam.

To keep the owners of the hacked accounts from being alerted that their passwords had been changed, the hackers disabled (or diverted) the two-factor authentication (2FA) account security that typically sends texts or emails when passwords are changed. Without the password change alerts, account owners had to rely on other means to notice that something was amiss with their accounts. Further, account owners completely lost the ability to access their Twitter accounts as they had no access to the hacker-reset passwords.

One of Twitter’s first actions was to change the email addresses for the affected accounts. With new (presumably isolated) email addresses for the affected accounts, hackers were no longer able to access individual accounts. If they tried to change the password, they weren’t able to use the email address to make or confirm additional password changes.

How Could This Have Happened?

It is difficult to comment accurately on the administration authorization regime within Twitter, but on the face of things, despite having agreed to 10 years of security audits as part of a 2010 Federal Trade Commission settlement, internal policies appear far too lax for a company that holds accounts for people who actually can change the world with the wave of a wand of words. Based on media reports, it’s hard to understand exactly what happened. However, since employee accounts were compromised to gain access to internal admin tools, it’s not too much of a stretch to assume employee accounts were protected by passwords or shared-secret authentication.

As reports of data breaches have become common, our society seems to have become numb to them. It doesn’t need to be this way. Passwords are the leading cause of data breaches on the internet accounting for more than 80 percent of hacking-related breaches. Passwords are an outdated means of accessing accounts or data. The sooner passwords and other forms of shared-secret authentication, such as one-time passwords (OTP), knowledge-based authentication (KBA), and SMS codes are eliminated, the safer we will be, and the hacking news coma will be relieved.

Stronger Authentication Exists. Why Not Use It?

If the Twitter admin accounts had required a strong authentication method, this particular hack would have been a lot more difficult to pull off. There is some speculation that there was an ‘insider’ admin at Twitter involved; in this case using strong authentication for the admin user wouldn’t have helped prevent the hack. However, if the administrator policy had been designed to require a second admin (using strong authentication) before any 2FA was disabled for a user, that would have made it extremely difficult for the hacker.

The FIDO Alliance, a nonprofit standards group of more than 200 companies from around the world, has been working for more than five years to eliminate passwords from enterprise and the internet. They have standardized three protocols that have had dozens of implementations on the market for the past four years.

Web Authentication (WebAuthn), a core component of the Alliance’s FIDO2 set of specifications, is an API that allows websites to update their login pages to add FIDO-based authentication on supported browsers and platforms. FIDO2 enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments.

In 2017, the National Institute of Standards and Technology (NIST) published a draft Special Publication 800-63-3, Digital Identity Guidelines, naming FIDO-based solutions as the highest level of authentication technology assurance for federal use.

The Passwordless Opportunity for a More Secure Future

IT professionals know that internal administration tools require the highest possible level of security controls. They may need to learn about the newest and most secure ways but importantly, what they really need is internal buy in from the top of their organizations.

Forward-seeking companies can easily roll out a better alternative for authenticating humans to devices. The vast majority of these authenticating devices need nothing more than the basic Universal Second Factor (U2F) protocol in passwordless mode to enable the registration of the first U2F key presented as the administrator's key to the device.

Twitter has been far-sighted enough to support FIDO authentication as an option for its users, yet it seems they haven’t used this security infrastructure to secure their internal systems. At a minimum—especially with their history of data breaches—they should require strong authentication for employee access. And it is time to start innovating again and take one important step further. To protect as many of its users as possible, Twitter should aim to have a vast majority of its user base—including all verified accounts—authenticate into their Twitter accounts by using FIDO2. If Twitter ‘mandated’ its customers to use FIDO2 it would be possible to design their platform to prevent the FIDO2 requirement being turned off for its users by an admin. Account recovery is a separate topic that we won’t discuss here.

What is Twitter waiting for? With the rapid maturation and support for WebAuthn, over 85 percent of today’s browsers now support FIDO2 Authentication—and FIDO2 works on both iOS and Android mobile devices.

The WebAuthn specification defines further use cases for public-key cryptography, which will continue to raise the bar for future hackers as the recommendations are implemented. $1.3B was wiped off the market value of Twitter due to the attack; strong authentication could be implemented for a tiny fraction of that amount.

About the Author

Dave Humphreys is a Regional VP of StrongKey, a Cupertino, CA and Durham, NC company focused on securing data through key management, strong authentication, encryption, and digital signatures. Take a look at StrongKey’s FIDO2 information here.

Cybersecurity can be hard, we get it. Click here to request a free security assessment.