Thanks Twitter, but here’s everything that’s wrong with your two-factor authentication set-up

twitter two step verificationAfter much ado, Twitter finally rolled out two-factor authentication. The AP hack that gave Wall Street a good scare may have been the final straw; unfortunately as much as you’d like this two-factor authentication update to keep your accounts secure and safe from hackers, there are more than a few reasons why it’s not going to solve the Twitter hacking problem.

Twitter doesn’t have the best track record when it comes to security, nor has Twitter proven to its users that security is top-priority (because it’s not). And unfortunately Twitter’s implementation of two-factor authentication is a joke – and it’s not the only security problem the network has.

SMS-to-browser system leaves loopholes for hackers

It’s great that Twitter is finally recognizing and admitting (in its own way) that its platform is vulnerable, but don’t believe for one second that your account is safe. Twitter is still just as easy to hack as it was before, and there really aren’t any significant hurdles that these hackers need to jump over even with two-factor authentication.

If you’re in disbelief, let me tell you that the Syrian Electronic Army isn’t impressed. “We expected more than that :),” SEA’s leader The Shadow says via email. So expect continued Twitter hijackings even with Twitter’s two-factor authentication.

Why? Well the social network decided to go with a SMS-to-browser two-factor authentication system, which is still easy to hack with man-in-the-middle attacks. In fact this doesn’t even necessitate any major tweaks to existing hacking strategies.

So for an organization that first and foremost employs phishing attacks to gain access to accounts, is the Syrian Electronic Army sweating? Nope.

How to (easily) bypass Twitter’s two-factor authentication

A phishing attack starts off with a malicious email that looks exactly like what you might receive from Twitter. The email might inform you that your Twitter account has been compromised and ask you to reset your password, and many if not most unwitting users will click through to the link embedded in that email. Now two things can happen here: First you may have opened yourself up to downloading a malicious file like a Trojan virus. The second is a man-in-the-middle attack where you might encounter a site that looks exactly like The catch is that this site is asking you to reconfirm your account information including your user name and password. Then if you click “Submit,” you’ve just handed the “hackers” the keys to your account.

So how can anyone hack Twitter with two-factor authentication in play? The account info you’ve just entered will automatically be entered into the real by the hacker. And seeing as how you’ve had your account info entered into for you, Twitter’s two-factor authentication will ping the victim with the SMS and temporary password as expected, Toopher (a two-factor security service) CEO Josh Alexander explains.

At that point, since you’ve received an SMS from Twitter, you’re probably under the assumption that the account recovery process seems legit and would continue to enter in that temp password into the fake Twitter site. Of course once that’s done you’ve lost complete control of your account. “It looks like a lot like the real Twitter site,” Alexander says of the fake recovery site. “Now when you log in there, it transmits your credentials to the hacker. The hacker takes those credentials, they input them into the real Twitter site, and Twitter’s new technology will allow them to push a SMS to you with their one-time pin. The two-factor authentication then instructs you to enter that into the Twitter site to confirm. When you do that, you’re doing that at the fake Twitter site, and the hacker passes that pin to the real Twitter site. By that time, the hacker has full access to your account.”

There’s more than one way to hack Twitter

SMS spoofing

Now to make matters worse, if skilled hackers feel like they’re in the mood to troll some users, Alexander adds that there are ways to intercept SMS or even block the message. That strategy is far harder, as there are time constraints and physical distance constraints. It’s admittedly not something Twitter would need to be concerned about considering the difficulty.

What’s far more dangerous is finding out that your phone number is no longer associated with your account. F-Secure detailed an alternative methodology called SMS spoofing that it tested and confirmed was able to deactivate two-factor authentication by SMS spoofing the word “STOP.” But to successfully accomplish this, a hacker will have to know your phone number.

With two-factor authentication out of the way, a hacker can use a phishing attack as we described earlier to gain access without concerns about two-factor authentication.

Malicious input validations

If the hacker feels bold enough, they can attempt an attack directly at using unchecked input validation – hackers input malicious code into the target site and cause the site to spit out information, senior VP at software quality analysis firm CAST Lev Lesokhin says, which include attacks like cross-side scripting, buffer overflow, and SQL Injections.

In the years that Lesokhin has been analyzing structural issues in the source code of website and applications for CAST from a security, stability, and performance standpoint, and he says that of the 500,000 lines of code that these sites or software have on average, CAST discovers between 100-150 major exploitable issues.

