Social Media and Security: Have it Your Way – What the Burger King Twitter Hack Tells Us


We interrupt this month’s planned part two of Social Media and Online Security: Whose Pictures Are They Anyway? to focus on a more immediate, newsworthy event: last week’s hijacking of the Burger King Twitter handle (we’ll be back to our regularly scheduled column next month).

The Burger King Twitter hijacking isn’t the first instance of Twitter hijacking. But it is good to examine now because it’s part of a broader trend of sustained assaults on password protection mechanisms and account hijackings. In looking at this latest event I would argue it’s time for everyone to stop looking at two-factor authentication as optional but instead necessary for social media security.

Neither Burger King nor Twitter has released details on how the hijacking occurred, but it is very reasonable to put the point of failure on the password. Whether the password was guessed, stolen or maliciously reset (using “Lost your Password” capabilities) really doesn’t matter. What does matter is that every Twitter account, no matter how prominent and important, is protected by a password and only a password.

In my July 2012 column “What to Do about Passwords: 5 Tips for Password Management in a Social Media World” I talked about ways that you can improve the security around your passwords. The first thing I recommended was to enable two-factor authentication. As a reminder, two-factor authentication provides greater security by requiring something in addition to the password (typically a code sent by text message to a registered mobile device). You can think of it as a second gate that would-be attackers have to get past if they do manage to crack the password. And typically, this second gate is secured by something that you have in your physical possession.

Unfortunately, Twitter does not provide two-factor authentication (unlike Facebook, as I outlined in my Facebook security article from May 2012). The fact that this attack against Burger King’s online presence was contained only to Twitter and not Facebook or YouTube (which also can support two-factor authentication) is telling. We can’t know if the attackers targeted other social media platforms or not. We also can’t know if Burger King was using two-factor authentication on other social media platforms and that it successfully prevented hijackings there. But we do know that there was yet another successful attack against a high profile social media platform that doesn’t support two-factor authentication.

And it’s important to step back and note that this isn’t the first time that a company or organization has seen its Twitter handle hijacked and not its other social media channels. The rate of Twitter hijackings significantly outstrips those on other social media channels. Some of this is due to Twitter being more popular: would anyone notice if your Orkut page was hijacked (though it too supports two-factor authentication)? But attackers are lazy and they go after the easy targets. Twitter’s lack of two-factor authentication makes it both an easier target and a more likely one.

And increasingly Twitter is paying the price for that. And so are its customers. Not only Burger King: within the same day, Jeep saw its handle hijacked. And scores of others before them.

We’re at a point where you should use two-factor authentication where you can.

But that also means we’re at a point where you need to reassess the risks around using social media applications that don’t support two-factor authentication. Twitter is the obvious one, but also things like LinkedIn, Pinterest and Instagram: none of these currently support two-factor authentication. And so you should really look at these as representing a higher class of risk and handle them with extra caution.

One thing that you can do to better protect these services and mitigate your risk is to use only email addresses that are under your control (like your work email) or web mail services that support two-factor authentication as your password reset addresses. GMail and Yahoo mail both offer two-factor authentication; Microsoft’s Outlook.com does not.

For instance, if you’re using Twitter, use a GMail account with two-factor authentication enabled as your password reset address. By keeping stricter control of that email account, you make it harder for an attacker to compromise your single-factor accounts through an email-based password reset.
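To make the advice above concrete, here is an added example (mine, not from the column) that models an account’s password-reset chain and reports every point where a password alone is enough: the account itself, or any mailbox behind its reset link that lacks a second factor. The services, names and inventory below are constructed for illustration.

```python
# Added example, not from the column: score an account by its password-reset chain.
# An account protected only by a password can also be taken over through the
# mailbox that receives its reset email, so the chain is only as strong as its
# weakest link. The inventory below is constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Account:
    name: str
    two_factor_enabled: bool      # is a second factor actually turned on here?
    reset_address: Optional[str]  # inventory name of the mailbox that gets reset mail


def reset_chain_weak_links(accounts: Dict[str, Account], start: str) -> List[str]:
    """Walk the reset chain *behind* `start` and list every hop that a password
    alone unlocks. A hop missing from the inventory (an address we do not
    control) is reported as weak; cycles terminate instead of looping."""
    weak: List[str] = []
    seen = {start}
    current = accounts[start].reset_address
    while current is not None and current not in seen:
        seen.add(current)
        hop = accounts.get(current)
        if hop is None:
            weak.append(f"{current} (not under our control)")
            break
        if not hop.two_factor_enabled:
            weak.append(hop.name)
        current = hop.reset_address
    return weak


def takeover_vectors(accounts: Dict[str, Account], name: str) -> List[str]:
    """Every way a password alone compromises `name`: the front door, if the
    service has no second factor, plus each weak hop in the reset chain."""
    vectors = [] if accounts[name].two_factor_enabled else ["password only"]
    vectors += [f"reset via {hop}" for hop in reset_chain_weak_links(accounts, name)]
    return vectors


# Constructed inventory: Twitter offers no second factor (as in the column),
# so what matters is the mailbox behind its reset link.
INVENTORY = {
    "twitter":  Account("twitter",  False, "gmail"),
    "gmail":    Account("gmail",    True,  None),
    "linkedin": Account("linkedin", False, "outlook"),
    "outlook":  Account("outlook",  False, "isp-mail"),
}

if __name__ == "__main__":
    for acct in ("twitter", "linkedin"):
        print(acct, "->", takeover_vectors(INVENTORY, acct))
```

The Twitter account is still password-only at the front door, but its reset chain ends at a two-factor mailbox, whereas the LinkedIn account can be reset through two further password-only hops.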

This certainly can mitigate your risk for those social media platforms you have to use that don’t support two-factor authentication. The longer-term solution is for two-factor authentication to become the standard, at least for the major platforms like Twitter, LinkedIn, Outlook.com. But so far they have pushed back saying that people don’t want that option.

And so in addition to taking steps to mitigate your risk for these platforms that offer only single-factor authentication, another thing you can do is to start asking them for that capability and helping to educate others about the importance of two-factor authentication so they can use it and ask for it too. The sooner this becomes a standard for the major social media platforms, the sooner we won’t be able to say, as Amy Rose Brown, social media manager for Wendy’s, tweeted: “My real life nightmare is playing out over on @BurgerKing”.

Christopher Budd
This monthly Social Media & Online Security column is contributed by Christopher Budd. Christopher works for Trend Micro, an Internet security company, and is an expert on communications, online security, and privacy. Christopher combines a former career as an Internet security engineer with his current career in communications to help people bridge the gap between the technical and communications realms and “make awful news just bad.” Before Trend Micro, he worked as an independent communications consultant and, prior to that, as a ten-year veteran of the security response group at the Microsoft Corporation.

Comments

  1. says

    I see your point and it is a good one, but I also see a different angle on this issue. It shows just how much venues like Twitter have evened the playing field for world communication and influence. A generation ago, who could have imagined that single hackers could cause corporate giants so much trouble so routinely? We have also seen China, Belarus, The Catholic Church and many other powerful entities quite unable to suppress unwanted dissent, as never before in history. While these tools have also helped rioters, terrorists and plain old criminals, they remain exciting. Any tool can be misused. Our hierarchical world, with its rapidly concentrating wealth and growing corporate and government power/ambition to dominate people, has also produced these Social Media tools. Hurray for the little folks!

  2. says

    I am disappointed that corporate culture wasn’t mentioned at all. The fact that corporate leaders / management do not regard social media accounts as worthy of better protection, indicates the more pressing issue is corporate culture. An organization’s security stance is a great indicator of its culture.

    Consider these 2 quotes that show a direct correlation between social media ROI and culture:

    • 80 %: internal social business efforts fail to achieve intended benefits due to Inadequate Leadership and Overemphasis on Technology. Gartner 2013

    • Just 12 % planned social media strategies + 1 year; just 34 % say companies developed clear metrics to connect their social media activity to goals like profit growth. Only 52 % agreed “Top executives are informed, engaged, and aligned with our social strategy.” Altimeter 2013

    Connect social to business goals or reconsider why your company has a social presence.
