Vendor Security, MFA & Social Engineering – Twitter

On July 15th, the social media world was taken by surprise when 130 Twitter accounts were compromised. Some 30 of the most high-profile accounts were manipulated into tweeting out a cryptocurrency scam that netted the scammers about $118,000. Though the investigation is ongoing, it has been suggested that the hack came down to three key components that together gave the attackers control of Twitter's internal administration tools: social engineering, an insider threat, and third-party admin tools. At the end of last week three people were identified as being behind the scam, including a 17-year-old from Florida. The teenager is now in custody, along with two alleged accomplices aged 19 and 22.

A couple of weeks have passed and, as the stories have died down, we thought this would be a good time to revisit the event through a different lens. Because it was the most publicized attack in recent memory, its effect on everyday consumers and businesses may yet be a positive one. Here are the three areas of security that we think the Twitter hack has highlighted:

  • Multi-Factor Authentication.

When the hack first happened, the earliest articles discussed the use or non-use of multi-factor authentication (MFA). We hope this helps the public understand MFA and be more deliberate about using it. Multi-factor authentication grants access only after two or more independent credentials (factors) have been presented: typically something you know, such as a password, combined with something you have, such as a phone or a hardware key. An example you may have seen is entering a password (the first factor) and then being asked for a code that was sent to you via SMS or generated by an authenticator app (the second factor). The idea is that someone who has stolen your password still cannot get into your account. One caveat a practitioner would add: a one-time code is only as good as where you type it. If a phishing page or a phone caller talks you into handing the code over, it can be relayed to the real login within its validity window, so for high-value accounts prefer phishing-resistant factors such as hardware security keys.

  • Social Engineering.

As Twitter began to announce its initial findings, it became clear that social engineering had been used to gain access to its administration tools. Hopefully, as people learn what social engineering is, they will find it easier to recognize and become less susceptible to it. In cybersecurity, social engineering means the psychological manipulation of people into disclosing confidential information or performing actions they otherwise would not. Common examples the public may have seen are the same-last-name inheritance scam, the "Social Security on hold" call, the IRS owed-tax demand and, of course, the classic African prince scam, which still rakes in about $700,000 a year. Many of these combine phishing emails with phone calls. The standard defense is to verify out of band: hang up and call back on a number you looked up yourself, and never enter a password or one-time code on a page that someone else sent you to.

  • Vendor Security.

Third-party vendor security is an ongoing issue, and we have seen large companies pay much closer attention to the companies they work with and to the quality of their security programs. These vendors often do not invest in security and so become a weak link in the supply chain. It is also possible for a vendor to ship insecure software, and there are times when the vendor's tools could be secure but the client has not configured them correctly. In practice this means treating a vendor's tools as part of your own attack surface: restrict who can reach them, require MFA on them, log their use, and review their configuration rather than assuming secure defaults.

So while we cannot rewrite the past, we can certainly look toward the future and use these events as a lesson. In the end, will the result be just the bitcoin scam that these three young men are accused of, or could they be pawns in a much bigger play? The hackers also obtained the direct messages of 36 of the 130 accounts; could this mean that we are not done yet?
