After hacking of Twitter CEO account, here’s how to protect your accounts

September 7, 2019

Less than a minute

بعد اختراق حساب المدير التنفيذي لتويتر .. إليكم كيف تحمون حساباتكم

English
العربية

SAN FRANCISCO — When hackers took over the Twitter account of Twitter’s chief executive, Jack Dorsey, last week, they used an increasingly common and hard-to-stop technique that can give them complete access to a wide array of the most sensitive digital accounts, including social media, email and financial accounts.

Called SIM swapping, it allows hackers to take control of a victim’s phone number. In recent months, SIM swapping has been used to hijack the online personas of politicians, celebrities and notables like Mr. Dorsey, to steal money all over the world and to simply harass regular people.

Victims, no matter how prominent or technically sophisticated, have been unable to protect themselves, even after they have been hit again and again.

“I’ve been looking at the criminal underground for a long time, and SIM swapping bothers me more than anything I’ve seen,” said Allison Nixon, the director of research at the security firm Flashpoint. “It requires no skill, and there is literally nothing the average person can do to stop it.”

How a SIM swap works
Criminals have learned how to persuade mobile phone providers like T-Mobile and AT&T to switch a phone number to a new device that is under their control.

The number is switched from a tiny plastic SIM card, or subscriber identity module, in the target’s phone to a SIM card in another device.

Sometimes hackers get phone numbers by calling a customer help line for a phone carrier and pretending to be the intended victim. In other recent incidents, hacking crews have paid off phone company employees to do the switches for them, often for as little as $100 for each phone number.

Once the hackers have control of the phone number, they ask companies like Twitter and Google to send a temporary login code, via text message, to the victim’s phone. Most major online services are willing to send those messages to help users who have lost their passwords.

But the temporary code is sent to the hackers.

Phone companies have been aware of the problem for years, but the only routine solution they have come up with is offering PIN codes that a phone owner must provide in order to switch devices. Even this measure has proved ineffective. Hackers can get the codes by bribing phone company employees.

“It just doesn’t seem like the AT&Ts of the world are really doing anything to make it more difficult,” said Erin West, a deputy district attorney in California’s Santa Clara County and a member of a law enforcement task force focusing on the problem. “I live in fear that I will get SIM-swapped because it’s not that difficult.”

No American authorities are keeping statistics on the frequency of the attacks. But Ms. West and others who are tracking cases said they had become more frequent over the last year.

“Account takeover fraud is an industrywide problem,” said Paula Jacinto, a spokeswoman for T-Mobile. “We use a number of safeguards to help protect against this crime and offer customers a variety of options to help them protect their own information.”

Who has been hit?
It is difficult to ascertain how many mobile phone users have been hit by a SIM swap. But people around the world, from Kenya to Hollywood, have complained about it.

In recent weeks, the most prominent targets have been celebrities like Mr. Dorsey, the actress Jessica Alba, and online personalities like Shane Dawson and Amanda Cerny (her second time). The hackers used the accounts to post offensive messages to millions of followers. They also gained access to private communications.

Matthew Smith, who owns an internet-focused design studio in South Carolina, has been hit by SIM swappers four times — three times this year alone. Hackers had long wanted his Instagram handle, @whale. That made him a target.

Every time the attackers have gained access to his social media and email accounts, Mr. Smith’s phone provider, T-Mobile, has assured him that it has put additional measures in place to protect his account. While he has managed to get back his social media accounts, he has not regained access to two Google email accounts that held years of communications.

In the most recent incidents this summer, after the attackers got into a new email address, they contacted Mr. Smith, his family and his friends to threaten him and his children with information from his accounts.

“It feels sickening,” Mr. Smith said. “It feels like everything you own, and you thought was safe and yours — that someone is playing with that like it is a toy.”

T-Mobile said it would not comment on specific customers.

Victims have complained that after the attacks, they have struggled to get help from their phone companies, or to even get someone on the line at a phone company who understood the problem.

When the recording artist King Bach lost and then regained control of his phone number in late August, he posted an angry video on Twitter in which he said he had spent hours on the phone with AT&T.

“The customer service is trash,” he said. “I couldn’t get no help.”

AT&T did not respond to numerous requests for comment.

Progressing from pranks to theft
SIM swapping became popular in the hacking community years ago. Attackers were mostly interested in taking control of rare or iconic social media account names, like a Twitter or Instagram account with just one name.

But hackers soon realized they could gain access to more than social media accounts.

In 2016, SIM-swapping gangs started targeting cryptocurrency holders. Unlike traditional bank transactions, once virtual currency is moved to a new address, the transaction cannot be reversed. American bank accounts have been less vulnerable to SIM swapping because banks will generally reverse any criminal transactions.

Over the last year, law enforcement officials have arrested some of the gangs stealing cryptocurrency. For the first time, a hacker was sent to jail and is serving a 10-year sentence.

The number of online crews focused on SIM swapping has been growing, researchers said, as has the range of victims and the type of accounts.

In Africa, gangs have used SIM swapping to target financial accounts tied to mobile phone providers, like the popular MPesa service in Kenya. South African officials said there were over 11,000 incidents there last year, triple that of the year before.

Security experts have recommended that companies stop using phone numbers to help customers recover accounts.

“This is a technology problem because we are using a very old technology that is not designed to be secure to send secure codes,” said Fabio Assolini, a security researcher at Kaspersky Lab, who lost his own phone number in a SIM-swapping attack last year.

