Twitch User Security Guide, Pt. II:

You’re gonna have to change your dog’s name again.

Johnny Xmas
Feb 2, 2019
Famous Speedrunner PangaeaPanga complaining of malicious account access

After reading Part 1 of this series and our whitepaper on recent Twitch account hacks, one thing should be extremely clear: you and only you are ultimately responsible for your personal privacy and security on Twitch. While Twitch does do an immense amount on their backend to ensure their computers, websites, etc. are as secure as possible, there are clearly security aspects we’ve discussed that MUST involve you, such as your password, your 2FA app, etc. Twitch does not have the manpower to give each user a telephone call and personally walk them through securing themselves. Nor should they; nothing we’ve told you here is something you haven’t already been told by 100 other websites, and likely even the company you work for.

We spoke with quite a number of “hacked” Twitch users during the writing of this guide, and this fact was abundantly clear: you know what “2-Factor Authentication” is, you know what a good password is, and you know not to reuse it, but...you skip all of these things in favor of saving a couple extra seconds once in a while. It seems the overall disrespect for these measures relates to a lack of understanding as to WHY these things are so effective at stopping break-ins. We won’t go into the details of what makes 2FA or complex passwords so effective, but you can check those links for some good synopses.

There is literally no end of Twitch users mysteriously losing access to their accounts for “unknown” reasons. A quick search of Google, YouTube, or Twitter turns up an ocean of the same situation: users attempt to log in as usual, and for some reason, their password just isn’t accepted anymore. Reddit’s /r/twitch has near-daily posts containing this exact complaint. In Part 1 we discussed several reasons why this happens, how it works, and how your “piddly, nothing Twitch account” IS actually a target for these attacks. Here, we’re going to discuss a more complex but nonetheless extremely common method of account takeover: Security Questions.

One definite shortcoming in Twitch’s user security is a lack of personal verification during the Password Reset process. All you need is access to the associated email account, and Twitch will happily send a password reset link right to its inbox. So, you have your email locked up with a 128-character password that you don’t use anywhere else. You keep it in a password manager with a long password you have memorized. You don’t enable 2FA because of that, which nets you an extra 7 seconds of free time once a month (woah!). You’re a steel wall that would rival Trump’s wettest dreams. You’re all set, right?

I think we all know the answer to that.

That’s right, it’s “NO.” Why? Because you’ve been handing out the combination to your vault to everyone you’ve ever hung out with for half your life, your social media, and your viewers. There’s a soft spot in your steel wall, and it’s pretty huge, but for some reason, it’s rarely discussed: the Security Questions you answered when you first set your email account up. You know, the email account you need to get into when you need to reset your Twitch password.

Here’s a fun bit of redundancy we never thought we’d have to explain: because this method of access recovery is designed to be used by persons who do not have access to an account, it can be used by...persons who don’t have access to an account. That includes nefarious persons.

Let’s talk a bit about how this has historically been an issue, and then we’ll give you an insanely easy way to make sure you never accidentally do this ever again:

The Fappening

On August 31, 2014, nearly 500 private photos of celebrities, mostly women and mostly nude, were posted to the famous 4chan imageboard, and from there quickly made their way around The Internet (SFW Wikipedia link). Affected celebrities began commenting on the matter, initially claiming their Apple iCloud accounts (where the photos were stored) had been “hacked.” Apple responded swiftly, investigating the individuals’ issues. Apple discovered the accounts were accessed by way of the “forgot password” method, or even by directly calling Apple Support, both of which require supplying the answers to the users’ Security Questions. Doing so does not raise any security alerts, as it is not an unusual occurrence, and the same goes for getting the questions right within a few tries; to them, this all simply looks like a valid user typo-ing their password a few times. The attackers logged into the celebrity accounts using answers the celebrities themselves had divulged, dumped the photos, and publicly posted them.

Top Google Hits for “The Fappening”

But how did the attacker know the answers to all these celebrities’ personal security questions? Security Questions were originally designed to be personal things that only we would know about ourselves, right? That’s the whole point: to prove we are us! However, especially in the case of those who livestream or enjoy the use of various social media platforms, we often accidentally hand out the answers to those security questions via mundane banter. We absent-mindedly tell an anecdote about playing Cops and Robbers on the street we grew up on, or about the make and model of our first car while playing GTA. We post pictures of our pets on Instagram complete with their names (which, incidentally, are also often the basis for our passwords). We’re literally handing out the answers on the daily without even realizing it.

“Great, so I’m Screwed?”

Not in the least. In fact, the solution is quite simple. Remember that the system asking you for your answers isn’t verifying that they’re true; it’s just remembering your answer for later. So…make something up! Some systems/sites even let you choose which questions you use, or even write your own! What’s your dog’s name, now? IT’S WHATEVER YOU WANT: “Mr. Whizzleteats,” “Jeremiah Q. Farquar,” “Mike,” “Hand Sanitizer.” IT DOESN’T MATTER. All that matters is that it’s NOT true. (mindblown.gif)

Here’s a great vid of Chance Morris / Sodapoppin33 messing this perfect opportunity up to an extreme extent. He brushes off the “Name of the first person you kissed” question because he’s never kissed anyone, but THAT’S WHAT MAKES IT THE BEST QUESTION TO USE!

Using invalid questions and fake answers is a pretty solid guarantee that you’ll never, ever accidentally divulge a single one of them ever again.

But how are you supposed to remember all of these if they’re not true? That’s like having to memorize multiple passwords per account! Again, the answer is simple: The same way you memorize all of those passwords. That’s right, your password manager. Nearly every password manager has a spot for you to add “notes.” Use it:

1password Entry showing Security Questions and 2FA Recovery Key
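To make the “treat security answers as secondary passwords” advice concrete (both the banter-leaks-answers point and the fake-answers-in-your-password-manager fix above), here is an added example that is not from the original post or from any password manager: it generates random answers from a small constructed word list, checks an answer against things you’ve already said on stream, and formats the result as a notes block. The word list and the “shared on stream” facts are constructed for the demo.

```python
"""Treat security-question answers as secondary passwords: generate
random ones, check them against public facts, and format them for a
password manager's notes field. (Added example, not from the post.)"""
import math
import random
import re

# Constructed word list for the demo (an assumption: a real setup would
# use a full diceware-style list of several thousand words).
WORDS = ("anvil apron badge bagel basil bison blaze cabin candle cedar "
         "comet daisy delta ember fable flint gravel hazel igloo jasper "
         "kayak lemon mango nickel olive pepper quartz radar saddle "
         "tulip velvet walnut").split()


def fake_answer(n_words=3, rng=None):
    """Random, meaningless answer: nothing a viewer can learn from banter."""
    rng = rng or random.SystemRandom()  # OS-backed randomness by default
    return " ".join(rng.choice(WORDS) for _ in range(n_words))


def answer_entropy_bits(n_words, wordlist_size=len(WORDS)):
    """Guessing cost of a generated answer, in bits (3 words x 32 = 15)."""
    return n_words * math.log2(wordlist_size)


def _normalize(text):
    """Lower-case and strip punctuation/spaces so 'Buddy!' == 'buddy'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def is_publicly_guessable(answer, public_facts):
    """True if the answer matches anything already shared publicly
    (pet name, first car, home street...), ignoring case and punctuation."""
    norm = _normalize(answer)
    return bool(norm) and any(norm == _normalize(f) for f in public_facts)


def notes_block(qa_pairs):
    """Plain-text block to paste into a password manager's notes field."""
    lines = ["Security questions (answers are deliberately fake):"]
    lines += [f"  Q: {q}\n  A: {a}" for q, a in qa_pairs]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: things a streamer might have mentioned on air.
    shared_on_stream = ["Buddy", "Maple St.", "Honda Civic"]
    questions = ["What was your first pet's name?",
                 "What street did you grow up on?",
                 "What was the make of your first car?"]
    print("True answer 'Buddy' guessable:",
          is_publicly_guessable("Buddy", shared_on_stream))
    pairs = [(q, fake_answer()) for q in questions]
    print(f"Each fake answer costs ~{answer_entropy_bits(3):.0f} bits to guess\n")
    print(notes_block(pairs))
```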

Account security, on any platform, is a complex scenario that requires both sides of the deal to do their part. If you’re the cause of the failure, there is often nothing Twitch can do to help you. The cavalry isn’t coming. We need to stop placing the blame on the platform/company where the breach occurred when we failed to hold up our end of the deal. At best, Twitch can attempt to verify you are in fact the rightful owner of the account. However, if a malicious person has used a stolen or guessed password to legitimately log into your account and then changed the answers to your Security Questions, you’re likely going to lose that account forever. All those followers, all of those subs, all of those VODs, gone. Reset to zero. Do not pass Go, do not collect $200.

Johnny Xmas is a professional hacker-for-hire, currently fighting the Internet robot uprising at https://kasada.io . You can follow his exploits and ask him questions on Twitter @j0hnnyxmas
