Lessons Learned from the Twitter Hack 2020
The Twitter hack of 15th of July 2020 proofs that Hackers go targeted for service desk employees.
Is there anything for you to learn from the Twitter hack? We know the outcome: Criminals got access to important people’s twitter accounts and asked for bitcoins.
How hackers turn their hacks into profit depends on their target and the situation. The important question is how they got in!!
According to a tweet from Twitter support the 31st of July then:
The key phrases here are:
- Small number of employees
- Phone spear phishing
- Mislead certain employees
- Exploit human vulnerabilities
To know more about Voice-based Hacking, click here.
Combine this with another tweet in the stream:
The key phrases are:
- Obtaining employee credentials
- Specific employees with access to account support tools
From the key phrases the hackers’ actions are obvious:
They knew the names of Twitter employees in an internal support function with privileged credentials to access support tools. They phoned the supporters and tricked them to give away passwords. Then they had access and could carry out the criminal activities.
Twitter found that the hackers have mislead and exploited human vulnerabilities. This means that the supporters thought that they talked to other Twitter employees, so it was OK to give away credentials. Twitter might even have great procedures, but when the Hackers through social engineering bring emotions in action it is simply not enough. This might be the same for your service desk.
The only way to protect the service desk is a secure workflow for identity verification, which will take emotions out of identity verification.
Awareness training and documentation of procedures are all very well, but when the hackers phone in, they can get the supporters to deviate away from the procedures and the training. Service desk employees are asked to give good service, treat the callers as customers, so it is not that hard for a hacker to convince the supporter to give him what he asks for.
If the Twitter supporters were prevented from deciding who to give access, and the decision was given to a secure workflow, then Twitter would probably have avoided the hack!
We can expect more of this type of direct and targeted phone-based hacking also known as vishing. The hackers know that social engineering works, now we now it works – will we act now or wait until we have been hit?
Everyone in the organization is responsible for security. Empower your employees and strengthen security through Identity Verification.