Two-factor authentication may have done little to stop the AP Twitter hijack


Could two-factor authentication have prevented hackers on Tuesday from compromising the Twitter account of the Associated Press to send a bogus tweet that President Obama was injured in White House explosions?

Maybe, maybe not.

While there was a wave of renewed calls Tuesday for Twitter to introduce two-factor authentication for its more than 500 million users, some experts questioned whether such functionality would have worked given the style of attack used.

"People really had their pitchforks out for Twitter yesterday, and I thought it was a little undeserved," Aaron Higbee, CTO of PhishMe, which provides companies with simulations of phishing attacks, said on Wednesday. "This wasn't Twitter's problem. This was AP employees getting phished."

Higbee, citing reports that Twitter is readying a two-factor product, said it likely would not have prevented the AP compromise, allegedly pulled off by the "Syrian Electronic Army," a group of hacktivists sympathetic to the Assad regime in Syria.

That's because the intruders were able to glean the AP's Twitter login credentials thanks to a spear-phishing email that targeted some staffers just prior to the compromise. Victims were directed to a look-alike sign-in form and asked to enter the username and password for the account. Had this form also included a field for an additional mode of authentication, such as a code received via text message or email, the hackers could have pilfered that as well, Higbee said, because nothing about such a code ties it to the site it is typed into.

"They're just going to relay that [to Twitter] and get the session cookie so that for days they [could be] authenticated to Twitter," Higbee said. 

Richard Bejtlich, CSO of incident response firm Mandiant, tweeted Wednesday that he agreed with Higbee's assessment, but said two-factor authentication would be helpful if the hackers had tried to, for example, guess the victim's password.

"[Two-factor authentication] isn't a panacea", Bejtlich tweeted, "but it's helpful."
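The relay Higbee describes above, and the password-only case Bejtlich contrasts it with, as an added simulation that is not code from the article, PhishMe, Mandiant, the AP or Twitter. The service, the relay, the user name, password and seed are all constructed for the example; the second factor is modeled as an RFC 6238 TOTP code (HMAC-SHA1, 30-second step) standing in for the SMS or email code the article mentions, since all the attack needs is a short-lived value the victim will type into any form.

```python
"""Real-time phishing relay against a code-based second factor (simulation).

Added example for this article; it is not code from the article, PhishMe,
Mandiant, the AP or Twitter. FakeService, PhishingRelay, the user name,
password and seed are all constructed here. The second factor is modeled
as an RFC 6238 TOTP (HMAC-SHA1, 30-second step) standing in for the SMS or
email code the article mentions.
"""
import hashlib
import hmac
import secrets
import struct


def totp(seed: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP dynamic truncation over the current time step."""
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class FakeService:
    """Stand-in for the real site: password plus the current code buys a
    session cookie that stays valid for days, as Higbee describes."""

    SESSION_TTL = 7 * 86400  # seconds

    def __init__(self):
        self.users = {}      # user -> (password, totp seed)
        self.sessions = {}   # cookie -> (user, expiry)

    def register(self, user, password, seed):
        self.users[user] = (password, seed)

    def login(self, user, password, code, now):
        """Return a session cookie, or None on any failure."""
        if user not in self.users:
            return None
        real_pw, seed = self.users[user]
        if not hmac.compare_digest(real_pw.encode(), password.encode()):
            return None
        # Only the current 30-second step is accepted, so a code that was
        # captured and kept for later is worthless almost immediately.
        if not hmac.compare_digest(code.encode(), totp(seed, now).encode()):
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = (user, now + self.SESSION_TTL)
        return cookie

    def whoami(self, cookie, now):
        entry = self.sessions.get(cookie)
        if entry is None or now >= entry[1]:
            return None
        return entry[0]


class PhishingRelay:
    """The attacker's look-alike sign-in form. Neither the password nor the
    code is tied to the page it was typed into, so the relay forwards both
    to the real service at once and keeps the cookie it gets back."""

    def __init__(self, target):
        self.target = target
        self.loot = []

    def victim_submits(self, user, password, code, now):
        cookie = self.target.login(user, password, code, now)
        if cookie is not None:
            self.loot.append(cookie)
        return cookie


def simulate(t0=1366675200.0):
    """Run the article's scenarios against the constructed service."""
    svc = FakeService()
    seed = b"constructed-seed-not-a-real-secret"
    svc.register("ap_editor", "correct horse", seed)
    relay = PhishingRelay(svc)

    # The victim reads the code off their phone and types it into the phish.
    code = totp(seed, t0)
    relay_cookie = relay.victim_submits("ap_editor", "correct horse", code, t0)

    return {
        # Relayed live: the attacker holds a real session ...
        "relay_cookie": relay_cookie,
        # ... and is still logged in days later without touching 2FA again.
        "attacker_days_later": svc.whoami(relay_cookie, t0 + 3 * 86400),
        # The same captured code two minutes later is rejected, which is why
        # the relay has to happen while the victim is on the phishing page.
        "delayed_replay": svc.login("ap_editor", "correct horse", code, t0 + 120),
        # Bejtlich's case: password guessed or recovered, but no code in hand.
        "password_only": svc.login("ap_editor", "correct horse", "", t0 + 300),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The service cannot tell whether the code was typed on its own page or on the attacker's, so the check passes; the only constraint on the attacker is the code's validity window, which is why the relay forwards the submission the moment it arrives rather than collecting credentials for later. The same simulated service does stop the attacker who has only the password, which is the narrower benefit Bejtlich points to.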

Higbee acknowledged that two-factor would help against another common way attackers take over social media or email accounts: abusing the password recovery feature. But most attackers are capable of working around this additional layer of security.

"It raises the bar marginally," Higbee said. "If Twitter was the only one doing this, maybe the attackers would have gone to the AP's Facebook page."

Twitter remains a holdout on two-factor authentication; Facebook, Google and Apple, among others, already offer it.

Meanwhile, in light of a spree of Twitter account compromises at the hands of the Syrian Electronic Army, including feeds belonging to NPR and CBS' "60 Minutes," more information is coming in about this collective.

"Syria, like Iran, Israel, Estonia, China, Russia, and other countries, is leveraging the talent, patriotism, and enthusiasm of its internet-savvy youth to act as a force multiplier in its military and geopolitical operations at almost zero cost and very little risk," wrote Jeffrey Carr, a security expert, in a missive about the group.
