Jack Dorsey’s 4.2 million Twitter followers recently received a stream of offensive messages and plugs for the hacking group’s Discord channel. According to The Verge, it appears the hackers got in through Twitter’s text-to-tweet service, run by Cloudhopper.
To understand more about the attack, how it happened and what tech companies need to do to tighten up security, Digital Journal spoke with a leading technology commentator.
How did the attack happen?
Commenting on the hack, Alexander García-Tobar, CEO and co-founder of Valimail, tells Digital Journal that the form of the hack demonstrates a type of vulnerability that many digital systems have not addressed: “This incident is a perfect example of the risks associated with communication – any form of communication – when sender identity is not authenticated. A hacker or hackers were able to take over or spoof Jack Dorsey’s phone number, probably by impersonating him in a call to his mobile service provider.”
This demonstrates the importance of having more than one system for authentication in place. Multi-factor authentication involves two or more authentication factors (something you know, something you have, or something you are).
García-Tobar explains that these forms of identification hacks are becoming more common: “The spoofed tweets sent through Dorsey’s account are despicable and offensive, yet far greater damage can be done using similar techniques. We see this play out over and over again with email communication.”
García-Tobar clarifies how this works: “A hacker leverages impersonation to send extremely convincing spear phishing emails to a company employee, and in no time, fake invoices are paid, consumers’ data exposed, wire transfers are made to fake companies – the list is endless.”
What can be done to prevent attacks?
In terms of what can be done to prevent such attacks, García-Tobar explains: “to stop these attacks, we must focus on validating and authenticating sender identity, no matter the form of communication. With email, we can do this by taking steps like properly enforcing DMARC and implementing advanced anti-phishing solutions that confirm senders’ identities before allowing emails to enter employees’ inboxes.” DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a standard that enables domain owners to publish a policy stating how they would like receivers to handle email messages that fail authentication, that is, messages whose SPF or DKIM result does not pass for a domain aligned with the visible From address.
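To show what “enforcing DMARC” means on the receiving side, here is an added example (not code from the article or from Valimail) that parses a DMARC TXT record and applies the alignment and policy logic to a message’s SPF/DKIM outcomes. The DMARC records, domains and message results are constructed, and the organizational-domain lookup is simplified to the last two labels rather than the real public suffix list.

```python
# Constructed DMARC TXT records keyed by domain (hypothetical, not live DNS data).
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "weak.example": "v=DMARC1; p=none; rua=mailto:reports@weak.example",
}

def parse_dmarc(record):
    """Parse a DMARC record into its tag=value pairs; defaults follow RFC 7489."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment unless stated
    tags.setdefault("aspf", "r")   # relaxed SPF alignment unless stated
    return tags

def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption;
    real receivers consult the public suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed a shared org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass):
    """Return (dmarc_result, disposition) for one message.
    from_domain is the visible RFC5322.From domain; spf_domain is the envelope
    sender domain; dkim_domain is the d= value of a signature that verified."""
    record = DMARC_RECORDS.get(from_domain.lower()) or DMARC_RECORDS.get(org_domain(from_domain))
    if record is None:
        return "none", "deliver"  # no policy published: receiver applies no DMARC action
    policy = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    disposition = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return "fail", disposition[policy["p"]]
```

A message that claims to be From example.com but was sent through unrelated infrastructure passes SPF only for the attacker's own domain, which is not aligned, so the p=reject policy causes it to be rejected; the same message aimed at a p=none domain is still delivered, which is why the quote stresses properly enforcing DMARC rather than merely publishing a record.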
He also states that these vulnerabilities need to be discussed and understood by the public and by law-makers: “Until we prioritize these initiatives as a society, we will continue to see attacks and an erosion of trust in our main forms of communication: phone, text, email, and social media.”