
Why Twitter’s Addition of Two-Factor Authentication is Just Window Dressing


By adding two-step authentication, did Twitter actually make itself secure?

Two weeks ago, Twitter announced that it was offering two-factor authentication to its customers. Experts agree it was a step in the right direction, but it’s clearly more of a cover-our-ass move than a solution.

First, let me say that we here at StrikeForce Technologies are huge proponents of two-factor authentication and applaud anyone who is taking steps to protect their customers, employees or family. Twitter’s half-solution, however, puts the onus on the customer. Now, when a breach occurs, they can say it’s your fault, not theirs, if you don’t use their two-factor solution. And if attackers get at user credentials even with two-factor implemented, Twitter can say it has taken steps to prevent it… the same steps that Google, Facebook and Microsoft have taken (to cover their own asses).

Here’s why the addition of two-factor is just window dressing:

Use

Two-factor works well in a corporate setting, where IT can mandate its use. Customer-facing applications won’t likely generate much use. People simply don’t want to take extra steps when doing the things they’ve always done. And even if you can get customers to use two-factor, there are other problems to worry about.

Out-of-Band Authentication

The real strength of out-of-band two-factor authentication comes from using two separate channels to send the username and password for login purposes. The username is sent over the normal data channel, while the password is sent over a separate channel (the telephone network, for instance). For example, if a user wants to log in to their account remotely, they enter their username in the login screen on the computer and click login. Two seconds later, their mobile phone rings and asks them for a secret PIN code (or for their voice or another biometric). By splitting the user’s credentials and sending them over two separate channels, the login process becomes significantly more secure than sending both pieces of information over the same data channel, which can easily be compromised by malware.

Google, Facebook and Twitter utilize in-band authentication, making them easily susceptible to malware attacks.

The Truth About Out-Of-Band Authentication: What It Is and What It Isn’t

Many solutions claim to be out-of-band because they do, in fact, use a separate channel (usually a mobile device) for the authentication piece. However, be aware of where the input from that second channel goes. For example, if you enter your login/password online and your mobile device shows a PIN code that you then type back online, you throw away the security of the separate band. If your authentication goes back in band, it can be stolen just as easily by malware. Google, Facebook and Twitter authentication each go back in band, making them easily susceptible to malware attacks. A true out-of-band solution would require your PIN on your mobile device, which would then enable the access without anything going back into the original channel.
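To make the distinction in this section and the previous one concrete, here is an added example (not StrikeForce, Twitter or Google code) that models both designs as message flows between a computer, a phone and a server. The `keylog` list stands in for malware that sees everything typed on the in-band channel; the phone channel is assumed to be separate and unobserved, and the user, password and PIN values are constructed.

```python
import secrets

class Server:
    """Constructed relying party: holds per-user PINs and pending logins."""
    def __init__(self, users):
        self.users = users            # username -> PIN the user knows
        self.pending = {}             # login_id -> in-progress login state

    # Variant A (in-band OTP): code displayed on the phone, typed into the computer.
    def begin_otp_login(self, username):
        login_id, otp = secrets.token_hex(4), f"{secrets.randbelow(10**6):06d}"
        self.pending[login_id] = {"user": username, "otp": otp}
        return login_id, otp          # otp goes to the phone, then comes back in-band

    def finish_otp_login(self, login_id, typed_otp):
        state = self.pending.pop(login_id)
        return secrets.compare_digest(state["otp"], typed_otp)

    # Variant B (out-of-band): username in-band, PIN entered on the phone only.
    def begin_oob_login(self, username):
        login_id = secrets.token_hex(4)
        self.pending[login_id] = {"user": username, "approved": False}
        return login_id               # server now rings / pushes to the phone

    def phone_enters_pin(self, login_id, pin):
        state = self.pending[login_id]
        state["approved"] = secrets.compare_digest(self.users[state["user"]], pin)

    def poll_oob_login(self, login_id):
        return self.pending.pop(login_id)["approved"]

def login_inband_otp(server, username, password, keylog):
    keylog += [username, password]    # everything typed on the computer is logged
    login_id, otp = server.begin_otp_login(username)
    keylog.append(otp)                # OTP typed in-band: the keylogger captures it
    return server.finish_otp_login(login_id, otp)

def login_oob(server, username, password, pin, keylog):
    """Only username and password touch the computer; the PIN stays on the phone."""
    keylog += [username, password]
    login_id = server.begin_oob_login(username)
    server.phone_enters_pin(login_id, pin)
    return server.poll_oob_login(login_id)

def compare_flows():
    """Run both flows for one constructed user and report what the keylogger saw."""
    server, log_a, log_b = Server({"alice": "4417"}), [], []
    ok_a = login_inband_otp(server, "alice", "hunter2", log_a)
    ok_b = login_oob(server, "alice", "hunter2", "4417", log_b)
    return {"inband_ok": ok_a, "inband_keylog": log_a, "oob_ok": ok_b, "oob_keylog": log_b}
```

Both logins succeed, but only in variant A does the second factor end up in the in-band keystroke record; in variant B the keylogger still sees the username and password, which is why the post pairs out-of-band authentication with keystroke encryption rather than treating either as sufficient alone.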


Malware and Keyloggers

Malware is most likely the culprit in each of the Twitter breaches that have occurred. When user credentials are stolen, keyloggers are undoubtedly the real threat. The Associated Press reported that the bogus Tweet that sent the Dow plunging occurred after a phishing attack on its staff. According to Verizon data breach reports, more than 90% of the successful breaches leveraging stolen user credentials had a keylogger installed (usually through phishing attacks). Currently, the only technology that is proven to stop keyloggers is keystroke encryption.

Pairing keystroke encryption with out-of-band authentication is the only way to stop these types of breaches from happening.

Twitter has taken a step to secure their house, but it is only a partial step. They have locked the door, but like Google, Apple, Dropbox and Facebook before them, they left the key under the mat. To think that two-factor authentication, the way they designed it, would have prevented the Syrian Electronic Army (who took credit for the AP breach) from accessing the Associated Press Twitter account is just foolish. Nor would it have prevented the attacks on the BBC, E! Online, Reuters, Burger King, Jeep, NBC News, Fox News, or any other high-profile Twitter breach. It’s time for these companies to add keystroke encryption to their protection tools. Unlike two-factor, it requires customers to do nothing different from the way they already work.

