Twitter CEO Jack Dorsey’s Hack Validates 2FA Vulnerabilities
According to the 2019 MidYear QuickView Data Breach Report by Risk Based Security, the first half of 2019 saw over 3,800 publicly disclosed breaches exposing over 4.1 billion records. These astounding numbers have pushed many companies to step up their cybersecurity game. Enterprises are investing precious internal resources - time and money - into implementing two-factor authentication (2FA) to ensure customers’ data and privacy are protected. 2FA is the evolution of passwords: it pairs something you know (such as a password) with something you have (a smartphone or token). The big issue with this approach is that 2FA is already considered obsolete and not hard to breach. The underlying principle of 2FA is that presenting two things that are unique to a person must mean that the individual is who they claim to be. That assumption does not always hold.
Last Friday, August 30th, we observed an episode that made 2FA enthusiasts cringe. Twitter CEO Jack Dorsey’s Twitter account was hacked, and the details of how it happened have just been made public: SIM swapping, a technique increasingly used by hackers in the U.S.
SIM swapping is a simple social engineering tactic in which hackers convince or bamboozle a mobile carrier’s support staff into transferring a phone number to a new SIM. Through SIM swapping, hackers gain control over one of the two security pillars of 2FA. Luckily for Twitter’s CEO Jack Dorsey, the damage was limited to vulgar and obscene tweets, but it could have gone much further.
With temporary control over a phone number, hackers can bypass SMS-based 2FA and gain control over anything the security system was trying to protect. Financial fraud is one of the hackers’ objectives, and eye-popping cases such as the Silicon Valley executive whose $1 million life savings were stolen through SIM swapping are not uncommon. Furthermore, the U.S. government has long discouraged SMS-based 2FA. Since 2016, the National Institute of Standards and Technology (NIST) has published guidelines that recommend against SMS-based authentication, such as SMS 2FA, because it is an easy-to-breach solution.
Twitter CEO Jack Dorsey’s case shows that anybody can be a victim of SIM swapping. Even though this specific case does not involve a breach through a 2FA system, it does show how vulnerable these systems are. If SIM swapping were hard to achieve, hackers would not pursue it only to troll Twitter. Companies that implement 2FA are adding a certain layer of security to their systems, but they are also adding a solution known to be highly flawed.
If your company is ready to get rid of inconvenient and insecure 2FA, click on the button below.