An investigation by the New York State Department of Financial Services (NYSDFS) into the Twitter hack earlier this summer has resulted in a stinging reprimand for how easily Twitter was fooled by a “simple” social engineering technique, together with a wider call for major social media platforms to be regulated for security.
In the report, by way of contrast, the NYSDFS notes how quickly regulated cryptocurrency companies prevented the Twitter hackers from scamming even more people, arguing that this shows technical innovation and regulation are not mutually exclusive.
The point is that the largest social media platforms have tremendous societal power (with the associated consumer risk), but no regulated responsibilities to protect users.
The report concludes that this is an issue US lawmakers can and must address. It recommends establishing a board (to “designate systemically important social media companies”) and appointing an “appropriate” regulator to “oversee and monitor” the security practices of popular social media platforms.
“Social media companies have become an indispensable means of communication: more than half of Americans use social media to get news and connect with colleagues, family members and friends. This development requires a regulatory system that treats social media as critical infrastructure,” writes the NYSDFS, before pointing out that there is still
“Above all, the Twitter hack shows the risk to society when systemically important institutions are left to regulate themselves,” it adds. “Protecting systemically important social media from abuse is vital for all of us – consumers, voters, government and industry. The time for government action is now.”
We asked Twitter for comment on the report.
One of the key findings of the department’s investigation was that the hackers broke into Twitter’s systems by calling employees claiming they were from Twitter’s IT department. Through this simple social engineering method, they were able to get four employees to submit their credentials. From there, they were able to access the Twitter accounts of high profile politicians, celebrities and entrepreneurs, including Barack Obama, Kim Kardashian West, Jeff Bezos, Elon Musk and a number of cryptocurrency companies. A crypto scam was tweeted to millions of users via the hijacked accounts.
Twitter previously confirmed that a “phone spear phishing” attack was used to obtain credentials.
According to the report, the “Double Your Bitcoin” scam, which tweeted links asking for bitcoin payments, stole more than $118,000 in bitcoin from Twitter users.
A significantly larger sum was prevented from being stolen, however, because regulated crypto companies – namely Coinbase, Square, Gemini Trust Company and Bitstamp – took rapid action that, according to the department, blocked numerous attempted transfers to the fraudsters.
“This quick action blocked over 6,000 attempted transfers worth approximately $1.5 million to the hackers’ Bitcoin addresses,” the report said.
The report also notes that Twitter had no chief information security officer in office at the time of the hack, having failed to replace Michael Coates, who left in March. (Last month it was announced that Rinki Sethi had been hired as CISO.)
“Although Twitter is a global social media platform with an average of over 330 million monthly users in 2019, Twitter lacked adequate cybersecurity protection,” writes the NYSDFS. “At the time of the attack, Twitter did not have a chief information security officer, adequate access controls and identity management, or adequate security oversight – some of the core measures required by the department’s statewide cybersecurity regulation.”
The European Union’s data protection law already includes security requirements as part of a comprehensive data protection and security framework (with significant penalties for security breaches). However, the Irish Data Protection Supervisor’s investigation into a 2018 Twitter security incident is still pending after its draft decision failed to win the support of the other EU data protection authorities in August this year, further delaying the EU-wide regulatory process.