Last week’s report on the Twitter hack revealed that even if you have multi-factor authentication in place, your employees can still be a weak link.
On 14 October, New York State’s Department of Financial Services released a report on Twitter’s now infamous 2020 security incident.
What happened at Twitter?
For anyone who missed it, for several hours on 15 July, the Twitter accounts of high-profile users - including Barack Obama, Kim Kardashian West and Elon Musk - started behaving very oddly (or just more oddly than normal, in the case of Elon Musk).
As if they’d been struck by the same collective philanthropic urge, a small army of famous people started tweeting bitcoin addresses and offering to double the money of anyone who transferred cash into them. Of course, the money didn’t double - it disappeared into the digital pockets of a 17-year-old hacker and his friends, who ended the busiest day in Twitter’s history $118,000 richer.
Although the incident was embarrassing for Twitter, the truth is it could have been so much worse than it was. If the attackers had chosen a less noisy and more patient mode of attack, or sold the access they’d gained to a more organised and professional outfit, they could have done vastly more damage to Twitter and its users.
In a year when criminal gangs have routinely crippled businesses with malware like Maze or REvil and demanded seven- or eight-figure ransoms, it was a cheap lesson.
So, what is that lesson?
There’s plenty we can learn from the attack on Twitter, but one aspect from the report really caught our eye:
The attackers were allegedly able to access so many users’ accounts because they compromised Twitter’s own internal tools. They achieved this by calling up Twitter staff and pretending to be from the company’s IT department. They then directed their victims to a phishing website that looked like the Twitter VPN (Virtual Private Network) login page.
Like many companies, Twitter uses MFA (Multi-Factor Authentication) to secure its VPN. It didn’t help:
Code-based MFA is many things but it isn’t a defence against phishing, despite what you might have read in the cybersecurity press. If an attacker can convince you to type a password, they can convince you to type an MFA code underneath it. It’s that simple.
App and push notification-based MFA are similarly fallible. As with the Twitter hack, if criminals use your phished credentials immediately after stealing them, users will simply approve the MFA push notification that the attackers’ login generates, not realising they’re delivering this information into the attackers’ hands.
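The point in the two paragraphs above is easy to see once you look at what a code-based verifier actually receives. The following Python model is an added illustration for this post; it is not code from the original article, from Twitter or from CultureAI. The TOTP arithmetic follows RFC 6238, but the staff account `alice`, her password, the base32 secret `JBSWY3DPEHPK3PXP` and the timestamp `T0` are constructed sample values, and `legitimate_login` and `relayed_login` are hypothetical helpers that stand in for "typed into the real page" and "typed into a look-alike page and forwarded".

```python
"""Why a one-time code gives the verifier no clue where it was typed.

Added illustration for this post; not code from the original article, from
Twitter, or from CultureAI. The TOTP arithmetic follows RFC 6238; the user,
password, secret and timestamps are constructed sample values.
"""
import base64
import hashlib
import hmac
import struct

STEP = 30          # RFC 6238 default time step, in seconds
DRIFT_STEPS = 1    # verifiers commonly accept one step either side for clock skew


def totp(secret_b32: str, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", at // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Verifier:
    """Server-side login check.

    Everything it can inspect is in the signature of login(): a username, a
    password, a six-digit code and the current time. No field says which web
    page the user was looking at when they typed them; that is the gap the
    post describes.
    """

    def __init__(self, users: dict):
        self.users = users  # username -> (password, base32 TOTP secret)

    def login(self, username: str, password: str, code: str, at: int) -> bool:
        if username not in self.users:
            return False
        real_password, secret = self.users[username]
        if not hmac.compare_digest(real_password, password):
            return False
        # Accept the current step plus DRIFT_STEPS either side.
        return any(
            hmac.compare_digest(totp(secret, at + d * STEP), code)
            for d in range(-DRIFT_STEPS, DRIFT_STEPS + 1)
        )


# Constructed sample data: one staff account with a fixed secret.
USERS = {"alice": ("correct-horse", "JBSWY3DPEHPK3PXP")}
VERIFIER = Verifier(USERS)
T0 = 1_600_000_000  # fixed "now" so the example is deterministic


def user_types_credentials(at: int) -> tuple:
    """What the user produces at time `at`, wherever they happen to type it."""
    password, secret = USERS["alice"]
    return "alice", password, totp(secret, at)


def legitimate_login(at: int = T0) -> bool:
    """User types password and code straight into the real login page."""
    return VERIFIER.login(*user_types_credentials(at), at)


def relayed_login(delay: int, at: int = T0) -> bool:
    """User types the same things into a look-alike page; whoever runs that
    page submits them to the real verifier `delay` seconds later. The
    verifier has no way to tell this call apart from legitimate_login()."""
    username, password, code = user_types_credentials(at)
    return VERIFIER.login(username, password, code, at + delay)


if __name__ == "__main__":
    print("direct login:        ", legitimate_login())   # True
    print("relayed after 5 s:   ", relayed_login(5))     # True
    print("relayed after 3 min: ", relayed_login(180))   # False: code expired
```

Two things to take from the model. First, the only difference between the direct and the relayed call is the `delay`: the verifier accepts the second one for exactly the same reason it accepts the first, because a six-digit code is just another secret the user can be talked into typing. Second, the 3-minute case fails, which is the caveat behind the word "immediately" in the Twitter story: the code is only useful within its time window, so an attacker who phishes it has to use it straight away. A push-based verifier has the same blind spot, since all it learns is that a prompt was approved, not whether the user approved it because of their own login or someone else's.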
What can organisations do?
Amongst its conclusions the report recommends “regular cybersecurity awareness training for all employees” as well as “regular phishing and vishing exercises”, which we agree with wholeheartedly.
What it doesn’t say is that if your systems rely on MFA then your phishing exercises need to include it too. If they don't, you can get started running them with CultureAI for free below.
CultureAI's security culture management system allows you to easily orchestrate and automate mature cyber security awareness, behaviour and culture programmes.