Twitter’s Security Measures Miss the Mark on 2 Factor Authentication

“Breaking News: Two explosions at the White House and Barack Obama is injured.” On April 23, 2013, that tweet was sent out to the Associated Press’ thousands of Twitter followers, creating confusion and fear. Although the tweet was quickly confirmed as a fake, the attack, one of a recent spate of attacks on the popular micro-blogging site, highlights the need for increased security measures to protect both users and their followers. The fact that hackers were able to access the AP account and announce — falsely — that the White House was under attack, and that other major corporations had their feeds taken over by pranksters, was a wake-up call to both Twitter and its users that security is a major concern.


In the case of the AP hack, the fake tweet was only up for a few moments, but that was long enough to cause widespread concern. That concern has led to some new developments in Twitter’s security protocols that are designed to protect users from unauthorized access to their accounts. Twitter has added the option to use a two-factor authentication, or 2FA, process for recovering lost passwords, following the lead of other large websites like Google and Facebook. While 2FA is a growing trend in cybersecurity and a proven way to thwart would-be attacks, Twitter’s execution of the process has a few flaws that lessen the effectiveness of this powerful security measure.

Twitter’s New Process

Like many other websites, when Twitter users lose or forget login information, they can request to have the password sent to them via email. They click on the link, reset the credential and go on with their tweeting.


The problem? Anyone with unauthorized access to a user’s email can request password resets from Twitter, Facebook and any number of other sites and change the passwords. And once someone has access to your passwords, he or she can post on your behalf and wreak all sorts of havoc. You won’t know until it’s too late.

Twitter’s new security protocols attempt to thwart would-be hackers by requiring those who want to log in or reset their passwords to provide additional information. Under the new system, users can opt to enable the security feature, which sends a unique six-digit code via text message any time you log in or attempt to change your password; to access your account, you’ll have to enter this code when prompted.

Technically, Twitter’s new security features meet the 2FA criteria: to change a password or log in, you must provide something you know (your password) and something you have (your phone). Unfortunately, the flaws in Twitter’s process — flaws that other sites do not have — mean that not every user is completely protected by the extra measure of security.

Are You Who You Say You Are?

The first major issue with Twitter’s new process is that it’s voluntary. Users can decide whether or not to link a phone number to their accounts and use 2FA. If they choose not to enroll in the security protocol, they do not have the same level of protection as those who do.

Second, the security features embedded in the new system do not take into account the possibility of a stolen or compromised device. In order to sign up for the two-factor process, which can only be done on a computer, Twitter sends the user a text message verifying that texts can be sent and asks the user to confirm that the text was received. The user simply needs to click “yes” to indicate that the text was received; no further information is required. On top of this, if a criminal has the Twitter user’s phone, he or she can easily get into the Twitter account simply by requesting an access code via text. In fact, if a criminal has the user’s login name and password, he or she can easily associate a prepaid cell phone number with the victim’s account without the victim’s knowledge — and still gain access even if the activities have been detected and the password changed.

The Solution


While Twitter’s new process will undoubtedly reduce the number of accounts that are compromised, it needs some adjustments to work as effectively as other 2FA protocols.

First, it needs to be mandatory for all users. While some users may balk at the extra step, security is too important to be optional. In fact, many companies that use two-factor authentication, like banks, don’t give users a choice. If you want to get money from the ATM, you must provide something you have (your ATM card) and something you know (your password). If you don’t have one of those things, you can’t get cash from the machine, no exceptions.

Second, an email confirmation should be sent to the user to confirm enrollment in the 2FA process. The user will then be required to enter personal information to activate the service. This will lessen the possibility of someone using a stolen or disposable device to change a password and gain access to the account.
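To make the two recommendations above concrete, here is an added example (not Twitter’s code, and not from the original post) of an in-memory login and enrollment flow in which 2FA is mandatory and a new phone number only becomes a usable second factor after the account owner confirms it through an emailed token plus the current password. The `AuthService` class, its method names, the message formats, the five-minute code lifetime and the sample account are all constructed for illustration; the lists `emails` and `sms` stand in for a mail queue and an SMS gateway. The walk-through in `demo()` replays the scenario the article warns about: someone holding the password attaches a prepaid number, but because the number is only pending, it is never texted a code, and a password change discards it.

```python
"""Constructed 2FA enrollment/login flow: confirmed phone required, enrollment confirmed by e-mail."""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

CODE_TTL_SECONDS = 300  # constructed value: an SMS code is valid for five minutes


@dataclass
class Account:
    username: str
    email: str
    salt: bytes
    password_hash: bytes
    phone: Optional[str] = None           # confirmed second factor; None until enrollment completes
    pending_phone: Optional[str] = None   # number awaiting e-mail confirmation; never texted codes
    pending_token: Optional[str] = None   # token e-mailed to the account owner
    sms_codes: dict = field(default_factory=dict)  # one-time code -> expiry timestamp


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AuthService:
    def __init__(self) -> None:
        self.accounts: dict = {}
        self.emails: list = []  # (address, body): stand-in for an outbound mail queue
        self.sms: list = []     # (number, body): stand-in for an SMS gateway

    def register(self, username: str, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, email, salt, hash_password(password, salt))

    def _check_password(self, acct: Account, password: str) -> bool:
        return secrets.compare_digest(acct.password_hash, hash_password(password, acct.salt))

    def start_phone_enrollment(self, username: str, password: str, phone: str) -> bool:
        """Knowing the password only creates a *pending* enrollment and e-mails the owner."""
        acct = self.accounts.get(username)
        if acct is None or not self._check_password(acct, password):
            return False
        acct.pending_phone = phone
        acct.pending_token = secrets.token_urlsafe(24)
        self.emails.append((acct.email, f"Confirm new 2FA phone {phone}: {acct.pending_token}"))
        return True

    def confirm_phone_enrollment(self, username: str, token: str, password: str) -> bool:
        """Activation needs the e-mailed token and the password (the 'personal information' step)."""
        acct = self.accounts.get(username)
        if acct is None or acct.pending_token is None:
            return False
        if not secrets.compare_digest(token, acct.pending_token) or not self._check_password(acct, password):
            return False
        acct.phone, acct.pending_phone, acct.pending_token = acct.pending_phone, None, None
        return True

    def change_password(self, username: str, old_password: str, new_password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None or not self._check_password(acct, old_password):
            return False
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = hash_password(new_password, acct.salt)
        acct.pending_phone = acct.pending_token = None  # drop enrollments the old password started
        acct.sms_codes.clear()                           # and any codes already issued
        return True

    def begin_login(self, username: str, password: str) -> bool:
        """Step 1: password. 2FA is mandatory, so an account with no confirmed phone cannot log in."""
        acct = self.accounts.get(username)
        if acct is None or not self._check_password(acct, password) or acct.phone is None:
            return False
        code = f"{secrets.randbelow(1_000_000):06d}"
        acct.sms_codes[code] = time.time() + CODE_TTL_SECONDS
        self.sms.append((acct.phone, f"Your login code is {code}"))  # only the confirmed number
        return True

    def complete_login(self, username: str, code: str) -> bool:
        """Step 2: the texted code; each code is single-use and expires."""
        acct = self.accounts.get(username)
        expiry = acct.sms_codes.pop(code, None) if acct else None
        return expiry is not None and time.time() < expiry


def demo() -> dict:
    svc = AuthService()
    svc.register("alice", "alice@example.com", "hunter2")  # constructed sample account
    # Someone holding Alice's password attaches a prepaid number: it stays pending.
    attacker_started = svc.start_phone_enrollment("alice", "hunter2", "+15550009999")
    attacker_login = svc.begin_login("alice", "hunter2")  # no confirmed phone, nothing is texted
    # Alice resets her password; the unconfirmed enrollment goes with it.
    svc.change_password("alice", "hunter2", "correct horse battery staple")
    pending_after_reset = svc.accounts["alice"].pending_phone
    # Alice enrolls her own phone and activates it from the e-mail she received.
    svc.start_phone_enrollment("alice", "correct horse battery staple", "+15550001111")
    token = svc.emails[-1][1].rsplit(": ", 1)[1]
    confirmed = svc.confirm_phone_enrollment("alice", token, "correct horse battery staple")
    # Login now takes the password plus the code texted to the confirmed phone.
    first_step = svc.begin_login("alice", "correct horse battery staple")
    code = svc.sms[-1][1].rsplit(" ", 1)[1]
    logged_in = svc.complete_login("alice", code)
    replay = svc.complete_login("alice", code)  # reuse of the same code is refused
    return {"attacker_started": attacker_started, "attacker_login": attacker_login,
            "pending_after_reset": pending_after_reset, "confirmed": confirmed,
            "first_step": first_step, "logged_in": logged_in, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the confirmed number and the pending number are separate fields: `begin_login` only ever reads `acct.phone`, so a number that was attached but never confirmed through the owner’s email cannot receive a code, and `change_password` clears the pending state so a stale enrollment does not outlive a password reset.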

Two-factor authentication is the future of security, and it is becoming more commonplace every day. As more and more websites, banks and retailers are moving toward the 2FA model to protect users’ personal information, it’s important to ensure that the system is as secure as possible. Twitter can easily make these adjustments and provide users with peace of mind that their accounts will not be compromised.