“Most folks in the security community know that performance issues and stability issues are the same kind of issues that allow hackers to get in,” says Lesokhin. For instance a DDoS is one way to overload servers with too many users and too many queries that the overwhelmed server starts spitting out error messages. And from this information, hackers can map out a point of entry.

Two-factor authentication is a hassle

While Twitter wouldn’t let us know how many users have added two-factor authentication, we’d guess that a higher percentage of users have ignored the option. You can’t blame them – typing a temporary code with every login is really a hassle.

“It really destroys the user experience now that you have to pull out your phone every single time you want to log in; you have to manually transcribe this code from your phone to the browser. You still have the same vulnerability to a man-in-the-middle attack as you did, now granted Twitter added an extra step, but it doesn’t make it any more difficult for the hacker to actually violate you,” says Alexander.

As for brands with multiple people managing one account, well you’re going to be hard pressed to find these users adopting this security measure – that is unless they’re potential or previous victims. The brands and publishers who are aptly using Twitter are largely doing so to get news out – and they want to do so in a timely, real-time, fast manner. The code eliminates that altogether. 

There are more secure alternatives out there

The SMS channel isn’t the core issue. It’s the fact that Twitter requires users to input the code into the browser, which can easily be undermined by MitM (Man-in-the-middle) and MitB (Man-in-the-browser) attacks. So it actually won’t take all that much to make Twitter a lot more secure.

For instance, Twitter could just ask its users to verify their account by replying to an SMS. That would remove any chances of falling victim to a MitM.

Or, if you’re really concerned about verifying your account via the SMS channel (since Man-in-the-mobile attacks are getting more popular), Toopher’s security service offers a push notification and location based authentication. To authenticate your access attempt you’d just reply to the push notification within your phone. And you only need to authenticate an account once. Toopher grants its users access to certain websites depending on your location. All you need is your phone in your pocket (turned on) and that means there’s no need to pull out your phone again if you’ve set up Toopher to enable Twitter access whenever you’re at your office or home.

We’re not saying that this is fool-proof – it’s not. But it’s far better than what Twitter put together.

Even simpler solutions would be the notifications you’d get sent via email alerting you of the browser and locations you’ve signed into Twitter from – a strategy that Facebook uses – or even prompting you via SMS to check and confirm the location and IP address that you’ve signed in from.

It’s not perfect, but it’s a start

Lesokhin says that not every site will be up to date with the latest security standards. Different companies reach goals at different paces. What these sites can do in the mean time is to make the job a lot harder for hackers and patch up any issues. Alexander and Lesokhin would agree that Twitter’s two-factor authentication system is the right start in the social network’s bid to become more secure.

But Twitter isn’t just motivated to figure out its security issues based on recent attacks. Twitter has the Federal Trade Commission to answer for. The FTC finalized Twitter’s settlement for Twitter’s “failure to safeguard personal information” in the wake of high-profile attacks in 2009 that included President Barack Obama’s account being compromised, among eight other accounts.

Coming out of that settlement, starting in 2011 Twitter became subject to a security audit every other year for 10 years.

To Twitter’s credit, whether or not the social network was “inspired” by the FTC, it announced the introduction of DMARC (Domain-based Message Authentication) in February of this year to curb phishing and man-in-the-middle attacks. DMARC recognizes fishy domain names that might replicate Twitter’s site and prevents these phishing emails from reaching the intended victims. Email clients including AOL, Gmail, Outlook, and Yahoo! Mail are participating in the program.

Not only this, but Computer Weekly reports that Twitter is using open source automated security tools to detect issues in the code that its engineers are writing. “The last bug is the best predicator of the next bug, so we wanted to understand why something happened to ensure it would not happen again, which is where automation is useful,” said Alex Smolen Twitter product security team software engineer at the Security Development Conference 2013.

While Twitter is the one currently on the hot seat, security isn’t only a problem for its platform. Facebook, Google, LinkedIn, among other companies employ two-factor authentication systems that can be exploited with varying degrees of difficulty alongside other weaknesses. Still, Twitter is one of the most insecure sites right now, and you shouldn’t feel totally impenetrable because of the two-factor authentication update.

Get our Top Stories delivered to your inbox: