We've pointed out some problems with Twitter's new two-factor authentication. For example, since just one phone number can be associated with an account, Twitter's two-factor authentication won't work for organizations like the Associated Press, The Onion, or The Guardian. They were hacked; they could still be hacked again in the same way. However, security experts indicate that the problem is worse than that, a lot worse.

Twitter's Two-Step Program

Ask Josh Alexander, CEO of authentication company Toopher, how you'd go about hacking Twitter now that two-factor authentication is in place. He'll tell you that you do it exactly the same way you did before the advent of two-factor authentication.

In a short, droll video about Twitter's two-factor authentication, Alexander congratulates Twitter for joining a "security two-step program" and taking the first step, admitting a problem exists. He then goes on to illustrate just how little the SMS-based two-factor authentication helps. "Your new solution leaves the door wide open," said Alexander, "for the same man-in-the-middle attacks that compromised the reputations of major news sources and celebrities."

The process starts with a hacker sending a convincing email, a message advising me to change my Twitter password, with a link to a fake Twitter site. Once I enter my password there, the hacker uses the captured login credentials to connect with the real Twitter. Twitter sends me a verification code and I type it into the fake site, thereby handing it to the hacker, who forwards it to the real Twitter. At this point the account is pwned. Watch the video—it shows the process very clearly.

It comes as no surprise that Toopher offers a different kind of smartphone-based two-factor authentication. The Toopher solution keeps track of your usual locations and usual activities, and can be set to automatically approve usual transactions. Instead of texting you a code to complete a transaction, it sends a push notification with details of the transaction including the username, the site, and the computer involved. I haven't tested it, but it looks sensible.
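To make the difference between the two approaches concrete, here is a small in-memory model of the relay flow Alexander describes and of why a code that is merely typed in cannot survive it, while an approval that is bound to the site the user is actually looking at can. This is an added example written for this article, not Toopher's or Twitter's code; the origins, password and device key are constructed, nothing contacts a network, and the origin-bound variant assumes the browser supplies the page's origin to the approving device (as WebAuthn does), which goes a step beyond the push-notification-with-details that Toopher is described as sending.

```python
# Added example: in-memory model of the credential-relay attack on SMS codes
# and of an origin-bound approval that resists it.  Everything below is
# constructed for illustration; no real service or phone is involved.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

REAL_ORIGIN = "https://twitter.example"   # constructed stand-in for the real site
FAKE_ORIGIN = "https://twltter.example"   # constructed stand-in for the phishing page
PASSWORD = "correct horse"                # constructed victim password
DEVICE_KEY = b"constructed-phone-secret"  # constructed secret shared with the user's phone


@dataclass
class Phone:
    """The user's phone: receives SMS codes and, for push approval, answers challenges."""
    device_key: bytes
    sms_inbox: list = field(default_factory=list)

    def approve(self, challenge: bytes, origin_in_address_bar: str) -> bytes:
        # The answer covers the origin of the page the user is actually on, so an
        # approval given while looking at a fake page is only valid for that fake page.
        msg = challenge + origin_in_address_bar.encode()
        return hmac.new(self.device_key, msg, hashlib.sha256).digest()


@dataclass
class Site:
    """The genuine service: checks the password, then one of two second factors."""
    origin: str
    password: str
    phone: Phone                                   # the enrolled phone
    pending: dict = field(default_factory=dict)    # session id -> code or challenge

    def start_login(self, password: str, method: str) -> Optional[str]:
        """Verify the password; on success start the second step and return a session id."""
        if not hmac.compare_digest(password.encode(), self.password.encode()):
            return None
        session = secrets.token_hex(8)
        if method == "sms":
            code = f"{secrets.randbelow(10**6):06d}"
            self.pending[session] = code
            self.phone.sms_inbox.append(code)      # "Twitter sends me a verification code"
        else:
            self.pending[session] = secrets.token_bytes(16)   # pushed to the phone
        return session

    def pending_challenge(self, session: str) -> bytes:
        """What the push notification carries to the phone."""
        return self.pending[session]

    def finish_sms(self, session: str, code: str) -> bool:
        # A bare code proves only that *someone* saw the SMS; the site cannot tell
        # whether it was typed into the real page or relayed from a fake one.
        expected = self.pending.pop(session, None)
        return expected is not None and hmac.compare_digest(expected.encode(), code.encode())

    def finish_push(self, session: str, response: bytes) -> bool:
        # The site checks the answer against ITS OWN origin, not the one the user saw.
        challenge = self.pending.pop(session, None)
        if challenge is None:
            return False
        msg = challenge + self.origin.encode()
        expected = hmac.new(self.phone.device_key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def relay_with_sms_code() -> bool:
    """The flow in the article: password and code typed into the fake page,
    each forwarded to the real site in real time.  True means the relay won."""
    phone = Phone(DEVICE_KEY)
    site = Site(REAL_ORIGIN, PASSWORD, phone)
    session = site.start_login(PASSWORD, "sms")     # relayed password is accepted
    code_typed_into_fake_page = phone.sms_inbox[-1]  # genuine code reaches the victim's phone
    return site.finish_sms(session, code_typed_into_fake_page)   # relayed code is accepted


def relay_with_origin_bound_approval() -> bool:
    """Same relay, but the second factor is an approval bound to the page's origin."""
    phone = Phone(DEVICE_KEY)
    site = Site(REAL_ORIGIN, PASSWORD, phone)
    session = site.start_login(PASSWORD, "push")
    challenge = site.pending_challenge(session)
    response = phone.approve(challenge, FAKE_ORIGIN)  # victim is looking at the fake page
    return site.finish_push(session, response)        # rejected: origin does not match


def legitimate_login(method: str) -> bool:
    """The honest case for either method; both should succeed."""
    phone = Phone(DEVICE_KEY)
    site = Site(REAL_ORIGIN, PASSWORD, phone)
    session = site.start_login(PASSWORD, method)
    if method == "sms":
        return site.finish_sms(session, phone.sms_inbox[-1])
    response = phone.approve(site.pending_challenge(session), REAL_ORIGIN)
    return site.finish_push(session, response)


def wrong_password_rejected() -> bool:
    site = Site(REAL_ORIGIN, PASSWORD, Phone(DEVICE_KEY))
    return site.start_login("not the password", "sms") is None


if __name__ == "__main__":
    print("SMS code, relayed:        login succeeds =", relay_with_sms_code())
    print("origin-bound approval, relayed: login succeeds =", relay_with_origin_bound_approval())
```

The point the model makes is the one Alexander's video makes: the SMS code is a secret the user can be talked into typing anywhere, so the real site has no way to know it arrived via a fake page. An approval that incorporates the origin the user is actually interacting with fails verification when that origin is not the site's own, no matter how faithfully the attacker forwards it.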

Avoid Two-Factor Takeover

Security rockstar Mikko Hypponen of F-Secure posits an even more dire scenario. If you haven't enabled two-factor authentication, a malefactor who gains access to your account could set it up for you, using his own phone.

In a blog post, Hypponen points out that if you ever send tweets via SMS, you already have a phone number associated with your account. It's easy to halt that association; simply text STOP to the Twitter short code for your country. Note, though, that doing so also halts two-factor authentication. Sending GO turns it on again.

With this in mind, Hypponen posits a scary sequence of events. First, the hacker gets access to your account, perhaps via a spear phishing message. Then, by texting GO from his own phone to the appropriate short code and following a few prompts, he configures your account so that the two-factor authentication code comes to his phone. You're locked out.

This technique won't work if you've already enabled two-factor authentication. "Perhaps you should enable your account's 2FA," suggested Hypponen, "before somebody else does it for you." It's not entirely clear to me why the attacker couldn't first use SMS spoofing to STOP two-factor authentication and then proceed with the attack. Could I be more paranoid than Mikko?
