Twitter Hack Makes the Final Case to Ditch Passwords

Yesterday, Twitter revealed that its high-profile hack, which occurred on July 15, 2020, was the result of a phone spear phishing attack. Attackers targeted a small number of employees to steal their credentials and gain access to Twitter’s internal support tools.

This attack is a reminder that, to build a truly secure organization, employees and IT organizations need to move away from passwords entirely. No technology can reliably detect a voice phishing (vishing) call, because the attack runs over the phone rather than through a system the organization controls; what organizations can do is eliminate passwords, which are the primary thing a phishing attack sets out to steal. MobileIron’s zero sign-on (ZSO) solution deploys passwordless multi-factor authentication to make your device your identity and remove passwords from the threat landscape entirely.

By using the smartphone as the authenticator, MobileIron combines factors such as identity certificates, biometrics, QR codes, one-time passcodes (OTP), and push notifications to provide a customizable authentication experience that matches the risk of a user’s access environment. MobileIron’s ZSO solution integrates with MobileIron’s unified endpoint management (UEM) solution to incorporate additional signals such as device posture and app version, producing a better risk score for access control decisions.

ZSO delivers a consumer-like experience for the enterprise, keeping the user in mind. Unlike single sign-on, which still requires a password at the identity provider, ZSO eliminates the need for passwords altogether. ZSO delivers a secure and seamless user authentication experience from any device without the hassle of remembering and typing passwords; users simply present live-scan biometrics and possession of the enrolled device as their authentication factors.

In the Twitter hack, the weak point was the username and password combination: a shared secret that an employee can be talked into revealing. Were Twitter using our zero sign-on approach, the only means to access the service would be through a verified device that had performed biometric verification and confirmed that the right person with the right app in the right location is trying to access the information. Given that, we are confident our zero sign-on capability could have stopped this attack, because there is no credential the victim could read out over the phone. One caveat applies to any passwordless deployment: a push-notification approval can still be socially engineered, so the phishing resistance comes from the factors bound to the enrolled device, the certificate and the biometric, rather than from a prompt the user can be talked into accepting.
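The following is an added illustration of the device-bound challenge-response pattern that certificate-based passwordless authentication relies on; it is not MobileIron's code and does not describe the ZSO implementation. The class names, the origin string, the scenarios and the use of an HMAC key as a stand-in for a device certificate's private key are all assumptions made for the example (a real deployment signs with an asymmetric key so the server never holds the signing secret). It shows why a vished employee has nothing to hand over: each login signs a fresh server nonce on the enrolled device, so a captured response cannot be replayed, a different device cannot answer, and a relaying phishing site breaks the origin binding.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

# Constructed model: an HMAC key stands in for the private key of a device
# identity certificate so the example runs on the standard library alone.


class DeviceAuthenticator:
    """An enrolled phone: the key never leaves the device, and signing is
    gated on a local biometric check."""

    def __init__(self, device_id: str) -> None:
        self.device_id = device_id
        self._key = os.urandom(32)  # generated on the device at enrollment

    def enrollment_record(self) -> bytes:
        return self._key  # with a real certificate this would be the public key only

    def sign_challenge(self, origin: str, nonce: bytes, biometric_ok: bool) -> Optional[bytes]:
        if not biometric_ok:
            return None  # wrong person holding the phone: nothing is produced
        msg = b"|".join([origin.encode(), self.device_id.encode(), nonce])
        return hmac.new(self._key, msg, hashlib.sha256).digest()


class PasswordlessServer:
    """Issues single-use challenges and verifies device-bound responses."""

    def __init__(self, origin: str, ttl_seconds: int = 60) -> None:
        self.origin = origin
        self.ttl = ttl_seconds
        self.devices: Dict[str, bytes] = {}                 # device_id -> verification key
        self.pending: Dict[bytes, Tuple[str, float]] = {}   # nonce -> (device_id, issued_at)

    def enroll(self, device_id: str, key: bytes) -> None:
        self.devices[device_id] = key

    def issue_challenge(self, device_id: str) -> bytes:
        nonce = os.urandom(16)
        self.pending[nonce] = (device_id, time.monotonic())
        return nonce

    def verify(self, device_id: str, nonce: bytes, signature: Optional[bytes],
               posture_ok: bool = True) -> bool:
        entry = self.pending.pop(nonce, None)  # single use: a replay finds nothing
        if entry is None or signature is None:
            return False
        expected_device, issued_at = entry
        if expected_device != device_id or time.monotonic() - issued_at > self.ttl:
            return False
        if not posture_ok:  # a UEM posture signal (jailbroken, stale app) vetoes access
            return False
        key = self.devices.get(device_id)
        if key is None:
            return False
        msg = b"|".join([self.origin.encode(), device_id.encode(), nonce])
        return hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), signature)


def run_scenarios() -> Dict[str, bool]:
    """Constructed attack scenarios; only the legitimate login should succeed."""
    server = PasswordlessServer(origin="https://support.example.internal")  # hypothetical origin
    phone = DeviceAuthenticator("employee-phone-1")
    server.enroll(phone.device_id, phone.enrollment_record())
    results: Dict[str, bool] = {}

    n1 = server.issue_challenge(phone.device_id)            # legitimate login
    sig1 = phone.sign_challenge(server.origin, n1, biometric_ok=True)
    results["legit_login"] = server.verify(phone.device_id, n1, sig1)

    results["replay"] = server.verify(phone.device_id, n1, sig1)  # captured response reused

    attacker = DeviceAuthenticator("attacker-phone")         # vished user has no secret to share
    n3 = server.issue_challenge(phone.device_id)
    results["wrong_device"] = server.verify(
        phone.device_id, n3, attacker.sign_challenge(server.origin, n3, biometric_ok=True))

    n4 = server.issue_challenge(phone.device_id)             # phishing site relaying the nonce
    results["wrong_origin"] = server.verify(
        phone.device_id, n4, phone.sign_challenge("https://support-example.evil", n4, True))

    n5 = server.issue_challenge(phone.device_id)             # enrolled phone, biometric failed
    results["no_biometric"] = server.verify(
        phone.device_id, n5, phone.sign_challenge(server.origin, n5, biometric_ok=False))

    n6 = server.issue_challenge(phone.device_id)             # good signature, bad device posture
    results["bad_posture"] = server.verify(
        phone.device_id, n6, phone.sign_challenge(server.origin, n6, True), posture_ok=False)
    return results
```

Note that `verify` consumes the nonce before checking the signature, so a failed attempt cannot be retried against the same challenge; the client must request a new one, which also bounds how long a captured nonce is worth anything.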

The Twitter hack is also a reminder that every organization needs to make defending against phishing attacks a top priority. The attackers used the credentials of employees with access to Twitter’s internal support tools to target 130 Twitter accounts and launch a phishing campaign, ultimately tweeting from 45 of them. The fake tweets included links to a phishing site and earned the attackers about $120,000 in Bitcoin in just a few hours.

With the phishing protection in our threat defense solution, we are again confident we could have mitigated this aspect of the attack. MobileIron Threat Defense (MTD) offers on-device and cloud-based phishing URL database lookups to detect and remediate phishing attacks across mobile threat vectors, including SMS and other text messages, instant messages, and social media, not just corporate email.
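The following is an added example of the on-device lookup step described above, written for this page rather than taken from MTD. It extracts URLs from message text of any channel, normalizes the host (lowercasing, trailing-dot removal, punycode conversion of internationalized lookalike domains) and checks the host and each parent domain against a blocklist. The blocklist, the `.example` domains in it and the sample messages are all constructed for the example and stand in for a real phishing URL database and real traffic.

```python
import re
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Constructed blocklist standing in for the phishing URL database. Hosts are
# stored in normalized (lowercase, punycode) form so lookups are exact matches.
PHISHING_HOSTS: Set[str] = {
    "twitter-support.example",                                   # hypothetical
    "cryptoforhealth.example",                                   # hypothetical
    "twítter.example".encode("idna").decode("ascii"),            # IDN lookalike, stored as xn--...
}

# Matches http(s) URLs and bare www. links; stops at whitespace and quoting characters.
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)[^\s<>\"']+")


def normalize_host(url: str) -> str:
    """Lowercase, strip a trailing dot and convert IDN labels to punycode."""
    if url.lower().startswith("www."):
        url = "http://" + url
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        pass  # malformed label: fall back to the raw lowercase host
    return host


def host_candidates(host: str) -> List[str]:
    """The host and each parent domain, excluding the bare top-level label."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def scan_message(text: str, blocklist: Set[str] = PHISHING_HOSTS) -> Dict[str, List[str]]:
    """Map each URL in the message that hits the blocklist to its matching entries."""
    flagged: Dict[str, List[str]] = {}
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:)")  # trailing punctuation is not part of the link
        hits = [c for c in host_candidates(normalize_host(url)) if c in blocklist]
        if hits:
            flagged[url] = hits
    return flagged


def scan_all(messages: List[str]) -> Dict[int, Dict[str, List[str]]]:
    """Index of every message containing a blocklisted URL, with its hits."""
    results: Dict[int, Dict[str, List[str]]] = {}
    for i, msg in enumerate(messages):
        hits = scan_message(msg)
        if hits:
            results[i] = hits
    return results


# Constructed sample messages (not real traffic): SMS, IM and social-media style text.
SAMPLE_MESSAGES = [
    "Your account was flagged. Verify at https://login.twitter-support.example/verify within 24h.",
    "Double your BTC: send now to https://cryptoforhealth.example/give?ref=tw ASAP!",
    "Meeting moved to 3pm, agenda at https://docs.example.com/agenda",
    "Re-activate here: https://twítter.example/reset",
    "Check www.Twitter-Support.example. now",
]

if __name__ == "__main__":
    for index, hits in scan_all(SAMPLE_MESSAGES).items():
        print(index, hits)
```

Walking the parent domains is what catches a subdomain the database has never seen on a known-bad registrable domain, and converting to punycode before lookup is what keeps a Unicode lookalike from slipping past a list that stores the ASCII form. A production engine layers cloud lookups and heuristics on top of this exact-match step; this block shows only the local lookup.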

In conclusion, organizations need to take a multi-layered approach to cybersecurity to secure their digital workplaces and reduce the risk of breaches. To find out more about how MobileIron can provide a comprehensive solution that fits your needs, contact a MobileIron sales representative.

Brian Foster

Senior Vice President of Product Management

About the author

As SVP of Product Management, Brian is responsible for overseeing product direction and innovation. Brian brings more than 25 years of experience to his role. Prior to MobileIron, Brian founded a startup in the identity management space. Before that, he was SVP of information services at Neustar, the leader in identity resolution. At Neustar, Brian’s teams were responsible for solutions in marketing services, risk and fraud, registries, and security services. He also oversaw the product development and go-to-market operations. Prior to that, Brian was CTO at Damballa, a private company that discovered advanced threats running in enterprises and large internet service providers. As CTO, Brian was responsible for the advanced research, product strategy, and engineering operations.

Before Damballa, Brian was SVP of product management at McAfee. He oversaw McAfee's global product management functions and was responsible for over 80 enterprise and consumer products, generating more than $2B in revenue. Prior to joining McAfee, Brian was VP of product management at Symantec, where he oversaw product innovation for the enterprise endpoint. Brian has a BA in Economics from UCLA and completed the executive program in management from UCLA’s Anderson School of Management.