“Social engineering” is an underlooked component of hacking, one that has fallen out of the limelight in recent years as things like phishing emails and improperly secured cloud storage have captured the world’s attention. A recent spree of Twitter hacks indicates it might be heading back to center stage. A number of high-profile accounts, the biggest of which was CEO Jack Dorsey’s personal account, have been taken over by way of a SIM swap attack that relies primarily on smooth-tongued operators manipulating a customer support agent at a telco.
How a SIM swap attack works
Social engineering used to be one of the main ways that hackers gained illicit access to information. They would call up a company and pretend to be someone they are not, using some combination of slick charm and knowledge of the target and the company’s inner workings to convince a hapless employee to give up the goods.
The SIM swap attack is just a modern form of social engineering. The attacker merely needs to know what phone company the target uses. They then call the company, speak to a customer service agent and pose as the target. They convince the customer service agent to switch the target’s phone number to a SIM card that they own. In some cases, they have simply bribed an insider at the telco to do it.
This gives the attacker immediate access to any phone calls and text messages coming in to the target’s number, as well as a good deal of their call and messaging history. It also allows them to pose as the target via legitimate-looking outbound calls and messages.
Due to a security lapse in Twitter’s direct messaging system, it can be used to send tweets as well. A SIM swap attack does not completely take over the target’s Twitter account, but it does allow an attacker to tweet anything from it thanks to Twitter’s system for direct messaging via SMS. If the attacker happened to have the target’s password, they could also intercept two-step verification passwords that are sent by way of SMS.
As you can see at the link, Twitter simply requires you to text your tweet to a certain number to have it posted. There is no password or secondary verification in this process; as long as it’s coming from the phone number tied to the account, it goes through.
So once in possession of a target’s telco account by way of the SIM swap, the attacker is free to fire off tweets through any account tied to that phone number.
The Twitter hacks
Jack Dorsey was the most high profile victim of a hacking group calling itself the Chuckling Squad, which went on a roughly two-week spree of similar Twitter hacks. The group also tweeted through the accounts of a number of prominent YouTube personalities and podcasters in the week leading up to the Dorsey attack. After the Dorsey Twitter account was hacked the Chuckling Squad took advantage of their roughly 20 minutes of access to fire off a series of offensive tweets and memes to his four million followers, which is generally what they do when they gain access to accounts.
In hindsight, Dorsey was probably fortunate this Twitter hack was exposed by a bunch of pranksters tweeting at 3 AM in America. Hackers with this kind of access to social media accounts could have gone much farther. For example, they might have done something to manipulate Twitter’s stock price via a fake announcement from Dorsey. A tweet campaign that was less obviously fake could have caused lasting damage, particularly if the attackers prepared convincing deepfaked video or audio in advance. They might have also used this window to spread malware to Twitter users.
Alexander García-Tobar, CEO and co-founder of Valimail, expanded on the potential damage a Twitter hack of this nature could cause:
“This incident is a perfect example of the risks associated with communication – any form of communication – when sender identity is not authenticated … The spoofed tweets sent through Dorsey’s account are despicable and offensive, yet far greater damage can be done using similar techniques. We see this play out over and over again with email communication. A hacker leverages impersonation to send extremely convincing spear phishing emails to a company employee, and in no time, fake invoices are paid, consumers’ data exposed, wire transfers are made to fake companies – the list is endless.
“To stop these attacks, we must focus on validating and authenticating sender identity, no matter the form of communication. With email, we can do this by taking steps like properly enforcing DMARC and implementing advanced anti-phishing solutions that confirm senders’ identities before allowing emails to enter employees’ inboxes.
“Until we prioritize these initiatives as a society, we will continue to see attacks and an erosion of trust in our main forms of communication: phone, text, email, and social media.”
A particular vulnerability at AT&T?
Though Dorsey and Twitter had no comment on the issue, a number of the YouTube personalities that were hacked publicly blamed AT&T.
It’s unclear what the connection is to the Twitter hacks, if any. It could be a coincidence that the angry celebrities who chose to vent publicly all used AT&T as their carrier. Chuckling Squad might have some sort of connection at the company they were able to leverage.
It could also be that AT&T is uniquely vulnerable to SIM swap attacks in some way. Crypto investor Michael Terpin took the company to court a year ago after losing $23 million in cryptocurrency as the result of a SIM swap attack. He claimed that the company was negligent and that the breach was due to a security oversight, allowing attackers access in spite of the use of a unique PIN to protect his account.
Should multi-factor authentication include text messaging?
Two-factor authentication is considered a baseline standard for account security at this point – you have a password, but you also verify with something else that you physically possess.
Since everyone carries a phone, the phone has become that default secondary item. Many sites give users no other option for secondary verification but a text message or robocall sent to their phone, which is an obvious security failure if the account was compromised due to a SIM card switch (as happened in all of these Twitter hacks).
Should phones be considered too vulnerable to be used in a multi-factor authentication process? Perhaps, because they ultimately rely on a factor beyond the control of the end user: they are only as good as the security policies and customer service agents at the owner’s telco.
Some of the information needed to pass a customer service verification check can be found through public sources. The rest of it often makes it out into the wild as a result of data breaches, eventually finding its way to a giant “combo list” containing information on millions of people. It’s trivial for attackers to comb through these lists garnering the information they need to perform a SIM swap attack.
Anyone concerned about a SIM swap attack should contact their mobile phone service provider to see if a PIN can be added to the account that must be presented before any services can be ported. Some telcos ask users for a 6 to 15-digit PIN, and this would be virtually impossible to guess if a unique number is used. If the telco does not implement this as a security practice, then the use of any phones it services should be considered too vulnerable to a SIM swapper to serve as an authentication factor.
Alternatives include a physical security key (dongle) that plugs into a USB port or uses Bluetooth; some phones and mobile devices, for example certain models made by Google, have the capability to act as their own physical security key.