On July 4, a hacker took control of one of the Twitter accounts of US broadcaster FoxNews.com and sent out several tweets announcing President Obama had been shot.
Because it was a national holiday and nobody was available at Twitter to help, Fox News only regained control of the account some hours later and by that time the original tweets had spread around the world.
Even though the original posts were eventually removed, the hashtag #ObamaDead continued, with people still resending the original message six days later.
This act was followed by another Twitter account being hacked in the UK when someone took over the account of PayPal UK and posted offensive tweets aimed at embarrassing the company.
Identity theft is increasingly common, but the hacking of a news organisation and the tastelessness of the messages sent have brought into question the perceived lack of security of Twitter. This has led several security analysts to suggest Twitter is lagging behind other services in offering robust security options.
Stepping it up
They have also argued that Twitter should make all access to the website secure by default and should also implement what is called two-step verification.
Secure connections are the easy part: you simply replace “http” with “https” in the address. Twitter doesn’t make this the default, but you can personally change this in your settings.
Two-step verification is more sophisticated. It involves logging into a service using a password and a temporary number that is provided as a phone text message or from an application running on your phone. So even if a hacker got hold of the password, it would not be possible for them to get access to the number.
Or would it?
Nobody really knows how the hackers got access to the accounts of Fox News or PayPal UK. The most likely explanation is a lack of process in handling the accounts and their passwords at both Fox News and PayPal UK, making it relatively easy to get the password details through phishing.
In 2002, the famous hacker Kevin Mitnick revealed his techniques in a book called The Art of Deception. He recounted how most of his hacks were carried out by using passwords and codes obtained through “social engineering”.
In some cases this was just by phoning a user and asking them what their password was!
Phishing is an extension of social engineering and simply involves getting users who know the password to reveal it, for example by pretending that account details need updating and asking the user to fill out their security information on a fake website.
Bruce Schneier, a well-known security expert, blogged in 2005 about the limitations of two-step verification as a means of protecting access on the internet. Although more secure than a single password, two-step verification is not immune to phishing.
It would be possible to fake a login page for Twitter and get the details of both the password and the temporary number. Schneier also described another weakness, from a so-called “Trojan-attack” – installing software on a user’s PC that is able to intercept usernames and passwords.
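To make the "temporary number" concrete, here is an added example (not code from the article, Twitter, Google or Schneier) of the time-based one-time password scheme most phone authenticator apps use, RFC 6238 TOTP with its default 30-second step and six digits; the article does not name a specific algorithm, so that choice is an assumption. The verifier shows the two properties that limit, but do not remove, the damage from a phished code: a code is only valid for a short window around the time it was generated, and a code that has already been accepted is refused if presented again. The secret and timestamp are the published RFC 6238 test values, not real credentials.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # length of the code shown to the user


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(at_time) // step)


class TotpVerifier:
    """Server side: accepts a code for the current step plus/minus `window` steps,
    and never accepts the same (or an earlier) step twice."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_accepted = -1  # highest counter value already used

    def verify(self, code: str, now: int) -> bool:
        counter = int(now) // STEP_SECONDS
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_accepted:
                continue  # replay protection: this step has already been consumed
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_accepted = c
                return True
        return False


def demo() -> dict:
    """Walk a phished code through the verifier at three moments."""
    secret = b"12345678901234567890"   # RFC 6238 test-vector secret (constructed, not a real key)
    issued_at = 59                      # RFC 6238 test-vector timestamp
    verifier = TotpVerifier(secret)

    code = totp(secret, issued_at)                       # what the user typed into a fake page
    fresh = verifier.verify(code, issued_at + 20)        # used at once: still inside the window
    replay = verifier.verify(code, issued_at + 20)       # same code presented a second time
    stale = verifier.verify(code, issued_at + 300)       # five minutes later: window has passed
    return {"code": code, "fresh": fresh, "replay": replay, "stale": stale}


if __name__ == "__main__":
    print(demo())  # {'code': '287082', 'fresh': True, 'replay': False, 'stale': False}
```

The first check succeeding is exactly Schneier's point: a code captured and relayed within its validity window is as good as the real one. The second and third checks show what the scheme does buy the defender: the stolen code cannot be reused, and it expires within a minute or two, so the attacker's opportunity is narrow rather than permanent, unlike a stolen static password.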
People are insecure
The main point that Schneier made, though, is that no security mechanism is completely secure, as people always remain the weak point in any security scheme. There is also a balance between ease-of-use and the level of security.
Google, for example, will allow a computer to remember the verification code for 30 days because of the inconvenience of having to enter the code each time you log in. Obviously this weakens the overall security offered by two-step verification.
In any organisation where an account is shared, two-step verification may be seen as too restrictive as multiple people will need to share the mechanism that generates the verification number.
Security is as much about the perception of being secure as it is about the reality of being secure. What security analysts are asking Twitter to do is to fit an alarm system, put bars on their windows and a deadlock on their door.
They are ignoring the fact that hackers can still find the front door keys under the mat.
While services such as Twitter can find ways of improving the range of security mechanisms they offer, the most effective security strategy is always going to be about how individuals deal with their personal information, including passwords.
There are basic security principles that everyone should always adopt (antivirus software, strong passwords, secure connections, etc.). But the single most important thing is to not reveal your password to anyone – nobody needs to know it – even the company whose service you are using.