Twitter SMS authentication security won't stop attacks, say experts

Twitter's long overdue rollout of two-factor authentication doesn't plug every angle of attack and won't guarantee that customer accounts aren't compromised in future, experts have warned.

Twitter introduced its secure two-factor option earlier this week after an accelerating number of hijacks against high-profile and corporate users, including The New York Times, Associated Press, the BBC and Burger King.

This allows account holders to choose that logins be authenticated using SMS codes sent to mobile handsets in addition to the passwords that have proved so vulnerable to compromise.

Although the move has been welcomed as a necessary step in the right direction, some have reservations about its practicality and long-term security.

For individuals, having to retrieve an SMS code for every login across possibly several accounts could prove awkward. While this will be less of an issue for larger organisations, managing which mobile numbers are set up to receive the codes could prove another hurdle.

"I do have some unanswered questions on how this will be implemented for large organisations that have multiple users with access to the company Twitter account," said Troy Gill, senior security analyst for email security firm AppRiver. "This might make use slightly more cumbersome," he predicted.

So much for practicality, which is always a trade-off. But will it improve security under real-world conditions?

There are two broad weaknesses with this approach, the first of which is pointed out by David Emm, a senior security researcher at Kaspersky Labs.

"Many people log into their Twitter account from their smartphone via the Twitter app which doesn't require login credentials to be entered each time.

"This means that the same device is being used for both authentication factors and if this device is lost or stolen, whoever finds or has stolen it will be able to access the account," he said. "Therefore, in effect, there is no longer two-factor authentication."

Emm also worries about the possibility that attackers will shift their focus to stealing the authentication codes, which has already been successfully tried during the disastrous 'Eurograbber' online banking attacks that hit a variety of financial institutions last summer.

"It is possible that we will see the development of smartphone-based malware that is specifically designed to steal the SMS authentication code," said Emm. "We have already seen similar malware designed to steal mTAN numbers for banking transactions and examples include ZitMo (ZeuS-in-the-Mobile)."

Dana Tamir, Enterprise security director of security specialist Trusteer, concurs. The mobile adds a layer of inconvenience but it is far from watertight. Enterprises need to be aware of its limitations.

"Two factor authentication for every tweet is a must for high risk accounts like the AP, 60 Minutes and CBS that when compromised can spread false news that can spread quickly."

"However, although considered strong, two-factor authentication alone is not really adequate as cybercriminals using financial malware have already found ways to circumvent it using Man-in-the-Browser attacks," he said.

"Trusteer has found that fraudsters bypass SMS based authentication by taking over victims' mobile SIM cards or installing malware on mobile devices that redirect SMS messages to fraudsters."

Standing back, Twitter's two-factor SMS roll-out could just be the start, a necessary short-term fix to a growing problem in advance of the firm's likely IPO. Other layers might be needed.

"Twitter should also strongly consider enabling options other than SMS and even consider allowing enterprises to enable location and or IP based log-in options," suggested Amar Singh, CISO for News International and chair of the ISACA security group.

"These are good baby steps," said Singh.