Twitter’s hack shows the danger of tying authentication to social media

What made Wednesday’s attack on famous Twitter accounts so problematic wasn’t the high profile of its victims, but the non-technical and repeatable method the assailants used.

The hackers used the apparent goodwill of ordinary people, not bots or sophisticated digital assaults, relying more on mind tricks than mastery of code. The incident, which resulted in compromises of accounts tied to Barack Obama, Joe Biden, Elon Musk, Kanye West, Apple’s corporate account, and others, was part of a social engineering scam that targeted Twitter employees.

The risk to the targeted individuals is likely not high, since the famous people tied to the accounts likely have very little direct involvement with their tweets, which are often handled by communications staff.

But once a social engineering attack is successful, it potentially permits compromise of other services that are accessed via social credentials and the company’s internal systems.

Many websites let users log in with their Facebook, Apple and Google accounts; and many use a consumer's mobile phone number for two-factor authentication. If any of these are taken over, they could expose any other account they're connected to.

“This means they could similarly and potentially hack socially driven payment apps. The key point here is that Twitter employees can be socially engineered, like most employees anywhere, to give away some of the keys to the kingdom, whatever type of kingdom that may be,” said Avivah Litan, a vice president at Gartner Research.

Bloomberg News

Twitter referred questions to its own feed, which includes an apology from CEO Jack Dorsey, who is also the CEO of Square, one of the brands whose account was compromised in the attack, and an assertion that it has reduced access to internal systems while it’s investigating the incident.

The attack appears to be coordinated and well-planned, with messaging that appeared genuine. It’s easy to imagine Obama or Jeff Bezos or Michael Bloomberg announcing they are “giving back to the community” with a link for a donation. The faux Tweets, which have since been deleted, ask for a donation of bitcoin, with the promise of a return of a larger amount from the account holder.

“Social engineering can be something as common as phishing or as targeted as compromising the integrity of the human relationship,” said Steve Hunt, a senior analyst at Aite’s cybersecurity team. “Somebody conned somebody else.”

The attack also comes a few days after word leaked that Twitter is working on a possible subscription service. Codenamed Gryphon, the potential platform would involve Twitter enrolling users and obtaining payment credentials to offer transactions with a social context, similar to Venmo, as well as ways to add recurring payments for subscriptions which are growing in popularity during the coronavirus shutdowns.

Much like Facebook or WeChat, Twitter’s vast international scale makes it an attractive base for commerce, given how many people use Twitter regularly, often staying signed on for most of the day.

At the very least, the hack creates a perceived security link between the social messaging site and any service that’s layered on top of it.

“Given that social media are all about ease of use, attracting users in order to monetize them, but are likely run with a desire to police content and may want to de-platform people and businesses, one would have to consider all such apps to be potentially at risk,” said Colin Bastable, CEO of Lucy Security. “They may say it is all driven by algorithms but we know that, as with A.I., there’s a bunch of eyeballs with real access to data behind the scenes.”

Working from home can also make it easier to con people and commit other digital attacks. Across all industries, companies are stressed to mitigate security risks in changing environments in which it’s harder to flag suspicious activities with so many workers off site.

“People’s behaviors change when their work environments change, and this has made the ‘mark’ more susceptible to a targeted spear phishing attack,” Bastable said.

The celebrity who is probably more directly affected by the incident is Dorsey, one of Silicon Valley's most notable figures. Dorsey said via Twitter: “We feel terrible this happened. We’re diagnosing and will share everything we can when we have a more complete understanding of exactly what happened.”

While Dorsey runs both Twitter and Square, the two companies don’t directly work together and Dorsey is more well known for his work at Twitter. However, there’s reputational risk for Dorsey, whose own Twitter account was taken over almost a year ago in a SIM swap attack.

“This is a big headache for Dorsey, who is generally known to be a progressive sharp entrepreneur who is generally smarter and more innovative than his competitors,” Litan said. “This definitely hurts his brand, at least temporarily. It’s a major embarrassment for him.”

There’s an additional reputational hit for cryptocurrency, a category that has been dogged for years as a potential venue to hide criminal behavior given its anonymity.

Technically, crypto has nothing to do with this attack, other than it highlights that crypto makes it easier for attackers to launder money and stay relatively anonymous and hidden from law enforcement, at least in the short term, Litan said.

“If the hackers had asked the victims to transfer money to a given bank account, or to pay them off with credit cards, it would have been much easier for law enforcement and the banks to stop the funds from getting to the hackers,” Litan said.
