Recently, we have seen a rash of high-profile takeover attacks on Twitter accounts. These Twitter attacks are targeting Western news organizations, but some organizations outside of the news realm (e.g., Burger King) have also come under attack.
Most of the takeovers are a result of classic social engineering and involve no actual malware. While this in no way takes away from malware being the most insidious of attack vectors, it does mean social engineering is alive and well.
Let’s walk through the steps of how social engineering attacks are able to take over Twitter accounts:
This seriously begs the question, “What is Twitter doing about protecting its users?”

According to Mat Honan of Wired, "Twitter has a working two-step security solution undergoing internal testing before incrementally rolling it out to users, something it hopes to begin doing shortly."
And as an Entrust product manager said in a post last week on the Associated Press Twitter account compromise, these Twitter IDs are extremely important and require authentication on par with online banking.

According to the BBC, Twitter sent emails to news organizations with some tips for staying secure.
“Advice included making sure passwords were more than 20 characters long and made up of random strings of letters and numbers.”
“The social network also advised having just ‘one computer to use for Twitter. This helps keep your Twitter password from being spread around,’ the site added.”
“Don't use this computer to read email or surf the Web, to reduce the chances of malware infection.”
While showing some initiative, Twitter still missed the mark — for security as well as marketing and news usage of social networking. Many other social media and Web-based email clients have implemented a form of second-factor authentication or identity verification.
In my opinion, the fact that Twitter hasn’t done the same is somewhat irresponsible. I understand the user experience angle and the need to balance security and usability. However, organizations can deploy measures that are transparent to users the majority of the time. And it’s typically only noticed when something abnormal occurs and the user is presented with a security challenge.
All accounts — whether for basic users, politicians, news organizations or corporate social media managers — would greatly benefit from a form of second-factor authentication such as mobile application-based one-time passcodes (OTP). These applications — Google Authenticator or Entrust IdentityGuard Mobile, for example — generate soft tokens on the device itself; the codes are never sent over the insecure SMS channel, which is another alternative, though not as advisable.
That said, these attacks are proving that not all accounts are created equal. For high-profile accounts — the BBC, Associated Press or the White House, for example — there is a need for more and stronger security measures.
To be clear, even a higher level of authentication may not stop something like an advanced session-riding attack, in which malware on the user's machine acts inside an already-authenticated session. Stopping that requires more advanced identity-assurance capabilities, where each tweet is approved individually through an out-of-band channel on an uninfected device.
This is highly unlikely to ever be the case as it is inhibitive to the standard Twitter experience. Each one of us has something at stake in cyberspace. And as we are seeing with recent lawsuits between victims and banks, both service providers and consumers have a responsibility to better protect digital identities.