(click image for larger view)
The Syrian Electronic Army: 9 Things We Know
Moving to combat months of high-profile account takeovers, Twitter Wednesday announced the implementation of a voluntary, two-step authentication system.
"Today we're introducing a new security feature to better protect your Twitter account: login verification," said Jim O'Leary, a member of the social site's product security team, in a Twitter blog post. "This is a form of two-factor authentication. When you sign in to twitter.com, there's a second check to make sure it's really you. You'll be asked to register a verified phone number and a confirmed email address."
The new feature, which is being gradually rolled out, is designed to block account takeovers via "email phishing schemes or a breach of password data elsewhere on the Web," he said. The latter threat refers to attackers being able to access a Twitter account if a user has reused a password elsewhere.
"It's great that Twitter has released this feature, which significantly raises the bar for broad-based attacks," said Mark Risher, CEO of Impermium, via email. "As an optional feature, however, we now need to ensure that users opt-in and utilize it; two-factor does nothing if you haven't configured it in advance."
To activate the new security feature, visit Twitter's account settings page, then check "Require a verification code when I sign in." If enabled, every Twitter login will result in a six-digit PIN code being sent via SMS to the account holder's registered mobile phone. Temporary passwords can also be generated to authorize logins from Twitter-compatible applications.
[ Is there a better way to authenticate users? Read Dropbox Adopts Single Sign-On Technology. ]
Twitter's information security move comes in the wake of an ongoing campaign by the Syrian Electronic Army, which has compromised numerous news and media outlets' Twitter feeds to broadcast propaganda in support of Syrian President Bashar al-Assad. Last month, the group seized control of multiple Associated Press Twitter accounts and issued a hoax tweet that President Obama had been injured by explosions at the White House, which generated a temporary downturn in the U.S. stock market. The group's repeated takeovers of Twitter accounts -- belonging to everyone from the BBC and National Public Radio to Reuters and the Onion -- have been a security embarrassment for Twitter.
But Twitter's new two-step authentication offering has already been criticized by security experts as a half measure. "Dear @twitter, forget about SMS! Use authenticator apps," tweeted Sean Sullivan, security adviser at F-Secure Labs, referring to the apps such as Google Authenticator and Microsoft Authenticator that can be used to generate one-time passwords on Android, iOS and Windows Phone mobile devices.
Questions also remain about whether Twitter is monitoring for unusual access patterns, as Facebook now does. "We hope that Twitter has incorporated proactive monitoring in addition to this authentication feature," said Impermium's Risher. "Locking the front door is important, but without intelligent systems determining when, how and whether to allow access -- even for people with the 'key' -- account hijacking vulnerabilities will persist."
Twitter, however, said that login verification is only a first step. "This release is built on top of Twitter via SMS, so we need to be able to send a text to your phone before you can enroll in login verification (which may not work with some cellphone providers)," said O'Leary. "However, much of the server-side engineering work required to ship this feature has cleared the way for us to deliver more account security enhancements in the future. Stay tuned."
In the meantime, don't expect two-step authentication to block all account takeovers, warned "The Shadow," a member of the Syrian Electronic Army's "Special Operations Division." "It will definitely make it harder on Twitter, but this was never our primary attack vector," The Shadow told Vice magazine. "Nevertheless, there are still some security holes in Twitter's model that we hope to exploit in the future so no one should get too comfortable, we are not going to give up."
Furthermore, as demonstrated by malware such as the banking Trojan Zitmo -- short for "Zeus in the mobile" -- mobile devices can be infected with malicious software that intercepts a one-time mobile transaction authorization number (mTAN) sent via SMS. That means that if an attacker obtains a valid username and password, they can also use the on-demand mTAN to access a target's banking site or authorize an unusual transaction.
As Twitter continues to develop new security features, the business faces yet another threat: patent litigation. "Big reveal: 1 billion+ Two-Step-Authentications on the Internet weekly. I invented it. Here's proof," tweeted Mega and Megaupload founder Kim Dotcom (aka Kim Schmitz), referencing the "Method for authorizing in data transmission systems" patent that he filed in 1998 and which was published in 2000. According to the patent grant, it "relates to a method and to a device for the authorization in data transmission systems employing a transaction authorization number (TAN) or a comparable password."
"Google, Facebook, Twitter, Citibank, etc. offer two-step authentication," Dotcom tweeted. "Massive IP infringement by U.S. companies. My innovation. My patent." Given that Dotcom is currently a fugitive from justice in the United States, it's not clear if any patent infringement lawsuits he might file would be enforceable.
But Dotcom isn't the only one claiming to have invented two-step authentication. When Microsoft debuted two-factor authentication in April, authentication technology vendor StrikeForce Technologies sued Microsoft subsidiary PhoneFactor, as well as technology vendor Fiserv and financial services firm First Midwest Bancorp, claiming that it was the sole patent holder for "out-of-band authentication." According to news reports, a StrikeForce investor said that the company plans to extend its patent-infringement suit to other businesses that now offer two-factor authentication.