* Needs to boost technology to verify passwords -experts
* High-profile attacks could hurt Twitter's reputation
By Jim Finkle and Roy Strom
BOSTON/NEW YORK, July 7 The fast-growing
microblogging site Twitter has fallen behind some other
Internet services in introducing tools to help secure the
accounts of users, security experts say.
Weaknesses in Twitter's security became apparent on the
U.S. July 4 Independence holiday as an unknown hacker took
control of a Fox News Twitter account and sent out messages
falsely claiming that U.S. President Barack Obama was dead.
While the hijacking of Twitter accounts is not new, the
false Tweets about Obama generated headlines around the world.
The Secret Service is investigating the matter. Fox News
has said it is unsure how the attacker gained control of its
account, but complained that it took Twitter more than five
hours to return control of the account to Fox.
"What Twitter needs to do now is to commit to a thorough
review of their security practices," said Daniel Diermeier, a
professor at Northwestern University's Kellogg School of
Management. "For Twitter this is a very serious problem."
Security experts said that the attack may have been
prevented if Twitter had offered two-factor authentication
technology to secure its accounts.
In two-factor authentication systems, a user must enter a
second code in addition to a fixed password to access its
account. The code changes every minute or so and is sent to a
cell phone or other electronic device.
Google Inc (GOOG.O) and FaceBook already offer two-factor
authentication to confirm the identity of users.
Security experts said that Twitter could soon come under
pressure to do so as well, particularly from influential users
such as politicians, major corporations or news outlets.
"They won't have a choice. I think if they want to stay
viable they'll have to," said San Diego State University
professor Murray Jennex, who teaches information security.
He warned that Twitter would be "flirting with disaster" if
it did not proactively add two-factor authentication, and that
more high-profile attacks could harm the company's reputation.
In addition to the Fox News heist, PayPal's Twitter account
in the United Kingdom was also hijacked this week and followers
urged to visit the website www.paypalsucks.com.
Twitter allows its users to communicate with the site using
an ordinary, unscrambled connection, which makes it easier for
potential hackers to steal passwords.
The site does offer the option of scrambling that traffic,
but users must type "https" before entering the Twitter URL
into the Web browser to call up an encrypted connection.
Chris Palmer, technology director for the privacy-promoting
Electronic Frontier Foundation, said Twitter should use https
by default because not all users are aware of the option or
care to use it. Google uses https encryption by default for
many of its services.
"Basically, if nothing bad happens, it's because no
attacker cared to attack," Palmer said of Twitter.
Twitter spokeswoman Lynn Fox declined to say whether the
company intended to add two-factor authentication or make https
encryption a default.
"We take security very seriously and we're always looking
for ways to help users make their accounts more secure," she
Yet she added that Twitter's users are responsible for
securing their own passwords.
"We can't anticipate compromises that occur offsite," she
said. "That's one of the reasons we very clearly recommend to
users that they be extremely careful with the security of their
(Reporting by Jim Finkle in Boston, Roy Strom in New York and
Diane Bartz in Washington, editing by Matthew Lewis)