by Lou Steinberg
On July 15th, a number of high-profile Twitter accounts tweeted messages associated with a bitcoin scam. As the dust settles, the questions naturally turn to “How could this have happened? How could user accounts have been hijacked en masse?”
Incidents like this are generally the result of multiple control failures. What’s more concerning is when an important layer of controls isn’t designed in.
Twitter uses a number of well-known techniques to prevent individual account takeovers by fraudsters. Some, like passwords and texted PINs, are obvious. Others, like device fingerprinting, may be less so.
But this wasn’t an account takeover in the classic sense. It was, to a large degree (based on available reports), a privileged access problem. In this case, it appears that Twitter has a customer support tool that allows support staff to log in to a user’s account as the user, to better understand reported problems.
At least part of the question should clearly shift from “How were accounts hijacked?” to “What controls are there to limit running sensitive tools? Did controls fail, or did they not exist?” This is not a “security-only” exercise; understanding where to place controls requires business risk-management skills.
This is also not a theoretical exercise. The classic “maker-checker” model says that when a person wants privileged access, an independent check should confirm that his/her access rights apply at this specific moment.
One way to do this is to see if there is an open support ticket against the account in question. A simple database call to see if the user had reported a problem (preventing the tool from running without one) would likely have helped a lot.
Of course, a rogue support person can open tickets, so a better “checker” is the actual account owner. Had the account takeover tool required authorization from each user to run, the hack would have been stopped in its tracks.
Ideally, that authorization would be secure without requiring the user to log in to Twitter (since support calls are often about problems logging in). Imagine a message on the user’s phone asking him/her to authorize someone to access his/her account. Unless actively working with support, the response would likely have been “no.”
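The two checks described above (an open support ticket as the weak checker, and the account owner's out-of-band approval as the strong one) can be expressed as a small gate placed in front of the privileged tool. The following is an added example and is not code from Twitter or Authoriti; the ticket store, approval store, agent names, account name and timestamps are all constructed in memory, and the push prompt that would collect the owner's "yes" is assumed to exist outside this code. It goes slightly beyond the post by binding each approval to one named agent and making it short-lived and single-use, so a stale or replayed "yes" cannot be reused.

```python
"""Maker-checker gate in front of a privileged support tool (added example).

The tool may run against an account only if (1) an open support ticket exists
for that account and (2) the owner approved this specific agent out of band,
recently, and that approval has not already been spent. Fails closed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


class AccessDenied(Exception):
    """Raised when the privileged tool must not run against this account."""


@dataclass
class Ticket:
    ticket_id: str
    account: str
    status: str  # "open" or "closed"


@dataclass
class OwnerApproval:
    """The owner's out-of-band 'yes': bound to one agent, short-lived, single-use."""
    account: str
    agent: str
    expires_at: datetime
    used: bool = False


@dataclass
class SupportAccessGate:
    tickets: dict = field(default_factory=dict)    # ticket_id -> Ticket (constructed store)
    approvals: dict = field(default_factory=dict)  # account -> OwnerApproval (constructed store)
    audit_log: list = field(default_factory=list)  # every decision, allow or deny

    def open_ticket(self, ticket_id, account):
        self.tickets[ticket_id] = Ticket(ticket_id, account, "open")

    def has_open_ticket(self, account):
        return any(t.account == account and t.status == "open"
                   for t in self.tickets.values())

    def record_owner_approval(self, account, agent, now, ttl=timedelta(minutes=10)):
        # Assumed to be called by the owner's reply to a push prompt, never by support staff.
        self.approvals[account] = OwnerApproval(account, agent, now + ttl)

    def authorize(self, agent, account, now):
        """Raise AccessDenied unless both checks pass; log either outcome."""
        # Check 1 (weak checker): somebody opened a ticket for this account.
        if not self.has_open_ticket(account):
            self._deny(agent, account, "no open support ticket")
        # Check 2 (strong checker): the owner approved *this* agent, recently,
        # and the approval has not already been spent.
        approval = self.approvals.get(account)
        if approval is None:
            self._deny(agent, account, "no owner approval")
        if approval.agent != agent:
            self._deny(agent, account, "owner approved a different agent")
        if approval.used:
            self._deny(agent, account, "owner approval already used")
        if now >= approval.expires_at:
            self._deny(agent, account, "owner approval expired")
        approval.used = True
        self.audit_log.append(f"ALLOW agent={agent} account={account}")

    def _deny(self, agent, account, reason):
        self.audit_log.append(f"DENY agent={agent} account={account} reason={reason}")
        raise AccessDenied(reason)


def try_authorize(gate, agent, account, now):
    """Return (allowed, reason) instead of raising, for callers that just want a verdict."""
    try:
        gate.authorize(agent, account, now)
        return True, "ok"
    except AccessDenied as exc:
        return False, str(exc)


def demo():
    """Walk through the situations the post describes; returns the audit log."""
    t0 = datetime(2020, 7, 15, 20, 0, tzinfo=timezone.utc)  # constructed timestamp
    gate = SupportAccessGate()
    try_authorize(gate, "agent-1", "@victim", t0)            # no ticket at all
    gate.open_ticket("T-1", "@victim")                       # a support person opens one
    try_authorize(gate, "agent-1", "@victim", t0)            # ticket alone is not enough
    gate.record_owner_approval("@victim", "agent-1", now=t0)  # owner says "yes" for agent-1
    try_authorize(gate, "agent-1", "@victim", t0 + timedelta(minutes=1))   # allowed once
    try_authorize(gate, "agent-1", "@victim", t0 + timedelta(minutes=2))   # replay refused
    gate.record_owner_approval("@victim", "agent-1", now=t0)
    try_authorize(gate, "agent-1", "@victim", t0 + timedelta(minutes=11))  # expired
    return gate.audit_log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running the file prints one audit line per decision: four denials and one allow. The ordering of the checks matters for the post's argument: a ticket opened by a rogue support person satisfies check 1 but still stops at "no owner approval", which is exactly why the owner, not the ticket, is the better checker.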
Authoriti has spent years developing ways to simplify and improve security by letting people control how their accounts and data are used. If you see places where you could benefit from better privileged access controls, and a frictionless security experience, we are here to help.
Lou Steinberg is Chairman and Co-founder of Authoriti.