You might have heard that the founder of Twitter, Jack Dorsey, recently had his Twitter account hijacked. You are probably wondering how a tech-savvy founder of a technology company could possibly lose control of his account at his own company. Personally, I can’t think of anything more embarrassing. It turns out the culprit was his phone. Specifically, the SMS text messages that Twitter was using to deliver two-factor authentication codes. Twitter has suspended the use of SMS for 2FA for the time being because of this high-profile and embarrassing hijack.
Two years ago NIST came out with a new set of password standards for federal information systems and networks. One of the two-factor methods that they deprecated was two-factor codes delivered via SMS. They objected to the fact that SMS communications are hardly ever encrypted, so the communications channel was deemed insecure. The other problem is SIM cloning, where an attacker knows enough about their target to successfully impersonate the target to the mobile phone operator. If the attacker can get a new phone with the target’s SIM card, it is a simple thing to have the two-factor codes delivered to the new phone. The only clue the target has is that their phone stops working. Then the target has to convince the mobile phone operator that they were cloned and get their service back. This can be frustrating and take time, while the attackers are using their copy of the target’s phone for all sorts of things, such as logging into the target’s other accounts and taking THEM over.
This is evidently what happened to Jack Dorsey, and why Twitter has dropped support for SMS 2FA codes. I still use a few websites where SMS 2FA is all that is offered, but I expect to see sites and services moving away from SMS. At sites that offer more options, I expect they will remove SMS as a choice from their two-factor options.
Perhaps this has affected you relative to accessing your own Twitter account. If so, this is a good time to look into other two-factor options, such as using Google’s Authenticator, Authy, or a YubiKey for your two-factor codes.