When I woke up this morning, I did not expect to have a hot take opinion on Twitter's CEO Jack Dorsey being SIM swapped, allowing the attacker(s) to send several tweets from his account using the text-to-tweet service. But here we are, apparently.
The idea I want to push is that a phone number which is attached to a SIM card is not a good way to be sure someone is who they say they are. This is somewhat unintuitive for a lot of people, since when you get a text message or a call from a phone number that belongs to your sister (for example) you tend to feel quite confident that it is in fact your sister. There WAS not really a lot of value in stealing a person's phone number.
It IS valuable to steal a person's phone number
But now, when people's accounts are using phone numbers as their second factor for authentication (usually some form of sending a 6-8 digit number as a text message upon attempting to log in), stealing a phone number is actually quite valuable. And more importantly, not at all as hard as you might expect.
SIM swapping is something that happens more often than you might expect, and while I could argue that Jack should've been more prepared for it given his public position and all that, the truth is a lot of us have an account strategy that amounts to "let's hope for the best". Those of us that have a better strategy have usually had something bad happen to us in the past.
However, I have an additional gripe with Twitter on the subject of using a phone number as your second factor. Twitter is a big tech company, and they do technically allow people to use a TOTP (Time-based One-Time Password, the QR code thingy you know and love), which is better because it doesn't depend on your phone number. But Twitter does everything in their power to get your phone number, probably because they want that information to allow more Twitter users to find each other, and possibly for other nefarious reasons*. Let's look at an example of trying to set up two-factor authentication for my Twitter account.
Setting up 2FA on Twitter without a phone number.
Here are my Twitter settings. I've removed my phone number (due to what happened to Jack). Let's click the security item, shall we...
Ah, Two-factor authentication. Just the thing I came here for! The first time around I missed the little note at the bottom stating that
After you turn on two-factor authentication, you can then choose to use a mobile security app or a security key as your second factor instead.
You MUST add a phone number (exposing yourself to SIM swapping) before you can opt in to a much stronger form of 2FA. Here when Twitter says "Mobile security app" they mean TOTP, and when they say "security key" they mean a hardware security key, such as a YubiKey.
Let's click and set up some 2FA, shall we.
Apparently Twitter is going to stay true to its word and force me to set up SMS-based 2FA, aka they want my phone number, no matter the cost to my security. I'm not going to sugarcoat this: there is no way Twitter doesn't know about SIM swapping. They are making a choice here to force people into a less secure 2FA method, just so they can get your phone number.
It's not worth another image, but next I re-entered my Twitter password, and then gave them my Google Voice phone number.
Don't compromise your security by adding your phone number to online accounts with this one weird trick...
Exactly for situations like this, I have a Google Voice phone number that I don't give out to anyone, but that I can use to receive 2FA codes. I highly recommend having a phone number that is not tied to a SIM card. Not all services provide TOTP-based 2FA, and in those situations I use the Google Voice number as a SIM-swap-safe way of having 2FA.
Regardless, at this stage of our journey we have added some form of phone number to Twitter and pointedly ignored a little checkbox encouraging us to allow Twitter users to find our Twitter account by searching for our phone number (allowing Twitter to look at our contact books and figure out who knows who).
Now that I've enrolled, Twitter is suddenly allowing me to use the Mobile authentication app (TOTP). To be clear: there is NOTHING stopping Twitter from allowing me to have TOTP-based 2FA without adding my phone number. Twitter is forcing this onboarding experience because they want your phone number. And given text-to-tweet (the service where you can send a text message from your phone number and it will post a tweet) and attackers stealing your number through SIM swapping, this is a completely sub-par method of 2FA compared to using TOTP. The fact that they force this is nuts.
Going the extra mile
However, there is a way to get around this for the intrepid security nut. Simply onboard onto TOTP (Mobile authentication app, such as Google Authenticator or 1Password) and then turn the SMS-based security off. Twitter forces you to jump through a lot of hoops to get there, though.
Remember to save your backup code somewhere, otherwise if you drop your phone in the toilet it can be very hard or impossible to unlock your account.
And with that you can safely delete your phone number from your account. You have now protected yourself against SIM swapping and still have a perfectly secure 2FA on your account.
Apparently Twitter removes your mobile-authenticator-based 2FA if you remove your phone number. The reasoning (see item 4 in "read more") being that they may need the phone number to verify who you are. But of course this whole Jack Dorsey getting SIM swapped debacle has hopefully convinced you that a phone number is not necessarily the safest way to verify someone's identity. So what you actually want to do is keep the Google Voice number attached to your account but still just use the Mobile authenticator (TOTP) as your 2FA.
The fact that Twitter also silently removes your 2FA if you remove your phone number is completely bananas. This journey has gone from strange to outright bewildering for me.
Unless I've been using too much jargon above, the fix for this should be obvious. Don't force people to onboard onto SMS-based 2FA before giving them the option to use TOTP or a security key. There. Done. Fixed. Problem solved.
For the users of Twitter the fix is a lot more complicated. You could go the route I laid out above, or you could use a service such as https://mysudo.com/ (YMMV). But the point of this post isn't really to lay the burden on the end users to handle their security better; it's more so to encourage companies to help their users have a safer experience by default.
- *wild speculation.
- Good podcast (Reply All) that talks about SIM swapping: https://gimletmedia.com/shows/reply-all/v4he6k
- The frighteningly simple technique that hijacked Jack Dorsey’s Twitter account - The Verge