Following Jack Dorsey’s Twitter account getting hi-@jack(ed), Twitter has temporarily yanked the ability to tweet via SMS – one of the possible ways that the account of its founder and CEO got taken over by racist/anti-semitic/bomb-hoaxing hijackers last week.
Twitter announced on Wednesday that it’s doing so due to what it says are vulnerabilities that mobile carriers need to address, and due to its reliance on having a linked phone number for two-factor authentication (2FA) – something it says it’s working to improve.
We’ll reactivate this in markets that depend on SMS for reliable communication soon while we work on our longer-term strategy for this feature.
— Support (@Support) September 4, 2019
Dorsey’s account getting hijacked wasn’t the result of a system compromise, Twitter said last week. Rather, it was due to the phone number associated with his account being compromised. That suggests that Dorsey may have been the victim of a SIM swap.
LEARN MORE ABOUT HOW SIM SWAPS WORK
Twitter hack section starts at 31’07, SIM swapping at 33’00”.
Click-and-drag on the soundwaves below to skip to any point in the podcast.
Audio player above not working? Download MP3, listen on Soundcloud or on Apple Podcasts, or access via Spotify.
Twitter didn’t indicate how long it would disable SMS support for tweets. It did note, though, that it will “soon” reactivate it in markets that “depend on SMS for reliable communication.” In fact, as of Thursday, Twitter said that it had already turned SMS back on in a few locations that depend on it to tweet.
It was still off for the rest of the world, Twitter said, and would stay off while it works on a “longer-term strategy” for the feature. Twitter didn’t give an estimate regarding how long its longer-term strategy would take.
What to do?
Wrestling back control of a hijacked account can take a long, painful time, particularly if your name isn’t Jack Dorsey. To avoid going through that misery, read our guide to securing your Twitter account.
Simon McAllister
Keep it disabled until a failsafe mechanism that prevents unauthorised SIM swaps is implemented.
I know that this may not make some people happy, but the expectation for ‘all’ the carriers and their staff to prevent SIM swaps happening is to just too big a wish. I’ve dealt with so many of these with various carriers, in many cases repeated incidents for the same customer, where the carrier just doesn’t seem to learn from the previous incident.
At least with 2FA/MFA/2Step, you have device registration, which moves the responsibility away from the SIM/carrier to you, the user/customer.
Plus, there’s also the impersonation of the CLI that we’ve discussed here before, which is another weakness.
SMS has never been considered to be reliable, let alone secure.
Mahhn
Does this semi-officially make 2FA with one device single FA, or just bad practice?