By Jamie Haggett
I’m sure you’ve watched the news in the last few months and have seen a ton of high-profile hacks on Twitter, including big brands such as Jeep, Burger King, and most recently the Associated Press (AP). I think the average person outside of the computer world is left wondering a few things:
- How and why are these accounts being hacked? I would assume these organizations would have nice long, complex passwords to protect their accounts, wouldn’t you?
- If they can’t keep themselves safe, how am I expected to?
- What is this two-factor authentication thing I keep hearing about and will it keep me safe?
Reasons why Twitter accounts are routinely hacked
There are many reasons why Twitter accounts are routinely hacked. It could be something as simple as someone wanting to spread misinformation for amusement, or it could be something as nefarious as a smear campaign against a particular individual or company. This is not only damaging to the organization or individual; in some cases, like the AP account compromise, it actually sent the US stock market into a temporary tailspin. As you can imagine, a temporary dip in the stock market is a huge opportunity for profit.
Twitter hacks highlight a much bigger problem around password security. You could have the longest, most complicated password ever, but if you click on a malicious URL, or on a web address crafted to mislead you into thinking you are logging into Twitter, and then enter your password, you’ve essentially bypassed any security you had around that password – simply by handing it to a bad guy.
Common social engineering tactic
This is an incredibly common social engineering tactic used on Twitter today. A cybercriminal sends you a “Direct Message” from the account of someone you follow, an account that has itself already been compromised, and uses it to hack yours. The message can disguise itself with something as simple as: “Hey, I saw this hilarious picture of you!” followed by a link to a malicious website. This tactic was widely successful with email viruses back in the day and continues to be successful on social media today.
Another common way to capture your password is to compromise a website or service that doesn’t have the same security controls as Twitter. If you use the same password across multiple services, this will quickly be exploited by automated software designed to try the stolen username/password combinations across many websites and social media services.
So how can we protect ourselves against this?
There are multiple ways we can help prevent our social media accounts from being compromised. A simple first step is to use a different password on every service you use. You’re probably thinking, “Awesome, but there is no way I can remember all of these passwords. It’s not realistic!” And I totally agree with you. There is a beautiful technology that solves this problem called a password manager. I am going to be a bit biased here – Trend Micro offers a great consumer product called DirectPass to manage your passwords across devices. It is inexpensive and designed to manage your passwords so that you don’t have to.
There are multiple high-quality password managers on the market today that are easy to use and understand, and very affordable. Investing in one is probably the second best security investment you can make for your computer, after a well-known, trusted Internet security product.
The other solution big social media outlets are rolling out right now is something called two-factor authentication. While the security nerds out there are well versed in this technology, the average computer user has likely heard of it, but has no clue how it works or how to set it up. I’m going to attempt to clear the muddy waters here…
Two-factor authentication (the most common form of what is more broadly called multi-factor authentication) is a method in which you need to provide two or more things to log into a service. The most common implementation we see of this today is one where you have to provide both your password and an answer to a question or two that should be known only to you, such as your first grade teacher’s name.
While this seems great in theory, any half-decent social engineer could learn this information about you and circumvent it. Another implementation of two-factor authentication, and in my opinion the easiest, uses something you have on you at all times to send you a unique number. A good example of something most of us carry at all times these days is a trusty mobile phone!
It works like this…
When you log into your account, you type your username and password as usual, but a second, one-time password is then sent to you via text message, and you have to enter that as well. It is generated fresh each time you log in from a new browser, device, or PC. Unless you have both your password and this unique number, you will not be able to log in. The beauty is that even if your password is stolen, the bad guys still can’t log in unless they also have your mobile phone!
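To make that flow concrete, here is a small Python model of the server side of a text-message second step. It is an added illustration, not code from this post or from Twitter, Google or Facebook’s real systems; the user store, the “texted” codes and the device ids are constructed stand-ins. It also shows the checks a real service adds on top of the basic idea: the code expires, works once, stops after a handful of wrong guesses, and is only skipped for a device that has already passed it.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed sample user store: a real service keeps salted password hashes, not plaintext.
PASSWORDS = {"alice": "correct-horse"}
CODE_TTL = 300          # seconds a texted code stays valid
MAX_TRIES = 5           # wrong guesses allowed before the code is thrown away
pending = {}            # user -> PendingCode waiting for the second step
trusted_devices = {}    # user -> set of device ids that already passed the second step
sms_outbox = []         # stand-in for the SMS gateway: (user, code) pairs that would be texted

@dataclass
class PendingCode:
    code: str
    expires_at: float
    used: bool = False
    attempts: int = 0

def _same(a: str, b: str) -> bool:
    # Constant-time comparison so a guess cannot be timed against the real value.
    return hmac.compare_digest(a.encode(), b.encode())

def start_login(user: str, password: str, device_id: str) -> str:
    """Step 1: check the password. A device that already completed the second step gets in;
    any other device triggers a fresh six-digit code sent to the user's phone."""
    if not _same(password, PASSWORDS.get(user, "")):
        return "denied"
    if device_id in trusted_devices.get(user, set()):
        return "logged_in"
    code = f"{secrets.randbelow(10**6):06d}"          # new random code on every attempt
    pending[user] = PendingCode(code, time.time() + CODE_TTL)
    sms_outbox.append((user, code))
    return "code_required"

def finish_login(user: str, code: str, device_id: str, now=None) -> str:
    """Step 2: the code must match, still be within its lifetime, and never have been used."""
    now = time.time() if now is None else now
    entry = pending.get(user)
    if entry is None or entry.used or now > entry.expires_at:
        return "denied"
    if not _same(code, entry.code):
        entry.attempts += 1
        if entry.attempts >= MAX_TRIES:
            entry.used = True                           # too many guesses: code is burned
        return "denied"
    entry.used = True                                   # single use: a replayed code fails
    trusted_devices.setdefault(user, set()).add(device_id)
    return "logged_in"
```

Someone holding only the stolen password reaches "code_required" and no further, which is exactly the property described above.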
This is a security technology that Google and Facebook have both rolled out, and I highly recommend you set it up. Following quite a few high-profile hacks, Twitter has also announced that it will be rolling out two-factor authentication very soon.
Be skeptical online. If it seems too good to be true, it likely is. If you get a vague, unexpected direct message from someone, put on your skeptic hat and maybe give the person a call to see if they actually sent you a bizarre link pointing to a photo of you.
Keep safe out there.
I work for Trend Micro and the opinions expressed here are my own.