We interrupt this month’s planned part two of Social Media and Online Security: Whose Pictures Are They Anyway? to focus on a more immediate, newsworthy event: last week’s hijacking of the Burger King Twitter handle (we’ll be back to our regularly scheduled column next month).
The Burger King Twitter hijacking isn’t the first instance of Twitter hijacking. But it is worth examining now because it’s part of a broader trend of sustained assaults on password protection mechanisms and account hijackings. Looking at this latest event, I would argue it’s time for everyone to stop treating two-factor authentication as optional and start treating it as necessary for social media security.
Neither Burger King nor Twitter has released details on how the hijacking occurred, but it is very reasonable to put the point of failure on the password. Whether the password was guessed, stolen or maliciously reset (using the “Lost your Password” capability) really doesn’t matter. What does matter is that every Twitter account, no matter how prominent and important, is protected by a password and only a password.
In my July 2012 column “What to Do about Passwords: 5 Tips for Password Management in a Social Media World” I talked about ways that you can improve the security around your passwords. The first thing I recommended was to enable two-factor authentication. As a reminder, two-factor authentication provides greater security by requiring something in addition to the password (typically a one-time code sent by text message to a registered mobile device). You can think of it as a second gate that would-be attackers have to get past even if they do manage to crack, steal or reset the password. And typically, this second gate is secured by something that you have in your physical possession.
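To make the “second gate” concrete, here is an added example (not code from the original column, and not any platform’s real implementation) of a login flow in which a correct password only earns the user a one-time code delivered out of band. The usernames, passwords, phone number, salt and the `SMS_OUTBOX` list standing in for an SMS gateway are all constructed for the example. It also shows the checks a practitioner would want on that second gate: the code expires, is single-use, and is limited to a handful of guesses so that a six-digit space cannot simply be brute-forced.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # a code sent by text is only good for five minutes
MAX_ATTEMPTS = 5        # after five wrong guesses the challenge is thrown away


def _hash_password(password, salt):
    # Salted PBKDF2 so that a stolen user table does not hand over passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user store for the example; nothing here is a real credential.
_SALT = b"example-salt-not-for-production"
USERS = {
    "brandaccount": {
        "pw_hash": _hash_password("correct horse battery staple", _SALT),
        "phone": "+15555550100",   # hypothetical registered mobile device
        "two_factor": True,
    },
}

# Stand-in for the SMS gateway: a real system would hand the code to a carrier
# API here. The user (or the test) reads the code from this list.
SMS_OUTBOX = []

# Outstanding second-factor challenges, keyed by username.
_PENDING = {}


def check_password(username, password):
    user = USERS.get(username)
    if user is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        _hash_password(password, _SALT)
        return False
    return hmac.compare_digest(user["pw_hash"], _hash_password(password, _SALT))


def login_password_step(username, password, now=None):
    """First gate. Returns 'ok', 'code_sent' or 'denied'."""
    now = time.time() if now is None else now
    if not check_password(username, password):
        return "denied"
    user = USERS[username]
    if not user["two_factor"]:
        return "ok"  # single-factor account: the password alone opens the door
    code = f"{secrets.randbelow(10**6):06d}"
    _PENDING[username] = {
        "code_hash": hashlib.sha256(code.encode()).digest(),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    SMS_OUTBOX.append((user["phone"], code))
    return "code_sent"


def login_code_step(username, code, now=None):
    """Second gate. Returns 'ok' or 'denied'. The code is time-limited,
    guess-limited and consumed on success so it cannot be replayed."""
    now = time.time() if now is None else now
    challenge = _PENDING.get(username)
    if challenge is None:
        return "denied"
    if now > challenge["expires"]:
        del _PENDING[username]
        return "denied"
    challenge["attempts"] += 1
    if challenge["attempts"] > MAX_ATTEMPTS:
        del _PENDING[username]
        return "denied"
    supplied = hashlib.sha256(code.encode()).digest()
    if hmac.compare_digest(challenge["code_hash"], supplied):
        del _PENDING[username]  # consume the code; a second use must fail
        return "ok"
    return "denied"


if __name__ == "__main__":
    # Walk the flow once: password alone is not enough, password plus code is.
    print(login_password_step("brandaccount", "correct horse battery staple"))
    phone, code = SMS_OUTBOX[-1]
    print(f"code sent to {phone}")
    print(login_code_step("brandaccount", code))
```

The point of the example is the shape of the flow, not the details: an attacker who guesses, steals or resets the password still ends at `code_sent` and never reaches `ok` without the device the code went to. The same structure applies whether the second factor is an SMS code, an authenticator app or a hardware token.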
Unfortunately, Twitter does not, as of this writing, provide two-factor authentication (unlike Facebook, as I outlined in my Facebook security article from May 2012). The fact that this attack against Burger King’s online presence was contained to Twitter and did not reach Facebook or YouTube (which also supports two-factor authentication) is telling. We can’t know whether the attackers targeted other social media platforms. We also can’t know whether Burger King was using two-factor authentication on those other platforms and it successfully prevented hijackings there. But we do know that there was yet another successful attack against a high-profile social media platform that doesn’t support two-factor authentication.
And it’s important to step back and note that this isn’t the first time that a company or organization has seen its Twitter handle hijacked while its other social media channels were left alone. The rate of Twitter hijackings significantly outstrips those on other social media channels. Some of this is due to Twitter being more popular: would anyone notice if your Orkut page was hijacked (though it too supports two-factor authentication)? But attackers are lazy and go after the easy targets. Twitter’s lack of two-factor authentication makes it both an easier target and a more likely one.
And increasingly Twitter is paying the price for that, and so are its customers. Not only Burger King but, within the same day, Jeep saw its handle hijacked. And scores of others before them.
We’re at a point where you should use two-factor authentication where you can.
But that also means we’re at a point where you need to reassess the risks around using social media applications that don’t support two-factor authentication. Twitter is the obvious one, but also things like LinkedIn, Pinterest and Instagram: none of these currently support two-factor authentication. And so you should really look at these as representing a higher class of risk and handle them with extra caution.
One thing you can do to better protect these services and mitigate your risk is to make sure the password reset address for each of them is either an email address under your control (like your work email) or a webmail account that supports two-factor authentication. Whoever controls the reset mailbox can reset the password, so that mailbox is the real gate for a single-factor account. GMail and Yahoo mail both offer two-factor authentication; Microsoft’s Outlook.com does not.
For instance, if you’re using Twitter, use a GMail account with two-factor authentication enabled as your password reset address. By keeping tighter control of the email account, you make it harder to compromise your single-factor accounts through email-based password resets.
This certainly can mitigate your risk for those social media platforms you have to use that don’t support two-factor authentication. The longer-term solution is for two-factor authentication to become the standard, at least for the major platforms like Twitter, LinkedIn, Outlook.com. But so far they have pushed back saying that people don’t want that option.
And so in addition to taking steps to mitigate your risk on these platforms that offer only single-factor authentication, another thing you can do is to start asking them for that capability and to help educate others about the importance of two-factor authentication so they can use it and ask for it too. The sooner this becomes a standard for the major social media platforms, the sooner we won’t be able to say, as Amy Rose Brown, social media manager for Wendy’s, Tweeted: “My real life nightmare is playing out over on @BurgerKing”.