The Twitter account of Twitter CEO Jack Dorsey, known by the Twitter handle @jack, was apparently hacked last Friday. The suspected method of the account takeover is a SIM swap, whereby attackers intercept SMS messages by changing the association of the SIM card number to a different device.
I spent my Saturday morning testing out whether you can fend off SIM swapping hackers by deleting your phone number off Twitter and whether that lets you still keep two-factor authentication on.
Short answer: no.
Long answer: https://t.co/L6P1phojUz — Shannon Liao (@Shannon_Liao) August 31, 2019
This incident is a perfect example of the risks associated with communication – any form of communication – when sender identity is not authenticated. A hacker or hackers were able to take over or spoof Jack Dorsey’s phone number, probably by impersonating him in a call to his mobile service provider.
The spoofed tweets sent through Dorsey’s account are despicable and offensive, yet far greater damage can be done using similar techniques. We see this play out over and over again with email communication. A hacker leverages impersonation to send extremely convincing spear phishing emails to a company employee, and in no time, fake invoices are paid, consumers’ data exposed, wire transfers are made to fake companies – the list is endless.
To stop these attacks, we must focus on validating and authenticating sender identity, no matter the form of communication. With email, we can do this by taking steps like properly enforcing DMARC and implementing advanced anti-phishing solutions that confirm senders’ identities before allowing emails to enter employees’ inboxes.
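To make "properly enforcing DMARC" concrete, the following added example (not code from the original post) parses a DMARC TXT record, flags monitoring-only settings that still let spoofed mail through, and evaluates a message's SPF/DKIM results against the record's alignment rules and policy. The records and domains (example.com, attacker.example) are constructed placeholders, and the organizational-domain helper is a simplification of the public-suffix lookup real receivers use.

```python
# Constructed sample records: a monitoring-only policy beside an enforcing one.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"

def parse_dmarc(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into a tag dict (RFC 7489 tag=value form)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (real code uses the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') compares org domains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(record: str, from_domain: str, spf_pass: bool, spf_domain: str,
             dkim_pass: bool, dkim_domain: str) -> str:
    """Return the receiver action for a message: 'accept', 'quarantine' or 'reject'."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "accept"           # DMARC passes if either aligned check passes
    policy = tags["p"]
    return "accept" if policy == "none" else policy   # p=none never blocks

def audit(record: str) -> list:
    """Flag record settings that leave spoofed mail deliverable."""
    tags = parse_dmarc(record)
    issues = []
    if tags["p"] == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    if tags.get("pct", "100") != "100":
        issues.append("pct<100 applies the policy to only a fraction of messages")
    if tags.get("sp", tags["p"]) == "none":
        issues.append("subdomain policy is none")
    return issues
```

With the weak record, a message whose SPF and DKIM both fail is still accepted; with the enforcing record it is rejected.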
Until we prioritize these initiatives as a society, we will continue to see attacks and an erosion of trust in our main forms of communication: phone, text, email, and social media.