Twitter Security Update Too Little, Too Late – What the Experts Say
While saying it's a step in the right direction, most security experts see Twitter's two-factor authentication as too little, too late.
Following months, if not years of waiting, users of Twitter finally have the option of increasing the security of their accounts. Seemingly prompted by a spate of high profile breaches in recent weeks and months, the company has rolled out two-factor authentication for all account holders - though the security measure is opt-in rather than compulsory, meaning a lot of people will still be at risk.
The way the system works is pretty straight forward. First you will need to associate your mobile phone with your account. Having done so, you can switch on two-factor authentication on your account settings page and from then on, every time you sign into Twitter.com you will get a verification code sent to your phone - even if you're using the same PC as normal.
If you already use the Twitter app on your smartphone or tablet, or a client like TweetDeck on your desktop, nothing will change, they willcontinue to work as normal.
While the move is certainly a positive one from Twitter, many people have been pointing out failing in the system as implemented by the micro-blogging site. So we've canvass the security industry for their thoughts on the new system:
Sean Sullivan, security researcher with F-Secure
One of the first to query the set-up, Sullivan has been questioning (via Twitter) the validity of the system, initially asking why Twitter was using SMS as the method of authentication rather than an authenticator app which are available on all major platforms.
Sullivan tweeted: "Dear @twitter, forget about SMS! Use authenticator apps." His point was that SMS messages are easily hijacked by compromised smartphones. While Sullivan conceded that not all people have smartphones and therefore may not be able to use authenticator apps, he pointed out that these authenticator apps didn't necessarily have to be mobile.
Sullivan also pointed out that there is currently no recovery method if you break your phone after implementing two-factor authentication.
Graham Cluely, Sophos
Cluely pointed out on the Naked Security blog another problem of having the authentication code sent via SMS to a single phone:
"So, the big question is this... is this going to help media organisations such as The Guardian, NPR, the Financial Times, and others who have found their Twitter accounts hijacked by the likes of the Syrian Electronic Army? Sadly, I don't think it's going to help them at all.
"Media organisations who share breaking news via social media typically have many staff, around the globe, who share the same Twitter accounts.
"2FA isn't going to help these companies, because they can't all access the same phone at the same time. Either those people will have to leave themselves permanently logged into Twitter (which is itself unwise from the security perspective), or one central trusted person will have to "own" the phone - and share the six-digit code with journalists as they try to log in to share breaking news stories."
Orla Cox, Security Operations Manager, Symantec
Cox is a little more optimistic, saying this is a step in the right direction at least:
"While it may not stop determined hackers, two-factor authentication certainly makes it more difficult as the victim's password would no longer be enough to give an intruder access to a system."
However she also points out the problem for shared accounts:
"Something to consider, is that it will be difficult for group or shared accounts as all individuals who manage the account would need to be able to access the device which is configured to receive the SMS."
Jaime Blasco, Labs Director at AlienVault:
Blasco believes the company took too long to implement this security measure:
"Twitter is doing the right thing. The problem is that they are late. They should have implemented two-factor authentication months and even years ago and it would have helped to prevent some of the security incidents we have seen in the last few months."
Blasco says hackers will simply become more inventive when trying to hack Twitter accounts:
"I think this new service will force attackers to perform more social engineering attacks in order to trick the user to install a mobile app that will help the attacker to steal the authentication token."
David Emm, Senior Security Researcher, Kaspersky Lab
Emm is far-and-away the most enthusiastic about the new security measures from Twitter:
"Twitter's use of two-factor authentication should be welcomed with open arms. Two- factor authentication makes it difficult for someone to hijack an account, by adding another method of validation. To-date a static password has been the only thing securing Twitter accounts, and all too often these are easy to guess."
Emm also says it's easy to see why Twitter has chosen to use SMS as the second authentication method.
"Nearly everyone today has a mobile phone, so this method doesn't require people to carry around an extra token or device that generates the one-time passcode. Additionally, the cost of rolling out this technology is miniscule in comparison to investing in tokens and shipping them to its customers."
Emm does concede however there are potential problems:
"However, there are some potential pitfalls with using SMS as an authentication method. Many people log into their Twitter account from their smartphone via the Twitter app which doesn't require login credentials to be entered each time. This means that the same device is being used for both authentication factors and if this device is lost or stolen, whoever finds (or has stolen) it will be able to access the account. Therefore, in effect, there is no longer two-factor authentication."
Amar Singh, CISO of News International
Singh says another issue is that if accounts have already been compromised, this feature won't help:
"These are good baby steps, however according to Twitter existing applications will continue to work without the need to reset them. So, it appears, that any accounts that may have been compromised, would continue to work. Twitter should also strongly consider enabling other options other than SMS and even consider allowing enterprises the option to enable location and or IP based log-in options."
Dan Holden, Director of Research at Arbor Networks
Holden says this feature has been starnard practice for many other services for a while:
"It's not revolutionary, as two-factor authentication is a standard practice used by many services, such as Gmail, banking, Wi-Fi services and mobile carriers around the world, but the likelihood of a potential attack is far smaller than what the threat is with only one method of authentication. While there are other types of two-factor authentication, SMS verification is certainly one of the fastest and most convenient and it's a great step towards securing any type of online account."
However, overall it's bad news for the likes of the Syrian Electronic Army:
"While it's still possible to gain access to online account information and the code used for this type of authentication to work, it's far more unlikely that the Syrian Electronic Army would be successful taking over an account with two factor authentication"
© Copyright IBTimes 2024. All rights reserved.