The Public Eye with Eric Chabrow

Social Media Needs 2-Factor Authentication
Moving Beyond Password, Username for Social Media Accounts

A 143-point drop in the Dow Jones Industrial Average proves the power of social media and the havoc it can cause when an account gets hacked.

Hackers compromised an Associated Press Twitter account on April 23, falsely tweeting about 1 p.m. EDT that two explosions at the White House injured President Obama. That news caused the Dow index to sink by nearly 1 percent in minutes. When word surfaced that the tweet was a fake, the stock market quickly rebounded.

A group called the Syrian Electronic Army, which seems sympathetic to the Syrian government, took credit for the attack. Its English-language website lists the AP hack under the label "Latest Penetrations." Here's how the Syrian Electronic Army characterizes the tweet:

"AP Twitter feed was hacked today by the Syrian Electronic Army. SEA published a false news about an explosion in the White House and Obama got injured. This small tweet created some chaos in the United States in addition to a decline in some U.S. stocks."

The group also has taken credit for attacks against the Twitter accounts of CBS and NPR as well as NPR's online news site.

On the hijacking of the Associated Press Twitter account, AP spokesman Paul Colford issued the following statement: "Out of a sense of caution, we have suspended other AP Twitter feeds. We are working with Twitter to sort this out."

A White House official expressed concern over the incident. "Obviously, it's an example of how the public and private sector must continue to work together to promote norms of behavior in cyberspace and to protect ourselves against malicious actions," the official said.

Time to Act is Now

One of those "norms of behavior" is authentication. And, it doesn't require government-private sector collaboration. What's needed is for social media companies to tighten authentication procedures.

Social media companies, as well as many consumer-oriented websites, have been hesitant to offer authentication that goes beyond username and password. They fret that toughening authentication procedures will drive away users. That may have been the case in the past, but not necessarily today.

A survey of consumers in the United States, Britain and Germany, conducted by the Ponemon Institute for Nok Nok Labs, reveals a willingness among consumers to accept other authentication factors beyond username and password [see Users Favor New Forms of Authentication]. Nearly half the surveyed consumers in the United States and Britain say they don't trust systems or websites that rely only on passwords; that number soars to nearly three-quarters among German respondents.

The same survey suggests that weak authentication won't keep users away from these websites, at least for now. But as fake tweets proliferate, confidence in social networks will diminish, creating more distrust of valued institutions such as the Associated Press.

It's time that social media companies - which millions upon millions of people rely on to get and share information - offer, if not require, multi-factor authentication.



About the Author

Eric Chabrow

Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow, who oversees ISMG's GovInfoSecurity and InfoRiskToday, is a veteran multimedia journalist who has covered information technology, government and business. He's the former top editor at the award-winning business journal CIO Insight and a long-time editor and writer at InformationWeek.