Twitter said on Wednesday that it would stop allowing some users to post updates via text message, which made Twitter access particularly easy for SIM swappers. But that will not stop hackers who use the SIM swap to log in to a victim’s Twitter account. (Twitter said it was working to improve this.)

Security experts are worried that hackers could step up their attacks and use the method to go after even higher-value targets. The phones and social media applications of several Brazilian politicians have recently been compromised.

“SIM swapping is proliferating, and it is going to keep proliferating until companies deal with this,” Ms. Nixon said. “This is a known issue at this point. There is not really any excuse.”

source: nytimes.com

كشف اختراق حساب جاك دورسي، الرئيس التنفيذي لشركة تويتر، يوم الجمعة 30 أغسطس/آب، عن خلل في أنظمة الشبكة الاجتماعية قد يجعل أي شخص مهدداً، من المشرعين إلى المديرين التنفيذيين ومستخدمي تويتر العاديين. وأثار ذلك تساؤلات خطيرة حول إمكانية الحفاظ على أمن حساباتنا لعدم ملاقاة نفس المصير.

على الأرجح، وقع دورسي ضحية لعملية تبديل بطاقة SIM، عندما يقدم المخترق على دفع رشوة أو يقنع موظف شركة الشبكات الهاتفية بطريقة ما لتبديل بطاقة الهاتف برقم الضحية ووضع البطاقة الجديدة في جهاز لدى المخترق.

فأحياناً يكون من السهل إقناع شخص يحصل على 12 دولاراً في الساعة أن يبدل بطاقة SIM الهاتفية مقابل 1000 دولار.

وبفضل الخاصية الموجودة منذ أيام تويتر الأولى، يصبح بإمكان أي مخترق يتحكم برقم هاتفك المرتبط بحساب تويتر أن يكتب أي تغريدات يريدها على رقم تويتر، 40404، وسوف تُنشر فوراً على حسابك. لم يحتج المخترق إلى أي مصادقة أخرى، ولا حتى كلمة المرور الخاصة بالحساب.

لا يبدو أن هناك طريقة حقيقية يمكن من خلالها إيقاف الخاصية التي مكنّت المخترق أو المخترقين من السيطرة على حساب دورسي. الطريقة الوحيدة لذلك تتضمن جعل حسابك أقل حماية بشكل عام. ولكن يظل هناك بعض الأمور يمكنها حماية حسابك من الهجمات من ذلك النوع

حساب تويتر ورموز التحقق

في البداية، من الجيد دائماً تفعيل المصادقة الثنائية، إذ تتضمن خطوة مصادقة إضافية لتأكيد هويتك بخلاف كلمة المرور العادية. ولكن حتى المصادقة الثنائية لن تحمي حسابك في حالة الاختراق عبر تبديل بطاقة SIM الهاتفية.

ليست كل عمليات المصادقة متساوية. بإمكان المخترق اعتراض رموز الحماية المرسلة عبر الرسائل النصية، ما يجعلها غير مفيدة.

لحسن الحظ، يقدم تويتر العديد من وسائل المصادقة الأكثر حماية.

إحدى الخطوات التي يمكنك استخدامها هي تطبيق مصادقة جوجل «Google Authenticator» الهاتفي، الذي سيقدم لك الرموز. سيحتاج المخترق عندئذ إلى هاتفك الفعلي للحصول على الرموز. أو يمكنك استخدام مفتاح حماية مادي، وهو جهاز صغير يمكن شراؤه بشكل مستقل يعمل على توليد رموز الحماية. سيحتاج المخترق إلى سرقة هذا المفتاح للوصول لحسابك.

تبديل رقم هاتفك

حتى الآن، يبدو أن الطريقة الوحيدة لإيقاف المخترق عن استخدام الرسائل النصية لنشر التغريدات من حسابك هي حذف رقم هاتفك من تويتر تماماً. ولكن هناك مشكلة؛ إذا فعلت ذلك ستعطل المصادقة الثنائية عن حسابك. وهنا يقول كثير من المستخدمين أنهم حاولوا مرات عديدة إبقاء المصادقة الثنائية قيد التفعيل على حساب تويتر مع حذف رقم الهاتف. وفي كل مرة يقول تويتر إنه يسمح بذلك، ولكن عند تنشيط الصفحة، تتعطل المصادقة الثنائية.

ما الذي يمكنك فعله بدلاً من ذلك، حاول تبديل رقم هاتفك بالرقم الذي تحصل عليه من خدمة اتصالات Google Voice، . رقم هاتف «Google Voice» لا يُدار بواسطة أي مقدم خدمة هاتفية ولا يمكن للمخترق أن يتحدث لأي شخص لكي يساعده على التحكم برقمك. ولكن غالباً هذه الخاصية في الولايات المتحدة الأمريكية.

وربما هذا ليس خياراً مثالياً؛ لأنه من الممكن أن يتعرض حساب جوجل الخاص بك للاختراق أيضاً في حال تبديل بطاقة SIM الهاتفية إذا كنت قد أعددت استلام الرسائل النصية للمصادقة الثنائية على ذلك الرقم. وأي شخص خارج الولايات المتحدة سيكون عليه العثور على خدمة بديلة. ولكنها ستظل فعالة في حال تمكين وسيلة مصادقة بديلة على حساب جوجل واتباع إجراءات الحماية الأخرى العامة المناسبة مثل إعداد كلمة مرور فريدة وقوية جداً على كل المواقع التي تستخدمها، واستخدام برنامج «مدير كلمات مرور» لمتابعتها.