Should Social Networks Do More to Stop Account Takeover?

A Twitter account can be a valuable possession, as must be obvious to Donald Trump or any of the people who successfully sued the US President because he blocked them. Some companies depend on Facebook for marketing; a change to the Facebook algorithms can force some out of business. Viral promotion became so important to one extremist that she made it a matter of life or death; last year vegan activist Nasim Aghdam went on a suicidal shooting spree after YouTube demonetized her videos. Objects of value will inevitably attract thieves, and so British freelance journalist Radhika Sanghani recently wrote about her Twitter account being taken over.

…I just hope stories like mine will encourage social media networks to do everything they can to make it harder for cyber crime to take place on their platforms. Falling prey to a hacker is a vulnerable – and frightening – feeling.

But should social media networks do ‘everything they can’? That would include forcing people to use token-based two-factor authentication and making people change their passwords on a regular basis. Why would they even stop at two factors, when three or four factors would be safer still? Businesses like these could always do more to force users to protect themselves. That would inevitably reduce the number of users, and so reduce the value of the network to people who want to promote themselves. Social network accounts can only be valuable if there are many people using the social network, which explains why nobody ever worries about their Ello account being taken over.

Sanghani’s article nicely parlays a personal misfortune into an opportunity to make a few bucks by warning kids to be careful. Otherwise it reads like every other article which demands something must be done! without explaining the potential downsides or discussing all the possible courses of action before pointing an accusing finger at the corporations who provide the service. After learning that Sanghani was hacked, readers of her article are then presented with a mishmash of inconsistent stats. For example, we are told that UK police investigated 1,300 cases of computer and social media hacking over a twelve-month period, whilst two-thirds of American adults with social media accounts say they have been hacked. One of these numbers is relatively small, and the other is relatively large, even allowing for the difference in the population of these two countries. So if these stats are worth contemplating, why not conclude that law enforcement should be doing ‘everything they can’ to chase and punish criminals?

The article then presents insights from a typically arbitrary selection of experts; it is never clear how journalists find the people they choose to quote. What is clear is that journalists are better at finding experts whose opinions they agree with, and not at finding experts who offer contrasting points of view.

When I contacted Facebook for this article… they urged users to sign up for two-factor authentication too, and watch out for suspicious links, malware, and to make sure they have strong passwords.

But Dr [Jessica] Barker thinks it’s not enough. “People are often really frustrated it takes a long time for the platforms to verify it’s your account. It’s something I’d heard a lot from small businesses who rely on Facebook for income and marketing. I’ve heard they either don’t get access back, or because they haven’t restored the content, it’s damaged their operations.”

She hopes that social platforms will follow in the footsteps of other online platforms, like Gmail, who have looked into the pattern of how criminals operate, and have been able to improve security measures with their research. “If these social media platforms are asking people to use a service, and they get a benefit from us sharing our data, they need to take action on it,” she says.

In other words: something must be done! What is conspicuously absent from this article is any useful examination of what users did, or did not do, before their accounts were taken over. Sanghani tells us she has since made her “passwords stronger than ever” but neglects to tell us how strong her Twitter password was before. The account has already been hacked; she has no reason not to divulge this information. If she is anything like most people, her Twitter password used to be ‘123456’, ‘password’, or another embarrassing entry from the list of the world’s most popular passwords. Did she use the same password for multiple accounts? She does not divulge. We do learn that Sanghani has now “set up two-factor authentication on everything” but she obviously had not bothered to use 2FA to protect her Twitter account before she was hacked.

I suppose if people left their homes unlocked they would argue builders should have installed door locks that know how to turn the key for themselves. Meanwhile, as Sanghani tells people to adopt two-factor authentication, sophisticated criminals are using SIM swaps to take control of Twitter accounts, as happened to security guru John McAfee a year ago. And some not-so-ethical hackers are reminding us that Twitter allows hijackers to publish tweets to UK accounts by spoofing SMS messages which appear to come from the genuine user’s 2FA telephone number. So more could be done, including doing some research and presenting some information about the security weaknesses caused by using SMS-based 2FA on Twitter. But that would inevitably lead to a tl;dr article, which is the one thing that journalists and experts never demand when asserting that everything must be done to improve security.

Eric Priezkalns
Eric is the Editor of Commsrisk.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.