Brands on Twitter: don't hand hijackers the keys to your account
26 Jul 2013
Twitter has launched two-step authentication to much fanfare, but the jury is out on how effective it will be.
In April a group calling itself the Syrian Electronic Army (SEA) hijacked the Associated Press Twitter account. The spoof tweets that followed caused a brief stock market dip, a reminder of how easy it can be to take control of a high-profile social media profile and a prompt for companies to ask what their crisis plan is if their own Twitter account is hacked. Twitter has since given users the option of two-step authentication at login.
There has been no shortage of tech bloggers lambasting the new two-step process, largely because it would not have stopped the SEA from taking over @AP. It has also been pointed out that the security offered by Twitter's two-step authentication is not a sufficient trade-off for the loss of speed and agility that news organisations and other power users need. We take a closer look at the process to see whether it does all it needs to.
How does it work and is it really secure?
Basically you add a mobile number to your Twitter account. When you enter your username and password on Twitter, a code is sent by SMS to your phone, which you then enter on Twitter to complete the login. The code proves that whoever is logging in can read your phone's messages; it does not prove that the page they typed it into is really Twitter. That is why this offers limited protection against even basic attacks like email phishing, particularly when the phishing page relays what the user types to the real site (a 'man-in-the-middle' attack).
Such man-in-the-middle attacks remain possible on Twitter. An intermediary impersonates Twitter in order to harvest login information, typically by emailing users a link to what appears to be a Twitter login page. The spoof page tells users that they have been logged out and need to log back in.
If the user falls for the trick, they enter their login details, which the man in the middle passes straight on to Twitter. Twitter then generates and sends the SMS code to the user's phone, and the user (seeing a genuine code arrive, so assuming everything is legitimate) types it into the intermediary's login field. The intermediary forwards that too, and Twitter hands the resulting logged-in session to the attacker. Because the code is single-use and expires quickly, the relay has to happen in real time, but that is exactly what an automated phishing proxy does. Hey presto, someone else now controls your Twitter account, and if they change the password and phone number you are locked out of it.
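The flow above, as an added worked example that is not part of the original post and not Twitter's code: a small Python model with a stand-in server that checks a password, issues a six-digit SMS code and hands out a session token, a victim whose phone receives the SMS, and a phishing proxy that relays both the password and the code. The account name, password, phone number and the 300-second code lifetime are constructed values. Running the three scenarios side by side shows what SMS two-step does stop (an attacker replaying a previously stolen password without the phone) and what it does not (the real-time relay described in the text).

```python
"""Model of SMS one-time-code login and a real-time phishing relay.
Constructed example for illustration; all names and values are made up."""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300  # assumed code lifetime; the real value is not on the page


@dataclass
class Account:
    password: str
    phone: str
    pending_otp: str | None = None
    otp_issued_at: float = 0.0


class Server:
    """Stand-in for the site: password check, SMS code, session token."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.sms_outbox: list[tuple[str, str]] = []  # (phone, code) "sent" by SMS
        self.sessions: set[str] = set()

    def register(self, user: str, password: str, phone: str) -> None:
        self.accounts[user] = Account(password, phone)

    def submit_password(self, user: str, password: str) -> bool:
        """Step 1: on a correct password, text a fresh code to the account's phone."""
        acct = self.accounts.get(user)
        if acct is None or not secrets.compare_digest(acct.password, password):
            return False
        acct.pending_otp = f"{secrets.randbelow(10**6):06d}"
        acct.otp_issued_at = time.monotonic()
        self.sms_outbox.append((acct.phone, acct.pending_otp))
        return True

    def submit_code(self, user: str, code: str) -> str | None:
        """Step 2: accept the pending code once, within its lifetime, and open a session."""
        acct = self.accounts.get(user)
        if acct is None or acct.pending_otp is None:
            return None
        fresh = time.monotonic() - acct.otp_issued_at <= OTP_TTL_SECONDS
        ok = fresh and secrets.compare_digest(acct.pending_otp, code)
        acct.pending_otp = None  # single use, whether or not it matched
        if not ok:
            return None
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token


@dataclass
class Victim:
    user: str
    password: str
    phone: str

    def read_sms(self, server: Server) -> str:
        """The code lands on the victim's phone no matter who typed the password."""
        for phone, code in reversed(server.sms_outbox):
            if phone == self.phone:
                return code
        raise LookupError("no SMS received")


class PhishingProxy:
    """Spoof login page that forwards whatever the victim types to the real server."""

    def __init__(self, server: Server) -> None:
        self.server = server
        self.stolen_session: str | None = None

    def fake_login_page(self, victim: Victim) -> bool:
        if not self.server.submit_password(victim.user, victim.password):
            return False
        code = victim.read_sms(self.server)  # victim types the genuine code into the spoof page
        self.stolen_session = self.server.submit_code(victim.user, code)
        return self.stolen_session is not None


def setup() -> tuple[Server, Victim]:
    server = Server()
    server.register("ap", "correct horse", "+15550100")  # constructed account
    return server, Victim("ap", "correct horse", "+15550100")


def legitimate_login() -> bool:
    server, victim = setup()
    return (server.submit_password(victim.user, victim.password)
            and server.submit_code(victim.user, victim.read_sms(server)) is not None)


def credential_replay() -> bool:
    """Attacker knows the password from an earlier leak but cannot read the phone."""
    server, victim = setup()
    if not server.submit_password(victim.user, victim.password):
        return False
    real = server.sms_outbox[-1][1]  # attacker never sees this; only used to keep the guess deterministically wrong
    guess = "000000" if real != "000000" else "000001"
    return server.submit_code(victim.user, guess) is not None


def realtime_relay() -> bool:
    server, victim = setup()
    proxy = PhishingProxy(server)
    return proxy.fake_login_page(victim) and proxy.stolen_session in server.sessions


def otp_single_use() -> bool:
    server, victim = setup()
    server.submit_password(victim.user, victim.password)
    code = victim.read_sms(server)
    return server.submit_code(victim.user, code) is not None and server.submit_code(victim.user, code) is None


if __name__ == "__main__":
    print("legitimate login works:", legitimate_login())
    print("stolen password alone works:", credential_replay())
    print("real-time relay works:", realtime_relay())
    print("code is single use:", otp_single_use())
```

The server never learns that the password and code arrived via the proxy rather than from the victim's browser, which is the whole weakness: the SMS code binds the login to the phone, not to the site the user is looking at.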
Will everyone start using Twitter’s two-step authentication?
Probably not. News agencies will still rely on the kind of speed and responsiveness that two-step authentication slows down, and agencies and large teams will find passing a single phone between several people extremely cumbersome. What we should expect to see instead is more training and education to help people recognise scams.
There are also a number of password managers and single sign-on solutions that mean users never need to know the actual password to the profile. Third-party Twitter clients like Hootsuite make it even easier to delegate access securely, with a variety of permission levels and granular control baked in.
In a previous role, I was tasked with procuring and deploying a social media management tool for the Metropolitan Police Service and I found that Hootsuite’s secure access and team mapping really fit the bill. The ability to add and remove team members remotely, without the password ever being shared, gave a level of security that two-step authentication never will.
At eModeration I advise and support on the best choice of tool or solution for organisations looking to increase or improve security in their social media profiles. Get in touch, if you have a social media question or problem that needs solving.
What developments can we expect to see with better security?
Personally I think Twitter is missing a trick by not taking security more seriously, but that doesn't mean there isn't a more powerful solution in the pipeline. The opportunities made possible by better security could really reap rewards, and since Twitter is increasingly focused on monetisation, here is a look at where things are going.
Given Twitter's appeal on mobile devices and its early use of OAuth and OpenID, the leap from mobile app to mobile wallet looks highly likely. Indeed, Twitter entered into a partnership with American Express in February whereby users who link their Twitter and Amex accounts can accept offers from merchants by tweeting a hashtag and replying to a follow-up message.
With contactless payments coming to smartphones, it shouldn't be a great leap to integrate transactions with activity on Twitter. And the ubiquitous nature of RFID tags means pretty much any environment can be transformed into an interactive one. Yes, Minority Report, here we come.
But what about Twitter cards?
The introduction of Twitter Lead Generation cards is the next step in a bigger game to get retailers and customers forming relationships. Think of it as a 'register your interest' button. Clicking it shares the user's name, email address and Twitter handle with the participating brand, and the business then emails the prospective customer with follow-up information.
This gives businesses more opportunities to discover customers while shortening the time it takes to find an offer or pay online, and it could work particularly well with pre-orders, offers and promotions. So between your phone making contactless payments in the real world, virtual payments on Twitter and signing up with vendors, the e-wallet has already arrived.
This blog first appeared on www.emoderation.com
By DMA guest blogger Alex Cowley, Technical Strategist for eModeration