More on why Twitter really blew it with launching two-step authentication
Hey shortformblog, you’re mostly wrong.
Because Twitter cannot prevent the type of attack which has caused so many brands to loose their twitter account - malware (specifically keyloggers) logs the users credentials when they log into twitter.com, which the attacker then uses to make a perfectly “legitimate” login at a later time.
How do you prevent this as a user, given that its the #1 vector of attack for these big name brand hijackings? Use a computer that you know isn’t infected with MalWare. How do you ensure that a computer doesn’t have any malware? Never connect it to the internet (or if you do connect, only use twitter.com, and not browsing or emailing).
Does this make sense for the average user? Not at all. Does it make sense for a global brand or news agency who want to avoid what happened to AP? Easily. The $1200 hypothetical laptop is far cheaper than the damage to a brand from a high publicity hijacking.
The reason that I say “mostly” is that twitter could prevent this by using Google Authenticator or some other form of two-factor authentication. This would be unneeded for a normal user, but would allow big brands to add the extra security. I suspect that Twitter is probably working on this right now, and that this announcement is just until it is deployed.
You realize these accounts are used by multiple users and organizations as large as AP use third-party apps, right? And that numerous people use that single account, right? And that social media pretty much only works because you can share links? This solution is not realistic. It’s a band-aid solution until Twitter gets its stuff together.
The problem here is that large brands have been asking for that two-factor solution for at least two years (Facebook launched it two years ago, and Google has had it for years), and now, Twitter is feeling some serious pain because they only hired someone to work on the two-factor thing within the past six months.
They can’t block such attacks because they haven’t built out their system to deal with them.
If Twitter was serious about protecting its users, it would have been working on this solution before it got to this point, especially considering the seriousness of the problems being raised and the size of the brands it was courting. But instead, they’re playing catch-up. The best solution to bad security is being proactive.
The hypothetical dedicated laptop is not the problem. The fact that the hypothetical dedicated laptop was required in the first place is the problem.