AP Twitter Hack: 2FA Wouldn’t Have Helped

When a hacked Twitter account spreads false news of an explosion at the White House and causes hysteria that spurs a 140 point drop in the stock market, it should encourage calls for Twitter to bolster its security measures, so it’s no surprise that many are clamoring for Twitter to offer 2-factor authentication. One problem with this – news outlets are reporting that hackers gained access to the AP’s account through a phishing attack. While 2-factor authentication makes it more difficult to phish an account, it will not prevent this type of attack from being successful (nor will a more complex or longer password for that matter).

If a user is tricked into revealing login credentials to a false landing page, 2-factor authentication will only limit the time the hacker has access to the account. Attackers would need to collect the 2nd factor of authentication, but the underlying tactics would remain the same. Even if a session cookie expires every few hours (which for Twitter would be days – not hours or minutes), then the attackers would still be able to cause the kind of mayhem we saw today. As we saw, it only took minutes for a tweet to make stock trading algorithms go bonkers. The following graphic provides a visual of the process a hacker would follow to get past 2-factor authentication (note that this isn’t how the AP was hacked, it’s how a hacker would attack Twitter if it had 2-factor authentication):

For an organization like the AP, which likely has multiple users accessing its Twitter account, security measures would have to extend to whatever platform it uses to perform group tweeting. At PhishMe, we have struggled to find an effective way to share tweeting privileges, as Twitter itself doesn’t offer a way to do this; we’ve been forced to use 3rd party platforms. Any additional security Twitter implements won’t be very valuable for organizations if it doesn’t also roll out an ability to have multiple users tweet from an account. This is not to say Twitter shouldn’t implement a more robust layer of authentication, but it also begs the question of how far should it go? Twitter wasn’t designed for group use. If it adds layers of security, will it solve the group use problem? The fact is, if the AP employees had recognized the phishing email, and never surrendered login information in the first place, this all may have been avoided. As long as users fall for these tactics, adversaries will develop tactics to trick users into leading them around technical security layers. –Aaron @higbee