BOSTON/NEW YORK (Reuters) - The fast-growing microblogging site Twitter has fallen behind some other Internet services in introducing tools to help secure the accounts of users, security experts say.
Weaknesses in Twitter’s security became apparent on the U.S. July 4 Independence holiday as an unknown hacker took control of a Fox News Twitter account and sent out messages falsely claiming that U.S. President Barack Obama was dead.
While the hijacking of Twitter accounts is not new, the false Tweets about Obama generated headlines around the world.
The Secret Service is investigating the matter. Fox News has said it is unsure how the attacker gained control of its account, but complained that it took Twitter more than five hours to return control of the account to Fox.
“What Twitter needs to do now is to commit to a thorough review of their security practices,” said Daniel Diermeier, a professor at Northwestern University’s Kellogg School of Management. “For Twitter this is a very serious problem.”
Security experts said the attack might have been prevented if Twitter had offered two-factor authentication technology to secure its accounts.
In two-factor authentication systems, a user must enter a second code in addition to a fixed password to access its account. The code changes every minute or so and is sent to a cell phone or other electronic device.
Google Inc and FaceBook already offer two-factor authentication to confirm the identity of users.
Security experts said Twitter could soon come under pressure to do so as well, particularly from influential users such as politicians, major corporations or news outlets.
“They won’t have a choice. I think if they want to stay viable they’ll have to,” said San Diego State University professor Murray Jennex, who teaches information security.
He warned that Twitter would be “flirting with disaster” if it did not proactively add two-factor authentication, and that more high-profile attacks could harm the company’s reputation.
In addition to the Fox News heist, PayPal’s Twitter account in the United Kingdom was also hijacked this week and followers urged to visit the website www.paypalsucks.com.
Twitter allows its users to communicate with the site using an ordinary, unscrambled connection, which makes it easier for potential hackers to steal passwords.
The site does offer the option of scrambling that traffic, but users must type “https” before entering the Twitter URL into the Web browser to call up an encrypted connection, or change their options to request https as a default.
Chris Palmer, technology director for the privacy-promoting Electronic Frontier Foundation, said Twitter should use https by default because not all users are aware of the option or care to use it. Google uses https encryption by default for many of its services.
“Basically, if nothing bad happens, it’s because no attacker cared to attack,” Palmer said of Twitter.
Twitter spokeswoman Lynn Fox declined to say whether the company intended to add two-factor authentication. The company has said in a blog that it hopes to make https encryption the default for all users.
“We take security very seriously and we’re always looking for ways to help users make their accounts more secure,” she said.
Yet she added that Twitter’s users are responsible for securing their own passwords.
“We can’t anticipate compromises that occur offsite,” she said. “That’s one of the reasons we very clearly recommend to users that they be extremely careful with the security of their passwords.”
Reporting by Jim Finkle in Boston, Roy Strom in New York and Diane Bartz in Washington; Editing by Matthew Lewis and Richard Chang