Security-watchers don’t appear overly impressed with Twitter’s introduction of two-factor authentication (2FA) to its service.
While some infosec experts welcomed the move, others argued that while it might help protect the accounts of individuals, it is ill-suited to the safeguarding of shared accounts of organisations – many of which have fallen victim to recent hijacking attacks.
On 22 May, users of the iconic micro-blogging service were given the option of using the 2FA service – which verifies login attempts by way of a code sent to a pre-registered mobile phone, as explained in a blog post by Twitter here.
The introduction of something stronger than basic user name and password authentication follows a spate of hijacking attacks over recent weeks where a long list of media organisations – including AP, The Telegraph, the BBC, The Guardian, The Financial Times and satirical new site The Onion – have had their Twitter feeds hijacked to promote propaganda from the pro-Assad Syrian Electronic Army.
The Telegraph and The Onion both said after the attack that they had been pwned via a determined multi-stage phishing attack where the attackers ultimately gained control of webmail accounts running social networking feeds.
High-profile individuals, including former Doctor Who actress Karen Gillan, have also had their Twitter feeds hacked to promote diet pill scams and other such crud.
Multi-user access, anyone?
But 2FA is useless to media organisations, or even small businesses, which have multiple users requiring access to the same account, experts contend.
“Media organisations which share breaking news via social media typically have many staff, around the globe, who share the same Twitter accounts,” explained Graham Cluley in a post to Sophos’s Naked Security blog. “2FA isn’t going to help these companies, because they can’t all access the same phone at the same time.
“Either those people will have to leave themselves permanently logged into Twitter (which is itself unwise from the security perspective), or one central trusted person will have to ‘own’ the phone – and share the six-digit code with journalists as they try to log in to share breaking news stories. It’s a complex problem to fix, and for that reason many media organisations may choose not to enable Twitter’s additional security at this time.”
Virus Bulletin anti-spam test director Martijn Grooten added that the same problem would be faced by most businesses that maintain a corporate Twitter feed.
“So if I want to share the company’s Twitter account with a colleague and set up two-factor authentication, we’d have to share a phone too,” he notes.
Jeremiah Grossman, CTO of WhiteHat Security, was more upbeat in making much the same point. “Twitter rolls out 2FA for users: good stuff, but how to support shared accounts,” he said.
A job listing, which has since been pulled, posted in February suggests Twitter has been looking for coders to develop “user-facing security features, such as multi-factor authentication and fraudulent login detection” for some months.
Cluley added that Twitter could learn lessons from Facebook, which has had a two-step login approval system since 2011, and also has multi-user access.
“In time, Twitter will surely mature and offer appropriate security, and mechanisms which recognise how many corporate brands and news organisations are using Twitter today,” he said.
“Maybe they will one day adopt a system like Facebook has, where multiple users can have access to an account – all with different levels of authority, all with different usernames and passwords.”
GooglePlus has also created a more sophisticated authentication set-up for shared accounts, Cluley told El Reg. “Google Plus and Facebook both give a way for individuals to have access to a brand page, but log in through their individual accounts (using 2FA, and different passwords),” he explained.
Logging in through your smartphone? When 2 (factors) become 1
David Emm, senior security researcher at Kaspersky Lab UK, said that while two-factor authentication will make it harder for hackers to hijack accounts, there are some potential pitfalls with the new approach, even for consumers.
He is less critical than Cluley about Twitter’s design choices.
“It’s easy to see why Twitter has chosen to use SMS as the second authentication method,” Emm explained. “Nearly everyone today has a mobile phone, so this method doesn’t require people to carry around an extra token or device that generates the one-time passcode.
Additionally, the cost of rolling out this technology is miniscule in comparison to investing in tokens and shipping them to its customers.”
“However, there are some potential pitfalls with using SMS as an authentication method. Many people log into their Twitter account from their smartphone via the Twitter app which doesn’t require login credentials to be entered each time.
This means that the same device is being used for both authentication factors and if this device is lost or stolen, whoever finds (or has stolen) it will be able to access the account.
Therefore, in effect, there is no longer two-factor authentication.
“Also, it is possible that we will see the development of smartphone-based malware that is specifically designed to steal the SMS authentication code. We have already seen similar malware designed to steal mTAN numbers for banking transactions. Examples include ZitMo (ZeuS-in-the-Mobile),” he added.
Cluley agreed that even those who enabled two-factor authentication were still vulnerable to some of the more sophisticated forms of phishing and man-in-the-middle-attacks.
“Determined online criminals could use “man-in-the-middle” techniques to grab the six-digit passcode alongside your password and username,” Cluley explained. “So, even if you do turn on Twitter’s 2FA, you still need to double-check that when you enter your username and password, or your six-digit code, that you are *really* on Twitter’s https website.
Otherwise, the crooks can just use all three items to log in as you,” he warned.
Emm was more willing to give Twitter some credit for moving in the right direction in giving users improved authentication tools. “Twitter’s use of two-factor authentication should be welcomed with open arms,” he said.
“Two-factor authentication makes it difficult for someone to hijack an account by adding another method of validation. To date, a static password has been the only thing securing Twitter accounts, and all too often these are easy to guess,” he concluded.