AP Twitter hack prompts fresh look at cybersecurity needs

Two-step identity verification and analysis of user trends could prevent future attacks, experts say

By Zach Miners, IDG News Service | Internet

Mark Risher, CEO at Impermium, an Internet security firm based in Redwood City, California, said he thinks Twitter already takes security seriously, but that Tuesday's attack does "elevate" concerns.

One strategy would be for Twitter to implement a two-step authentication system. In one common implementation, when users log into the site from their laptop, Twitter would send them a passcode to a second device, such as their mobile phone. They would then need to enter that code as well as their login and password to access the site.

Calls for Twitter to adopt such a system resurface whenever the site is hacked, but the AP attack could become a tipping point, said nCircle's Storms.

If Twitter doesn't want to mandate two-factor authentication for all accounts, the company could require it only for accounts that pass a certain number of followers, he suggested.

Two-step verification could be offered to big brands and other prominent accounts, agreed Jon Oberheide, cofounder and chief technology officer at Duo Security, which develops authentication software.

But accounts that employ two-step authentication may still be susceptible if those who use the accounts are subjected to an email phishing attack, said Impermium's Risher. "The hacker could fake a log-in page asking you for the code you just received," he said.

Alternatively, a phishing attack could be used to install a keystroke logger on a user's computer, recording their login and password the next time they enter it.

As an alternative, Twitter and other social networks should look more closely at how users interact with their services and watch for signals that might indicate unauthorized activity, said Risher, whose company develops algorithms to identify such activity. It might look at how users engage with content and how often they tweet and are retweeted, for example.

Twitter could also employ a risk-based authentication method, by asking users personal identification questions when they log in from an unfamiliar computer, for example.
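The login policy the article describes (a second-step passcode sent to another device, mandatory above a follower threshold, and a risk-based trigger for an unfamiliar computer) as an added example, not code from the article or from Twitter; the threshold, the code lifetime and all function names are assumptions.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field

CODE_TTL = 300               # seconds a passcode stays valid (assumed value)
FOLLOWER_THRESHOLD = 10_000  # accounts at or above this must use two-step (assumed)

def hash_password(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)

@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    followers: int
    otp_enabled: bool = False                        # user opted in
    known_devices: set = field(default_factory=set)  # devices seen before
    pending: dict = field(default_factory=dict)      # one outstanding passcode

def needs_second_step(acct: Account, device_id: str) -> bool:
    """Mandatory for prominent accounts, opt-in for everyone else, and always
    triggered as a risk-based step when the device is unfamiliar."""
    return (acct.otp_enabled
            or acct.followers >= FOLLOWER_THRESHOLD
            or device_id not in acct.known_devices)

def issue_code(acct: Account, now: float) -> str:
    """Create the passcode the site would send to the user's phone."""
    code = f"{secrets.randbelow(10**6):06d}"
    acct.pending = {"code": code, "expires": now + CODE_TTL}
    return code

def verify_code(acct: Account, submitted: str, now: float) -> bool:
    """Single use: the pending code is cleared on any attempt, so a code that
    leaked through a fake log-in page cannot be replayed once it has been
    used, and an expired code is never accepted."""
    p, acct.pending = acct.pending, {}
    return bool(p) and now <= p["expires"] and hmac.compare_digest(p["code"], submitted)

def login(acct: Account, password: str, device_id: str, now: float) -> str:
    """Returns 'denied', 'code_required' or 'ok'."""
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        return "denied"
    if needs_second_step(acct, device_id):
        issue_code(acct, now)
        return "code_required"
    return "ok"

def complete_login(acct: Account, submitted: str, device_id: str, now: float) -> str:
    if not verify_code(acct, submitted, now):
        return "denied"
    acct.known_devices.add(device_id)  # device becomes familiar only after the second step
    return "ok"
```

In a real deployment the code returned by `issue_code` is delivered out of band; here the test reads it from the account record to stand in for the phone.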

Users could do more to safeguard their own social media accounts, however. Using stronger passwords, changing them frequently and protecting Wi-Fi networks with passwords are all recommended practices. Having a weak password may have played a role in the AP's account breach. The Syrian Electronic Army tweeted the alleged password "APm@rketing" later this afternoon.

But the onus should be on the social media sites to ensure the security of their users' accounts, Risher said. "It should be like an 80/20 split," he said, adding, "the lion's share of the work should be done by the sites."

Apple, Facebook and Google are among the companies that already offer two-step authentication as an option for users.
