Reconsidering Twitter After AP Hack

April 25, 2013

The Dow Jones Industrial Average fell precipitously Tuesday after a group of pro-Syrian hackers took control of an Associated Press Twitter account and tweeted that U.S. President Barack Obama had been injured in a series of explosions near the White House.


Many Americans view the Dow Jones as a sort of scoreboard for the U.S. economy. Whether or not the incredibly simple and, some argue, deeply flawed industrial average is an accurate indicator of the health of the U.S. economy is completely up for debate. It was created in 1896 and can be calculated by any 13-year-old with a calculator and an elementary school education, but, good benchmark or bad, the idea that a tweet, and a fraudulent one at that, could cause such a stir on the New York Stock Exchange is alarming to say the least.

This is, without question, the most impactful Twitter account hijack in the history of humankind (feel free to comment away if you disagree). Think about it: has any other Twitter takeover even come close? The world barely blinked when Fox News's politics-specific Twitter handle announced last summer that President Obama had been assassinated on the campaign trail in Iowa. Similar episodes have taken place at other news sources, and any number of widely followed Twitterers have sat nervously by as an attacker took control of their account and used it to spread misinformation. In general, account hijacks lead to embarrassment, and nobody likes to be humiliated, but in the grand scheme, embarrassment is not too big a deal.

Yesterday something altogether different happened, because when the Dow drops, people lose money. Worse yet, in the current Wall Street environment, with all its high-frequency trading, when the Dow goes back up, people lose money again, and the people who lost money when the Dow dropped don't necessarily get that money back when the Dow rises again. Such is the nature of Wall Street in the 21st century. In fact, we were lucky yesterday that the AP and Twitter were so quick to announce that the tweet was a fake. A sharper, slightly longer drop-off for the Dow could have had devastating effects on the global economy.

Twitter can be dangerous even in a world where account takeovers do not exist, which is why it is increasingly important that you check your facts. Many a news source has gotten egg on its face by reporting false information via Twitter. CNN and other prominent media companies practically put on a clinic on the dangers of Twitter (and bad journalism) as they repeatedly posted incorrect information in the week that followed the tragic marathon bombings in Boston, Massachusetts.

Still don't believe Twitter can do serious damage? Ask former U.S. Representative Anthony Weiner. The once-promising young Democrat derailed his career in politics after using Twitter's private direct-messaging service to send inappropriate pictures of himself to a number of women who weren't his wife. Weiner hilariously tried to claim that his account had been hijacked. It hadn't been.

Another large problem is that Twitter, unlike Google, Facebook, and even Apple, does not yet offer two-factor authentication (though Wired reported last night that it soon will). Two-factor authentication systems do exactly what it sounds like they do: they require users to authenticate themselves with one mechanism, usually a password, before asking them to authenticate themselves again with a second mechanism, usually a numeric code sent via SMS to a pre-established mobile device. There are variations on how two-factor systems work. Some of the better ones include a physical token or even a biometric identifier as one of the factors. The reality, though, is that even a rudimentary SMS-based second factor, like those used by Google and Facebook, would have made it much more difficult for any attacker to hijack the AP's Twitter account (if the AP had the feature turned on).
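To make the description above concrete, here is an added example of what a two-factor login looks like on the server side. It is not Twitter's, Google's or Facebook's code and is not taken from the original post; the user record, the password, the secrets and the helper names are all constructed for the example. The first factor is a password checked against a salted PBKDF2 hash; the second factor is either an SMS-style one-time code (random, short-lived, single-use) or, going one step beyond the SMS case the post describes, a time-based code from an authenticator app or hardware token as standardized in RFC 6238. The point the code makes is that the second factor is only consulted after the password succeeds, every code is compared in constant time, and a code cannot be replayed.

```python
"""Added example: a minimal two-factor login flow (constructed, not any real service's code)."""
import hashlib
import hmac
import secrets
import struct

PBKDF2_ROUNDS = 200_000


# ---- first factor: password ---------------------------------------------------

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). A fresh random salt is drawn when none is supplied."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# ---- second factor, variant A: SMS-style one-time code ------------------------

class SmsCodeStore:
    """Issues 6-digit codes that expire after `ttl` seconds and may be used once."""

    def __init__(self, ttl: int = 300):
        self.ttl = ttl
        self._pending = {}  # user -> (code, expiry timestamp)

    def issue(self, user: str, now: float) -> str:
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, never random.randint
        self._pending[user] = (code, now + self.ttl)
        return code  # a real system hands this to the SMS gateway, not the caller

    def verify(self, user: str, candidate: str, now: float) -> bool:
        # Consumed on any attempt: a wrong guess also burns the code, which caps
        # online guessing at one try per issued code.
        entry = self._pending.pop(user, None)
        if entry is None:
            return False
        code, expires = entry
        if now > expires:
            return False
        return hmac.compare_digest(code, candidate)


# ---- second factor, variant B: TOTP (RFC 6238) over HOTP (RFC 4226) -----------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret: bytes, candidate: str, at: float, window: int = 1) -> bool:
    """Accept the current 30 s step plus `window` steps either side for clock drift."""
    counter = int(at) // 30
    return any(hmac.compare_digest(hotp(secret, counter + d), candidate)
               for d in range(-window, window + 1))


# ---- putting the two factors together -----------------------------------------

def login(user, password: str, second_factor: str, now: float, sms_store=None) -> str:
    """Return 'ok', 'bad-password' or 'bad-second-factor'.

    The second factor is checked only after the password succeeds, so a stolen
    password alone never gets as far as the account."""
    salt, digest = user["password"]
    if not check_password(password, salt, digest):
        return "bad-password"
    if user.get("totp_secret") is not None:
        ok = verify_totp(user["totp_secret"], second_factor, now)
    else:
        ok = sms_store is not None and sms_store.verify(user["name"], second_factor, now)
    return "ok" if ok else "bad-second-factor"


if __name__ == "__main__":
    # Constructed account: the password and TOTP seed are sample values only.
    seed = b"12345678901234567890"
    account = {"name": "newsdesk", "password": hash_password("correct horse"), "totp_secret": seed}
    print(login(account, "correct horse", totp(seed, 59), 59))    # ok
    print(login(account, "correct horse", "000000", 59))          # bad-second-factor
```

The `totp` function reproduces the RFC 6238 test vectors for the 20-byte ASCII seed `12345678901234567890` (for example `287082` at Unix time 59), which is a quick way to confirm an implementation before trusting it with real seeds. The SMS variant's single-use rule means an attacker who phishes a code has to use it before the legitimate user does, and the expiry keeps an intercepted code from being useful later.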

Don't get me wrong: I love Twitter and believe that it is one of the truly great things ushered in by the Internet age, but, like most great tools, it is potentially destructive in the wrong hands or when used improperly.

By all means, keep tweeting, but be careful. Thankfully, the super-smart Kaspersky Lab researchers at Securelist were kind enough to give us a list of precautionary measures to consider before signing into Twitter.

Users should run a trusted Internet security solution that includes a firewall, anti-malware protection and advanced detection technologies such as heuristic analysis and exploit prevention. They should keep their operating system, browsers and software up to date. Always use an encrypted connection (HTTPS) when sending any confidential data. Do not store passwords in a file on your computer or in your browser. Remember to use strong, unique passwords and change them frequently. Don't log in to anything when connected over public Wi-Fi. Never give your password(s) to someone else, especially if that someone is asking for them online (as opposed to in person).

For what it's worth, the group that claimed credit for this attack, known as the Syrian Electronic Army, is also believed to have been responsible for a number of other similar attacks on National Public Radio, Reuters, FIFA, the Qatar Foundation, Harvard University and others. It is a hacktivist group supporting the regime of Bashar al-Assad, and I am certain that you'll be hearing more from it in the coming months.