Twitter has finally remediated a two-factor authentication (2FA) security gap which could allow SIM swap attackers to unlock users’ accounts.
Until now, the firm has mandated that all users wanting to use strong authentication on their accounts must first enable SMS-based 2FA. It was impossible to switch off this function, even if they subsequently chose to authenticate via one-time password (OTP) apps or other methods.
That has now changed, with the social media firm allowing users to enroll in 2FA without a phone number. This means they can use any 2FA system that supports the FIDO2 WebAuthn protocol, without worrying that it could be circumvented by SIM swap techniques.
These have become increasingly common of late: hackers socially engineer a mobile phone carrier employee into believing they are a legitimate customer who wants their number ported to a new SIM.
By doing so, they get control of the number and can then try to force their way into any online accounts that might be protected by SMS-based 2FA.
This kind of activity has been particularly focused on stealing funds from victims’ digital wallets. Earlier this month, two men were charged with a major operation in which they allegedly stole over half a million dollars in cryptocurrency in this way.
In May, nine men were charged with a similar conspiracy which is said to have netted them around $2.4m.
There are even greater stakes to play for in an impending courtroom battle between AT&T and entrepreneur Michael Terpin, in which the latter is suing the carrier for $224m after an employee mistake allowed cryptocurrency thieves to steal $24m of his personal funds from a digital wallet.
Back in August, hackers used a SIM swap attack to access the Twitter account of company CEO Jack Dorsey, in an incident which may have contributed to the change in official policy.