Twitter sprouting an authentication liability issue
Twitter's recent appeal to media outlets to head for cover as it predicts more hacks and phishing scams, points to the fact that the social network has an authentication problem that subjects users to major risks.
Simple user names and passwords have been exposed as woeful protection for high-profile accounts, such as those that feed real-time news streams to the public.
Recent hacks of Twitter accounts belonging to Jeep, Burger King, CBS News, and the National Public Radio have brought the issue to light. But it was last week's hack of the Associated Press, and the subsequent stock market plunge, that forced Twitter to put high-profile accounts on alert, in essence, admitting that Twitter's authentication system in its current form is a risk to users.
And to accentuate the point, the Guardian newspaper in the UK was hacked over the weekend by the Syrian Electronic Army, the same group that hacked the AP.
"Anyone with hard dollars riding on such credentials [user name and password] gets what's coming to them," said Ian Glazer. "And that is exactly the funny thing about AP — there were no dollars flowing. But what was flowing was credibility and trust. When trust is flowing, regardless if that flow is actually money or perceived value, you've got to assess risk and protect accordingly."
In this situation, Glazer said that a good assessment should have made the true risks clear to the AP.
Twitter's current authentication system is considered a Level 1 credential in terms of the National Institute of Standards and Technology (NIST) rating because there is no identity verification of the user creating the account. The NIST rating has four levels. A multi-factor credential would be considered a Level 3 credential, which requires proof of possession of a second factor credential. For sake of comparison, Level 4 requires in-person identity proofing.
In addition to Twitter, the AP incident has commanded the attention of the financial and legal community. The FBI, the Securities and Exchange Commission, and the Commodity Futures Trading Commission (CFTC) are investigating the AP hack.
Bart Chilton, a commissioner with the CFTC, is calling for cybersecurity rules for companies that have social media accounts, however those rules would not cover media outlets like the AP.
In a memo sent on Monday, Twitter asked for help in protecting high-profile accounts, asking media members to take certain steps to protect themselves in ways Twitter cannot on its own. "Please help us keep your accounts secure...," the memo began.
Twitter suggested that users create long passwords, of at least 20 characters, and to change their passwords often. It also suggested keeping email accounts secure with strong passwords, not to reuse passwords, and to review Twitter applications authorized to access their accounts.
Twitter also made the highly unusual step of suggesting media members on Twitter use the social networking site on a dedicated computer that is not used for email or web surfing so as to negate malware and phishing.
But no amount of password configuration policy or changing of passwords on short intervals can do much to thwart phishing scams. That strategy is akin to "run for your life".
"The attacks are social engineering, so what is the point of long passwords that are easy to capture," said Mark Diodati, a long-time identity and access management analyst, and now a member of the CTO office at Ping Identity. "The risk level has changed so much for Twitter that it must adapt."
So why is Twitter relying more on pleas for users to change their behavior than on engineering for its authentication system?
The company is said to be exploring two-factor authentication, but there are several issues that may be holding it back. One being that while two-factor authentication is a step up, it is not a cure-all.
While it does improve security, it raises other security and usability issues. Phishing websites can conceivably capture both authentication factors and multi-factor authentication fails with accounts that are shared among users. Sharing most often happens with branded Twitter feeds, like those of media outlets and major companies. Forrester analyst Eve Maler explained the issue earlier this month in a blog post about "consensual impersonation".
Glazer said that Twitter could use geo-location data to calculate the likelihood that a tweeter is authentic. If there is a question, a one-time passcode, the second factor, could be sent to a registered device. But there are major drawbacks.
"False positives can be a total pain here," Glazer said. "Consider that companies outsource access to the Twitter account. What happens when someone on the company's marketing team wants to get a tweet out there and they are in a different city than the PR team? Whose device should get the OTP? What is the user experience like?"
In the interim, Twitter is left to appeal to its users to alter their habits and take unusual steps to protect their accounts. And companies will have to balance their reputations on a thin line knowing they have marginal defenses against hackers who have Twitter in their sites.
Twitter had not responded to ZDNet's questions at the time of writing.
Disclosure: Mark Diodati and John Fontana both work for the same employer.