Hijacking of AP Twitter Account Renews Calls for Two-Factor Authentication

Twitter is facing increased pressure to beef up authentication for users after the hijacking of another high-profile account yesterday caused some temporary tremors on the stock market.

The social network has reportedly been testing two-factor authentication internally; Twitter lags behind Google, Facebook, Microsoft and Apple in implementing a two-factor authentication system. Wired claimed in a report published last night that the micro-blogging giant has developed a two-step login feature. A source told Wired that Twitter plans on incrementally rolling the authentication feature out to its users as soon as internal testing wraps up.

This comes on the heels of a series of false tweets from the hijacked Associated Press Twitter account claiming that President Barack Obama had been injured in explosions near the White House. AP reporter Mike Baker tweeted that the hijacking came less than an hour after some at the AP received an “impressively disguised phishing email.” The false report caused a temporary plunge of 143 points in the Dow Jones Industrial Average.

White House press secretary Jay Carney almost immediately dispelled any concerns by announcing in a press briefing that he had just been with President Obama and that the president was perfectly fine. Once it was clear that the tweet was a fraud, Twitter and the AP quickly suspended this and other AP accounts, and, just as rapidly as it fell, the Dow Jones returned to its previous level.


The Associated Press later confirmed the compromise, saying the Syrian Electronic Army, a hacker group supporting the regime of Bashar al-Assad, had claimed responsibility for the hack, which was preceded by a phishing campaign against AP networks. Contrary to what has been widely reported, the AP did not say with any degree of certainty that the account takeover resulted from the earlier phishing campaign.

Two-factor authentication systems require users to authenticate with one mechanism, usually a password, and then with a second, usually a short-lived numeric code sent via SMS to a mobile device. There are variations on how two-factor systems work; some of the stronger ones use a physical token or even a biometric identifier as one of the factors. The reality, though, is that even a rudimentary SMS-based second factor, like those offered by Google and Facebook, would have made it much more difficult for an attacker holding nothing but a phished password to hijack AP’s Twitter account (if the AP had the feature turned on). It is not a cure-all: a phishing page that relays the victim’s one-time code to the real login form within the code’s validity window can still get in, which is one reason hardware tokens rank above SMS codes.
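To make the two-step login concrete, here is an added example (not code from the article, Twitter or the AP) of the service-side checks: a salted password hash as the first factor and an RFC 4226/6238 one-time code as the second, which is the same kind of six-digit code an SMS or authenticator app would deliver (how the code reaches the phone is out of scope). The `Account` class, the `login` function, the demo password and the use of the RFC 6238 test-vector secret are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed parameters for the demo; real deployments tune these per policy.
TOTP_STEP = 30        # seconds per code (RFC 6238 default)
TOTP_DIGITS = 6       # digits shown to the user
PBKDF2_ROUNDS = 200_000


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


class Account:
    """Hypothetical account record: salted password hash, shared OTP secret,
    and the last accepted counter so a captured code cannot be replayed."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)
        self.totp_secret = totp_secret
        self.last_counter = -1

    def check_password(self, candidate: str) -> bool:
        h = hashlib.pbkdf2_hmac("sha256", candidate.encode(), self.salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(h, self.pw_hash)

    def check_totp(self, code: str, now: int, window: int = 1) -> bool:
        """Accept the code for the current step or +/- `window` steps of clock skew,
        but never for a counter at or before the last one already accepted."""
        counter = now // TOTP_STEP
        for c in range(counter - window, counter + window + 1):
            if c <= self.last_counter:
                continue  # replay of a code that was already used
            if hmac.compare_digest(hotp(self.totp_secret, c), code):
                self.last_counter = c
                return True
        return False


def login(account: Account, password: str, code: str, now: int) -> str:
    """Two-step login. Both factors must pass; the response does not reveal
    which one failed, so a phished password alone yields no signal."""
    if not account.check_password(password):
        return "denied"
    if not account.check_totp(code, now):
        return "denied"
    return "ok"


if __name__ == "__main__":
    # RFC 6238 test-vector secret (ASCII "12345678901234567890"); demo password is made up.
    acct = Account("correct horse", b"12345678901234567890")
    print(login(acct, "correct horse", totp(acct.totp_secret, 59), 59))   # ok
    print(login(acct, "correct horse", "287082", 75))                     # denied: replayed code
    print(login(acct, "correct horse", "000000", 100))                    # denied: password only
```

The replay check is the detail most toy implementations skip: without `last_counter`, a code captured by a phishing page stays valid for the whole skew window, and the attacker can log in alongside the victim. The window itself is a trade-off between tolerating phone clock drift and shortening that exposure.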

The Syrian Electronic Army has carved out a niche with its Twitter takeovers. The pro-Syria group claimed responsibility for attacks in which it seized control of National Public Radio accounts last week and a British Broadcasting Corp. account last month, according to a New York Times report.

The collective has not limited itself to hijacking Twitter accounts and publishing alarming but untrue tweets. In September 2011, the SEA allegedly hacked into and defaced a Harvard University website in an apparent attempt to promote the embattled Assad regime. The group has reportedly taken credit for similar attacks on the Twitter accounts of Al-Jazeera English, Reuters and CBS, and may also have targeted the Qatar Foundation, FIFA, Human Rights Watch and Columbia University.

Twitter account takeovers happen all the time, but they usually involve low-skilled attackers guessing bad passwords or using automated tools to break weak ones, as opposed to the kind of targeted phishing campaign that numerous sources have suggested enabled the AP hijack. It is probably safe to say that no Twitter account takeover has caused as much grief as yesterday’s. Fox News suffered a similar breach in July 2011, when hackers took over its politics-focused Twitter account and announced that the President had been assassinated while campaigning in Iowa. That incident grabbed headlines, but its impact paled in comparison to the almost identical one that hit the AP yesterday.

“This latest attack shows just how devastating the impact of hacktivist groups can be as the fake news which was spread from AP’s compromised Twitter account was enough to cause panic on Wall Street for a few moments, making the Dow Jones index plummet by more than 150 points,” said a Kaspersky Lab spokesperson.
