If a user is tricked into revealing login credentials to a false landing page, 2-factor authentication will only limit the time the hacker has access to the account. Attackers would need to collect the 2nd factor of authentication, but the underlying tactics would remain the same. Even if a session cookie expires every few hours (which for Twitter would be days – not hours or minutes), then the attackers would still be able to cause the kind of mayhem we saw today. As we saw, it only took minutes for a tweet to make stock trading algorithms go bonkers. The following graphic provides a visual of the process a hacker would follow to get past 2-factor authentication (note that this isn’t how the AP was hacked, it’s how a hacker would attack Twitter if it had 2-factor authentication):
For an organization like the AP, which likely has multiple users accessing its Twitter account, security measures would have to extend to whatever platform it uses to perform group tweeting. At PhishMe, we have struggled to find an effective way to share tweeting privileges, as Twitter itself doesn’t offer a way to do this; we’ve been forced to use 3rd party platforms. Any additional security Twitter implements won’t be very valuable for organizations if it doesn’t also roll out an ability to have multiple users tweet from an account. This is not to say Twitter shouldn’t implement a more robust layer of authentication, but it also begs the question of how far should it go? Twitter wasn’t designed for group use. If it adds layers of security, will it solve the group use problem? The fact is, if the AP employees had recognized the phishing email, and never surrendered login information in the first place, this all may have been avoided. As long as users fall for these tactics, adversaries will develop tactics to trick users into leading them around technical security layers. –Aaron @higbee