
Why two-factor authentication wouldn’t have saved the AP from getting hacked


After a rash of major Twitter account hacks, rumor has it that the company will be releasing two-factor authentication. While this is a valuable additional protection, it is not the panacea many are looking for.

Over the past two weeks, three major news outlets — NPR, CBS, and the Associated Press — have all had their Twitter accounts hacked. In the AP’s case, hackers took over the account and tweeted about a bogus explosion at the White House. Following that breach, many called on Twitter to introduce that golden security measure: two-factor authentication.

We saw something similar when a journalist was hacked through Apple, prompting the company to figure out two-factor authentication for iCloud. The rumor now is that Twitter is going to release its own version of two-factor authentication. For that, we say, thank you, Twitter! But as PhishMe chief executive Aaron Higbee points out: that’s not the be-all, end-all solution to the problem.

“You would think this is obvious, but there seems to be a lot of undeserved criticism directed towards Twitter simply because AP employees fell for a phishing attack,” said Higbee in an email to VentureBeat. “Calling on Twitter to provide two-factor authentication doesn’t solve the AP phishing incident, nor would a long, frequently changed password. That’s not to say it’s not worthwhile. Twitter should make an effort to offer two-factor for those who want it.”

In a post about the incident, the AP confirmed that the hack was preceded by a phishing attempt.

Brian Krebs provides an excellent overview of why two-factor authentication can fail in such cases. In short, attackers set up phony websites that mimic the real login page; targets are tricked into submitting their credentials there, including any two-factor authentication code, and the attacker uses them on the real site before the code expires. The codes themselves typically expire within a minute or so, but on many consumer sites the session that a successful login creates stays valid for days, because companies don’t want to create a barrier to entry.

Many of these spoofed websites are very convincing. In the case Krebs writes about, hackers built a fake Citibank portal that served up error messages just as the real website would when incorrect credentials were supplied. That is sophisticated and difficult for us regular folk to detect.
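To make the point above concrete, here is an added illustration (not code from the article or from any of the companies named) of why a one-time code typed into a look-alike site still passes the real site’s check, and of the kind of origin-bound check that would not. The TOTP routine follows RFC 6238; the site names and the relay delay are constructed for the example.

```python
"""Model of a relayed one-time code versus an origin-bound login check.
TOTP per RFC 6238 (HMAC-SHA1, 30-second steps); everything else is a
constructed illustration, not any real site's code."""
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30  # seconds per TOTP time step


def totp(secret: bytes, at: float, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = int(at // STEP)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, at: float, skew: int = 1) -> bool:
    """Typical server-side check: accept the current step and +/- `skew`
    neighbouring steps to tolerate clock drift. The verifier has no way to
    tell whether the user typed the code on the real site or a fake one."""
    return any(hmac.compare_digest(totp(secret, at + d * STEP), code)
               for d in range(-skew, skew + 1))


def verify_origin_bound(assertion: dict, expected_origin: str) -> bool:
    """Origin-bound check in the style of WebAuthn: the signed assertion
    carries the origin the browser was actually on, so a login captured on
    a look-alike site does not match the real site's expected origin."""
    return hmac.compare_digest(assertion["origin"], expected_origin)


def simulate(secret: bytes, relay_delay: float, now: Optional[float] = None) -> dict:
    """Victim logs in on a look-alike site at `now`; the real site sees the
    submission `relay_delay` seconds later. Returns what each check decides."""
    now = time.time() if now is None else now
    code_typed_on_fake_site = totp(secret, now)
    # Constructed look-alike origin; the real site expects its own origin.
    assertion_from_fake_site = {"origin": "https://social-login.example"}
    return {
        "totp_accepted": verify_totp(secret, code_typed_on_fake_site, now + relay_delay),
        "origin_bound_accepted": verify_origin_bound(
            assertion_from_fake_site, "https://social.example"),
    }
```

With a relay delay of a few seconds the TOTP check accepts the code, while the origin-bound check rejects the same login; only the code's short window, not the second factor itself, limits the attacker.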

Higbee suggests that Twitter open up its own “group tweet” abilities so employees don’t have to share the same login credentials for an official company account. But education on phishing for all types of company employees could help too.

A group of pro-regime Syrian hackers called the Syrian Electronic Army took credit for all of the Twitter breaches, though we haven’t been able to independently confirm this is the case. The group has not mentioned any phishing in its congratulatory touting, but often targets publications based on their coverage of the conflict in Syria. If you’re one of those, it’d be wise to alert your employees to phishing attacks now.
