Authentication for Bitcoin Holders

Jack Dorsey’s Twitter Account Hacked and the Importance of Stronger Authentication for Bitcoin Holders

Jack Dorsey’s own account, CEO of the microblogging platform Twitter, was hacked on Friday evening. Attackers used their 20-minute window to post racist tweets, and also announced that a bomb was planted in the company’s office..

The dubious tweets were later removed, and platform support reported that the phone number associated with Dorsey’s account had been “compromised by an oversight of the mobile service provider.” “This allowed an unauthorized person to compose and send tweets via text messages from a phone number. The problem has now been resolved, “writes Twitter account Twitter Comms.

Several messages posted to Dorsey’s account were tagged #ChucklingSquad, which belongs to the hacker group behind the attack, and were sent using the Cloudhopper infrastructure, which Twitter acquired in 2010 to integrate its services with SMS services. This has led some users to believe that Dorsey’s account has been linked to Cloudhopper over the years, but in reality this is not the case..

Image: @Hooray

As Wired explains, the Twitter API accompanies all SMS messages processed through the Cloudhopper framework with a tag. This confirms that in order to publish messages from the Dorsey account, the attackers in this case did not even need to crack his password, because access to the phone number is accepted by the system as sufficient confirmation to provide access.

SIM swapping in the cryptocurrency space

For crypto investors, Dorsey is also known as the founder of digital payments company Square, a supporter of Bitcoin and the technology for scaling its Lightning Network blockchain. Last week, renowned Bitcoin Core developer Matt Corallo joined the Square Crypto team to develop open source projects to improve the Bitcoin ecosystem with Dorsey’s money..

The problem with SIM swapping – this is the type of attack that attackers have done with Dorsey’s account – is probably more pressing in the cryptocurrency market than in any other industry. This is due to the fact that two-factor SMS authentication is often used as the default method of protecting accounts, thus opening up an additional vector for attacks..

It is worth noting that this type of attacks has been known for a significant part of the last decade, however, their heyday fell on 2017-2018 due to the growing popularity of cryptocurrencies and the number of accounts with large sums of money, for the protection of which SMS authentication is used..

So, for example, the damage from the actions of SIM swaps since the beginning of 2018 in the United States was estimated at $ 50 million a few months ago. And although it is publicly known about such cases mainly in Western countries, the technical ability to carry out attacks is available in other regions as well..

“Perhaps now that someone as famous as Jack Dorsey has suffered from SIM swapping, the major mobile service providers will notice that this is not normal. The fact that social engineering can lead to the disclosure of my data is absurd. Fix it, ”writes crypto trader ArcaChemist.

Alternative two-factor authentication methods

Unfortunately, there is little that cryptocurrency users using SMS authentication can do to ensure their own security. However, they have access to other methods of protecting their accounts, the most common and available of which is the Google Authenticator application. It uses algorithms developed by Google LLC to generate 6-digit one-time digital passwords that must be provided in addition to the standard login / password pair when logging into your account..

In many cases, this will be enough to avoid the undesirable of the increased interest of attackers in your account. Those who want to go even further can consider purchasing a hardware U2F token, such as the YubiKey – these devices are easy to use, but under the case they have well-thought-out cryptographic protection based on the private and public keys familiar to users of cryptocurrencies..

And finally, recently non-custodian exchanges, such as Binance DEX, have added the ability to authorize using hardware wallets, which allows them to be used not only for storing cryptocurrencies, but also for exchanging them..

“Immediately change the authentication on Twitter and on crypto-accounts to something that is not related to SMS, for example, Google Authenticator”, – in the light of recent events, calls on the CEO of the Tron blockchain project Justin Sun to his subscribers.

Similar articles