Twitter is not the world's – or even America's – biggest social media platform. It's a publicly-traded tech company that routinely struggles with user numbers and user engagement, as an otherwise accepted metric to prove a platform's immediate value to its investors – and to the world at large.
But make no mistake – at the end of the day, the value and the appeal of Twitter remains firmly rooted not in its daily user numbers or its obvious monetization prowess – but in its ability to pull in those who come up with news stories and those who disseminate them – and ultimately, those who create them, and trust them.
And that also means the value of online identities of those persons and organizations – sometimes not merely valuable but essential points – become tied to the platform – and how, and if, Twitter manages to protect those users and identities.
In this context – think of the world's biggest media outlets, think the United States' serving president – who, by the way, is routinely shamed for his savviness in working social media to his advantage.
In any case, it's unlikely that any of these facts have been lost on the news or political organizations who rely on Twitter to get their message across. But given its importance and influence, the logical question then becomes – how safe is it to actually use Twitter to transmit messages truthfully and faithfully, and build your online identity? In other words – how can a user defend against possibly disastrous identity theft?
That means – how sure can an average Twitter user, or indeed a prominent political or otherwise figure – be sure that their Twitter account is reflecting exactly what they and they alone are posting, and meaning to push out into the world? In this case, a hacker taking over the account of a public figure could have disastrous and even lethal social and geopolitical consequences.
This question is pertinent this weekend, not least after Twitter's own CEO Jack Dorsey's account has recently been hacked.
For about half an hour, Dorsey appeared to be sending out into the world a series of compromising and unsavory tweets.
Twitter uses two-factor-authenticate (2FA) – a security practice requiring users to provide two authentication factors in order to prove their identity and hopefully, afford the system a higher level of security.
But what happens when, as in Twitter's case, two-factor authentication relies on users' phone numbers? And more importantly, what happens when this security model pretty much breaks down? And more pressingly and alarmingly – how could any of this even be happening?
Twitter's way of providing two-factor authentication (2FA) is for users to give their phone number to the company. As user Sonya Mann said on Twitter, this protection goes away if a hacker accesses your phone number using the “SIM swap” technique – in fact, in this case, a Twitter user account could be reset using your phone number.
apparently I am not allowed to use Twitter 2FA if
I remove my phone number from my account, because Twitter doesn't actually care about my safety or security pic.twitter.com/e9VtMmYYuH
— 🤖 sonya, supposedly 🎀 (@sonyasupposedly) July 21, 2019
I expected this kind of user-hostile security malpractice from, like, banks! not from, uh — wait this is totally in line with my expectations for Twitter
— 🤖 sonya, supposedly 🎀 (@sonyasupposedly) July 21, 2019
“The phone number associated with the account was compromised due to a security oversight by the mobile provider,” Twitter said at the time Dorsey's account was hacked.
You might think – Twitter is surely too big to fail its users in this way.
But you might want to think again.
At the heart of this type of security incident lays the “SIM swap” – where hackers steal people's identity to access bank accounts and credit cards, and indeed, online accounts, in order to commit online fraud, or wreak havoc with their identity, as has been the case with Dorsey, and others.
What attackers do is tap into their victim's phone communications – by fooling the telecommunications company's representatives, or even having a rogue operator on the inside – i.e. via a good old spot of successful social engineering.
SIM swaps result in much more than taking over of Twitter accounts – they can result in loss of passwords and cryptocurrencies, in other words, of real-world assets and income.
The way many companies now build their security model means that users can reset passwords using a code sent to their phone, in which case the attacker can carry on their job without learning the password of the victim, but merely by gaining access to the phone number associated with the victim.
The phone number in question required by Twitter from its users to provide to the social media platform before they can sign up for an account, and the security the platform promises comes with two-factor authentication.
And when Dorsey' account was compromised, Twitter blamed the mobile operator.
Given Twitter's influence and significance in the online world, you would hope these words had never been spoken, yet here they are: Twitter's two-factor authentication is described as “incredibly broken” in this tweet from Nomad List's founder, Pieter Levels.
Twitter two-factor authentication is so incredibly broken
I have a hardware key and authenticator app set up, but when I remove my phone number it disables ALL of my 2FAs and lets anyone login
— (@levelsio) August 31, 2019
It goes beyond the failure of providing a phone number that can be accessed in a SIM swap – “even hardware key and authenticator app set up, but when I remove my phone number it disables ALL of my 2FAs and lets anyone login,” the Levels said.
But the problem with using phone numbers as proof of identity and relying on this is flawed from the get-go.
Security experts and researches have been warning that the idea of phone numbers providing identity is deeply flawed – as they are not actually controlled by their users, and might instead become compromised over time or removed through any set of circumstances, including hacking, and even late bill payments – in other words, by whoever gains control of the phone number that is meant to guarantee your identity.
There have been many examples of how Twitter's security model revolving around users' phone numbers has gone wrong in the past. Earlier in the year, Simone Brunozzi, of Fabrica.city, a digital real estate blockchain transactions outfit – shared how his phone number, and then his Twitter account had been hacked – and how they work to regain his online identity via the phone number had been much easier than dealing with the damage done to his identity on Twitter.
In May, engineer Sean Coonce announced that he had lost $100,000 in a SIM port attack.
Coonce dubbed this “the single most expensive lesson of his life” – and shared the details in the hope that others might avoid similar consequences, and work harder to ensure their online identity's security.
In other words – there's now a technical flaw with Twitter's security that runs all the way down. One might even say, it's a systemic problem – one that utilizes two-factor-authentication, based on users' phone numbers.
Beyond these immediate issues, the question remains of how Twitter responds to security problems that plagued its own CEO – and the noticeably more time it took the company to react to the hacks faced by other users – notably by YouTube and social media stars like Shane Dawson, James Charles, and BigJigglyPanda.