Twitter has suffered two major security breaches that have exposed the login credentials of hundreds of thousands of its users. In response to these incidents, a number of additional security controls have been considered. The best solution was deemed to be the addition of a two-step authentication process.
This will not guarantee that another data breach is prevented, but it will make it a lot harder for hackers to gain access to login credentials. The new controls are likely to put off all but the most skilled and determined cybercriminals from attacking Twitter in the future, since there will be much easier targets for them to attack.
Two-step authentication is an important security control. In order to create an account, a user must sign up and create a login name and a password. The second step in the process, which will shortly be added to Twitter, is the requirement to have a code sent to an email address, mobile phone or the Twitter app.
The additional control will log the user’s device. If another device is used to log in, another code will be sent to the app, phone or email account used to register. If the code is not entered, access to the account will not be permitted.
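As an added illustration, not Twitter's implementation (the article gives no details of it), the following Python sketch shows the known-device check and one-time code step described above. The code sender callback, the device identifier presented by the client, the five-minute code lifetime and the attempt limit are all assumptions.

```python
"""Added example: second-step login after the password has been verified.
Assumed: device_id is an identifier the client presents (e.g. a cookie set on
first trusted login); send_code delivers the code by email, SMS or app."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed lifetime of a one-time code
MAX_ATTEMPTS = 5         # assumed limit: a 6-digit code is guessable without one


class SecondStepLogin:
    def __init__(self, send_code, now=time.time):
        self.send_code = send_code  # callable(user, code) -> None
        self.now = now              # injectable clock, so expiry can be tested
        self.trusted = {}           # user -> set of device ids seen and verified
        self.pending = {}           # user -> [code_hash, expires_at, attempts]

    def begin(self, user, device_id):
        """Call after the password check. Returns True if login is complete,
        False if a code has been sent and verify() must succeed first."""
        if device_id in self.trusted.get(user, set()):
            return True
        code = f"{secrets.randbelow(10**6):06d}"
        code_hash = hashlib.sha256(code.encode()).hexdigest()
        # Only the hash is stored; a leaked pending table does not reveal codes
        # outright, and TTL plus attempt limit bound online guessing.
        self.pending[user] = [code_hash, self.now() + CODE_TTL_SECONDS, 0]
        self.send_code(user, code)
        return False

    def verify(self, user, device_id, code):
        """Check a submitted code; on success the device becomes trusted."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        code_hash, expires_at, attempts = entry
        if self.now() > expires_at or attempts >= MAX_ATTEMPTS:
            del self.pending[user]   # expired or exhausted: force a fresh code
            return False
        entry[2] += 1
        submitted = hashlib.sha256(code.encode()).hexdigest()
        if not hmac.compare_digest(code_hash, submitted):
            return False
        del self.pending[user]
        self.trusted.setdefault(user, set()).add(device_id)
        return True
```

A real deployment would persist the trusted-device list and pending codes server-side and tie the device identifier to a signed cookie rather than a client-chosen string.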
Wired.com has recently reported that Twitter is in the process of testing the new security measure before making it live. Once testing has been completed it will be rolled out to all accounts. This will not come a moment too soon. Cybercriminals are targeting social media networks, and if security measures are inadequate, data breaches will be suffered.
Social Media Networks are an Attractive Target for Cybercriminals
The networks are a big target for hackers and cybercriminals. The data stored in user accounts can be considerable. The data can be used to conduct highly effective spear phishing campaigns. With detailed information about each user, those campaigns can be very convincing.
Criminals can use stolen data to craft emails that the user is likely to respond to. They can find out who the user’s contacts are and make an email appear to have been sent by a friend. That makes it far more likely that the target will click a phishing link or open an infected attachment.
Not only that, passwords are often shared across websites. Many people use the same password for Twitter as they do for their online banking and for work. One single password could potentially give a criminal access to much more than a social media account.
Phishing emails are being sent with increasing regularity
In the first half of 2012, phishing attacks are estimated to have increased by 19%. Many criminals still use email as the vector of choice, but many are now targeting social media networks. Criminals are finding it is easier to use Facebook and Twitter to get users to click on links to phishing websites. People even unwittingly share phishing links with their friends, helping the attacker infect more machines and steal more passwords.
Phishers are targeting individuals, but many are after a much bigger prize. If a user’s work computer is compromised, it can give the attacker a way into the corporate network. In fact, businesses are increasingly being targeted with phishing campaigns.
These campaigns are far more sophisticated than in years gone by. The emails and social media posts are much harder to identify, and many employees are convinced to (unwittingly) download malware and viruses.
Unfortunately, many businesses are still not addressing the risk and have failed to implement adequate security controls. Some employees have not even been trained how to identify a phishing email!
Unless greater investment is made in improving security protections, and further training is provided to staff, it will only be a matter of time before a network is compromised, customer data is stolen, and corporate secrets are sold to the highest bidder.