Twitter CEO Jack Dorsey was hacked Friday. How to protect your Twitter account

Dorsey was probably the victim of a SIM swap, a practice in which a hacker bribes or otherwise convinces a mobile carrier's employee to transfer a victim's phone number to a SIM card in the hacker's device.

"Some can just get someone making $12 an hour and offer them a thousand dollars to make a SIM swap," Brian Krebs, a leading cybersecurity journalist, told CNN Business on Saturday.

Thanks to a feature left over from Twitter's early days, if a hacker gains control of the phone number associated with your Twitter account, they can text any tweets they want to Twitter's short code, 40404, and the messages will immediately be published to your account. The hacker does not need any other verification, not even your password: the originating phone number is the only thing Twitter checks.

Asked by CNN Business on Saturday, Twitter declined to comment on whether it would change its security practices following the Dorsey incident.


Until it does, there doesn't appear to be any real way to turn off the feature that the hacker or hackers apparently exploited to take over Dorsey's account. In fact, the only way to do that is to make your account less secure overall. But there are still some things you can do to protect your account from this type of attack.

Verification Codes

First, it is always a good idea to have two-factor authentication enabled, as an additional step to verify your identity beyond your regular password. But two-factor authentication alone won't protect you from a SIM swap hack.

Not all verification methods are created equal. A hacker who controls your phone number can intercept security codes sent via text message, which makes SMS-based verification useless against this attack.

Fortunately, Twitter offers several more secure verification methods.

One step better is to use an authenticator app such as Google Authenticator, which generates codes on your phone itself; a hacker would then need your actual device, not just your phone number, to get the codes. Or you can use a physical security key, a small piece of hardware you buy separately that you plug in or tap to confirm a login. A hacker would usually need to steal that key to access your account.
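To make the difference concrete, here is an added example (not Twitter's, Google's or any carrier's code) that models the two weaknesses described above and the defence that survives them: a toy carrier that routes texts by phone number, a gateway that, like the 40404 feature, posts an inbound text as whichever account has that number linked, and an RFC 6238 time-based one-time password routine of the kind an authenticator app runs. The Carrier and SmsTweetGateway classes, the phone numbers, SIM identifiers and secrets are all constructed for illustration; the TOTP secret is the RFC 4226 test key so the output can be checked against the published vectors.

```python
import hashlib
import hmac
import struct


class Carrier:
    """Toy mobile carrier: routes SMS by phone number -> SIM. Constructed model."""

    def __init__(self):
        self.number_to_sim = {}

    def provision(self, number, sim):
        self.number_to_sim[number] = sim

    def sim_swap(self, number, new_sim):
        # What a bribed or tricked employee does: the number now lives on the attacker's SIM.
        self.number_to_sim[number] = new_sim

    def deliver_sms(self, to_number, text):
        # Whoever currently holds the number receives the message.
        return self.number_to_sim[to_number], text

    def originating_number(self, sim):
        # Caller ID as the network asserts it: the number currently mapped to that SIM.
        for number, s in self.number_to_sim.items():
            if s == sim:
                return number
        return None


class SmsTweetGateway:
    """Models the SMS-to-tweet feature: a text from a linked number is posted as that
    account with no further check (the 40404 behaviour described in the article)."""

    def __init__(self, carrier):
        self.carrier = carrier
        self.number_to_account = {}
        self.timeline = []

    def link_number(self, account, number):
        self.number_to_account[number] = account

    def receive(self, from_sim, text):
        # The only authentication is the network-asserted originating number.
        number = self.carrier.originating_number(from_sim)
        account = self.number_to_account.get(number)
        if account is None:
            return None
        self.timeline.append((account, text))
        return account


# RFC 4226 HOTP / RFC 6238 TOTP: the code depends on a per-device secret and the
# time, not on the phone number, so moving the number to another SIM reveals nothing.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    return hotp(secret, unix_time // step)


def run_scenario():
    carrier = Carrier()
    carrier.provision("+15550100", "sim-victim")      # constructed victim number/SIM

    gateway = SmsTweetGateway(carrier)
    gateway.link_number("victim", "+15550100")

    # Before the swap the attacker's SIM owns no linked number: nothing is posted.
    before = gateway.receive("sim-attacker", "hello")

    # The attacker bribes an employee; the victim's number moves to the attacker's SIM.
    carrier.sim_swap("+15550100", "sim-attacker")

    # 1) SMS-to-tweet: the attacker's text is now published as the victim.
    posted_as = gateway.receive("sim-attacker", "I did not write this")

    # 2) SMS one-time code: delivered to whoever holds the number, i.e. the attacker.
    sms_code = hotp(b"server-side-sms-secret", 1)      # constructed server secret
    receiving_sim, _ = carrier.deliver_sms("+15550100", f"Your code is {sms_code}")

    # 3) Authenticator app: the secret never leaves the victim's device.
    device_secret = b"12345678901234567890"   # RFC 4226 test key; lives only on the phone
    now = 59                                  # RFC 6238 test timestamp
    victim_code = totp(device_secret, now)
    attacker_guess = totp(b"unknown", now)    # the attacker has the number, not the secret

    return {
        "before_swap_posted_as": before,
        "after_swap_posted_as": posted_as,
        "sms_code_received_by": receiving_sim,
        "totp_leaks_via_number": victim_code == attacker_guess,
        "victim_totp": victim_code,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The model shows why deleting the phone number, or moving it somewhere a carrier employee cannot touch, closes the first two holes, while an authenticator app or security key is unaffected by the swap in the first place: the thing being verified is a secret on the device, not which SIM the network happens to route a number to.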

Replace your phone number

Right now, the only way to turn off the ability to post a tweet from your account by text message is to delete your phone number from Twitter completely. But there is a catch: doing so will disable two-factor authentication on your account. I tried several times to keep two-factor enabled on my own Twitter account while deleting my phone number from it. Every time it appeared Twitter would allow me to do so, but when I reloaded the page, two-factor was off.

What you can do instead, if you're in the US, is replace your phone number with a number from Google Voice, as Krebs first suggested on Twitter. A Google Voice number is not managed by a mobile carrier, so there is no carrier employee a hacker can talk into transferring your number.

"You can't get someone from Google Voice on the phone if you try," Krebs told CNN Business.

That's not a perfect solution, Krebs said, since your Google Account can also be hijacked via SIM swap if it is set up to receive two-factor authentication codes by text message. And anyone outside the United States will have to find an alternative service. But it will still be effective if you enable a different verification method on your Google Account and follow other generally good security practices, like setting strong, unique passwords for every site you use and using a password manager to keep track of them.

CNN's Kevin Collier contributed to this report.
