Is there a flaw with Twitter two step verification?

Earlier this week Twitter announced its much awaited two-step verification process (see Mashable for more).

I am worried I might have spotted a fatal flaw in the process that makes hacking a twitter account EASIER if you enable two step verification.

Twitter have been obviously inspired by Google’s two step verification process, making use of your mobile phone SMS service.

On the surface this makes perfect sense – a mobile phone is a very personal possession that you are unlikely to ever leave behind…however there is a fundamental difference in that Twitter also allow you to control your account through SMS whereas, as far as I know, you can’t control your Google account through SMS….

Let me explain.

In order to use the two step twitter verification, you need to register your phone number with them. An “added benefit” is that, once you have associated a mobile with an account, you can also tweet via text message. You send a text to 86444 (in the UK) and it will appear as a tweet. See the twitter help pages for more on controlling twitter through SMS.

It is quite hard to socially engineer someone into giving you their twitter password. It is far easier to socially engineer someone into giving you their mobile number (just ask!), and it is a fair bet that a personal twitter account will be associated with their personal mobile (how many of us have separate mobiles just for verification!). In fact a surprising number of people include their mobile number on their twitter bio, or tweet their numbers in public.

On top of this, anyone who has received a text message with the caller ID of “Your PPI claim” will know it is fairly easy to “spoof” a fake caller ID.

SO. If I was the Syrian Electronic Army (who have been linked to many of the recent twitter hacks – including that of Associated Press), I’d be trying to send fake tweets via text message with a spoofed caller ID, rather than faffing about trying to get into www.twitter.com.

Twitter do offer a SMS PIN function but it doesn’t work in the US, and you have to turn it on as a user.

I’d love to know if anyone can prove me right (or wrong!) – can you really send a tweet by spoofing the caller ID? What do you think about the two step verification – let me know in the comments!

5 comments to Is there a flaw with Twitter two step verification?

  • David White

    Expands on the holes in this new verification process I thought of. This is intended for individuals but Twitter is used corporately by teams as well. Many people who tweet on behalf of their organisation are doing so with the permission of that organisation with an account owned not by them but by their employer. Introducing mobile phone number verification makes it very difficult for companies to maintain control. I can’t help thinking how this will work with popular management tools like Hootsuite which are sold on being the ‘middleware’ protecting the individual tweeter from the corporate account and password.

    It may well be there is a way around these concerns. My issue is that too often, social media giants seem to issue enhancements to their service (Facebook recently introduced comment replies). It seems that they rush these enhancements out without thought or guidance about the knock-on effects on the rest of the service. Facebook are notorious for this. I immediately had a dozen questions following the introduction of comment replies but there is nothing forthcoming from Facebook. Users are left to experiment and find out to their cost what the knock-on effects with be.

  • I think the only way to test a system is to break a system (and this I will try to do on an old mobile I have). I like your thought process here, and I can see why it could be a concern. However, you’ve already unwittingly identified the fundamental flaw – the human.

    No amount of tech will make humans less gullible or trustworthy – if you could create that then you’d solve a large proportion of the crime prevention problems around large scale tech frauds. However, I do think that the extra step aimed at individuals (key point) will make a difference. Add in to that the lock function on most phones and I think it could be beneficial. Of course, there are large, organised and incredibly advanced tech savvy groups that *could* take advantage of this and will find a way to do so at some point in the future. I guess the point I’m trying to make is that there is no foolproof way and to make progress we have to make mistakes – you can never roll something out once it is perfect – otherwise nothing would ever materialise!

    As for David’s point – passwords under Twitter TOCs should never be shared, so they wouldn’t ever include this in the dev process for this function anyway. Yes, many do it but it’s still breaking the terms. As for using a dashboard for large organisations (such as MusterPoint) it would have to be an organisational policy that everything goes through the desktop of mobile version of it, so mitigating against this ‘text to tweet’ function.

    I can see what they are trying to do – texting a tweet can certainly be useful when out of 3G or wifi (I’m thinking rural beat officers as a very basic example) but also as I found during both the funeral of Baroness Thatcher, Olympics parade and Jubilee, there is simply no way to tweet when there is a massive demand on data (so many of my tweets were delayed until I ran to somewhere a few streets of way, thus rendering them pointless) so I wonder if actually, this might be a small price to pay if you can ‘push through’ via text. Clearly playing devil’s advocate, but might this benefit not outweigh the potential risk identified?

    So, back to your original question… ahh.. the point being, I really don’t know! (But I took a long and convoluted PR way of saying it). Good post, Andrew. It’s good to be challenged in thought and put ideas out there, so thank you.

  • David White

    From Twitter T’s & C’s

    Passwords
    “You are responsible for safeguarding the password that you use to access the Services and for any activities or actions under your password.”

    This is all I could find regarding the security of passwords. I don’t read this as ‘passwords should never be shared’. It says the password should be safeguarded. I think they’ve written it like this to acknowledge that non-individuals are using Twitter amongst other things. I feel confident that our process would count as safeguarding but I know other processes used by others which may not. Employing middleware management tools strengthen this even further.

    In relation to the topic, I still feel there is a better way to implement 2 or 3 tier security than involving mobile phone numbers. My bank asks for a basic password followed by three randomised digits from a second password PLUS the answer to a memorable question. I have no problems with this on a daily basis either via desktop or mobile device. I’m not aware that my mobile phone number is associated with my bank account at all. If an online bank account can be secure using this method, so can a Twitter account. Both passwords and the answer to a memorable question could be ‘known’ by trusted individuals and stored for use in the middleware management tool and would go some way towards making things more secure. As Christine says – despite everything, the biggest flaw in the plan is always going to be the human – not the machine.

    My solution would be:

    1. Implement ‘bank-style’ 2 or 3 tier solution as described above
    2. Insist passwords are at least 10 characters long (not 20 that Twitter recently suggested)
    3. Insist on a high minimum standard for password strength – reject insecure passwords and ‘try again’
    4. Insist that passwords are changed every 6 months

    Tweeting by SMS text has always been an option in Twitter and is a useful alternative method to WiFi or mobile data signal problems. It works for tweeting but I see flaws in its use for securing the account.

  • Andrew

    So it turns out that I am not the only person concerned about SMS spoofing as a way of hacking twitter.

    The security hole was only plugged (finally) in December 2012: http://www.theregister.co.uk/2012/12/05/twitter_dumb_sms_bug_plugged_again/

    Having played with it this morning (including using orange’s “send a text from our website as you” function – the closest I could get to spoofing an SMS callerid) it does seem to be plugged.

    It also looks as if they have turned off the SMS long numbers (07624800379)…at least for networks where there is also a shortcode (86444). This makes sense because shortcode calls stay within the network (orange) rather than going between networks.

    So good news…but I am still not sure 2 stage authentication is going to work in a corporate setting!

Leave a Reply

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>