UPDATE 17 June 2013: WordPress now provides 2-factor authentication – enable it if you blog at wordpress.com OR have a self-hosted WordPress blog and want to protect your stats.
UPDATE 23 May 2013: Twitter has just enabled 2-step (also called 2-factor) authentication.
You can read more about it on their blog, and as per my recommendations below, I suggest you go and turn this feature on NOW!
Quick steps to enable this for your Twitter account:
1. Visit your account settings page.
2. Scroll down towards the bottom and select “Require a verification code when I sign in.”
3. Click on the link to “add a phone” and follow the prompts (you will need your phone with you during sign-up).
4. After you enrol in login verification, you’ll be asked to enter a six-digit code that Twitter sends to your phone via SMS each time you sign in to twitter.com.
Importantly, the account you prevent from being hacked may be your own or the one you run for your company.
This post was originally written following the amazing news that the Associated Press Twitter feed was hacked in April 2013, driving a 143-point fall in the Dow Jones industrial average from a single (false) tweet.
There was also some discussion that automated trading platforms that take signals from Twitter feeds such as AP’s had “mini crashes” as they were programmed to react to bad news like this from trusted and verified sources.
The AP later confirmed the hack via an alternate account, and the White House confirmed the President was unharmed.
What this points to is that the Twitter feeds of news organisations, and in fact of any company, have become mission critical.
This attack is a timely reminder to review what security processes you have in place for your personal and corporate social media accounts.
TechCrunch reported that the hack was preceded by a phishing attack on AP reporters. This is a simple “social engineering” trick which asks someone to click on a link, and in this case the person who clicked on the link may have unwittingly given the password for the main AP Twitter account to the hackers.
What is needed to stop simple hacking exploits such as this is better login and account security on social media platforms.
Facebook already offers this, and I have the feature turned on (they call it login approvals) for my personal account.
You should read how to do this, and I recommend you enable it today.
Google also offers this feature (called 2-step), and this can be applied to all Google products, including your Google account, Gmail, YouTube and Google+. If you don’t want to get hacked, turn this on today – read how on the 2-step site.
If you run a WordPress blog, you should also turn on this feature. I have it enabled on all of my personal blogs.
I use a plugin and service provided by Duo Security. They have a sophisticated mobile app for most platforms (including BlackBerry 10) which allows you to authenticate your access via SMS, phone call or “Duo Push”, which is unique to Duo.
In fact I suggest you start with your WordPress blog, as you can then add the 3rd party codes to the same app and run almost every service via Duo.
Adding this plugin has also thwarted the latest WordPress botnet attack, as without the right code you can’t get in.
Personally, I have 2-factor enabled on all services that allow it, including Cloudflare, Amazon S3, Apple and Dropbox (the links take you to instructions on how to enable on each platform) – and you can use the Duo app above to enroll all of these services – even Facebook. Read how to do this on the Duo 3rd party page.
It gives me some extra peace of mind that my accounts will be harder to hack, and if someone does get my password through a smart phishing attack, they will still have to pass the 2-factor authentication test. Furthermore, unless they have access to my mobile phone which generates these one-time codes, just like a banking “dongle” or RSA SecurID token, my accounts are probably pretty safe.
If you run the social media accounts for your company, or personally, consider switching to 2-factor authentication today.
As soon as Twitter offers 2-factor, I am turning this feature on. I just hope they end up using the Google Authenticator option so I can keep most of my 2-factor codes in the one place.
There is the slight inconvenience when I log in, but the 10 extra seconds it takes to grab the code from my phone (which is always with me) is much less than the reputation damage and clean-up I would need to go through if someone hacked one of my social media accounts and started tweeting nasty things at me.