Twitter internal panel linked to account hijackings (vice.com)
547 points by juokaz on July 15, 2020 | hide | past | favorite | 445 comments


> "We used a rep that literally done all the work for us"

This is why the privacy and security guarantees of almost all companies, credit bureaus, banks, the IRS, the department of motor vehicles, etc., are worthless. Every customer service rep that works at any of those places -- all 500 or 5000 or 50,000 of them -- can pull up info on anyone at any time. The only thing that prevents that is rules. There are no technical countermeasures.

I'd like to see a system where it is physically impossible for a customer service rep to discover any info about me until I authenticate and authorize it. Or to at least offer me the option to lock my account such that I need to authenticate and authorize before any access is given to the customer service rep.

Does anyone know of customer service panels at big companies or government departments where this is the case? I.e., it is literally impossible for a rep to browse random customer information even if they are willing to break the rules? If it's been done somewhere, it would be interesting to hear how it was implemented.


The problem is that customers don't remember basically anything. I don't know my telephone banking password for any bank. When I call, I get asked to tell them what my last transaction was, or my mother's maiden name and DOB (public info), or what town I last used my card. I've been wrong about the recent usage questions more often than I've been right, and they say "close enough".

The technological measures have to account for human behaviour. Otherwise you just end up with almost everyone not being able to access almost everything almost all of the time. People are forgetful, irrational, stubborn and stupid. So are institutions. Put them together and you have a social engineering dream world (literally our current world).


This is a more general and larger problem where society is constantly bending over backwards to cater to the 2% lowest performers.

If you added up all the costs of the people at the lowest extremes (by various metrics), I'd venture to guess that we could increase our prosperity (by various metrics) by an order of magnitude.

Example: When I started my startup, we made the decision not to hire any salesperson who wasn't proficient in using a computer (we have no IT support line). We also made the decision to not sell to any customer that couldn't figure out how to use the website (we have no telephone support).

I cannot even tell you how multiplicative the benefits are. The 2% employees who couldn't use a computer or clients who couldn't use the website were responsible for 90% of the issues we had at my prior company. Everything from regulatory complaints, to lawsuits, to ad-hoc report requests, to virus infected PCs, to... the list goes on and on.

Having smart people is great. Not dealing with idiots is equally important.


> This is a more general and larger problem where society is constantly bending over backwards to cater to the 2% lowest performers.

As your parent said, it's not 2%, it's more like everyone. No one is perfect all the time.

More importantly, it's one thing when hiring, but are you seriously suggesting 2% of the population shouldn't be able to use Twitter or online banking or other online services? 140,000,000 people should effectively face social death because you can't be fucked to help them?

This is backwards, we should be sacrificing profits and convenience to be more inclusive.


I think we need to be honest about what the most dysfunctional bottom 1-2% are costing us.

...and it's not correct to say that "everyone is imperfect sometimes" because the correlation between people who are problems across various metrics is high.


Would you share the plans you have in store to help them cope better with our society?


When I bought my house a couple years ago, I had to put my signature to make a big and urgent money transfer. The bank however didn't accept my signature for some reason, though I had been using it every time with them.

It appeared that normally they don't really check if it matches, but this time given the transfer amount they did. And it just so happened that the signature they had scanned in their system was the first one I ever made as a kid (30yrs ago) when I opened the account.

Finally after many retries they turned the monitor to show me the expected signature and let me practice it on a piece of paper, so it would pass some other approval stage.

With a 200 yard line waiting behind me, sweating profusely, I finally managed to reproduce something. The sale went through, luckily, and immediately after I ditched that bank account.


It sounds really useless but requiring a signature means a fraudster would have to forge a signature which is a separate, perhaps more easily proven crime that carries extra penalties.


This kind of poor security is why we need legislation to make banks responsible for financial damages due to identity theft or fraud. When they will be on the hook for potentially millions of dollars, maybe they will care more about security and offer better protections than a signature.


> The sale went through, luckily, and immediately after I ditched that bank account.

I believe most banks allow their customers to change their signature to something they can replicate more consistently — but it probably relies on showing up to a branch and producing sufficient ID.


I was told that a bank would not approve a transaction because the signature I had provided in a Word document was not similar enough to the one on file.

Helpfully, they provided me with a screenshot of the one they had on file... one copy and paste later and the problem was resolved.

One copy and paste


> immediately after I ditched that bank account.

Because they showed you the signature and let you practice, right?


Yup, but also because they could have my evolved adult signature on file, or at least asked me after a certain time interval to update it for their records.


> “close enough”

I guess one, admittedly brutal, solution is for customers to act like the immune system. Call up, fudge your way through to something that should be protected, and then escalate to a manager and report that you got access to your own account with vague details; they can listen to the call log to verify.

Worst case is that the rep gets fired (which sucks..) but if enough reps get fired then future reps will be hired and trained more diligently.


Whenever I call into E*Trade, first they send me a text with a code. They can't see the code, they just get a box and have to enter in the code I give them and it tells them if they are right.

Then after that I have to read off my 2FA code. In other words, they have to log in with the same 2FA that I do.

So a random customer service rep couldn't access my account without my phone in their hand, even if they managed to clone my SIM to get past the text message check.


I’m not sure habituating people to getting asked for 2FA codes is a good idea. Seems like it’s just going to make people more susceptible to social engineering attacks.


I’ve long considered why apps don’t have some VOIP client in them; if one can Face ID into their account, and use the VOIP client to connect to a rep - then the metadata associated with the call can inform the rep you are who you say you are. Seems E* is almost there!


I may be wrong, but Face ID should be performed entirely in the SEP, and only returns a boolean.


If it only returned a Boolean, it would be impossible to design a secure network authentication protocol with it.


What happens when you forget your code and lose your phone?


Presumably the process for that is much more involved and fewer people have the power to do it. And if it requires the approval of two higher up people to do then that lowers the risk even further.


And hopefully audited.


I dunno but I have been unable to get back my Gmail account after changing phone numbers, and unable to change email on Netflix account after credit card I used to open account expired.


> Then after that I have to read off my 2FA code.

What's the point of this step?


Make sure that even with a hacked SIM a malicious CSR can't access your account without your knowledge.


Also ensuring that a hacker can get the 2FA token directly from the owner by pretending to be customer service...


Seriously who designed a system that habituates people to giving out 2fa codes over the phone?? That's explicitly a weakness of the 2fa system, nobody should ever read out or forward their 2fa code.


In this case it sounds like the user is calling ETrade, so unless the user calls a wrong number that just so happens to be a hacker it's unlikely this would be an issue.


Actually, that is a very common trick that scammers have used and still do. In the past they would buy Google ads or do some black hat SEO to get their fake number to the top of search engines.

Then, people searching for things like "Microsoft tech support" would get the scammer's number and call it. Google and other search engines will even pull that number from your site and handily present it to you at the top of the search results to make it appear even more legit.

Taking over unclaimed Google map listings for businesses is also really common.

Simply buying a toll free number that is close to the customer service number for a large company is bound to get you more inbound callers than you care to scam.

So no, absolutely no excuses for teaching people to share their 2fa codes.


I'm really surprised that this is the top comment right now because even the most basic back of the envelope check shows that it is wrong.

Think about your own life: how often do you lose money because an insider hacked your credit accounts and bank accounts? How often do you get pulled over and your car taken away because someone changed the title/tags in DMV records? How often is your identity stolen by an employee at the IRS?

These bad things all happen to some people, of course, but the VAST majority of the time, they do not.

It is obvious that there are effective countermeasures to prevent and mitigate insider threats. Insider threat is not a new concept, and there are well-proven tactics for addressing it.


I agree with most of your post, but the parent comment is not wrong about customer service panels being accessible by employees. A friend of mine worked at a call center for a major US phone provider; the only thing stopping employees from accessing customer records is a point based penalty system for infractions. While my friend worked there, one employee was caught accessing customer records and was never fired or anything and continued to do shady things until quitting. It was discovered he'd worked at multiple call centers before and did the same thing.

Around the same time, at a nearby call center, two employees were caught ordering multiple manager's laptops, which managers can use to access customer records from their home. These laptops were sent out to multiple addresses and never found.


> Does anyone know of customer service panels at big companies or government departments where this is the case? I.e., it is literally impossible for a rep to browse random customer information even if they are willing to break the rules?

Yes - no names for obvious reasons but where I work (trust me you've heard of them/probably use them and they are a huge tech company) it is very hard to get access to anything even slightly customer related. You need to go through multiple levels of review and approval (often your manager, their manager, and then directors/VPs) with genuine business justifications that are actually looked at (no "asdf" here) to get access, and then it is usually only permitted for a window of months at most before it is auto-revoked. Then once you have access, every actual time you look at the data you need to provide justification (e.g. a ticket number that is actually checked to make sure it is open, not reused over and over, and not just 1234567890 etc and so on), and every single action you do with the data is tracked and audited so there is a complete 100% paper trail of who looked at what, when they did it, and why they were doing it, with traceability through to the tickets/bugs/etc for why they were even doing this in the first place. Abnormal things (e.g. systematic/repeated/etc) raise flags that do terrible things to your career. Each system/data source needs its own independent approval process.

There is no "god mode".

It is not uncommon for people to wait weeks for approvals to go through to access their own data to validate a bug fix etc. I think these safeguards are worthwhile - many would see them as a hindrance.

At past places, I implemented a call-centre UI once. We made it so that the service rep would initially not see anything about the customer, so the "Please can you confirm 3rd letter of your memorable word" or whatever meant that the service rep literally had a text box to type that letter in which had to match before they could proceed - they didn't see the whole world on screen and wait to see if the user got it right. I am not sure how common this is - when I do this from the customer side these days often the answer is immediately acknowledged by the rep without any kind of delay or typing noises so I am guessing they have my entire record on their screen and are just waiting for me to say the right things before continuing the call :(
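The just-in-time access controls this comment describes (an open, single-use ticket as justification, a grant that auto-expires, a full audit trail of who read what and why, and a flag on systematic browsing), modelled as an added example that is not the commenter's employer's code. Ticket ids, customer records, employee ids, the one-hour window and the flag threshold are constructed sample values; the `who_accessed` view is the subject-side query that the Estonian e-government comment further down the thread describes.

```python
"""Just-in-time, justified, audited access to customer records (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample ticket tracker: ticket id -> status.
TICKETS = {"T-1001": "open", "T-1002": "closed", "T-1003": "open", "T-1004": "open"}
# Constructed sample customer data the internal tool fronts.
RECORDS = {
    "cust-1": {"email": "c1@example.invalid"},
    "cust-2": {"email": "c2@example.invalid"},
    "cust-3": {"email": "c3@example.invalid"},
}

# Fixed reference time so the example is deterministic.
T0 = datetime(2020, 7, 15, 9, 0, tzinfo=timezone.utc)


def at(minutes: int) -> datetime:
    """Timestamp `minutes` after T0 (helper for the worked scenario)."""
    return T0 + timedelta(minutes=minutes)


@dataclass
class Grant:
    employee: str
    customer: str
    ticket: str
    expires_at: datetime


class AccessBroker:
    def __init__(self, window=timedelta(hours=1), flag_after=2):
        self.window = window          # how long a grant lives before auto-revoke
        self.flag_after = flag_after  # distinct customers read per window before flagging
        self.grants = {}              # (employee, customer) -> Grant
        self.used_tickets = set()     # a ticket justifies exactly one grant
        self.audit = []               # one dict per attempt: who/what/when/ticket/outcome

    def _log(self, when, employee, customer, ticket, outcome):
        self.audit.append({"when": when, "employee": employee, "customer": customer,
                           "ticket": ticket, "outcome": outcome})

    def request_grant(self, employee: str, customer: str, ticket: str, now: datetime) -> bool:
        """Issue a time-boxed grant only for an open ticket that has not been used before."""
        if TICKETS.get(ticket) != "open" or ticket in self.used_tickets:
            self._log(now, employee, customer, ticket, "grant-refused")
            return False
        self.used_tickets.add(ticket)
        self.grants[(employee, customer)] = Grant(employee, customer, ticket, now + self.window)
        self._log(now, employee, customer, ticket, "grant-issued")
        return True

    def read(self, employee: str, customer: str, now: datetime):
        """Return the record only under a live grant; every attempt, allowed or not, is logged."""
        g = self.grants.get((employee, customer))
        if g is None or now >= g.expires_at:
            self.grants.pop((employee, customer), None)  # auto-revoke once expired
            self._log(now, employee, customer, g.ticket if g else None, "read-denied")
            return None
        self._log(now, employee, customer, g.ticket, "read")
        return RECORDS.get(customer)

    def flagged_employees(self, now: datetime) -> list:
        """Employees who read more distinct customers in the last window than the threshold."""
        since = now - self.window
        seen = {}
        for e in self.audit:
            if e["outcome"] == "read" and e["when"] > since:
                seen.setdefault(e["employee"], set()).add(e["customer"])
        return sorted(emp for emp, custs in seen.items() if len(custs) > self.flag_after)

    def who_accessed(self, customer: str) -> list:
        """The data subject's view: who read my record, when, and under which ticket."""
        return [(e["when"], e["employee"], e["ticket"])
                for e in self.audit if e["customer"] == customer and e["outcome"] == "read"]
```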


This is very consistent with what I've seen of AWS. Engineers have had to jump through many hoops to look at my account even when I've reported a bug and asked them to look at my account.


This is why IMO Google has almost no customer service. Their weakest attack vector would be people. Imagine paying your infosec employees hundreds of thousands a year to protect your clients' data. Next to them (in terms of data access) is your customer service team at $30,000 per head. Which team is easier to crack?


You don't think part of the reason they don't have customer service is that the # of people they'd have to employ is huge?


They do have customer service, if you pay for their premium service Google One. They also have support agents for YouTube creators above a certain subscriber threshold.


For reasons I cannot fully remember my voicemail broke many years ago. It goes something like: I’d switched to google voice for vm, where T-Mobile handled my line generally. Then google did something to google voice, some sort of discontinuation + merging with gmail and my vm broke. This occurred in tandem with me moving to a house with terrible cell reception and before widespread WiFi calling support. The result was that many folks figured I’d had my number disconnected because calls which couldn’t connect to my phone would get the “disconnected number tone” when being directed to my voicemail box.

Every month or two I’d fill in the google support text area explaining the problem. No response for ~4 years. Just this Feb, for whatever reason, I decided to call T-Mobile and report it. Problem was fixed by a higher up tech that described the problem as “very strange” and the “first time” he’d seen something like this. It took approx. an hour.

Upon rumination I fully accept that I took the “easy way out” by filling in the text box vs trying to talk to someone. End result is that google lost a gvoice customer and no one calls me anymore. meh


The only calls I get any more are recruiters (80%), scammers (15%) and family (5%).


My family texts me (whatsapp) asking if/when they can call me.


Recruiters call? I would have expected them to use other more asynchronous methods like text or email, unless you strongly indicate a preference.


At least in the Chicago area, they seem to really prefer to speak on the phone. I'm hard of hearing so phone conversations are challenging at best and despite that, when I've actually been looking for work and talked with recruiters, if they do e-mail it's to ask me to call them. It's seriously annoying. I think a lot of recruiters here have managers who take the view that if they're not on the phone they're not "working."


Recruiters call me a lot in the UK. I assume it's because they're able to command your attention as long as you stay on the line. Emails are easily ignored.


Yeah that sure as hell makes it sound like the reasons for having or not having customer support are economic in nature.


I find it very hard to believe that the "real" reason for Google's shitty customer service is that it's for our own good.


We use OpsGenie at work. I've used their support a couple of times. Every time they needed to look at our company's account settings I've had to approve it (using some sort of OpsGenie internal tool). I was pleasantly surprised. It's impossible to tell as a customer how hard it is to access my data without that internal authorization system, but it at least looks better than nothing.


There is no guarantee though, i.e. the system could be well intentioned but if it could be bypassed, it does not really protect.

The only way to get some assurance is to run the vendor app in your environment in a secure network without the ability to phone home.


Obviously it can be bypassed in the sense that somebody has full administrator database access.

The point about schemes like this is that instead of having to give 1000 support reps full access, you only give a few sysadmins full access. The likelihood of something going wrong with the data (through mistakes, willful abuse, extortion, whatever) goes drastically down.

In fact, once you have such a permission system in place, it becomes very attractive for the organization to use it. I mean, customers love it, they spontaneously write comments about it on Hacker News.

Even if you begin adopting it only for security theater (i.e. everybody still actually has full access), eventually some principled engineer brings up the idea to maybe remove full access for everybody cause now they have the access-granting system anyway, and this time they'll make a convincing case because the "move fast and break things" people have way fewer practical objections.


That's a very 90s view. The modern view is that only robots are sysadmins, and those robots are indirectly controlled. Some humans have superpowers in some systems, but not in the whole system.


> I'd like to see a system where it is physically impossible for a customer service rep to discover any info about me until I authenticate and authorize it.

Isn't this the objective of Tim Berners-Lee's Solid Project and their Personal Online Data storage (PODs) in the spec?

https://solidproject.org


No. POD is about who you share with, not what happens after you share.


Thought it was who you share what with, so including the auth/authz as parent asked. After sharing happened all bets are off.


If you have a system where customer service reps are strictly unable to access your data without some kind of cryptographic authentication, that defeats the purpose of customer service for 80% of customers (who suck at using computers and mostly just lose their passwords). If you’re in the other 20%, you might as well use some kind of decentralized cryptographic system with no customer service anyway. This is one of the chief complaints I see against Bitcoin on here - “what if I lose my password?” - the implicit dual to that being that someone else can access your account without your password, and you hope they’re not a bad actor.


Yes but you can mitigate the risk by limiting the rate at which any rep can perform security-impacting operations such as password reset, and by denoting high value accounts as requiring additional manual approval.


I have worked on controls in this area for a few US health insurance companies.

From what I have seen, it is common to have additional restrictions on accessing high profile individuals' and specific groups' data. There is also a ton of auditing around this stuff.

It is more primitive than what you described, but things are heading in that direction. It is a somewhat harder problem space because many parties need access to a customer's records in that domain.

Ultimately, the only reason things are even this far along in health insurance is the regulatory environment. It'd be nice to have stronger privacy laws that compel companies to build good controls.


I worked for a healthcare claims processing company that at the time stored all the production database and server passwords in a text file accessible to half the company, all because the chief architect didn't want to remember passwords. Yet we were covered by HIPAA and "passed our audits". If people don't care to follow the law and can manipulate the audit, who is going to stop them?


How does a single rep coordinate the mass amount of posts across verified (and non verified?) accounts? That is an insane amount of access for 'a rep'. They can just copy and paste the same message across that level of accounts?


The rep can perform a password reset and/or change the sms/email pair and then attackers can do the rest and make the posts themselves.


One rep does password resets for scores of high value accounts?


Before this incident, protections against that were probably "a good idea at some point, but not near the top of the backlog right now".


There are probably other factors involved, like access to other information used for MFA and compromising those mediums or using information related to them to assume identity.


Each place is different, I guess.

When I worked at Apple Retail, there was an internal iCloud dashboard you could log into and see _metadata_ about customer accounts. You couldn’t see anything juicy, for Find My iPhone/Friends it was just the names of people who could see your location, not locations themselves. Number of documents, not access to actual documents.

But nothing was visible to you until you verified the customer through security questions, last four digits, etc.


I don’t know the details but whenever I call Hover for support, they have to email me a code that I have to read to them to unlock access to my account. If you have 2FA enabled you need to give them that code too. I’m not sure if they are just verifying but it sounds like they actually can’t do anything without the codes.


> Every customer service rep that works at any of those places -- all 500 or 5000 or 50,000 of them -- can pull up info on anyone at any time. The only thing that prevents that is rules. There are no technical countermeasures.

Yup. Doubly so for sysadmins, many of whom have abhorrent data security practices.

My personal solution is to use cover names, disposable phone numbers, and unique email addresses (the + trick is insufficient) for most services. My assumption is that the data is eventually either going to leak, or be used to threaten or harm me in some way.

If none of the PII overlaps with me, it becomes a lot harder for such an event to affect me.

The only downside is that sometimes you get companies (Airbnb, Instacart, some others) that have CSRs that demand a government photo ID to do certain tasks. Of course I don’t have any documents for these cover names, so usually the workaround is to just abandon that account, make another, and re-place the order or transaction in a way that doesn’t flag it for manual review/intervention.

Works pretty well for me most of the time.


What is the form of the emails? text@singledomain.com, text@disposable.email.service.com? What if the service requires constant SMS OTP that you cannot opt out of?


I use both forms, including AnonAddy for the latter. For services that insist on frequent SMS OTP I usually just replace them with a different service, or I use dtmf.io.


Great idea! User accounts are locked by default, and can only be accessed if unlocked, for a limited time period, by the user themselves. For extra security, though more friction, the unlock process generates a time limited access token, provided by the user to the rep, reducing the access surface to just the rep that possesses the token.
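The locked-by-default design in this comment, and the E*Trade flow described earlier in the thread (the rep types the code the customer reads out and only learns whether it matched), as an added example that is no company's actual code. The six-digit code, ten-minute window, three-attempt limit, customer ids, rep ids and the sample record are all constructed assumptions; the customer-side call is assumed to happen from an already authenticated app or device.

```python
"""Customer-initiated, time-limited unlock of a support view (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample customer record; nothing here is visible to a rep before unlock.
RECORDS = {"cust-42": {"name": "A. Example", "plan": "prepaid"}}

# Fixed reference time so the example is deterministic.
T0 = datetime(2020, 7, 15, 12, 0, tzinfo=timezone.utc)


def at(minutes: int) -> datetime:
    """Timestamp `minutes` after T0 (helper for the worked scenario)."""
    return T0 + timedelta(minutes=minutes)


@dataclass
class PendingUnlock:
    code_hash: bytes        # only a hash is stored, so staff cannot read the code back
    expires_at: datetime    # the customer's unlock window
    attempts_left: int


@dataclass
class Grant:
    rep_id: str             # the one rep the customer's code was given to
    expires_at: datetime


class UnlockService:
    def __init__(self, ttl=timedelta(minutes=10), max_attempts=3):
        self.ttl = ttl
        self.max_attempts = max_attempts
        self.pending = {}   # customer_id -> PendingUnlock
        self.grants = {}    # customer_id -> Grant
        self.audit = []     # (when, actor, customer_id, event)

    @staticmethod
    def _hash(code: str) -> bytes:
        return hashlib.sha256(code.encode()).digest()

    def customer_unlock(self, customer_id: str, now: datetime) -> str:
        """Customer side: start a short unlock window and get the code to read to the rep."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[customer_id] = PendingUnlock(self._hash(code), now + self.ttl, self.max_attempts)
        self.grants.pop(customer_id, None)  # a new unlock supersedes any earlier grant
        self.audit.append((now, customer_id, customer_id, "unlock-requested"))
        return code

    def rep_submit(self, rep_id: str, customer_id: str, code: str, now: datetime) -> bool:
        """Rep side: type what the customer said; the only answer is yes or no."""
        p = self.pending.get(customer_id)
        if p is None or now >= p.expires_at or p.attempts_left <= 0:
            self.audit.append((now, rep_id, customer_id, "submit-rejected"))
            return False
        p.attempts_left -= 1
        ok = hmac.compare_digest(p.code_hash, self._hash(code))  # constant-time compare
        if ok:
            del self.pending[customer_id]                       # the code is single-use
            self.grants[customer_id] = Grant(rep_id, p.expires_at)
        self.audit.append((now, rep_id, customer_id, "submit-ok" if ok else "submit-wrong"))
        return ok

    def rep_view(self, rep_id: str, customer_id: str, now: datetime):
        """Return the record only to the rep holding a live grant for this customer."""
        g = self.grants.get(customer_id)
        allowed = g is not None and g.rep_id == rep_id and now < g.expires_at
        self.audit.append((now, rep_id, customer_id, "view" if allowed else "view-denied"))
        return RECORDS.get(customer_id) if allowed else None
```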


Supposedly my credit card company works this way (Chase), though you have to opt in to it when you sign up for two factor authentication. Sprint has the same thing, where they can’t get to anything on my account without passing two measures.

I can’t verify this 100% unfortunately but they are notable because of how rare it is.


When I moved from the UK to the US, I left some money in my UK bank account for a bit... A few years later I called up customer service with "Hi can you please transfer all funds to this new account at another bank in another country, and close my UK account? I don't remember any passwords, don't have the 2fa fob you gave me, don't have the phone number you have on file and don't live at the address on file." They asked me when I opened the account, which branch it was at, and who my employer was, and that was all it took. The phone call was under an hour, most of which was spent on hold. All of the required "security" information could be figured out from my public LinkedIn. Scary stuff.


> Every customer service rep that works at any of those places can pull up info on anyone at any time.

This is simply not true. For example with banks, high-profile accounts can't be accessed by regular tellers. If someone attempts to, it is logged and someone is notified that Teller X tried to access the account.

Now that Twitter is being used for high-profile official communications, they need to re-design their employee control panels to limit, alert, and control what an employee can do with an account.

The fact that important credentials on so many high-profile verified accounts could be changed without notifying employees or locking the affected accounts until the actions are verified is unacceptable.


It shouldn't just be "high profile" accounts. Every person is susceptible to abuse by insiders, so give the same protections to all.


This was a big problem in the early days of online banking (early ‘00s). A fair number of bank fraud losses were due to rogue internal employees at call centers creating or changing then selling off online banking passwords. Ran into this when I was with a startup that launched bank to bank email money transfers in Canada around 2001. Banks cleaned up their security pretty quickly though, adding detailed audit trails for one, and a variety of other security controls around their own employee access (like double sign-offs). There is a general principle that banks have understood for as long as there have been banks... not all threat actors are outside threat actors.


In this case I suspect that there is an audit trail. It will lead to a Twitter insider who was “working from home” and had remote access to the tool, but had already left the country.

Banks just don’t give support reps remote access to accounts.


> Does anyone know of customer service panels at big companies or government departments where this is the case?

E-government services in Estonia have nice features, aimed at giving more control to the owner of the data [1]. Among other: "It allows the Citizen to query who has accessed his/her records. [...] In Estonia, this feature has led to some very public cases of government officials being caught accessing private data of Citizens - without any legitimate and authorized reason for such access."

[1]: https://doi.org/10.1007/s12553-017-0195-1


there are countermeasures. any competent org (agree with you -- probably not the majority of them) have auditing, so accesses are logged. back in the 90s we had this at my university ... it's an age-old practice. you as user would never know it.

i would bet that most of the places you are thinking about (banks, credit card, and so on) where you get on the phone with a rep, with a phone entry system ahead of the agent, the agent can only access that specific data during the call, the access is logged, and any other access (some other account) is flagged for review. by calling in you are granting access. most users simply don't care about privacy and extra hurdles are just asking for complaints. limiting access to specific accounts during live calls is a fair compromise and a tight control.

xero (they suck, so this is not an endorsement) requires you to give the rep access explicitly, as an option, when requesting tech support. of course i have zero doubt that senior reps can get access anyway (which would be audited), so the explicit control is more about signalling comfort to you about their security measures.

after google had the SRE stalker incident they implemented very tight access controls to user data.

i walked into a verizon store the other day to buy a hotspot. the rep could not get access to any info whatsoever (even billing status) until i acknowledged a message on my phone. it's clear they only had access to my specific data (ie, they don't get to enter any phone number and get access) for that specific interaction.


This is something I argue with coworkers et al to no end: differential privileges are targets for privilege escalation!

From their perspective, they want the ability to ban/kick/etc as special powers; but from my perspective that feature is an exploitation target that's vulnerable to any unknown bugs, and probably in twitter's case, social exploitation.

I would _much rather_ see all users be equally powerful and find some means by which the services can be designed such that everyone can be comfortable and safe.


AT&T claims my security PIN will prevent agents and in store associates from accessing my account. The store rep said there’s no way for him to help me doing anything until we called a special hotline to give my PIN and approval.

Doesn’t mean there isn’t a way around it for some reps with special access. If you don’t have a PIN someone can go and open up multiple new accounts separate from your primary account in your name with different addresses. AT&T won’t even bother to tell you.


Wrong! PIN is designed as a legal shield against you - it was initially designed because children of parents, disgruntled employees and angry spouses would show up with a phone and wanted access or make changes on that phone account and mere possession of said phone “authorized” them. Now the terms of service clearly state PIN is an extra layer to protect your data from outsiders, be it your child or spouse. Meanwhile employees have full or near full access. I know this because my sister is a store manager. They would daily print a list of accounts overdue and prepare a list for follow-ups - she would check everyone in the computer, their history of payments, even the zip code where they live, and make a decision whether to bother them with a phone call now or push it for another day. The only access they don't have is your credit card info. They can't even see the last four, since it's a separate third party company responsible for payments.


I'm fairly sure most banks operate this way. For example, I think they can't even see your account balance until they have entered phone #, mother's maiden name, etc.


So anyone who gets access to your Facebook profile can see all your bank data.


The problem is that it is all too common for these tools to not be sufficiently prioritized in these organizations. They are usually slapped together without security or much else in mind. They are barely maintained. Security concerns as they surface are addressed by tacking on auditing and authorization instead of more secure architectures.


This is also why you want to have people in IT that can defer judgement if someone posts, does or says something that you do not like. Criminal behavior is another matter of course.

But you would need to educate people with access about the importance of impartial management of user data.

Banks had a culture enforcing neutrality and most importantly discretion. That is not true for modern payment processors like paypal or mastercard though.

You certainly don't want Twitter activists in such a role, regardless of political affiliation.


Such measures are theoretically mandated under GDPR if you have >50 employees. I'm not sure what that looks like in practice though.


I work in banking. You’d be amazed at how serious the information and enterprise architecture is around PII and confidential data.


The Vice article (https://news.ycombinator.com/item?id=23853786) was recently updated with a note that the Twitter insider was paid to help take over the accounts, which raises further questions on the nature of "social engineering":

> we spoke to two hackers and we were able to independently verify they were in control of hijacked accounts today. One of them said they paid the Twitter employee to help them take over accounts; not sure on the specifics here at the moment

https://twitter.com/jason_koebler/status/1283594885292077056


This makes things sound even fishier. I think there has to be something else going on we don't yet know about. The amount of money this scam will actually earn the hacker is tiny compared to the potential of this hack and yet they still have enough money left over to bribe a presumably highly paid Twitter employee? Or maybe the Twitter employee is a low paid person which leads back to a question I raised elsewhere in this thread[1], how many people at Twitter have the power to take over these accounts unsupervised? Whatever the number is, this hack is probably an indication that it is too high.

[1] - https://news.ycombinator.com/item?id=23855328


Lots of uncertainty, but I could see it being relatively mundane.

It wouldn't surprise me if a lot of Twitter support people had access to these tools and that they often worked with larger (more valuable) accounts.

It also wouldn't surprise me if some employee had a bad 1:1 and then responded to a spear phish just because they were disgruntled. To take payment for it is particularly stupid.

Of course, could also be something more serious - but if it's really just the BTC piece and the people are dumb enough to talk to the press, it may not be a group of criminal masterminds.

I hope for the employee's sake they have communication that can help the feds catch the BTC group. Either way, an incredibly stupid thing to do on their part and I don't see a good ending for them.

If this turns out to be true, they'd be lucky not to go to prison.


Weird that they didn't require any MFA from a second support // Admin account when dealing with account security settings for prominent accounts. That's not that hard to set up and makes these sorts of things harder to pull off. Not to mention severe rate limitation on internal accounts. How many prominent accounts does one support person need to reset password or email per day? Not that many, I'd wager.


Imagine the potential damage if an attacker tweeted something on behalf of the US President (let's say Biden in 2022), that China or Iran or Russia ships could be sunk at any moment if they didn't withdraw (due to some ongoing real incident)... The other side might fire on US ships before the tweet could be corrected.

Twitter is a disaster waiting to happen.


Right, because all these other parties would totally not think Twitter might be hacked? I'm truly baffled by this kind of hysteria.


As you say, it would probably not work on foreign governments, but would be very effective on the general population. They could have used that to cause political turmoil (hopefully not enough to change something like elections results?) or influence stock prices etc. This just looks so uninspired...


> As you say, it would probably not work on foreign governments, but would be very effective on the general population

I can't think of any serious risk posed by 'the general population'. Maybe particular stocks would dip a bit?


It would surprise me if a lot of Twitter support people had access to tools that allowed them to post tweets as another user. That's not functionality that should be available to a Twitter support person.


Having worked at large tech companies - it would not surprise me at all if many did. ...at least through unofficial channels or not-entirely-secure processes.


No, that's easy.

People's accounts get hacked all the time. To help them recover is often a manual process, because the true owner of the account can become unclear. To be able to do that a support worker must be able to change the email address on an account, undo 2FA settings and make other changes because hackers will typically change the email address and add 2FA of their own phone as the first step in an account takeover.


But why would the support worker need to be able to post a tweet?


If you can change the owner of an account you don't need a special interface to post a tweet.


The way I understand it based on the article is that they were only able to change the email address, then used that to reset the password and log in.


I’m not saying there isn’t one, but curious what you think is the imprisonable offense?


I’m not a lawyer, but I’d guess something related to wire fraud: https://www.justice.gov/archives/jm/criminal-resource-manual...


It seems to generally be a crime to access a computer system you aren't supposed to, regardless of how you came by the login info (phishing, guessing passwords, etc).


But the disgruntled employee may have had legitimate access to the system, even if this specific act was illegitimate


I'm no lawyer either, but I imagine that the definition of authorisation is key here.

If you're a sysadmin on a company email system, then you do technically have access to everyone's data on that system.

However, you're generally limited by company policy that you are not permitted to access/modify that data without direct authorisation, say from the employee themselves or from HR.

So, therefore, if you go and read the email of your boss, you're still in breach because you didn't have the authorisation.


But that's gross misconduct or some other fireable offense - a civil matter at best.

The only item I can see here is fraud (impersonating the people whose accounts have been taken over), of which the mole would be complicit.


No, using a computer system in a manner other than explicitly authorized is a federal offence under the CFAA.

That's been exceptionally controversial, as it can turn contract breach into a federal criminal offence in the US.


> That's been exceptionally controversial, as it can turn contract breach into a federal criminal offence in the US.

Doesn't something similar happen with employer-provided accommodation and burglary laws?


Terry Childs...


This is likely a violation of the Computer Fraud and Abuse Act of 1986 (CFAA) which allows for federal prison sentences.


Impersonating a member of the military?


> If this turns out to be true, they'd be lucky not to go to prison.

I’m not sure what you’d charge them with?


The CFAA makes it a federal crime to access a computer in excess of authorization. The employee was unlikely to be authorized to use Twitter's customers' accounts to collect money from their followers, so it sounds like an open and shut case.

I know HN doesn't believe in laws, but the rest of the world does, and they're the ones with prosecutors.


1st 2 sentences: good comment! +1

Parting shot: unnecessary, obnoxious. -1

Net: 0


But surely they didn't access the system and post these messages themselves.

They could argue, with the advent of remote working getting more and more predominant, that they simply left their computer unattended for a second while logged in.

Beyond that, they could argue they simply clicked on a link and something might have happened they aren't aware of. Or that they didn't know what running that one executable would do.


Vaguely plausible excuses will not dissuade prosecutors in possession of contrary evidence.


“I was working remotely at a coffee shop and my computer was swiped while I went to the toilet“ isn’t even plausible given take-out only as well...


I matched with someone on Tinder and she rocked my night... and I woke up to see my laptop was gone!


They don’t sound like a criminal mastermind, it’s very likely they left some trace either locally or in Twitter’s system that will contradict that story.


CFAA, but if that doesn't work try out conspiracy, wire fraud, possibly money laundering.


Fraud, theft, aiding and abetting, surely some digital wiretapping laws


The most logical conclusion is that this probably wasn't about money. Plenty of better ways to make money than telling people to give you BTC. I'm expecting a huge data drop on wikileaks/pastebin/wherever of private DMs, images, who knows what else.


Plus there was no way they knew beforehand they'd only make 12 BTC. People always overestimate the value of twitter and conversion rates when an actual action is required - even with targeted audiences like cryptocurrency people in this case.

People seem to assume everyone takes tweets at face value and won't do a double take when it doesn't sound like something they would normally say.

Even here there were plenty of people on HN who were claiming outlandish possibilities while it was happening.


12 BTC could be retirement level money in some countries.


Seems more likely that they expected to get more.


Not really, when you factor in inflation, unless you're planning on living in abject poverty your whole life or not planning on living very long.

e.g., Vietnam is a livable place and GDP per capita is ~$2600. That'd get you a very modest living. GDP/capita is also up 2x from 10 years ago and 10x from 20 years ago. You could maybe squeak out 20 years with very modest living and few unplanned expenses and assuming the economy and thus cost of living doesn't grow tremendously (like it likely will).

Somalia would give you a little more value for your money. But I think if someone suddenly had that much money in Somalia, they'd probably be getting out of Somalia or hoping nobody found out.


I could easily survive and be happy on 12 BTC for the rest of my life and I live in one of the most expensive countries in the world.


$110k for the rest of your life? $500/month for 18 years? That wouldn’t cover health insurance plus rent (even though I’m sharing rent with a partner) here in Berlin, and Berlin is cheap compared to the UK or the bits of the USA I’ve visited.


I’m surprised they pulled off that much.


They may not have: It's normal for various cons to pay themselves to some extent to add legitimacy to their actions and generate more attention.


I could go for 12 BTC right about now


I can't help but make the obvious observation here. It's bitcoin... The space has a prior for people who are willing to rush head first into something they don't understand in order to attempt to make a quick buck. I'm surprised it was only 12 BTC.


But there's also a precedent of scams like this being posted on twitter, esp. from accounts impersonating e.g. Elon Musk. Just because it's tweeted by an official account doesn't suddenly make it less scammy - sure some people clearly fell for it, but I reckon most people using twitter with an interest in cryptocurrency would immediately recognise these tweets as a scam, regardless of the source


They used several different BTC addresses and even some Monero and other crypto ones. It's not just 12 BTC.


I hope Twitter's report includes a list of all the attacker's tweets.


I'm surprised they didn't get more.

Poorly executed, frankly. The tweet just reeked of spam.


I am struggling to think of any better system than BTC.

Almost anything else I can think of would require either (a) a substantial amount of starting cash (for example trying to crash Tesla's stock price), or (b) be almost impossible to pull off without getting caught (blackmail, or again stock manipulation if you do it in a big enough way to make some decent money).

In terms of risk/reward, assuming someone found some easy trick and wanted to cash out ASAP, this feels like the best option.


I don’t think it would take very much starting cash at all to make money off a Tesla crash. Options can be pretty cheap for moonshots.

Alternatively, is it possible they bought options on twitter itself? It’s down 4% in after-hours (which is less than I expected, but still enough delta to make some cash).


Joe Biden was one of the hacked accounts, Trump was not. It's like 2016 all over again.


I’m guessing after the last time Trump was hacked internally, some new control went in place specific for his account.


The most reasonable explanation might be that they’re lying to sound cool. Bribery is a thing, but any twitter employee would know that their employment (and future career prospects) would be terminated.

On the other hand, $1M in BTC might do the trick. Interesting thought experiment...


You're thinking of an engineer, not a low paid worker in the tech company equivalent of a call center working on repetitive tasks for low pay in India or some other country where labor is cheap.

And you're also making the assumption that the accomplice thought about it rationally. All the attacker has to do is find someone who doesn't realize that they will get caught.


There’s bribery but I think blackmail is even likelier. This is such a huge breach that no one should think they could get away with leaking their credentials or opening a backdoor. Plus Twitter employees are really well paid. Now some life-ruining online behavior material is another type of a motivator.


Are twitter support contractors in third world countries really well paid?


I doubt they would have global production access like this


Unless the employee helped in a way that they didn't realize could be used for such a hack.

And/or they just thought it couldn't be traced back to them.


If they wanted to get as much money as possible without being caught what else could they have done?

If that was the case they could only deal with bitcoin. Blackmailing with bitcoin may be smarter but maybe they figured that would be investigated more or treated more harshly? They could have released fake financial tweets and shorted the market - but that still would be investigated much faster.

I'm sure the 100k or whatever they got isn't as much as it could be - but for a random dude who paid 10k to a disgruntled employee it is pretty good.


Buy shares in a small publicly traded company. Pump/dump shares. One tweet from musk stating he was adding such and such to all Teslas would send the target company through the roof.


The post you're replying to is suggesting that manipulating the market like that draws the attention of some very powerful organizations. It'll likely be investigated swiftly and they'll come down on you harshly when compared to the consequences of some Bitcoin scamming.


US federal agencies actually investigate market activity around big events like 9/11. Very likely to be caught doing that unless you have some way of shuffling money in and out of the market anonymously.


Though I was the one who suggested this would be easily catchable - Tesla is probably the one company where you could get away with this. There is no shortage of random Robinhood users making pretty big plays on it constantly.


The same guy used to use his connection/social engineering to overtake "nice" twitter handles and resell them for money. He just got too greedy.

I don't think there is something super nefarious involved. Probably some unpaid intern in a third world country where Twitter outsources tech support.


I think it's unlikely someone working on "mass" tasks like account recovery is highly paid.


> The amount of money this scam will actually earn the hacker is tiny compared to the potential of this hack

If the attackers had a big short position in TWTR, they may have made a lot more money than they received from BTC.


Shorts get caught. Easier to have Elon Musk tweet "I'll buy Hertz at $69 a share to make all their cars autonomous".


Shorts don't get caught, they'd blend right into the WSB crowd.

Also, if you had Elon tweet that, I am not sure if the price will go up or down like you expect. :)


Is this really true though? If you ramp up multiple short positions under a few weeks from a lot of different accounts, how would you tell? I'm assuming TWTR is a pretty busy stock.


To be honest, there's a study out there that says the average employee will sell out their employer for $500... I wonder what the skew would be on tech companies.... 10k? 30k?


Here[0] are the supposed pics of the admin panel the hackers accessed. Assuming they're legit, it seems like Twitter has some blacklist features. Can't find any info detailing how they exactly work, but it seems an admin can blacklist a user from the trending page or from search results. Pretty interesting.

Oddly enough, posting the screenshots resulted in some users getting their account suspended or Twitter pulling the picture down.

[0]: https://video-images.vice.com/test-uploads/_uncategorized/15...


This could end up being a big deal in the days to come if legitimate. Twitter has made strong public statements that they don't have shadow banning tools[0].

Apparently sworn statements have been made about this.

[0]: https://blog.twitter.com/en_us/topics/company/2018/Setting-t...


> You are always able to see the tweets from accounts you follow (although you may have to do more work to find them, like go directly to their profile).

This doesn't seem to contradict what's shown in the screenshot (which only shows blocking from the search and trends page).


To be fair, the linked article states that they do not shadow ban, not that they don’t have the capability/tools to shadow ban.

Also what do people consider as a shadow ban?

- Removing the tweets from people’s feeds, and only showing them if you browse/go to the offending users profile ? (Personally I don’t think this counts as a shadow ban)

- The offending user is the only person who can see their tweets, even if other users look at their profile (This is shadow banning imo)


I'm sure they've publicly spoken about also having search and trending blacklisting, I've heard about it before. So these statements are not incompatible.


Very interesting! Where’d you find this?


USD, the WD-40 of social engineering


That's a great turn of phrase!


This makes a lot more sense. I can't imagine Twitter isn't using some sort of physical 2FA like yubikeys which are virtually phish-proof if implemented well.

That being said, what was the employee's endgame here?


Possibly politically motivated?

Especially if the real motivation is not the BTC scam, but the access to who knows how many DMs for possibly blackmail/propaganda down the line. (And not necessarily just DMs from the known compromised accounts, either.)


2fa won’t protect from a Trojan.


avoid some other blackmail


> That being said, what was the employee's endgame here?

General disgruntlement maybe? Maybe they were simply pissed off and looking for a way to hurt the company.


And go to prison?


https://en.wikipedia.org/wiki/Going_postal

Sometimes people behave very irrationally. In the most sensational cases that manifests as violence, but I think it might also manifest as acts of sabotage.


This. It would be unbelievable if Twitter's internal system doesn't require VPN/BeyondCorp or 2FA before doing anything sensitive.


If the employee re-used a hacked password and had 2FA via SMS it wouldn’t be hard.


authentication cannot be protected against rogue actors, but such broad write access and no approval over so many rapid writes to customer data which is supposed to be tamper proof is just poor opsec.

Such social media platforms have to be tamper proof even from the CTO, the reddit incident proved that years ago.

This is going to hurt their credibility hard in the run up to the election.


Why?

The tool in question is likely used by low level support/abuse control workers. The huge pressure put on social media firms by liberals in recent years to crack down on "abuse", "hate" etc means they need a vast army of people to review complaints about harassment, "fake news", account hijacking etc. Those employees aren't all sitting in expensive San Francisco on a corp VPN, are they? They're probably going to be in places like India.

From the mention of BeyondCorp, it feels like there are a lot of Googlers in this thread who aren't really familiar with how Google handled the same problem, or at least, used to. For example back when Orkut was big there were huge numbers of people in Brazil who had the power to censor content, ban users, handle victims of phishing and so on. It was the only way to scale the moderation users and governments there demanded.

An ideal user admin tool is very fine grained. But once account hijacking entered the picture, it gets hard to truly restrict takeover permissions to a tiny number of people, because accounts are constantly being taken over by third parties and need to be reset back to the true owner via manual intervention. Attempts to automatically handle that are very hard, I know from experience. Hackers like to abuse any system put in place to stop them taking over accounts (like 2FA) to stop the true owner taking it back once captured.


(This comment was merged from https://news.ycombinator.com/item?id=23855208, which explains why it links to the current thread.)


I actually highly doubt this is true. Collusion doesn't seem likely, especially with jail time very probable.

Some of the scuttlebutt says that these guys are tied to multiple crypto hacks.

But my personal opinion is that this is just a 20-something trying to make a mark for themselves. We'll see within a week or two.


We should be a bit skeptical of any claims by the hackers until there is more evidence.


If true, then what Twitter officially posted makes more sense.

Without this bit of information from Vice it would make what Twitter officially posted downright scary and not add any comfort factor to what the heck is really going on.


The term "social engineering hack" is doubtful. This is the social engineering hack: "I am very important Twitter board member, give me access to the internal tool." Gaining access by bribing, coercing or persuading the frustrated low paid worker is not.


This is why the concept of a blast radius exists.

It is so important to critically examine and limit the blast radius of administrative actions. This is both from a vulnerability perspective as well as honest human mistakes.

For certain actions like taking over an account and impersonation there should be rate limits all around. Overriding them requires a break glass process where multiple people may have to approve (or even just acknowledge that it is happening).

Social engineering happens. It can happen to the best of us who hold the keys to the kingdom. The goal is that no one individual can completely break all the barriers. They need a bit of help, time, or both.
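The two controls raised in this thread, a hard rate limit on sensitive actions per operator and a break-glass rule where a second person must approve actions on protected accounts, can be sketched in a few dozen lines. The following is an added illustration written for this page, not Twitter's tooling or anyone's actual admin panel; the account names, the limit of three actions per 24 hours and the set of protected accounts are constructed sample values.

```python
"""Gating privileged support actions so one operator cannot quietly
take over many accounts (added example; all values are constructed).

Two controls are modelled:
  * a per-operator rate limit on sensitive actions, and
  * a break-glass rule for protected (high-profile) accounts that
    needs a second, distinct person to approve each action.
Every decision is appended to an audit log."""
from collections import deque
from dataclasses import dataclass

# Constructed: which accounts get the two-person rule, and how many
# sensitive actions one operator may perform per window.
PROTECTED_ACCOUNTS = {"ceo_account", "candidate_account"}
MAX_ACTIONS_PER_WINDOW = 3
WINDOW_SECONDS = 24 * 3600


@dataclass(frozen=True)
class AuditEvent:
    ts: float
    operator: str
    target: str
    action: str
    outcome: str


class SupportGate:
    """Authorisation wrapper around an admin panel's account actions."""

    def __init__(self, clock):
        # clock: zero-arg callable returning seconds; injected so the
        # rate window can be exercised without sleeping.
        self._clock = clock
        self._recent = {}       # operator -> deque of action timestamps
        self._approvals = {}    # (target, action) -> approving operator
        self.audit = []         # list of AuditEvent

    def _log(self, operator, target, action, outcome):
        self.audit.append(AuditEvent(self._clock(), operator, target, action, outcome))

    def approve(self, approver, target, action):
        """A second person records a one-shot approval for a protected action."""
        self._approvals[(target, action)] = approver
        self._log(approver, target, action, "APPROVAL_RECORDED")

    def _within_rate_limit(self, operator, now):
        q = self._recent.setdefault(operator, deque())
        while q and q[0] <= now - WINDOW_SECONDS:   # drop expired entries
            q.popleft()
        return len(q) < MAX_ACTIONS_PER_WINDOW

    def perform(self, operator, target, action):
        """Return True if the action is allowed (and counted), False if denied."""
        now = self._clock()
        if not self._within_rate_limit(operator, now):
            self._log(operator, target, action, "DENIED_RATE_LIMIT")
            return False
        if target in PROTECTED_ACCOUNTS:
            approver = self._approvals.get((target, action))
            if approver is None or approver == operator:
                # Self-approval is rejected: the point is a second set of eyes.
                self._log(operator, target, action, "DENIED_NEEDS_SECOND_APPROVER")
                return False
            del self._approvals[(target, action)]   # approvals are single use
        self._recent[operator].append(now)
        self._log(operator, target, action, "ALLOWED")
        return True


def demo():
    """Walk through a constructed scenario; returns the list of outcomes."""
    t = [0.0]
    gate = SupportGate(lambda: t[0])
    results = []
    # Unprotected account: allowed until the per-window budget is spent.
    for _ in range(4):
        results.append(gate.perform("alice", "ordinary_user", "reset_email"))
    # Protected account: denied until a different person approves.
    results.append(gate.perform("bob", "ceo_account", "reset_email"))
    gate.approve("bob", "ceo_account", "reset_email")      # self-approval, rejected
    results.append(gate.perform("bob", "ceo_account", "reset_email"))
    gate.approve("carol", "ceo_account", "reset_email")    # second person
    results.append(gate.perform("bob", "ceo_account", "reset_email"))
    results.append(gate.perform("bob", "ceo_account", "reset_email"))  # approval consumed
    return results


if __name__ == "__main__":
    print(demo())  # [True, True, True, False, False, False, True, False]
```

The audit log is the other half of the blast-radius argument: a denied attempt on a protected account is itself a signal worth alerting on, since a legitimate operator rarely tries to act on such an account without an approval already in hand.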


Really quality suggestion. Do you have any recommended document / link where one could study how to do this? (blast radius in production). Would be really glad.


Twitter can probably afford to have all account actions to verified accounts be behind break-glass procedures and hire dedicated people to do nothing but watch and audit that.


I wish they had used unique addresses for each tweet they sent out.

It would have been fascinating to see which account had the best conversion rate.


I didn't even know I wanted to know this. My guess is between Jeff and Bill. They're the leading ones who can afford giving twice the money back ;)


I'd assume one closer to crypto, probably Elon Musk or Coinbase.

Because the audience needs to know how to quickly send BTC.

In addition, it's a running joke on Elon Musk's feed anyway where people constantly do this using fake accounts of his.

So, maybe some thought today Musk is having it and finally doing it for real! If there is a person to run such a campaign for real, it would be him - so it could even be plausible.


> "Because the audience needs to know how to quickly send BTC."

Yep, I agree with this. While my guess was purely on "amount of money available to give", your speculation seems more on point.


> a running joke on Elon Musk's feed anyway where people constantly do this using fake accounts of his.

How does twitter allow this spam?


They don't, but the spammers have become more sophisticated over time. They use Cyrillic letters that look like Latin letters, they hack old unused accounts (sometimes verified ones), they post the spam as a second-level answer, they use images instead of tweeting text, they have started adding noise and various transforms to the images to make them harder to automatically classify as spam, and they probably have many more tricks up their sleeves. Fighting against spam is hard.
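One of the tricks listed above, Cyrillic letters standing in for Latin ones, is detectable with the Unicode character database alone. The following is an added example for this page, not Twitter's spam pipeline: it flags a handle that mixes scripts, and separately compares a "skeleton" of the handle (NFKC normalisation plus a small confusables table) against a list of protected handles, so that an all-Cyrillic lookalike is caught even though it is not mixed-script. The confusables table is a constructed subset of the real Unicode confusables data, and the handles are made up.

```python
"""Homoglyph / mixed-script checks for account handles (added example).
Only the stdlib unicodedata module is used; the confusables table below
is a constructed subset, not the full Unicode confusables list."""
import unicodedata

# Cyrillic letters that render like Latin ones (constructed subset, escaped
# so the source is unambiguous): а е о р с х у і ѕ ј -> a e o p c x y i s j
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0455": "s", "\u0458": "j",
}


def script_of(ch):
    """Coarse script bucket taken from the character's Unicode name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script.capitalize()
    return "Common"          # digits, underscore, punctuation, unnamed


def skeleton(handle):
    """Canonical form used for lookalike comparison: NFKC-fold (fullwidth
    forms etc.), lowercase, then map known confusables to Latin."""
    folded = unicodedata.normalize("NFKC", handle).lower()
    return "".join(CONFUSABLES.get(c, c) for c in folded)


def flag_impersonation(handle, protected_handles):
    """Return {'mixed_script': bool, 'looks_like': protected handle or None}.

    mixed_script: the handle draws letters from more than one script.
    looks_like:   a protected handle whose skeleton equals this handle's,
                  excluding the protected handle itself."""
    scripts = {script_of(c) for c in handle} - {"Common"}
    sk = skeleton(handle)
    lookalike = next(
        (p for p in protected_handles if p != handle and skeleton(p) == sk),
        None,
    )
    return {"mixed_script": len(scripts) > 1, "looks_like": lookalike}


if __name__ == "__main__":
    protected = {"elonmusk", "scope"}                      # constructed
    for h in ("elonmusk", "el\u043enmusk", "\u0455\u0441\u043e\u0440\u0435"):
        print(repr(h), flag_impersonation(h, protected))
```

Neither signal is a verdict on its own: legitimate handles in Cyrillic-speaking markets will be all-Cyrillic, and a mixed-script handle with no protected lookalike is usually just a typo. The useful alert is the conjunction, a lookalike skeleton match on a handle that is not the protected account, which is what the scam replies under a well-known account rely on.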


That's a good question - there was a time, not too long ago where every single tweet of Musk was spammed with BTC giveaways.


Shocking that they don't take even basic precautions like image hashing to cut down on this.


That they target Elon Musk followers already suggests that it's a rich vein for scammers.


Elon Musk can afford it and is the only one known to tweet crazy stuff.


I think you’re wrong, everyone knows that Bezos would never do a “I have decided to give back to my community” of any kind. :P


This has intensely piqued my curiosity.


Oh wow that would have been interesting. My guess would be Elon (or Kanye).

I know one person who actually sent money to Elon – "it seemed like something he'd do". Seems likely Elon's followers have the highest rate of people who understand crypto, combined with the fact that he's more likely to do something like this than, say, Joe Biden.


> Seems likely Elon's followers have the highest rate of people who understand crypto

Even worse, I'd say his followers probably have enough understanding of crypto to be able to send him money, but not enough understanding or skepticism to realize it's a scam.


RE: social engineering, as long as a human is involved somewhere, the system can be compromised. IT security is a very depressing field because of this fact.

I also hope these incidents remind people of how little control you really have over your online identity. We're all just IDs in a database somewhere, waiting to be impersonated. Decentralization is the only solution for this IMO.


Often, what people think is "good customer service" really means "allowing me to socially engineer you".

I don't think there is any solution to this. "Decentralization" in this context seems equivalent to a centralized system that simply gives up on any ability to recover accounts. Whoever owns the authentication details of an account is the owner, period. If you lose the password or the account gets hacked and stolen from you, tough shit. Start a new account.

I think the real solution is that social media should simply be valued lower. No one should care if their Twitter account gets hacked. The fact that politicians and important people use it in an official capacity is the problem that needs fixing.


> The fact that politicians and important people use it in an official capacity is the problem that needs fixing.

I don't disagree, but with what?

It's easy to say this is 'wrong/broken', but I don't see a great fix other than people 'rolling their own solution' and that's not realistic.


I don't think a replacement is needed. If your communication is important to a lot of people, it shouldn't be just immediately jammed into 280 characters using your thumbs while sitting on the toilet or whatever.

Post it on congress.gov using some inefficient boring process or whatever the official communication method of your role is.


Pass regulation that puts in a place a federated messaging infrastructure, so that Twitter users can subscribe to messaging from Government official that sends out messages via an external system.


Like... email?


My father recently had an issue getting into his Southwest Airlines account so he called customer service. All he had to do was give them the email address attached to the account, and they read off a temporary password that he entered to get logged in.

As far as I’m aware they didn’t even make him create a new one and he thought everything was totally fine.

It was the moment where I realized I want nothing to do with IT Management/Security in the future and am actively working to distance myself from that aspect.


Honest question, how do I recover a lost identity?

The reason why this attack worked is primarily because of a recovery system. I agree this is a significant vector, but I can't see how decentralized solves this?

At the moment with blockchain wallets, once you've lost your private key, you're screwed. There is no recovery.

So, I'm all for decentralized but if it is truly my identity, I need a way back if I lose it. Not sure how to solve that vector even in a decentralized case.

Do I need to upload my identity to specific 'verifiers'?


You need to stop thinking identity singular, and identity as valuable. Have many and treat them as disposable. Of course you can't do this on the 2020 web that consists of four websites filled with screenshots of each other, but that's just one of the many reasons to burn those websites to the ground and resist any attempts to remake them. And it turns out your parents were right about not using your real name on the Internet. Social media and their consequences have been a disaster for the human race.


But that's not really identity then right? That just becomes my hnews/reddit username that's unverified.

I read @elonmusk because I trust it's him and I'm interested in what he says. Personally, I genuinely like Starship + Starlink updates... I ignore most of the other stuff. But still, I want to see those awesome rocket tweets!

So, I want to know what he says.

He can change his username because it got hacked/whatever... but then I personally have to see what he changed it to... how do I know that he is the one who changed it? How do I know it's not some rando dude impersonating him?


Your hnews username is an identity. A small, weak, and reasonably disposable one, that you can have many of. Why do you want to use your God damn real name on the Internet unless you are a public person already? What do you have to gain? Hate mail, Death threats and calls for your firing? I've always wanted more of those. You do not WANT to be verified. Verified is a euphemism for doxxed.

You could trust it was Elon because it's published on his own website instead of on the worst thing to happen to human communication since writing was invented (I.e., Twitter)

For other cases we can evaluate merit based on previous performance and character of published material instead of "identity". I do not care who is behind a pseudonymous blog if the blog is good.


How can we evaluate previous performance of (new) disposable accounts?


With our own reading and critical thinking abilities.


The most natural solution for most people is to give shards of your key to various friends/family that you trust not to collude and reconstitute your key (or be socially engineered -- make them talk with you on video chat or something). Require 5 out of the 9 shards to reconstitute it.

Obviously you can scale up your security according to the value of your account and your threat model.
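The k-of-n recovery scheme described in this comment is Shamir secret sharing: the key becomes the constant term of a random polynomial of degree k-1 over a prime field, each friend gets one point on the curve, and any k points interpolate the constant term back while k-1 points leave every possible key equally likely. The block below is an added example for this page, not the commenter's or anyone's library; the prime 2^521-1 is chosen so that any key up to 65 bytes fits, and the 5-of-9 parameters follow the comment. The human step (checking the requester on a video call before handing a share back) is policy rather than code.

```python
"""k-of-n key recovery via Shamir secret sharing over GF(p) (added example).
Split a key into n shares; any k of them rebuild it, fewer reveal nothing."""
import secrets

PRIME = 2**521 - 1   # Mersenne prime M521; secrets up to 520 bits fit


def _poly_at(coeffs, x):
    """Evaluate a polynomial (coefficients in increasing degree) at x mod PRIME."""
    acc = 0
    for c in reversed(coeffs):      # Horner's rule
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, n_shares):
    """Return n_shares points (x, y); any `threshold` of them recover `secret`."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer below PRIME")
    if not 1 <= threshold <= n_shares < PRIME:
        raise ValueError("need 1 <= threshold <= n_shares")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _poly_at(coeffs, x)) for x in range(1, n_shares + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the shared polynomial at x = 0."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share supplied")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME          # product of (0 - xj)
                den = den * (xi - xj) % PRIME      # product of (xi - xj)
        # Modular inverse via Fermat: den^(p-2) = den^-1 mod p
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def key_to_int(key):
    return int.from_bytes(key, "big")


def int_to_key(value, length):
    return value.to_bytes(length, "big")


def demo_round_trip(threshold=5, n_shares=9):
    """Split a fresh 32-byte key and rebuild it from `threshold` shares."""
    key = secrets.token_bytes(32)
    shares = split_secret(key_to_int(key), threshold, n_shares)
    rebuilt = int_to_key(recover_secret(shares[-threshold:]), 32)
    return rebuilt == key


if __name__ == "__main__":
    print("5-of-9 round trip ok:", demo_round_trip())
```

Two practical points the code makes visible: shares must be handed out with their x-coordinate (a bare y value is useless), and the threshold is fixed at split time, so "scaling up" security as the comment suggests means re-splitting and revoking the old shares rather than adjusting k later.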


That's a great method for preventing loss as opposed to allowing recovery.

We need to keep the conversation in recovery because eventually it'll happen. Your 5/9 people could have n+1 unwilling parties where n is the losable amount.

It is unrealistic to say it will _never_ happen.

When my identity is lost... is it lost for good? How do I recover?

If it's lost for good, and I make a new 'identity', then what is my 'identity'... is it just... my reddit username?


Is there an indication that this was done through a recovery system on many individual accounts rather than through a compromised admin account?


What about having a revocation key? Or something similar.


What if I lose that key? Lose the laptop? The data source gets corrupted?

Given enough people using the system, it's not if, it's when. So how do I recover?


Twitter confirmed that the attack used internal tools, and thinks the attacker used social engineering on employees:

https://twitter.com/TwitterSupport/status/128359184496275046...


Which shows that Twitter probably doesn't properly employ 2FA and two-person-principle when dealing with high-profile accounts. Otherwise, social engineering would have been almost impossible.


If it’s SMS the attacker could have social engineered (big cell service co) to get access to the employee’s phone # and get a SIM.

I’m guessing someone re-used a hacked password and SMS 2FA is to blame. Maybe it’s not even that sophisticated.


They should be using things like yubikey though, not phones


Definitely, TOTP at least.


I have a little thingie that generates time based codes, similar to wee-calculators banks use but w/o the pin, that's on top of a private key.

SMS is fine for end user access but companies can do better, even RSA/Google authenticator are a lot better option than SMS


Most tech companies like Google and Facebook use hardware keys like Yubikey. TOTP and definitely SMS are not as secure as hardware keys.


The mechanism isn't relevant because the admin tool has a reset function. It is needed of course, because people lose their phones, keys and whatnot. No security mechanism is safe against an administrative reset for services like Twatter.

SMS is seen as less safe because the transport layer is not encrypted. But there isn't much difference in the practical security of the average user.


> SMS is seen as less safe because the transport layer is not encrypted.

Lack of encryption is only part of the problem. Lack of proper authentication is more important. Mobile networks are vulnerable to SS7 redirects, SIM-Jacking and plain old social engineering.

The 2FA reset function is also a part of doing 2FA properly. Your reset needs to be at least as secure as the regular 2FA flow. Meaning that "just phoning support" isn't an option. Yes, resets will be cumbersome and might involve stuff like physical presence, showing a government ID and maybe being vouched for by a third party. Most companies fail badly at this.


That and many users wouldn't do that for online accounts. Blue checkmarks are the exception while ignoring conventional internet wisdom... which came at a steep price.

Edit to the topic: As I said, the transport layer of SMS isn't safe, but I don't think it has practical merit. How often were SMS redirected or spied upon? In high profile cases? Even that would be difficult to determine, but the occurrence is probably very low.

And for a Twitter account? Seriously? Depends on the account, but assessment of threats is the first step of an honest security review. My reddit pwd has been 'reddit' for years. That wouldn't fly if I were Madonna and if I had any attachment to it.


It's way harder to get a device stolen, and impossible to have a trojan installed; even simple apps can read SMS. If the device has a 5-6 digit PIN, on top of being stolen it would require the PIN.


That seems unlikely. The scale of the attack and the profile of the accounts just doesn't seem to me that would be the case.

I'd like to think it's a bit harder to intercept a former President's text messages.


The article has been updated as well to include:

>"We used a rep that literally done all the work for us," one of the sources told Motherboard. The second source added they paid the Twitter insider. …


If it’s really a social engineering attack then I think it happened because everyone is working remotely and it is easier to perform social engineering attacks. Maybe this incident will have impact on their long term remote work plans.


I wouldn't be too surprised to learn that some people that are working from home are actually working from a coffee shop (in countries where they have re-opened, obviously) or other public places with little to no protection against social engineering attacks.


I dunno why you're getting downvoted. I think this idea makes some sense.

If you're doing something shady to your employer, it seems to me that it would feel a lot safer to do so while working from your home office by yourself than when sitting right in the middle of an office pod with other coworkers.


I agree, also remote employees might not have the same layers of security as they do if they were in the office. For example, there could be a firewall that blocks malicious code at the office or someone is logging into the VPN on their home computer that is infected with malware.


I don’t work at Twitter, but at my company, Duo restricts us from sensitive web apps while on personal devices.


It might make it harder to stop once it's in progress since you can't physically remove the employee from their workstation.


To me, this raises the likelihood that the attack was about something else. The BTC scam just doesn't seem anywhere near worth it compared to other things you could do - selling or using insider information, blackmail, shorting Tesla, taking out politicians, etc.

If the attack had been something like an exploit in the new API, I'd think, maybe some kid found it and was acting fast and reckless. If this was a sophisticated attack on multiple employees via social engineering, I have to think the attackers thought about it. And if they thought about it, they weren't just after 150k of BTC.


I think there are three possible explanations here:

1- (Tinfoil hats please) This is a state owned attack, which is a retaliation from US Government to ruin Twitter's credibility and introduce social media regulations.

2- The hackers are gray hat hackers, who know that reporting this vulnerability will not make them any money and they want to get what they think they deserve, so they make it public and get some good amount of cash.

3- The hackers had realized they had a massive vulnerability in their hands by accident and did not know what to do with it.

I find the second and third options plausible, which also reminds me of the npm hack, where a very, very popular library was compromised and installed on a huge number of developer machines, but the only thing they did was try to get hold of some bitcoin accounts.

I do not condone any type of crime but in both cases, it feels like a huge opportunity was missed by both hackers.


Another option is that the BTC was nothing but proof that they compromised those accounts. They had full access to the compromised accounts including any private messages. Now there is public proof that they compromised those accounts and a BTC account they can send funds from to prove it is the same group. This allows them to sell those private DMs along with proof of authenticity.


This possibility makes quite a bit of sense to me. It explains why the attackers went to so much trouble, given that world leader and major CEO DMs could be quite valuable, while also explaining why they bothered with the seemingly trivial crypto scam.


They also don't even need incriminating DMs; they can release fake DMs and use the BTC address to prove "authenticity" to the media. Released at the right time, that could be quite valuable to certain people.


Regarding #1, my thinking was this is China or their allied nations (North Korea, Iran etc). The US has taken extremely forceful steps on China in the last couple of days. This could be their response; discrediting a huge piece of the American crown jewels (big tech companies) and making it a laughing stock.

Just the massive blast radius of the hack reminded me of the NK Sony hack and release of documents. Big up yours to Hollywood from Kim Jong.


I would expect state actors to have gone for a lot more damage than "make Twitter look stupid". Also, all the high-profile state actor hacks I'm aware of were a lot more clandestine - it was months before they were discovered. State actors are highly professional, they're in it for the long haul, and they do serious damage.

The "massive blast radius" of this hack lies more in the damage it could have done, rather than the damage it actually did. This amateur execution makes me think it was some small-time cyber criminal who happened to have the bright idea of bribing a Twitter employee, but didn't have the know-how/creativity/patience to reap its full benefits.


Trump wants nothing more than to “win” against perceived competitors.

Remember when Twitter fact checked those Trump tweets?

Trump is the type of petty person to not let something like this go.


Could also be a #4 that additional data has been exfiltrated that hasn't come to light yet (the DMs of said accounts perhaps?).


Interesting. I assume those accounts are not used by actual people but managed by social media companies, so the DMs should not be anything personal anyways.


Nothing but pure speculation, but I came to conclusion #1 more or less independently.

The obvious cui bono is not Twitter. And Twitter's biggest opponent at the moment is?

The pound of salt for that is just that once clandestine motives are introduced there's no bottom to the subversion one would introduce to make attribution difficult.


> selling or using insider information, blackmail, shorting Tesla, taking out politicians, etc.

Can't it just be that they're not that knowledgeable about stuff outside their domain? The things you mentioned require knowledge of stocks and politics. If I, personally, woke up tomorrow with access to a Twitter backdoor and the desire to exploit it, I wouldn't know how to do any of those things, because I also don't know anything about stocks or politics.


It would be pretty easy. You could just post on reddit or 4chan and ask "If you could make anyone on Twitter post anything, what's the most you could earn?" And people who know a lot about a lot of things would give you ideas. It's just not smart to use the hack for just this.

Example: Contact Trump's kids. Demonstrate your power. Tell them you'll make Joe Biden tweet "8 year old girl nude hair" at a time of their choosing, in exchange for 5 million BTC held in escrow. This doesn't require anything more than knowing that Trump is rich and corrupt and that Biden is his opponent.

A variation of this is that you demonstrate the power to rich public figures and tell them that unless they pay you X, you'll do it to them to make them look bad. Then you don't even need to use your exploit.

I think this was probably worth tens of millions, and they blew it on 100k.


5 million BTC is about US$45 billion.


He probably meant $5 million USD in BTC.


> Example: Contact Trump's kids. Demonstrate your power. Tell them you'll make Joe Biden tweet "8 year old girl nude hair" at a time of their choosing, in exchange for 5 million BTC held in escrow. This doesn't require anything more than knowing that Trump is rich and corrupt and that Biden is his opponent.

And then you get tracked down and killed by a three-letter agency. I think people underestimate how risk-free receiving small amounts of btc from random schmucks is, and how risk-averse these hackers may be.


> I think people underestimate how risk-free receiving small amounts of btc from random schmucks is,

I agree with this

> and how risk-averse these hackers may be.

And I agree with this statement in most cases, but not in this particular one. The wide spread and super high profile nature of this attack makes it a high risk play no matter what. Being cautious when it comes time to collecting the loot seems like too little too late for them to get away easily.


Doesn’t make sense, value of the hack is already toast with Twitter’s credibility


Anyone have links to more of these images?

Also, if you search for the source for one of the images (mentioned in the article), you can find this tweet: https://twitter.com/UnderTheBreach/status/128349929454113177... which says the recent hacks were done through that tool.


I saw this Imgur album linked in one of the original tool tweets. Not sure if fake or real obv.

https://imgur.com/a/2sqjNUo


I don't understand this angle because typically admin panels only let you manage the account; deactivate, manage email address, etc. As shown in the screenshots.

Tweeting on behalf of another user seems like an unnecessary feature to give admins.


Some suggested the admin panel can initiate a password reset, and that, coupled with email management would allow account takeover, effectively (without allowing 'tweet as user' functionality).


All the hacked accounts seem to have had the associated email changed. I think the attack goes admin panel -> change email -> reset PW -> tweet bitcoin scams.

https://twitter.com/sniko_/status/1283485972286656517


If this were true, you'd think it'd be trivial to review the changelog for two affected users and deactivate the in-common admin account. Not sure why this would take hours to solve.


You're assuming this internal tool was built securely and was feature complete.

My experience with internal tooling in general suggests otherwise.


Changing emails is a common way to keep account owners out of their accounts. Might not have anything to do with the mode of entry.


Given the number of accounts that were taken over, there must have been many people conducting the hack. Also considering that tweets were being deleted then re-tweeted, others must have been monitoring the tweets. Seems somewhat well coordinated.


The feature wouldn't be tweeting per se but acting on behalf of the user, which can prove useful for support or debugging. The side effect is that obviously it also allows tweeting if you wanted to.


I'm starting to think web facing site admin is a bad idea. Assuming that's what this is, I don't know.

But I'm surprised it's still a thing.


Is there a better solution? How do you airgap administration of a web facing service?


What part of its administration? For example, if it's a Windows machine, you control it (or its AD PDC) with a PAW (privileged access workstation), which has to connect from a specific interface, which is not on the internet (that is, you connect via a hard line, usually via a pair of dedicated encryption devices over a point-to-point telco link, like ISDN/MPLS etc).

If you mean "log onto the machine and change the config" then it isn't really an air gap anymore. Usually it's a group of VMs; you change the image master (via Chef, docker etc) and boot a new instance. Ideally it's architected so most admin tasks go through an API, with auth, access control, logging, change control, etc. If you have a standardised message bus for your API you can use a Trusted Guard, aka CDS, which is a carefully designed (for high assurance, formally verified) protocol inspector designed to only allow correct protocol messages to transit. If the guard and its ruleset pass independent analysis it is considered airgap equivalent under govt rules.


IP restrict the admin console at the application or (better) firewall layer. This means you need to VPN in to use it offsite. Put MFA on your VPN. None of this will save you from a malicious internal actor.


It's painful (although I suppose all airgap solutions are) but remote access protocols like RDP or SSH tunneling to a jump host which has access to the administration portal is one common(?) solution.


The point is, that's not an airgap; RDP and ssh tunneling are transitive and we're all logging on from home right now.


That's only safer from attacks that bypass the public admin portal authentication. Any social engineering attack that steals credentials directly won't be impacted.


It’s another layer of defense. Someone has to not only know your credentials but also know how to use them to get to the jump host, and from the jump host know what to do next (although unless it’s ephemeral, there are probably enough bread crumbs to find the proper url).


I don't know... I've seen a lot of forums that just put a login form in /admin and I just kind of assumed a site like Twitter would use a VPN or ssh or a custom app with its own secret sauce protocol or something... better than I could have whipped up in my PHP monkey days.


It's quite common to restrict connections to whitelisted IPs


Anyone else unimpressed with Twitter's U2F/FIDO token support?

They support a total of 1 (one) U2F token on an account :( The only other company I know that does that is AWS and one U2F token. Every other site I use allows multiples, usually at least 5 or more.

I set up U2F on Twitter but then got rid of it after realizing they only allow one.


the entirety of AWS seems to be half assed in general

as you've described: the U2F functionality is completely useless because if you lose/break your single U2F key then you're completely screwed

and they still have no support for ed25519 keys (which were added to OpenSSH in 2013), unlike every other cloud service

I have to have an RSA key just for AWS (particularly annoying as I have all my other ssh keys stored in a hardware token)

if they didn't validate the damn key type then it would probably just work out of the box


> if they didn't validate the damn key type then it would probably just work out of the box

That thought makes it so much more frustrating. ed25519 is the future anyway; it’s hilarious how many cling to RSA (I’ve got nothing against RSA but at some point we’ll have to switch anyway)


Oh don't worry, Azure also demands an RSA key for bringing up VMs, too.

> if they didn't validate the damn key type then it would probably just work out of the box

Yep. So incredibly frustrating.


You can script your vm creation pretty easily and pipe your hardware key to the script


Isn't it kind of insane to lock your account into using a single U2F/FIDO key? Lost the physical key, lose the account?


Twitter doesn't let you disable SMS verification so that's their answer. :/


And you can't use your hardware key on the CLI either. Switched to using an authenticator app. What a nightmare.


AWS has a simple workaround though as you can create as many users as you want, each with its own unique token. Combined with roles it’s straightforward to set up a backup user / device.

It makes sense technically to have a single token anyway. Otherwise you either need to include the identifier of the auth token (in addition to the secret) or have the verification step try out all N options.


> It makes sense technically to have a single token anyway. Otherwise you either need to include then identifier of the auth token (in addition to the secret) or have the verification step try out all N options.

I'm not sure if that is true. Most sites support multiple tokens. Off the top of my head I can think of Google, Facebook, Github, Gitlab, and more that support multiple. So it seems like the normal method is to support multiple.

On one site I have over 5 auth tokens configured. And tested with four of them connected to my PC at the same time. I could tap on any one of them to authenticate. This is on a Windows 10 PC.


None of those sites have a concept of users within an account. For each, the user and the account are one and the same.


So how do I do that for the root account, of which there can be only one?


With the info we have it looks like hackers changed the email id of the accounts and then used forgot password to reset the password. What’s concerning is that they were able to do it for accounts with 2FA enabled. I think disabling 2FA should be an extremely privileged action and should not be accessible to most employees.


They apparently have another level of auth, used for at least Trump's account. And probably the CEO's considering past events.


Didn't Twitter buy "Moxie Marlinspike"'s company specifically to get him to fix their security? I guess they didn't really get much out of that. Now I'm starting to get nervous about the security of Signal.


Yep. After the one employee deleted Trump's account. This is why I thought it might have been an internal tool; why wouldn’t they hack “THE” account?


According to some images, Twitter low-level employees can see the email addresses of all accounts (and I guess phone numbers). I know some celebrities have their real email address and phone numbers on those accounts. Isn't that something bad?


The management of individual accounts is generally performed by low-level employees at companies like this. It's operational work that is thought to scale poorly and the costs of it are looked upon unfavorably by public market investors. Hence, there is constant pressure to push it to as low of a level as possible.

Perhaps a higher tier of user support personnel handles verified accounts (or accounts somehow flagged for extra review in a non-public fashion), but I'd still be surprised if anyone particularly high-level is doing the grunt work of using this tool.


Having access to some is not the same as having access to all. Rate limiting, or restricting to ones I am managing, and approval processes are pretty easy. It does not look like Twitter is doing any of that.


They accessed maybe 30 accounts? That's less than 4 per 8hr working shift.

I imagine a support person does more than that in an average day.

And while we might have seen all the tweets at the same time, they might have been changing emails and passwords over a few hours.

Remember Twitter has so many users they probably get tens of thousands of support requests per day.

Even if you have monitoring, I don't think the volume was enough to pick it up.


They modified 30 accounts each with millions of followers, most of them verified; even a simple weight for that should have triggered alarms.
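The two review ideas in this thread, the changelog correlation ("review changelog for two affected users and deactivate the in-common admin account") and the follower/verified weighting above, as one added example that is not part of either comment. The audit-log format, the operator names and every log line are constructed for the demo, and the scoring weights (1 per sensitive change, +5 if verified, +1 per million followers capped at 20) are an assumption, not anything Twitter uses.

```python
"""Weighted audit-log review for an internal account-management tool."""
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Set

# Actions that mutate an account: the "changelog" a reviewer would look at (assumption).
SENSITIVE_ACTIONS = {"email_change", "password_reset", "disable_2fa"}

# Constructed sample log, one event per line:
#   timestamp operator action target followers verified
SAMPLE_LOG = """\
2020-07-15T18:05:00Z agent_a email_change smallshop 1200 no
2020-07-15T18:40:00Z agent_a password_reset jane_doe 300 no
2020-07-15T19:12:00Z agent_x email_change bigname1 40000000 yes
2020-07-15T19:20:00Z agent_x password_reset bigname1 40000000 yes
2020-07-15T19:31:00Z agent_x email_change bigname2 12000000 yes
2020-07-15T19:35:00Z agent_x password_reset bigname2 12000000 yes
2020-07-15T19:50:00Z agent_b view_profile bigname1 40000000 yes
2020-07-15T20:02:00Z agent_a email_change bob 50 no
"""


def parse_log(text: str) -> List[dict]:
    """Parse the constructed line format into event dicts with UTC timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, operator, action, target, followers, verified = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "operator": operator,
            "action": action,
            "target": target,
            "followers": int(followers),
            "verified": verified == "yes",
        })
    return events


def action_weight(ev: dict) -> int:
    """Risk points for one event: reads score 0, sensitive changes scale with reach."""
    if ev["action"] not in SENSITIVE_ACTIONS:
        return 0
    return 1 + (5 if ev["verified"] else 0) + min(ev["followers"] // 1_000_000, 20)


def operators_in_common(events: List[dict], affected: Set[str]) -> Set[str]:
    """Operators who made a sensitive change to *every* affected account."""
    per_account: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        if ev["action"] in SENSITIVE_ACTIONS:
            per_account[ev["target"]].add(ev["operator"])
    common = None
    for acct in affected:
        ops = per_account.get(acct, set())
        common = ops if common is None else common & ops
    return common or set()


def peak_window_scores(events: List[dict], window_minutes: int = 60) -> Dict[str, int]:
    """Highest weighted score each operator accumulated inside any sliding window."""
    by_op: Dict[str, list] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        w = action_weight(ev)
        if w:
            by_op[ev["operator"]].append((ev["ts"], w))
    peaks = {}
    for op, items in by_op.items():
        best = total = start = 0
        for ts, w in items:
            total += w
            # Drop events that fell out of the window ending at `ts`.
            while (ts - items[start][0]).total_seconds() > window_minutes * 60:
                total -= items[start][1]
                start += 1
            best = max(best, total)
        peaks[op] = best
    return peaks


def alerts(events: List[dict], threshold: int = 30, window_minutes: int = 60) -> List[str]:
    """Operators whose peak window score reaches the threshold, sorted by name."""
    scores = peak_window_scores(events, window_minutes)
    return sorted(op for op, s in scores.items() if s >= threshold)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("in common for bigname1+bigname2:", operators_in_common(evs, {"bigname1", "bigname2"}))
    print("peak scores:", peak_window_scores(evs))
    print("alerts:", alerts(evs))
```

In the constructed data the legitimate agent changing three tiny accounts over two hours peaks at 2 points, while the operator touching two verified multi-million-follower accounts inside 25 minutes peaks at 88, so a single threshold separates them; the same log answers the correlation question with one set intersection.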


How do we know they're low-level? Could you show the image?


In this thread some people shared screenshots of the dashboards. I said low-level because some reports said that the hacker paid 2k to the employee to have access. I don't think a high-level employee would sell the credentials for that amount of money.

Although I could be wrong if the reports are wrong too.


So it was a social engineering attack against employees with high level access. This sentence still doesn’t make sense to me:

“Once we became aware of the incident, we immediately locked down the affected accounts and removed Tweets posted by the attackers.”

The accounts were posting for hours after it seemed Twitter became aware what was going on.


The tweets are still live as of right now with JS disabled. https://news.ycombinator.com/item?id=23855452


Accounts of the employees. There was a statement somewhere else that this might be close to the token system. Tokens have a validity which expires in hours.

All assumptions on my behalf, but it explains your question.


> The accounts were posting for hours after it seemed Twitter became aware what was going on.

Oddly, it was just Elon Musk's account that had multiple tweets over a long period of time. The other accounts did just one.


No, many accounts, including Kanye continued to post follow-up comments with the same content as other accounts.


Didn't @jack testify before congress that Twitter didn't blacklist accounts?


What does that have to do with this?


In the screenshots of the admin panel, it looks like they have blacklists of things that shouldn't show up in searches or on trending. It's not clear if it's accounts, or some other criteria that's blacklisted though.


The account tagged with "trends blacklist" and "search blacklist" was also tagged with "compromised", which suggests that the account was known to be hacked by a malicious actor so it was set to not show up in discovery flows to stop attackers from exploiting it for visibility.

Does confirm past claims that they shadowban accounts (which does hide them from search, among other things) at the very least, even if the exact criteria are unknown.


Are those buttons or tags? Those may be buttons to set "compromised" on an account, etc.


Yes. I just posted asking basically the same thing:

https://www.washingtonexaminer.com/business/jack-dorseys-per...


Is nobody bothered by the shadow-banning? "Trends blacklist" and "Search blacklist"? Talk about transparency...


It's been pretty much standard practice on many social media for years.

My problem with it is how it's not acknowledged.


Shouldn’t that be “Trends Denylist”?


If this is the true story, is it a standard practice on social networks to give an administrator the right to post anything in your name without any distinguishable marker? There is an enormous trust issue here. I expect an administrator to be able to moderate a post or disable an account, not to impersonate it from an admin dashboard.


From reading HN comments, it is more likely that the attacker changed the account email from the admin panel and took over the account (even accounts with 2FA enabled), which seems more likely to me.

To prevent this kind of mess, Twitter should add more restrictions to disabling 2FA on an account (multiple admin authorizations, email notification, a delay before the action is performed) and also change the account state to unverified and add to the feed an "email changed" or "identity changed" status. I also think that changing the email should not be immediate and that the old email should be notified of the change.
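An added example, not part of this comment or of any Twitter code, of the guard rails proposed above and of the earlier point that a 2FA reset must be at least as strong as the 2FA flow it bypasses: a request for `disable_2fa` or `change_email` needs two distinct approvers other than the requester, waits out a cooling-off delay, and tells the current (old) contact address first so the real owner can cancel. Class and method names, the 24-hour delay and the example operator names are assumptions made for the demo; times are plain Unix seconds so the flow can be replayed deterministically.

```python
"""Guarded account-recovery actions: second approver, cooling-off delay, owner notification."""
import itertools
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Actions that must never be a one-click operation in a support tool (assumption for the demo).
GUARDED_ACTIONS = {"disable_2fa", "change_email"}


@dataclass
class ActionRequest:
    id: int
    requester: str            # support operator who opened the request
    account: str              # target account handle
    action: str
    new_value: Optional[str]  # e.g. the new email address
    created_at: int           # Unix seconds
    approvals: Set[str] = field(default_factory=set)
    cancelled: bool = False
    executed: bool = False


class GuardedActions:
    """A guarded action needs `required` approvers who are not the requester, a
    `delay_seconds` cooling-off period, and a notification to the *current* contact
    address, which is the one channel the attacker does not yet control."""

    def __init__(self, required: int = 2, delay_seconds: int = 24 * 3600):
        self.required = required
        self.delay_seconds = delay_seconds
        self.requests: Dict[int, ActionRequest] = {}
        self.sent: List[Tuple[str, str]] = []  # (address, message); stand-in for a mailer
        self._ids = itertools.count(1)

    def request(self, requester: str, account: str, action: str, current_email: str,
                new_value: Optional[str] = None, now: Optional[int] = None) -> int:
        if action not in GUARDED_ACTIONS:
            raise ValueError(f"{action} is not a guarded action")
        now = int(time.time()) if now is None else now
        req = ActionRequest(next(self._ids), requester, account, action, new_value, now)
        self.requests[req.id] = req
        self.sent.append((current_email,
                          f"Request {req.id}: {action} on @{account} runs in "
                          f"{self.delay_seconds}s unless you cancel it."))
        return req.id

    def approve(self, request_id: int, approver: str) -> int:
        """Record one approval; the requester cannot be their own second person."""
        req = self.requests[request_id]
        if approver == req.requester:
            raise PermissionError("the requester cannot approve their own request")
        req.approvals.add(approver)
        return len(req.approvals)

    def cancel(self, request_id: int) -> None:
        """Reached from the link in the owner notification."""
        self.requests[request_id].cancelled = True

    def execute(self, request_id: int, now: Optional[int] = None) -> dict:
        """Apply the change only once every guard has been satisfied."""
        req = self.requests[request_id]
        now = int(time.time()) if now is None else now
        if req.cancelled:
            raise PermissionError("cancelled by the account owner")
        if req.executed:
            raise PermissionError("already executed")
        if len(req.approvals) < self.required:
            raise PermissionError(f"needs {self.required} approvals, has {len(req.approvals)}")
        if now < req.created_at + self.delay_seconds:
            raise PermissionError("cooling-off period has not elapsed")
        req.executed = True
        return {"account": req.account, "action": req.action, "new_value": req.new_value}


if __name__ == "__main__":
    g = GuardedActions()
    rid = g.request("agent_x", "bigname1", "change_email", "owner@example.invalid",
                    "attacker@example.invalid", now=0)
    g.approve(rid, "lead_b")
    g.approve(rid, "lead_c")
    try:
        g.execute(rid, now=3600)
    except PermissionError as err:
        print("blocked:", err)
    print("after delay:", g.execute(rid, now=25 * 3600))
```

The delay is what turns the notification into a real control: a single bribed or phished operator can open the request, but the owner sees it at the old address before it takes effect, and a second operator has to sign off, so the reset path is no weaker than the 2FA it replaces.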


Admins have direct access to the database. A similar controversy happened on Reddit a while back.


Not the same; he modified the SQL DB directly, and he was the CTO and one of the primary architects of the system.

This is an admin UI given to operations staff; it is far more trivial to have writes protected. I cannot imagine anyone needs to write to customer data that often in this kind of app.


> Once we became aware of the incident, we immediately locked down the affected accounts and removed Tweets posted by the attackers.

This must be some new meaning of the word 'immediately' that I wasn't previously aware of. It took them quite a while to get these accounts locked.


Or maybe it took them quite a while to "become aware of the incident" in the first place, but that's just as bad.


They spent an hour or two deleting tweets on Elon Musk's account, with new tweets appearing soon after. So it seemed like they were aware of his account being compromised but did not immediately [successfully] lock his account.


It’s possible they didn’t understand the scope of the issue for a good amount of time. Elon’s account was the first to drop and was famous in the past for being faked for crypto scams. It’s entirely possible that they assumed it was a single account hijack and avoided notifying the correct people until it was too late. They might not have realized that the account info was changed as well until it was too late.


I’d be surprised if Twitter didn’t have some internal tool like this but I’d expect it to only be accessible over a VPN that few had access to.


I don't know about Twitter, but a lot of companies are trying to drop VPNs entirely going no-vpn/beyond-corp/"zero trust", so it's not terribly surprising to me.


This was my first thought as well. It must have been an oversight on someone’s part. Maybe infrastructure changes due to the shift to work remotely made it possible to access.


How would a VPN help in this case though? They social-engineered some employees to gain privileged access to the admin UI. If a VPN was in the way they'd do the same thing to get access to the VPN first.


I've seen some solutions where the VPN only works on the company machine. In this case, the social engineered employee would at least have to hand over their laptop.


That's indeed often the case, how it works is that the machine itself has a client certificate it uses to authenticate with the VPN.

There's no reason that certificate can't be used directly for the HTTPS connection to the admin UI, providing the same security benefits without actually requiring a VPN.

Furthermore depending on how "deep" the social engineering attack goes, a local user with administrator privileges can typically export those certificates unless they are stored on a hardware module (either a smartcard or an internal TPM/secure element).


If the details about how these accounts were taken over are true, that an employee changed email addresses of these accounts to email accounts controlled by the attackers, this is going to turn out to be a massive breach.

I'm thinking specifically of direct messages that could have been scooped up before they went public and started tweeting on these accounts.


Based on what we know, it does sound like the attackers had full access to the accounts. That's a really interesting point about direct messages. It makes it all the more interesting that Obama and Biden and were both targets with the upcoming election. Wonder if those will start showing up on WikiLeaks again.


Does anybody on Hacker News seriously believe that the account of Biden or Obama actually sends messages privately on Twitter?

They most certainly don't. I have no idea why that fact is not obvious to some.

Trump had two liked tweets for all of time back from like, 2012. Around 2017 or so a group realized this and bought or otherwise messed with the site the liked tweets linked to and made them have pictures making jokes about Trump. It took more than a year for anybody to give a shit enough to take it down. They don't use the site for anything more than direct statements/retweets.


There's no need for them to actually have any messages.

With a highly public hack like this one can simply manufacture messages afterwards and claim they came from the hack. Most people would believe it.


It is not required for them to send; people could have sent them sensitive stuff.

A potential whistleblower, somebody having dirt on the opposition.

It could be worse: even if you didn’t respond, the fact that someone, let’s say a foreign government or a spy or terrorist, reached out to you can be played in the media the way your opponents want it.


Agreed. I don't think it would turn up any skeletons, more of the implication if this breach was in any way politically motivated given our recent election meddling.


I definitely don't think Obama/Biden/others would DM.

But Elon? Some of these bitcoin exchanges? Maybe. How about accounts that were accessed (if any) that never blasted out the bitcoin tweet, but had their messages harvested?


Elon definitely DMs.


I agree with you.

Also, I really hope there’s a set of users whose accounts cannot have new devices connected without special authorization, and if so, you’d have Biden, Obama and Trump on that list.

Edit: 5 minutes after posting, I saw Obama and Biden were on the list of people hit, and I missed it in the early reports. Unbelievable.


Wait a second...they were hacked in a way that makes it so we can't trust any tweets. Does it make sense, then, for them to use tweets to report their progress on addressing this?


They have easy access to out-of-band signalling. Jack Dorsey can literally call up a news channel and say "They've got everything. Don't believe anything from Twitter.com" and you'd know it in fifteen minutes because it would be pushed out to everything after a Twitter SRE pulled the Red Lever that reactivates the failwhale.

Because Jack Dorsey is a real human and a powerful real human and he hasn't done that, we don't have to envision the cyberpunk PURDAH identity scenario for proof from him and we don't have to think this is a secondary Moab run. At least now that it's been up for a few minutes.


Why not? They're not updating HN with those but media and shareholders.


Because for all we know, it is not them posting this tweet but the attackers. How can you trust it is them when the attack clearly showed any account can be manipulated?

This kind of compromised messaging is not unknown while being attacked. When BrowserStack got hacked a few years back, the attackers sent an official email to all customers whose emails they got in the leak saying the company was shutting down.


Could Twitter implement something like signed messages?


FYI for anyone working at Twitter, the legacy JS disabled mobile site still displays the hacked bitcoin tweets.

For example try this with JS disabled vs enabled (404): https://mobile.twitter.com/JoeBiden/status/12835123178466590...


Absolutely amazing. A friend and I just tested this and it's true. It makes me think this is a little more than the "rogue employee" story they're peddling.


I’m not sure. It could be as simple as quick hack to hide the deletions that was not deployed to the legacy site.


Seems like a huge liability. They are still disseminating these messages under the identities of major public figures, 8 hours after they became aware of it.


Repro'd with:

    curl -fSsL https://mobile.twitter.com/JoeBiden/status/1283512317846659073 | grep -i bitcoin


I’ve been checking periodically and they finally removed the data from this vector. It was up for at least 12 hours longer than the rest of the site.


Wow. This does the job for me:

    curl 'https://mobile.twitter.com/JoeBiden/status/12835123178466590...' -H 'cookie: m5=off;'


4 hours later... Still live. (Wow, that site's quite the blast from the past.)

FFS Twitter, get your act together.


So, did you make Twitter aware of this?


at the end of the day, Twitter is a website, and web developers are clowns


> social engineering

had that feeling... wonder how much more vulnerable working from home is making us to such things.

also scary that targeted employees with such level of access fell for it. must have been really sophisticated.


Twitter is removing those because it's of their own internal backend, not because they're necessarily connected to the hack. Huge leap from Mboard on this


Why would there be screenshots of Twitter's internal tools flying around on Discord, other than they are related to these hacks?


Why would a screenshot of their tools warrant a content takedown? People have posted far worse things that have been allowed to stay up. It's not like there's any personal information visible in the screenshots.


It's pretty amazing that realdonaldtrump@ was not a part of this. I guess the controls on that account are at an even higher level than Elon Musk/Obama.


It might also be that impersonating a government official is a serious crime.

Sure, the hackers here have committed a crime, but this was more of an embarrassment for Twitter than anything else. If they had posted from Trump's account though...


It is also that many people will not think it is a hack. Trump does post all sorts of things. There is no tweet from his account that would surprise me if he actually posted it.


So if people are less likely to think it is a hack, then they're more likely to send bitcoin in response to a tweet from his account. They'd hack Trump's twitter first if they could.


If they actually wanted bitcoin yeah, if they wanted to show that twitter is vulnerable not so much


NYT article says that Trump's account is under special "lock and key" protection.


And that came about because a rogue low-level employee suspended his account.


> Hawley said "please reach out immediately to the Department of Justice and the Federal Bureau of Investigation and take any necessary measures to secure the site before this breach expands

It's kind of bizarre when you have the highest levels of government doing their critical communication on a free social media service to the point where they are critically dependent on it, then begging for support when things go wrong.

Maybe you shouldn't use a free service that is not under your control or any proper regulatory or quality constraints for your most important messaging to the public then?


The next time we swing the other way:

"Maybe government should embrace popular communication media instead of spending billions on custom IT infrastructure to post a message on a custom page that everyone screenshots and copies to their timeline anyway."

(Also if they don't create an "official account", someone else will do it for them)


Kind of a false opposite you got there.

The government could put its decisions and publications on a website, official, verified, more or less controlled by them. There's no reason that has to be done with consultant scams. Oppositely, posting on Twitter doesn't guarantee consultants aren't raking in money for adding or removing periods or whatever.


I don't know, it'd probably take 18F like a month to add a page to whitehouse.gov called "Things the President said", add 2FA and whatever else it needs to be installed on his government phone, and a little bot that listens for whenever he writes something on there and tweets it on Twitter. Then you have a source of truth that we know wasn't modified between the government and the reader, and it doesn't break the social following.

But I guess it's easier to just complain about Twitter.


> (Also if they don't create an "official account", someone else will do it for them)

What do you mean? How would anyone not affiliated with a given government agency convince human verifiers at Twitter that they're official?


They don't have to convince any verifier. They don't have to be verified. If there's no official account and you create an account with a reasonable name, reposting every post from the official feed, you can get significant following. A lot of the followers will not care whether it's official or not and may not question an extra information appearing on the feed one day.


Well, put it this way: why is Donald Trump listed on Twitter as @realDonaldTrump?

If you don't snatch up your (organization's) name first, someone will surely do so for you.

(Honestly not trying to incite anything by using him as an example; I just hardly use Twitter and he was the first to come to mind.)


They own the non “real” one too, he’s just too much of a tool to use it.


Probably acquired later and didn't want to lose his followers.


Once a public official leaves office twitter should remove all followers to zero.


> Also if they don't create an "official account", someone else will do it for them

Yes, but this account will still not have the same legitimacy. Right now, if Trump tweeted a declaration of war, it would have been reasonable to assume that it was real, because, for all we know, it's an official channel. Previously a lot of people would've at least checked back with the official channel before taking it for granted.

And, to make matters worse, having Twitter as an official channel now gives everyone at Twitter the possibility to make official announcements - hardly a good state of affairs.


Why do you say this? What about "the other way" would make the logic any different?


The FBI is very commonly involved in cyber crimes and the other departments have a role to play as well. Calling the FBI during a major security incident is not unusual at all, I’ve done it a number of times.


In the early days of the internet the FBI was kind enough to call my employer and inform us that we had left open an anonymous FTP server, and it was serving up Disney movies. Those were good times.


FBI warned a non-profit 8 hours before news broke that the US had bombed an Iranian general. Indeed, they saved many lives.


Are there any articles where someone could read about this? What was the non profit?


what was the outcome? did they catch the criminals?


>Maybe you shouldn't use a free service that is not under your control or any proper regulatory or quality constraints for your most important messaging to the public then?

But we hate it when governments spend money on things. And no one would trust a word that came from any service the government controlled or regulated.


A simple official website is enough for hosting a list of short statements.


If the goal is to simply publish statements, the press already exists for that. The value of a platform like Twitter is in the network and communication. Twitter already has politicians and official accounts from around the world, and millions of users. I don't know how a particular state-owned platform could replicate that... and let's not get into the technical acumen that government contracts lead to. Remember the debacle that was the Obamacare website right after launch.

And on top of all of that, people will still complain that their tax dollars are being used rather than existing public platforms (Twitter, Facebook, etc.) Whichever administration puts it up, the next administration of the opposing party will call it waste and propaganda and burn it down.


An RSS feed is not expensive. As one example it'd be great to have RSS feeds for e.g. the US Forest Service or Bureau of Land Management about camping/hiking conditions, wildfires, etc.


Let's not forget the ongoing breach is being used to con people. Maybe that was the representative's concern.

> Maybe you shouldn't use a free service that is not under your control or any proper regulatory or quality constraints for your most important messaging to the public then?

What are you referring to exactly? I thought the govt had their own IT and websites across the board, and only used things like twitter to aid in communicating to the public.


> Maybe you shouldn't use a free service that is not under your control or any proper regulatory or quality constraints for your most important messaging to the public then?

No, I think they should use best-in-class media and Twitter is exemplary for that. Twitter is only dangerous for this because it is very effective at being a communication medium.

Yeah no one is going to fall for the 5th ColdFusion site with an admin backend left open on sqolkla7.info.gov.us/press-releases but that's because no one is reading that site.


Interestingly, similar access was used in 2009: https://www.ftc.gov/news-events/press-releases/2010/06/twitt...

I wonder if this attack was facilitated by some security measures being relaxed to allow work from home.


Did the attackers have direct access to the database, or why does their internal admin dashboard allow employees to tweet on behalf of any account?


Perhaps the admin dashboard allows support staff to reset emails/passwords, and they simply logged in as the users to tweet.


It doesn’t make sense that they’d let it go on like that and play whack-a-mole with the tweets for hours. I don’t buy it.


I suspected some sort of internal tool was used to target prominent users but I’m still curious why there were thousands of unverified accounts tweeting the same scam. Searching for that bitcoin address pulled up tons of accounts tweeting it shortly before that term was blocked. Are there really that many trolls out there, or was a very large set of accounts hacked?


Could some of those just be ordinary people who fell for the scam, or bots that retweet top accounts?


I’m sure a lot of mere twitter mortals were enjoying a sweet schadenfreude moment.


“Trends Blacklist” & “Search Blacklist” are interesting buttons. Manipulation much?


If the screenshot is real, I'm pretty sure that Scott Adams (the cartoonist) has that Search Blacklist button applied to him. I recently tried to search for users with his name, and he wouldn't appear at all (while unverified names with 0 followers would show up).

Had to go through DuckDuckGo to find his handle.


A user called '@viennacat921' joined in August 2019 with 0 tweets and is shown in the screenshot. '@b' is permanently suspended and '@arceus' is protected and locked, with all of this being reflected in the admin dashboard.

This leak seems to be legit.



You're right, thanks for the link.

I was surprised because I searched for users with the name "Scott Adams" and it was promoting users with 0 followers and not showing his verified account at all. This was through Tweetbot iOS.


Was this just now? Verified accounts weren’t showing up in search during the hack


Twitter shadow banning certain IDs in search suggestions isn't news, but @scottadamssays doesn't seem to be one of them.


Any social network which doesn't want to become 8chan needs moderation and bans. Why are you surprised about this existing?


Because filtering trends and search is not the same as banning accounts. These are unique features that affect all users, not just the ones who misbehave.


Yep those buttons are what's most important about the screenshots in my opinion.


[flagged]


Practically every "trending" algorithm involves some degree of manual tweaking. Otherwise, they end up prone to identifying uninteresting trends (like the current day of the week, or other time-sensitive trends like "lunch" showing up around local noon), or are easily manipulated by groups of users.

Besides, one of the features of Twitter's Trends is a prose description of what the keyword references -- there's no way that could be generated automatically.


“Jews” was trending for hours yesterday with top results displaying anti-Semitic tweets. Just saying.


Umm wouldn't they be writing the 'trending' algorithm in the first place?


[flagged]


Surely this is a joke?


Twitter Commie hacks are in full force downvoting


Please stop posting unsubstantive and/or flamebait comments. It's not what this site is for, it destroys what it is for, and we ban accounts that do it.

At least the GP comment contained actual information, however little.


Thanks for the reminder, I got carried away.


The fact that everyone accepts the level of centralization for a platform like Twitter is crazy. It should be a decentralised platform, and nobody else, besides the owner of the account, should hold the keys to it.


I wonder if this is related to Twitter easing some security restrictions to enable wfh for Covid. As in for example get rid of an IP whitelist which would have been too cumbersome to maintain with everyone wfh.


To me, it seems a little weird they can tweet on behalf of a user. Especially a user with 2FA on their account.

Curious as to what types of changes might come out of this going forward


There's always someone, usually many people, with abilities like this for any service that's automated enough. Even for banks, as much as they might try to separate portions and mitigate access. The solution is not making it impossible, it's making it easy to find out if it was done and being very careful who you put in those roles. That's just the nature of the world.


More likely a password reset to take over the account. After that an attacker can just tweet from any standard client.


It doesn’t make sense that they could tweet from people’s accounts and get away with it for hours from a moderation panel like that. I don’t buy it.


Was thinking about that. So one scenario, that depends on an API end-point for the internal tool, would immediately and quietly take over and change account passwords for targeted accounts. After that, start messages from individual accounts. While security is chasing around individual incidents it would take them a while to realize the breach is more systemic. That's probably when they threw the kill switch for verified accounts.


Interesting to see all the gaslighting tools Twitter has on their admin dashboard - "trends blacklist", "search blacklist" etc


Can someone post the content within that walled garden called Twitter? I cannot see that content without being logged in on mobile.


This is what you get when you allow permanent WFH. People you've never met in person with the keys to your kingdom.


I wonder if Twitter will get sued for this...


If nothing else, they'll get sued for securities fraud by some shareholders, because as Matt Levine likes to say, everything is securities fraud.


Isn't the whole point of Terms of Service to protect against being sued in the event of these kind of instances?


hopefully not enforceable


Anyone dumb enough to give money to a "double your bitcoins" scam deserves what they get, even if it is apparently endorsed by celebrities.


Do you also think that any old person that falls for a cash scam deserves it?


Why would an admin panel be able to post tweets from other users? I can't think of a valid reason.


They had access to DMs, too. This is even more worrisome. Might there be extortion attempts next?


Why have employees have the ability to do anything with accounts except closing them?


Apparently admins could post only on behalf of bluechecks. I still can't think of a reason why they would need to create posts. Edit maybe, but create? Why? Of course with access to the database anything at all can be done, but this was apparently an explicit feature of the admin dashboard.


Source? This is the first I've heard of the dashboard allowing for post creation.


When I was working for a company with SOX compliance, direct DB access was highly regulated and audited.


This tweet is interesting...seems to point at some kind of sms intercept. https://twitter.com/lucky225/status/1283514329187250177


That person later clarified it probably wasn't sms intercept. https://twitter.com/lucky225/status/1283536278856724480


I find it hard to believe this was a Social Engineering based attack. Elon Musk’s account was accessed multiple times after their tweets being deleted and it seemed to last forever, account by account being taken over.


They social engineered access to a Twitter employee's internal account, not the individual end users affected.


I understand, but that sort of behaviour should have been thwarted quickly by their security team or policies set up against abuse.


Yep, for one, you shouldn’t be able to just hand over your credentials to other people and they can immediately start doing stuff in your systems.

Also, the ability to impersonate people (not just celebrities) should require at least manual approvals. Not sure why this ability even exists.

The original speculation (that it was an API vulnerability) is actually easier to stomach.
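The two controls argued for in this thread, an independent second approver for support actions that change who controls an account or post as it, and an audit trail that makes a systemic takeover visible while the team is still chasing individual incidents, can be turned into checks over a support-panel audit log. The code below is an added example, not Twitter's tooling or anything posted in the thread; the action names, the protected-account list, the operator ids and every log entry are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Panel actions that change who controls an account or speak as it (constructed names).
SENSITIVE_ACTIONS = {"change_email", "disable_2fa", "reset_password", "post_as_user"}

# Accounts meant to sit under extra "lock and key" controls (constructed list).
PROTECTED_ACCOUNTS = {"joebiden", "barackobama", "elonmusk"}


@dataclass
class AdminAction:
    ts: datetime
    actor: str                      # panel operator who performed the action
    action: str
    target: str                     # handle of the account acted on
    approver: Optional[str] = None  # second person who approved, if any


def unapproved_protected(log: List[AdminAction]) -> List[AdminAction]:
    """Sensitive actions on protected accounts with no independent approver."""
    return [a for a in log
            if a.target in PROTECTED_ACCOUNTS
            and a.action in SENSITIVE_ACTIONS
            and (a.approver is None or a.approver == a.actor)]


def burst_actors(log: List[AdminAction],
                 window: timedelta = timedelta(minutes=30),
                 threshold: int = 3) -> Dict[str, int]:
    """Operators who hit >= threshold distinct accounts with sensitive actions
    inside any span of length `window`. Returns actor -> peak distinct count."""
    per_actor: Dict[str, List[AdminAction]] = {}
    for a in sorted(log, key=lambda x: x.ts):
        if a.action in SENSITIVE_ACTIONS:
            per_actor.setdefault(a.actor, []).append(a)
    flagged: Dict[str, int] = {}
    for actor, acts in per_actor.items():
        for i, first in enumerate(acts):  # slide the window from each action
            targets = {x.target for x in acts[i:] if x.ts - first.ts <= window}
            if len(targets) >= threshold:
                flagged[actor] = max(flagged.get(actor, 0), len(targets))
    return flagged


def _t(hhmm: str) -> datetime:
    return datetime(2020, 7, 15, int(hhmm[:2]), int(hhmm[3:]))


# Constructed audit log: one routine, approved reset earlier in the day, then one
# operator re-pointing the email of many prominent accounts in quick succession.
SAMPLE_LOG = [
    AdminAction(_t("14:05"), "ops-03", "reset_password", "corner_bakery", "ops-11"),
    AdminAction(_t("20:01"), "ops-17", "change_email", "elonmusk"),
    AdminAction(_t("20:03"), "ops-17", "disable_2fa", "elonmusk"),
    AdminAction(_t("20:09"), "ops-17", "change_email", "jeffbezos"),
    AdminAction(_t("20:15"), "ops-17", "change_email", "joebiden"),
    AdminAction(_t("20:18"), "ops-17", "change_email", "barackobama"),
    AdminAction(_t("20:24"), "ops-17", "change_email", "coin_exchange_x"),
    AdminAction(_t("20:40"), "ops-17", "view_profile", "someone_else"),
]

if __name__ == "__main__":
    for a in unapproved_protected(SAMPLE_LOG):
        print(f"UNAPPROVED {a.ts:%H:%M} {a.actor} {a.action} @{a.target}")
    print("burst actors:", burst_actors(SAMPLE_LOG))
```

The approver check is what a two-person rule would enforce before the action runs; the burst check is the after-the-fact signal that one operator's credentials are being used far outside a normal support workload.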


The account was fully hijacked, email and password changed, 2FA was disabled. At that point the account basically belonged to someone else. I don’t think they realized the scope and angle of the attack.


owo


uwu


Didn't Twitter say that they don't shadow-ban? [1] From a leaked screenshot of the panel, though, it appears they have a search/trend blacklist.

1: https://www.washingtonexaminer.com/business/jack-dorseys-per...

EDIT: thanks for the downvotes, twitter.


> EDIT: thanks for the downvotes

It's against the site guidelines to do that, so please resist.

https://news.ycombinator.com/newsguidelines.html


>We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.

I wonder the size of the population of employees that have access to these internal tools. How many people can independently fire off a Tweet from Jeff Bezos or Elon Musk and erase billions from the stock market? How many people can seize the account of Joe Biden (or presumably Donald Trump) and cause a huge international incident?


Judging by the fact that Trump was one of the few that wasn't hacked, presumably there are some extra controls in place for that account.


This is starting to sound too elaborate for it to be a “hacker” under a basement showing off.


Elaborate? This is as trivial as it gets. Convincing a Twitter employee to change a few email addresses is not elaborate. It's not hard to find employees disgruntled enough to take a bribe, or with a political axe to grind.


It's an admin panel that shows account information and allows for the staff to change details. What is the big deal?


>A little over ten years ago: Twitter settled with the FTC as a result of an internal tools breach. Their internal tooling was available directly over the web and accessed through an employee account protected by the password "happiness"

https://twitter.com/Magoo/status/1283520203679133696


I guess it implies that the attack was from the inside?


Inside attack / insider's admin account credentials compromised / admin panel itself compromised. Would love to see an RCA on this.

