Twitter Breach, SEC Rules Call for Tighter Security, but at What Cost?

From: Wired

By Daniel Ingevaldson

As social media becomes an increasingly mainstream method of trusted communication, how can companies such as Twitter strike a balance between ease of use, and the need for greater security? How will users react when asked to adopt additional security related processes?

The recent hijacking of the Associated Press (AP) Twitter account shows the damage a social media account can do in the wrong hands. After the compromised account tweeted that the President had been hurt in explosions at the White House, the Dow Jones Industrial Average briefly dropped 100 points before the hoax was exposed.

To prevent similar attacks, Twitter recently added optional two-factor authentication that ties an account to a single mobile phone. It is impractical for organizations that assign more than one person to manage their social media presence, but it signals a willingness to take steps towards a more secure environment for this growing communications channel.

Protecting Social Media: A Pressing Problem

Given the Securities and Exchange Commission’s (SEC) recent announcement permitting the use of social media to share information with the public, protecting a company’s social media presence from compromise is now even more important. Consider what could happen if cybercriminals compromised a Fortune 500’s Twitter account and tweeted fake financial data that triggered movements in their stock price. Undoubtedly, the SEC would want to know how the company lost control of its Twitter account, and investors would be furious.

The form of multi-factor authentication Twitter deployed links a mobile phone to the account and sends a one-time code by text message on every login. It is somewhat convoluted, and it is certainly open to compromise: a code delivered to the phone is only as safe as the phone and the browser that receive it, and attackers already have man-in-the-browser (MitB) and man-in-the-mobile (MitMo) malware that captures exactly those codes. Inevitably, Twitter will face increasingly sophisticated breaches. How quickly will its approach to security evolve, and in which direction?

Security in Social Media: A Work in Progress

As Twitter matures their fraud prevention strategy beyond the current version of multi-factor authentication, there are a number of options to consider. For example, Twitter might require that corporate account users — especially those that release company news via social media — access the site using a secure browser.

Such a browser isolates the session from whatever else is running on the user’s device and, in effect, turns the computer into a dedicated machine for interacting with the social media site. The critical elements of the transaction, here the tweets themselves, are assembled and verified on the server side rather than trusted from the user’s machine. The approach is effective and places little burden on the user; many banks already offer something similar to their online banking customers.

In addition, Twitter currently assumes that once a user has authenticated, they may do anything with the account. Without a further layer, such as transaction monitoring that flags unusual activity (in Twitter’s case, a change in posting frequency, in the content of posts, or in the destinations of hyperlinks shared with followers), a hijacked corporate account can still send fake tweets unchallenged.

With a basic form of multi-factor authentication already in place, Twitter may also choose to enhance its approach with a risk-based authentication process that includes challenge questions, or device authentication that captures and analyzes the electronic “fingerprint” associated with the user’s hardware. Again, these kinds of security measures have already been put into place for many online banking customers, increasing the level of trust in online banking without turning off potential users.
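The two layers described above, transaction monitoring of posts and a device-fingerprint risk score at login, are sketched below as an added example. It is not code from Twitter or from the article’s author; the attribute set hashed into the fingerprint, the risk weights and thresholds, the alert-word list, and every account and login record are constructed assumptions chosen so the example runs offline.

```python
"""Added example (not from the article): two illustrative security layers
for a corporate social-media account, a device-fingerprint risk score at
login and post-login transaction monitoring of tweets. All data below is
constructed; weights, thresholds and the keyword list are assumptions."""
import hashlib
import re
import statistics
from datetime import datetime
from urllib.parse import urlparse

# ---- Layer 1: risk-based authentication with a device fingerprint ----
FP_ATTRS = ("user_agent", "accept_language", "timezone", "screen")


def device_fingerprint(attrs):
    """Hash a fixed, ordered set of client attributes (assumed set; real
    fingerprinting uses many more signals) into an opaque identifier."""
    canon = "|".join(f"{k}={attrs.get(k, '')}" for k in FP_ATTRS)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def login_risk(attrs, country, enrolled_fps, enrolled_countries):
    """Return (score, reasons). The weights are illustrative assumptions."""
    score, reasons = 0, []
    if device_fingerprint(attrs) not in enrolled_fps:
        score += 50
        reasons.append("unenrolled device")
    if country not in enrolled_countries:
        score += 30
        reasons.append(f"login from new country {country}")
    return score, reasons


def login_decision(score):
    """Map the score to allow / step-up (challenge question or OTP) / deny."""
    if score >= 70:
        return "deny"
    if score >= 30:
        return "step-up"
    return "allow"


# ---- Layer 2: transaction monitoring of posts after login ----
LINK_RE = re.compile(r"https?://[^\s]+")
# Words that would move a market if posted by a news or corporate account
# (illustrative list, an assumption of this example).
ALERT_WORDS = ("breaking", "explosion", "injured", "bankrupt")


def baseline(history):
    """From (timestamp, text) pairs, derive the account's median posting
    gap in seconds and the set of link domains it has used before."""
    times = sorted(ts for ts, _ in history)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    domains = {urlparse(u).netloc.lower()
               for _, text in history for u in LINK_RE.findall(text)}
    return statistics.median(gaps), domains


def monitor(history, new_posts, burst_factor=10):
    """Flag each new post that breaks the account's cadence, links to an
    unseen domain, or contains alert words. Returns [(text, [flags]), ...]."""
    median_gap, domains = baseline(history)
    prev_ts = max(ts for ts, _ in history)
    results = []
    for ts, text in new_posts:
        flags = []
        if (ts - prev_ts).total_seconds() < median_gap / burst_factor:
            flags.append("posting burst")
        for url in LINK_RE.findall(text):
            dom = urlparse(url).netloc.lower()
            if dom not in domains:
                flags.append(f"new link domain {dom}")
        if any(w in text.lower() for w in ALERT_WORDS):
            flags.append("market-moving keywords")
        results.append((text, flags))
        prev_ts = ts
    return results


# ---- Constructed sample data (not real accounts, devices or posts) ----
KNOWN_DEVICE = {"user_agent": "Mozilla/5.0 (Windows NT 6.1)", "accept_language": "en-US",
                "timezone": "America/New_York", "screen": "1920x1080"}
UNKNOWN_DEVICE = {"user_agent": "Mozilla/5.0 (X11; Linux x86_64)", "accept_language": "en-GB",
                  "timezone": "Europe/London", "screen": "1366x768"}
ENROLLED_FPS = {device_fingerprint(KNOWN_DEVICE)}
ENROLLED_COUNTRIES = {"US"}


def t(h, m):
    return datetime(2013, 4, 23, h, m)


HISTORY = [(t(9, 0), "Morning brief http://news.example.com/a1"),
           (t(9, 30), "Markets open http://news.example.com/a2"),
           (t(10, 0), "Earnings call at noon http://news.example.com/a3"),
           (t(10, 30), "Interview http://news.example.com/a4"),
           (t(11, 0), "Photo gallery http://news.example.com/a5")]
NEW_POSTS = [(t(11, 30), "Midday update http://news.example.com/a6"),
             (t(11, 31), "Breaking: explosion at headquarters, CEO injured http://lnk.example/x9")]

if __name__ == "__main__":
    for dev, country in ((KNOWN_DEVICE, "US"), (UNKNOWN_DEVICE, "US"), (UNKNOWN_DEVICE, "GB")):
        score, why = login_risk(dev, country, ENROLLED_FPS, ENROLLED_COUNTRIES)
        print(login_decision(score), score, why)
    for text, flags in monitor(HISTORY, NEW_POSTS):
        print(flags or "ok", "|", text)
```

The point of the second layer is that the fake post is caught even when the login layer was passed: it arrives a minute after the previous one (ten times faster than the account’s normal cadence), links to a domain the account has never used, and carries market-moving words, so it can be held for a second approver instead of being published.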

As it stands, Twitter’s multi-factor authentication in its current form provides just one layer of protection. As Twitter may learn in the future, providing a layered approach does not have to overburden the user, and can still allow for increased security that can respond to a broad range of threats.

A Step in the Right Direction, but More Needed

Since Twitter currently only allows one mobile phone number for authentication per account, corporations, news agencies and government entities that assign more than one employee to manage their Twitter account will find the current security process impractical. But Twitter’s willingness to acknowledge and address this problem bodes well for a more comprehensive set of security controls down the line for those users who require it.

As threats evolve, the importance of having a multi-layered approach to security in place will increase. We all have the tendency to believe what we read. There is no exception for information shared via social media — especially if the information comes from a trusted source such as the Associated Press or a publicly-traded company’s official account. Given the number of users who rely on social media for the latest information, a multi-layered security program is a necessity if we are to prevent hackers from profiting at our expense.

Daniel Ingevaldson is CTO of Easy Solutions.
