Shortly after 1 p.m. ET on Tuesday, the world just about ended as far as Wall Street was concerned, when The Associated Press tweeted that President Obama had been injured by explosions at the White House. Within minutes, the Dow Jones Industrial Average dropped 145 points. Shortly afterward, the AP issued a statement that its Twitter account had been hacked.
The markets quickly settled back into their normal rhythm of buying and trending, but the event left its mark: The financial system is vulnerable not only to trending news and events reported on social media, but also to false events and rumors broadcast on these networks.
This is a particularly disturbing considering just how easy it is to hack into these accounts.
The AP is not the only media outlet to experience an unauthorized intrusion this week: Both CBS News and NPR reported similar incidents. The problem isn’t limited to one type of hack attack, either.
The Many Ways Twitter Is Vulnerable
Much is being made of the lack of two-step authentication in the hijacking of these and other websites.
However, breaches of Twitter accounts are often due to weak passwords, noted Johannes B. Ullrich, director of the Internet Storm Center at SANS Technology Institute.
Another potential culprit is the authentication of third-party applications.
“There is a whole generation of apps built to tie into Twitter that require users to authenticate with their account, which allows the app to act on behalf of the user,” said Ali Reza Manouchehri, CEO of MetroStar Systems.
“The more apps that are authenticated on an account, the more avenues and vulnerabilities a hacker has to gain access,” he told the E-Commerce Times.
A heavy reliance on cloud services by many of these providers is also a point of concern, suggested Lev Lesokhin, executive vice president at CAST.
Cloud services are vulnerable in part due to their rapid pace of development and change, he maintained.
“In fact, Twitter, Google, and Amazon are updating their platforms as often as every 30 minutes,” Lesokhin told the E-Commerce Times. “If an update immediately fails, they roll back the changes. But when they don’t fail, it doesn’t necessarily mean that there aren’t risks or issues that are lurking. Some of these companies are not known to be using best-in-class tools for structural oversight.”
There are also some general factors — that is, not specific to Twitter or social media — that are driving hack attacks.
Hacking has become much easier with the easy accessibility of email accounts, for example.
“I know I use Web mail quite a bit, and it frustrates me that there’s no indication of how many login attempts have failed on my account since the last time I logged in,” Robert Johnson, CEO and founder of TeamSupport, told the E-Commerce Times. “Someone could be attempting to hack my account right now, and I would have no idea.”
Also, social engineering is still a tried-and-true favorite for hackers to gain access to accounts and information, said MetroStar’s Manouchehri.
The Perils of Not Protecting Your Accounts
None of this is any comfort to AP, which no doubt is still smarting from the episode.
A hacked twitter account can affect an organization’s reputation, SANS’ Ullrich told the E-Commerce Times, “and the false news spread via a breach like this can — at least in the short term, until the breach is discovered — lead to changes in the stock price or other financial decisions based on the bad information.”
Most of the time, the fake messages are pretty obvious, he said, but in some cases — like the AP breach — these messages are taken seriously.
“Someone who wishes to contaminate the news and tank the market for arbitrage can now do so, knowing that if a tweet comes from a seemingly reliable source such as the AP, it can alter reality — even just briefly — as the market crash showed,” Rich Hanley, director of the graduate journalism program at Quinnipiac University, told the E-Commerce Times.
“A simple tweet,” he pointed out, “can cause the market to move, create a political scandal or misdirect reporters.”