Twitter turns off SMS texting after @Jack hijacking

Following Jack Dorsey’s Twitter account getting hi-@jack(ed), Twitter has temporarily yanked the ability to tweet via SMS – one of the possible ways that the account of its founder and CEO got taken over by racist/anti-semitic/bomb-hoaxing hijackers last week.

Twitter announced on Wednesday that it’s doing so due to what it says are vulnerabilities that mobile carriers need to address, and due to its reliance on having a linked phone number for two-factor authentication (2FA) – something it says it’s working to improve.

We’ll reactivate this in markets that depend on SMS for reliable communication soon while we work on our longer-ter… twitter.com/i/web/status/1…

—
Twitter Support (@TwitterSupport) September 04, 2019

Dorsey’s account getting hijacked wasn’t the result of a system compromise, Twitter said last week. Rather, it was due to the phone number associated with his account being compromised. That suggests that Dorsey may have been the victim of a SIM swap.

How SIM swap attacks work

As we’ve explained, SIM swaps work because phone numbers are actually tied to the phone’s SIM card – in fact, SIM is short for subscriber identity module, a special system-on-a-chip card that securely stores the cryptographic secret that identifies your phone number to the network.

Most mobile phone shops out there can issue and activate replacement SIM cards quickly, causing your old SIM to go dead and the new SIM card to take over your phone number… and your telephonic identity.

That comes in handy when you get a new phone or lose your phone: your phone carrier will be happy to sell you a new phone, with a new SIM, that has your old number.

But if a SIM-swap scammer can get enough information about you, they can just pretend they’re you and then social-engineer that swap of your phone number to a new SIM card that’s under their control.

By stealing your phone number, the crooks start receiving your text messages along with your phone calls, and if you’ve set up SMS-based 2FA, the crooks now have access to your 2FA codes – at least, until you notice that your phone has gone dead, and manage to convince your account providers that somebody else has hijacked your account.

If Dorsey uses a service that allows him to tweet via SMS messages then this may be what gave the hackers the ability to tweet in his name.

Or they may have first cracked his password and then used their access to his phone number to steal a 2FA code sent to it via SMS.

Twitter didn’t indicate how long it would disable SMS support for tweets. It did note, though, that it will “soon” reactivate it in markets that “depend on SMS for reliable communication.” In fact, as of Thursday, Twitter said that it had already turned SMS back on in a few locations that depend on it to tweet.

It was still off for the rest of the world, Twitter said, and would stay off while it works on a “longer-term strategy” for the feature. Twitter didn’t give an estimate regarding how long its longer-term strategy would take.

What to do?

Wrestling back control of a hijacked account can take a long, painful time, particularly if your name isn’t Jack Dorsey. To avoid going through that misery, read our guide to securing your Twitter account.