Following several recent high-profile Twitter account hacks, including those of the Associated Press, the Financial Times and the satirical site The Onion, Twitter last week rolled out an optional two-factor login to give its users added security. But some experts say most social networkers are unlikely to bother using it.
Last month, hackers posted a tweet from the AP’s account — “Breaking: Two Explosions in the White House and Barack Obama is injured” — sending the Dow plunging 145 points. “Twitter was designed as a consumer toy to tell friends what you had for lunch,” says Johannes B. Ullrich, chief research officer for the SANS Institute, a nonprofit security research group, “not to spread news that affects stock markets.” (Twitter did not respond to requests for comment.)
The new verification system brings the security of Twitter accounts more in line with the power a tweet can wield. By registering a mobile phone number, account holders receive a six-digit code via text message every time they log into their account. “We occasionally hear from people whose accounts have been compromised by email phishing schemes or a breach of password data elsewhere on the web,” Jim O’Leary, a member of the site’s security team, wrote in a blog post. Twitter’s new system would help prevent that from happening, O’Leary wrote.
Trouble is, many consumers consider it too much of a hassle to wait for a text message to log in to their Twitter, Facebook or Google account, experts say. (Facebook and Google already offer the mobile-phone log-in option, and evidence suggests that few use it.) If social networks made it mandatory for consumers to hand over mobile phone numbers for extra authentication, “consumers would rebel and drop them like a hot potato,” says Adrien de Beaupre, a senior information security consultant with Intru-Shun.ca, an independent IT security consulting firm in Canada. “They tend to dislike or even circumvent features intended to protect them.” To be fair, this doesn’t apply only to social networks: only eight of the country’s 25 largest financial institutions require a separate authentication log-in by mobile phone, according to a recent survey by Javelin Strategy & Research, a consultant for the financial services industry.
Ironically, one reason mobile-phone security measures haven’t caught on is that users don’t quite trust their social networks. While big companies and celebrities are concerned about hackers getting access to their accounts on social networks, most consumers are more concerned about how much access the social networks themselves have to their private data, studies suggest. Nearly 84% of people worry that a social networking site will steal or misuse their information, according to a 2012 survey by security firm Avira, which has a vested interest in online security. One-quarter of the 2,710 people surveyed said they fear Facebook will improperly use their data, and 19% were worried about Google, while only 2% felt the same way about Twitter.
But refusing to take advantage of added security measures could be costly for consumers, experts say. Twitter, for instance, recently allowed American Express card holders to link their accounts to Twitter to make purchases using a special hashtag — meaning a hacker who gets into your Twitter account could also gain access to your credit card. “If you care about the security of your Twitter account, you should enable the mobile-phone [account-verification] function immediately,” says Chester Wisniewski, senior security adviser at Sophos, an online security consultancy. “I think the trade-off is worth making.”
One way to get more people to protect themselves, of course, would be to make two-factor log-ins mandatory. “The primary problem with two-factor authentication is that many services make it optional,” says Mike Weber, managing director of IT security business Coalfire Labs. “Two-factor authentication has the drawback of low user-acceptance rates. Until it becomes the standard, there’s going to be user-community rejection of it.” But as sites like Twitter and Facebook ramp up their anti-hacking security efforts, consumers may have little choice. “Two-factor authentication will eventually become mandatory for sites of higher value, such as banking, credit cards, online shopping and social networking,” says Kurt Baumgartner, principal security researcher at Kaspersky Lab, an antivirus company.
In the meantime, there are simple things that consumers can do to limit their risk of getting hacked — like password-protecting the phone itself, says Adam Levin, co-founder of online security company Identity Theft 911. “Is your Twitter account linked to your AmEx? Log out and never click the box asking the app to save your user ID and password,” he says. And, Levin adds, be wary of scammers using the names of popular apps. Last year, fake software disguised as the game Angry Birds, distributed through third-party app stores for Android, infiltrated many smartphones. (Rovio Entertainment, the maker of Angry Birds, had no connection with the fake app; the company did not respond to requests for comment.) The rogue app quietly sent out a text message in order to trigger a string of premium-rate replies, costing victims around $8 per text.