Twitter CEO's hacked account shows dangers of 'SIM swop' fraud

WASHINGTON • Even with considerable security precautions in place, Twitter chief executive Jack Dorsey became the victim of an embarrassing compromise when attackers took control of his account on the platform by hijacking his phone number.

Mr Dorsey became the latest target of so-called "SIM swop" fraud, which enables a fraudster to trick a mobile carrier into transferring a number - potentially causing people to lose control not only of social media but also bank accounts and other sensitive information.

This type of attack targets a weakness in "two-factor authentication" via text message to validate access to an account, which has become a popular break-in method in recent years.

Twitter said last Friday the account was restored after a brief time in which the attackers posted a series of offensive tweets.

But Mr Ori Eisen, founder of Arizona-based security firm Trusona, which specialises in authentication without passwords, said the rapid fix should not be seen as an answer to the broad problem of SIM swop fraud.

"The problem is not over," Mr Eisen said, noting that these kinds of attacks have been used to take over other high-profile social media accounts and for various kinds of fraud schemes.

Mr Eisen said it is not clear how many people are attacked in this manner, but that automated technology can create billions of calls that lure people into giving up information or passwords.


Some analysts say hackers have found ways to easily get enough information to get a telecommunications carrier to transfer a number to a fraudster's account, especially after hacks of large databases that result in personal data sold on the so-called Dark Web.

"Mobile accounts' text messages can be hijacked by sophisticated hardware techniques, but also by so-called 'social engineering' - convincing a mobile provider to migrate your account to another, unauthorised phone," said Mr R. David Edelman, a former White House adviser who heads a cyber security research centre at the Massachusetts Institute of Technology.

"It only takes a few minutes of confusion to make mischief like Dorsey experienced."

Thousands of these attacks have been reported in countries where mobile payments are common, including Brazil, Mozambique, India and Spain.

Researchers at security firm Kaspersky say security systems of many mobile operators "are weak and leave customers open to SIM swop attacks", especially if the attackers are able to gather information such as birth dates.

A version of this article appeared in the print edition of The Straits Times on September 05, 2019, with the headline 'Twitter CEO's hacked account shows dangers of 'SIM swop' fraud'. Print Edition | Subscribe