Fresh from taking control of the social media accounts of popular YouTubers, the SIM swappers who call themselves ChucklingSquad have tweeted rude messages from the Twitter account of Jack Dorsey, founder and CEO of Twitter. As you might expect, Twitter later ‘resolved’ the issue by blaming a telco.
The phone number associated with the account was compromised due to a security oversight by the mobile provider. This allowed an unauthorized person to compose and send tweets via text message from the phone number. That issue is now resolved.
— Twitter Comms (@TwitterComms) August 31, 2019
Forbes and many other sources have stated that AT&T provides Dorsey’s mobile phone service. That would be consistent with ChucklingSquad’s modus operandi, though it is unclear why the hacker has not swapped SIMs on other networks. But instead of pointing fingers immediately at AT&T, why are none of these journalists asking why everybody seemingly knows Dorsey’s network provider and phone number? More importantly, why is a tech billionaire ranked 343rd richest in the world incapable of employing someone in his own business to enhance security?
It should come as no surprise that Twitter behaves like they are literally incapable of doing anything to improve the security and privacy of their own service. They epitomize the woeful security culture that dominates most consumer technology businesses. More and more services were launched where passwords were the only way to authenticate users. Then business leaders were shocked – SHOCKED! – to discover that some people had passwords like 12345 or PASSWORD. There have been so many data breaches that having a password is almost pointless, because hackers do a better job of maintaining a list of all your old passwords than you ever can. Unable to rely on passwords any more, tech businesses took the next laziest approach to authenticating customers. They assumed a mobile phone number is the same as a person, and decided that everything they offer – social media, OTT comms, online banking, cryptocurrency wallets – should be accessible to the person who controls that number. What could possibly go wrong?
I almost wish that American telcos would impose the blindly simplistic solution that so many are demanding, by making it harder for anyone – including ordinary customers – to replace a lost or stolen SIM. The USA is a country with such low expectations that many politicians seriously argue it is too much of a burden to expect citizens to present photo ID before they vote. So how should telcos verify customers? Should they impose a higher standard than voting laws? The American Civil Liberties Union says that asking for photo ID “disproportionately” affects “low-income, racial and ethnic minorities, the elderly, and people with disabilities”. Should phone companies be disproportionately denying their services to these individuals as well? And how would we feel about black, poor and old people being locked out of every online service because they were denied a new SIM?
SMS messages were never designed to be the key that unlocked every service that tech firms wanted to throw at customers over the internet. But that is how SMS messages are now being used and abused. Instead of bowing to public pressure, telcos should let the SIM swap scandals keep flowing. Eventually customers will ask why tech billionaires like Dorsey are too cheap and too slapdash to implement security that does not disproportionately rely on businesses they do not control.