Can you feel the two-factor fever?
Following in the footsteps of Microsoft this month, Apple in March, and Facebook and Google before them, Twitter is now testing a two-factor authentication system to make it more difficult for attackers to hijack people's accounts.
That's welcome news in the wake of Twitter account takeovers of Burger King and Jeep, not to mention the Syrian Electronic Army's media-focused takeover campaign, which to date has compromised everyone from the BBC and Reuters to National Public Radio and the Associated Press. Indeed, one fake tweet -- this week's hoax AP report that the president was injured in a White House bomb blast -- led to a temporary downturn in both the stock market and AP's Twitter-following base. It also led many social media watchers to ask: Why has Twitter been so slow to offer information security improvements?
Adding two-factor authentication to Twitter is long overdue. By the time it arrives, however, it still won't be enough to block the type of phishing attack that the Syrian Electronic Army reportedly used to compromise AP, among other types of attacks. "In the case of a phishing message, two-factor authentication would not eliminate the problem," Mark Risher, CEO of social media security startup Impermium, told The New York Times. "There are ways to circumvent this. I could create a fake Web page for Twitter and ask you to enter your user credentials." Then an attacker could use the real username, password and one-time code to access the targeted account.
[ Privacy and security issues are becoming more important. Read Education Data: Privacy Backlash Begins. }
Twitter's current security posture -- or lack thereof -- may reflect its less-is-more approach to collecting information about its users or sharing it. "To its credit, the data privacy advocates like it because it doesn't track much," said Sean Sullivan, security advisor at F-Secure Labs, speaking by phone. But this lightweight approach has downsides, for example when it comes to repelling account takeover artists. "It doesn't say, we've never seen Syrian IP addressees used to log into this account before, so we're going to block it," Sullivan said.
For comparison's sake, Facebook offers hierarchical admin roles -- so not everyone able to access a Facebook account has the right to add or change other accounts or passwords -- and it also watches for log-ins from unknown locations, based on IP address ranges. Try to log in from Syria for the first time, and even if you get the password right, certain aspects of account administration, such as being able to see your security question settings, may be disabled, so long as you're using a machine that hasn't yet been verified via an email to the address you have on file. Account holders can view active sessions -- including devices that have been used to log into the account, and log-in times -- and disable any of these sessions.
Why hasn't Twitter added similar features? "Honestly, if they created something like Twitter Pro, AP would pay for that, and they'd opt into that logging, and their accounts would be protected," said Sullivan. "And of course you don't scale that to all users, because they don't all need that."
For many people, Twitter's just a bit of fun -- a free service for channeling wit and wisdom in 140 characters or less. But then again, this isn't some local, dial-up BBS used by a few thousand people, with members inclined to laugh off defacements and hoaxes. Instead, it's become a global communications system for disseminating information about everything from Boston bombing lockdowns and disaster warnings to reporting customer service issues and public emergencies.
As more people come to rely on this system, it's time for Twitter to secure accordingly.