Twitter hacking raises credibility issue

By Caleb Garling
NEW YORK, NY - APRIL 23: Traders work the floor of the New York Stock Exchange on April 23, 2013 in New York City. The market dropped sharply after the Associated Press's Twitter account was hacked today and a false tweet announced that President Barack Obama had been injured in an attack at the White House. The AP took down its Twitter account and announced it had been hacked. The stock market recovered, with the Dow closing up 152 points at 14,719. (Photo by John Moore/Getty Images)

After a week in which people questioned Twitter's value as a reliable source of news following the Boston Marathon bombings, Twitter became the news Tuesday.

The Associated Press' Twitter account, which counts nearly 2 million followers, tweeted an alarming bulletin at 10:07 a.m. PDT:

"Breaking: Two Explosions in the White House and Barack Obama is injured."

The tweet, of course, was false - it was posted by hackers who had gained access to the AP's account. Within minutes, Twitter had suspended the account, but not before at least 4,300 others retweeted the faulty message to other users of the San Francisco social media service.

And not before the fake news sent the Dow Jones Industrial Average plunging 140 points, about 1 percent, and briefly wiped $136 billion in value off the Standard & Poor's 500 Index. Both quickly recovered, but the implications of a more complicated catastrophe are obvious.

That one of the most trusted Twitter accounts was hacked turns the spotlight from concerns about Twitter's users moving too quickly with spotty information - as happened in the Boston aftermath - and toward Twitter's security measures.

When a tool allows one person to misinform millions of people with the click of a button, protection of that tool is paramount.

Twitter is no stranger to hacked accounts. The company has repeatedly come under scrutiny from the public and regulators, and that scrutiny has sharpened each time it ships features, like a music discovery service and richer embedded media in tweets, that have little to do with security. In 2010, after numerous complaints, the Federal Trade Commission issued an order requiring Twitter to strengthen its privacy and security practices.

The government already regulates other industries' data-handling practices. The health care industry, for instance, is subject to the privacy restrictions of the Health Insurance Portability and Accountability Act when handling sensitive patient information.

Lower standard?

However, Mark Jaycox, an activist at the Electronic Frontier Foundation, a digital rights advocacy group, doesn't think the security of website logins is as serious a concern.

"I don't know if it (should be) an issue of the government inserting itself into mandated practices," he said.

Exactly how the hackers managed to commandeer the AP's account is not known, and Twitter spokesman Jim Prosser says the company doesn't comment on individual accounts for privacy and security reasons.

The AP reported that it had been the target of a large e-mail phishing attack just before the Twitter hacking.

Later Tuesday, the Syrian Electronic Army, supporters of Syrian President Bashar Assad, took credit for the hacking. The same group has claimed credit for hacking the Twitter accounts of CBS, its newsmagazine "60 Minutes" and the international soccer governing body, FIFA, the previous weekend.

Accounts for Burger King and Jeep were hacked in February, but by hackers without overt political motivations. Some hackers just "do it for the lulz," as the expression goes - for the fun of it.

No large brands or organizations have decided to stop using Twitter because of security concerns. Those with popular accounts would find it difficult to give up access to the millions who use the service.

Doing more to help

But that could change if companies start investing more in advertising on Twitter. Hacks like Tuesday's are not necessarily Twitter's fault, but the company could do more to help users prevent them - beyond urging "good password hygiene," as the company calls its advice.

One of the biggest security criticisms of the service is that Twitter lacks "two-factor authentication," a practice that tech giants like Apple and Google employ for their users' accounts. Microsoft began deploying it last week. The technique is considered one of the most practical security practices for Web applications.

Using data supplied by a Web browser, typically a cookie the site set on an earlier visit together with the browser's own characteristics, Internet companies can recognize the particular device accessing a website. When, say, a Gmail user signs in from an unrecognized device - a new tablet or a coffee shop computer - Google first asks for the user's standard password.

If that is entered correctly, Google then sends a text message to the user's phone with a new, single-use personal identification number. Once the user enters the PIN, the device is marked as recognized and is granted access from then on without repeating the second step.

As Google explains, "Bad guys would have to not only get your password and your user name, they'd have to get ahold of your phone."
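The flow described above, as an added illustration that is not code from the article, from Google or from Twitter: a password check, a one-time PIN sent out of band when the device is not recognized, and a device token issued only after the PIN is verified. The PIN lifetime, the three-guess limit and the in-memory "outbox" standing in for an SMS gateway are assumptions of this example, not anything the article states.

```python
import hashlib
import hmac
import secrets
import time

PIN_TTL_SECONDS = 300    # assumed policy: a texted PIN is good for five minutes
MAX_PIN_ATTEMPTS = 3     # assumed policy: discard the PIN after three wrong guesses


def _fingerprint(token):
    """Store only a hash of each device token, never the token itself."""
    return hashlib.sha256(token.encode()).hexdigest()


class Account:
    """One user record: salted password hash, phone number, and the set of
    devices that have already completed the second step."""

    def __init__(self, username, password, phone):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash_password(password)
        self.phone = phone
        self.trusted_devices = set()   # fingerprints of tokens issued after a good PIN
        self.pending = None            # {"pin", "expires", "attempts"} while a PIN is outstanding

    def _hash_password(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 200_000)

    def password_ok(self, password):
        # constant-time comparison so a wrong guess cannot be timed
        return hmac.compare_digest(self._hash_password(password), self.pw_hash)


class LoginService:
    def __init__(self):
        self.accounts = {}
        self.outbox = []   # constructed stand-in for an SMS gateway: (phone, pin) pairs

    def register(self, username, password, phone):
        self.accounts[username] = Account(username, password, phone)

    def login(self, username, password, device_token=None):
        """Step one. Returns ("fail", None) on a bad password, ("ok", token) when
        the device is already recognized, or ("need_pin", None) after texting a PIN."""
        acct = self.accounts.get(username)
        if acct is None or not acct.password_ok(password):
            return "fail", None
        if device_token and _fingerprint(device_token) in acct.trusted_devices:
            return "ok", device_token          # recognized device: no second step
        pin = f"{secrets.randbelow(10**6):06d}"
        acct.pending = {"pin": pin, "expires": time.monotonic() + PIN_TTL_SECONDS, "attempts": 0}
        self.outbox.append((acct.phone, pin))  # delivered out of band, not to the browser
        return "need_pin", None

    def verify_pin(self, username, pin):
        """Step two. A correct, unexpired PIN is consumed exactly once and a fresh
        device token is issued; the browser keeps the token, not the PIN."""
        acct = self.accounts.get(username)
        pending = acct.pending if acct else None
        if pending is None:
            return None
        if time.monotonic() > pending["expires"] or pending["attempts"] >= MAX_PIN_ATTEMPTS:
            acct.pending = None                # expired or brute-forced: start over
            return None
        pending["attempts"] += 1
        if not hmac.compare_digest(pending["pin"], pin):
            return None
        acct.pending = None                    # single use
        token = secrets.token_urlsafe(32)
        acct.trusted_devices.add(_fingerprint(token))
        return token


if __name__ == "__main__":
    svc = LoginService()
    svc.register("newsdesk", "correct horse battery staple", "+1-555-0100")
    # Attacker with the phished password but no phone gets stuck at the second step.
    print(svc.login("newsdesk", "correct horse battery staple"))
    phone, pin = svc.outbox[-1]
    token = svc.verify_pin("newsdesk", pin)
    print("device token issued:", token is not None)
    # The recognized device skips the PIN next time; an unknown one does not.
    print(svc.login("newsdesk", "correct horse battery staple", token)[0])
    print(svc.login("newsdesk", "correct horse battery staple", "some-other-device")[0])
```

The point the example makes concrete is the one Google's quote makes: a stolen password alone yields `need_pin`, never `ok`, and the PIN cannot be replayed once used or guessed indefinitely. The device token is what a later session presents; a forged token simply triggers the second step again.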

Gone phishing

The majority of hackings still happen via "phishing," where a hacker sends a fake e-mail asking an employee for security details or pointing to a counterfeit login page, or by cleverly searching around the Internet for clues on what someone may use for a username and password.

And two-factor authentication is not perfect. A user's smartphone or computer could simply fall into the wrong hands, and a phishing page that asks for the texted PIN along with the password can relay both to the real site before the PIN expires.

Users of Twitter, like other Web services, are also subject to malware attacks - software that quietly gathers data on a computer. As recently as Monday, the security firm Trusteer identified malicious software that injects code into a user's Twitter page inside the browser and collects the data used to verify the user's identity.

While Twitter did not respond to a request for comment, a job posting on its website indicates the company is considering two-factor authentication. The ad is for a software engineer with experience in "multifactor authentication and fraudulent login detection."

Meantime, maybe the best security advice can be found on a snarky but helpful website called "Is My Twitter Password Secure?"

As soon as anyone tries to enter a password to find out, the site turns bright red and tells the user, "Don't ever type your login and password (for) Twitter on a site that isn't Twitter.com. Same with Facebook. And LinkedIn. I guess what I'm trying to say here is, don't be an idiot."

Caleb Garling is a San Francisco Chronicle staff writer. E-mail: cgarling@sfchronicle.com

Business Reporter

Caleb Garling covers business and technology for The San Francisco Chronicle. Previously he was a staff writer at Wired. He lives in the Mission District and enjoys everything about being outside.