Twitter Attack - Was it SIM Swap Again?
Social engineering and SIM Swap attacks are the hidden backdoors to account takeover.
The attack on Twitter this week, which resulted in the takeover of a number of high-profile accounts, including those of Bill Gates, Barack Obama, Elon Musk and Joe Biden, illustrates how easy it can be for fraudsters to take over accounts. Even with multiple layers of security in place, accounts remain exposed through backdoors such as credential resets and support processes that fraudsters know how to exploit.
How did this week's Twitter attack occur? It will be a case study in information security training for years to come. There was speculation that Twitter had fallen victim to another SIM swap attack, like the one last year in which the Twitter account of CEO Jack Dorsey was taken over, and in Brian Krebs's article "Who's Behind Wednesday's Epic Twitter Hack?" the attackers suspected of being responsible are described as a well-known group of SIM swappers. Twitter has since publicly stated that the attack was the result of a coordinated social engineering attack targeting employees with access to internal systems and tools.
SIM swap and social engineering attacks are not new. Both rely on convincing someone over the phone, whether an employee of the target company or of a third party such as a mobile carrier, to grant access to an account by resetting credentials or redirecting the channel used to recover them.
SIM swap attacks were identified as early as 2014 as a vehicle for fraud and a vector for account takeover, and they appear to be picking up steam. The chaos of a pandemic only increases the opportunities for fraudsters: with systems, processes and people under strain, the environment is ripe for exploitation.
What is SIM swapping?
A SIM swap attack takes advantage of two-factor authentication via SMS. When a user selects SMS for two-factor authentication, they provide a phone number to receive a one-time passcode (OTP), and that code must be entered along with the password to gain access to the account. The same phone number is usually also used to deliver OTP codes for password reset requests. The weak point is that the factor is bound to a phone number, which the carrier can reassign to a different SIM card, rather than to a specific device.
SMS-based 2FA assumes that whoever holds the correct login credentials is also in possession of the phone that receives the one-time passcode.
Simple, right? Unfortunately, fraudsters figured out how to exploit this form of 2FA. Using social engineering, they contact the mobile carrier (or, more generally, the company holding the account) and, posing as the real user who has just bought a new handset, request that the victim's phone number be moved to a SIM card under their control. This is the SIM swap attack. With the victim's number now routed to the fraudster's SIM, and with stolen credentials in hand, the fraudster can log in, receive the OTP, turn off 2FA and reset the credentials, locking the real user out. Because the same number receives password-reset codes, the fraudster often does not even need the stolen password: a "forgot password" flow delivers the reset code to the phone they now control.
NIST guidelines on 2FA via SMS
NIST classifies SMS (more precisely, out-of-band authentication over the public switched telephone network) as a RESTRICTED authenticator in SP 800-63B, part of its Digital Identity Guidelines; nevertheless it remains one of the most commonly offered 2FA methods. NIST recommends that risk indicators such as device swap, SIM change, number porting, or other abnormal behavior be considered before using the PSTN to deliver an authentication secret.
Why is 2FA via SMS still in use?
Given the caution in the NIST guidelines regarding the use of SMS-based 2FA, why is this method still commonly made available and used?
The reality is that 2FA via SMS is one of the easiest forms of 2FA for a user to understand: it needs nothing more than a phone number.
Many other forms of 2FA are harder for the average user. An authenticator app such as Google Authenticator has to be installed and each account enrolled by scanning a QR code, and the enrollment has to be redone when the user moves to a new phone. Security keys must be registered with each account and cause heart-stopping moments when you do not have your key with you. While SMS-based 2FA has known vulnerabilities, many argue it is still better than a password alone.
How to detect SIM Swap attacks?
The challenge in detecting SIM swap attacks is ensuring that any request to change the phone number linked to an account, or to move that number to a new SIM, is made by the legitimate user. Social engineering schemes rest on convincing someone with access to an account to reveal information, or take an action, that enables the takeover.
When a fraudster can correctly answer the knowledge-based questions, what else can detect fraudulent behavior? The key to the answer is in the word: behavior.
Behavioral biometrics is a form of risk-based, adaptive authentication that assigns a risk score based on whether current user behavior adheres to or deviates from that user's behavior history. It is based solely on user behavior rather than on static credentials, which are routinely breached and stolen. Many kinds of behavior are used to assess fraud risk, including IP address, geolocation, time of day, transaction type, mouse movements and keystroke dynamics; any variance from normal behavior is an indicator of increased risk. At Incognia we provide behavioral biometric fraud detection using location behavior, which in our view is the strongest behavioral signal for a mobile user.
How could the Twitter attack have been stopped?
Let's take the example of a fraudster who has successfully pulled off a social engineering or SIM swap attack against a Twitter account. The fraudster is now logging into Joe Biden's account (for example), has entered the correct credentials, and has entered the correct authentication code received on the phone they control. This is where location behavioral biometrics kicks in. Checked against the user's location behavior history (or location fingerprint), the new device will not match: from the very first login, the location of the fraudster's device is an anomaly that should be flagged as high risk and require additional security checks before the login proceeds. When a user is logging in from a new device, being in a trusted location should be a requirement. One caveat: Twitter has said this week's attackers went through employees with access to internal tools rather than through the victims' own logins, so the same behavioral checks would need to gate employee access to those tools, not only end-user logins.
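As an added example (not Incognia's product code and not anything Twitter runs), the following Python sketches the check described in this section together with the NIST advice above: a login that has already passed password and SMS OTP is scored against the user's history, a carrier-reported SIM change or number port within the last few days is treated as a strong risk indicator, and a new device is only accepted from a location the user has been seen in before. The field names, weights, thresholds, radius and all sample logins are assumptions constructed for illustration; a real deployment would tune them on its own data.

```python
"""Risk-based login check: NIST SP 800-63B risk indicators (SIM change,
number porting) combined with a location-behavior check.

Added example for this article. Not Incognia's product code; field names,
thresholds and sample data are assumptions constructed for illustration.
"""
import math
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set, Tuple

TRUSTED_RADIUS_KM = 5.0     # within this distance of a past good login counts as trusted (assumed)
SIM_CHANGE_WINDOW_H = 72.0  # a SIM change / port this recent is a red flag (assumed)
STEP_UP_SCORE = 40          # illustrative thresholds, not tuned on real data
BLOCK_SCORE = 70


@dataclass
class LoginEvent:
    user: str
    device_id: str
    lat: float
    lon: float
    ts: datetime
    # Hours since the carrier last reported a SIM change or number port for
    # this user's number; None when no such signal is available.
    sim_changed_hours_ago: Optional[float] = None


@dataclass
class UserHistory:
    known_devices: Set[str]
    trusted_locations: List[Tuple[float, float]]  # (lat, lon) of past good logins
    usual_hours: Set[int]                          # hours of day (UTC) the user normally logs in


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on Earth, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def in_trusted_location(event: LoginEvent, history: UserHistory) -> bool:
    return any(haversine_km(event.lat, event.lon, lat, lon) <= TRUSTED_RADIUS_KM
               for lat, lon in history.trusted_locations)


def assess_login(event: LoginEvent, history: UserHistory) -> Tuple[int, str, List[str]]:
    """Score a login that already passed password + SMS OTP.

    Returns (risk_score, decision, reasons); decision is "allow", "step_up"
    (do not trust the SMS OTP alone: require an authenticator app, security
    key or support verification) or "block".
    """
    score, reasons = 0, []  # type: int, List[str]
    new_device = event.device_id not in history.known_devices
    trusted_loc = in_trusted_location(event, history)

    if new_device:
        score += 40
        reasons.append("new device")
    if not trusted_loc:
        score += 30
        reasons.append("location not in history")
    if event.ts.hour not in history.usual_hours:
        score += 10
        reasons.append("unusual hour")
    if event.sim_changed_hours_ago is not None and event.sim_changed_hours_ago <= SIM_CHANGE_WINDOW_H:
        score += 50
        reasons.append("recent SIM change or port")

    # Hard rule from the article: a new device is only acceptable from a
    # location the user has been seen in before, whatever the total score.
    if new_device and not trusted_loc:
        return score, "block", reasons
    if score >= BLOCK_SCORE:
        return score, "block", reasons
    if score >= STEP_UP_SCORE:
        return score, "step_up", reasons
    return score, "allow", reasons


# Constructed sample data (fictional user; coordinates are just two cities).
HISTORY = UserHistory(
    known_devices={"phone-1"},
    trusted_locations=[(40.7128, -74.0060), (37.7749, -122.4194)],
    usual_hours=set(range(7, 23)),
)
# Legitimate login: known phone, usual city, afternoon, no carrier signal.
LOGIN_OK = LoginEvent("alice", "phone-1", 40.7128, -74.0060, datetime(2020, 7, 16, 14, 0))
# Attacker after a SIM swap: unseen device, distant location, 03:00, number ported 5h ago.
LOGIN_ATTACK = LoginEvent("alice", "burner-7", 51.5074, -0.1278, datetime(2020, 7, 16, 3, 0),
                          sim_changed_hours_ago=5.0)
# The real user on a brand-new phone a couple of km from home: new device, trusted location.
LOGIN_NEW_PHONE = LoginEvent("alice", "phone-2", 40.7300, -73.9900, datetime(2020, 7, 16, 19, 0))

if __name__ == "__main__":
    for ev in (LOGIN_OK, LOGIN_ATTACK, LOGIN_NEW_PHONE):
        score, decision, reasons = assess_login(ev, HISTORY)
        print(f"{ev.device_id:>9}: score={score:3d} decision={decision:8s} reasons={reasons}")
```

Run stand-alone, the three constructed logins come out as allow, block and step_up respectively. The point of the third case is that the "new device must be in a trusted location" rule alone would let it through; only the added score pushes the real user on a new phone to a stronger factor rather than SMS, while the attacker is stopped outright regardless of how many OTPs they can read.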
Lessons learned from the Twitter attack?
Social engineering and SIM swap attacks are effective because they prey on people, who can be talked into handing over information and access to accounts. Adding behavioral biometrics to risk-based authentication is a powerful weapon against fraudsters. The extra safeguard of checking current user behavior against the user's behavior history could have helped to prevent this week's attack.