Twitter: Maybe Now’s a Good Time for 2-Factor Authentication?
Crazy day in the stock market today. The Dow dipped about 150 points in a few minutes, then quickly recovered, after a fake news report was sent from the Associated Press’s @AP Twitter account.
“That is a bogus @AP tweet,” the AP’s corporate communications group tweeted shortly after, and @APStylebook followed up saying the @AP account “has been suspended after it was hacked. The tweet about an attack on the White House was false.”
As Twitter rolls out new features, like cards and music discovery, it should take a minute to consider its awesome power to shape world opinion, if only for seconds at a time, and do something about its awful security.
Hacked Twitter accounts aren’t exactly news. The string of victims runs from celebrities to Burger King to NPR. Easy-to-guess passwords and lax user security are usually blamed in such incidents. The problem is so bad, Twitter has been under a consent decree with the FTC in regard to its security practices since 2010.
In this case, @AP may have been targeted by a spear-phishing attack — in which an email is spoofed so as to appear to come from a trusted source, for example, the recipient’s boss. (“The attack on AP's Twitter account and the AP Mobile Twitter account was preceded by phishing attempts on AP's corporate network,” the AP reported.)
Twitter can’t do much to protect against tactics like that, which basically fool end users into handing over passwords to hackers. But Twitter could do more than it has.
For starters, it has dragged its heels on offering 2-factor authentication, a security protocol that — in addition to prompting for a password —requires a special security code, usually sent to mobile phone number, to unlock an account.
This is a voluntary setting, and it would not prevent all attacks. But it has become standard Web security best practice for a reason, as Wired’s Mat Honan learned last August. (In a poignant and prescient post just shortly before the AP hack, Honan pointed to a different failing, calling for Twitter to invent an efficient method for “reeling bad information back in” in the wake of the Boston bombings.)
2-factor is available on many Web-based services. Google has supported it for some time and Microsoft just adopted it last week.
Forget that 2-factor might not have stopped this attack, or that millions of people won’t turn it on even if it becomes available; under the consent decree, Twitter agreed to protect people using its network with “appropriate” methods, including “the design and implementation of reasonable safeguards,” to mitigate all known risks.
Given Twitter’s track record, and the persistent attacks against its customers, it should make a priority of improving security and educating users any way it can. The company has reportedly been considering it. About time.