Twitter has finally enabled a two-step verification feature for Twitter users' accounts, though it's not automatic and needs to be manually enabled by users themselves.
Two-step verification is a common account protection measure that makes it harder for hackers to take over accounts and user names - a problem which Twitter has been rife with, especially over the last few months. Instead of requiring just a password and username, two-step verification sends a special one-time generated code to a user, usually on their phone or email, and the user must input this code along with their password in order to log in. The code changes every time a user tries to log in, eliminating user error and so-called "social engineering" hacks, which trick a user into giving up their password and losing access to their account.
But the new change doesn't take effect automatically: users must enable this feature themselves. To do so, go to your account settings page on Twitter.com and select "Require a verification code when I sign in." Click "add a phone," follow the prompts, and enter your phone number. From then on, you'll get a prompt asking for a six-digit code when you log in to Twitter, which Twitter will send in a text message (or email). Here's Twitter's instructional video on how to enable two-factor verification.
It looks like Twitter isn't stopping here with security (which is a good thing, because two-step verification can still be manipulated) and Jim O'Leary of Twitter's Product Security Team promises that the "server-side engineering work required to ship this feature has cleared the way for us to deliver more account security enhancements in the future." The new change to Twitter comes after several accounts - some very influential and important - have been hijacked by hackers over the last few months.
Here's a recap of the most notable and/or worst Twitter hacks that have occurred in recent months.
- Early February: 250,000 Twitter Accounts Hacked
While this massive hack attack was far too sophisticated to be preventable with two-step verification, it showed how vulnerable Twitter was from a security standpoint and could possibly be related to some later account hijackings that occurred throughout the coming months.
- Late February: Burger King and Jeep Verified Accounts Hacked
The official Twitter accounts @BurgerKing and @Jeep were hacked, and jeering messages were posted encouraging people to shop at their competitors. Account photos were changed, in Burger King's case to McDonald's, and in Jeep's case to Cadillac. It appeared to be the work of the "Defonic Team Screen Name Club," judging from the #DFNCTSC hashtag which appeared on some tweets. While not a major issue (it was just for the "lulz"), the hacking was embarrassing for the companies, although @BurgerKing actually picked up more followers.
- Early March: Amanda Bynes' Account Hacked? No One Can Tell
Another high-profile but "no big deal" hacking on Twitter was suspected when Amanda Bynes' verified account @AmandaBynes said some raunchy things about her former co-star Drake Bell, which she later disavowed and deleted. No one can really tell, though, as the troubled star could have tweeted those messages herself and just been messed up at the time.
The BBC's weather service @bbcweather and the website and Twitter feed of Human Rights Watch @hrw were hacked by the so-called Syrian Electronic Army, a pro-Assad group which is behind several denial of service attacks and phishing-based hacks on organizations which publicize aspects of the Syrian civil war that appear unfavorable to Assad. The accounts were used to publish pro-Assad propaganda and accusations that Human Rights Watch lies - this would not be the last major media hack by the SEA.
- Late April: The Associated Press's Twitter Account Hijacked, False Report Causes Stock Market Flash Crash. Guardian Accounts Hacked Days Later
In perhaps the most serious breach of Twitter security, @ap was hijacked by the Syrian Electronic Army and used to send a false message stating that the White House had been bombed and that President Obama was injured. Although the AP suspended the accounts and quickly reported the security breach, and White House spokesperson Jay Carney told reporters that President Obama was fine, US stock markets still dropped temporarily by $200 billion. Days later, several Twitter accounts of the Guardian were hijacked by the SEA and used to spread more pro-Assad propaganda. Soon after, Twitter announced it was working towards a two-factor authentication system.
- Early May: The Onion's Twitter Account Hacked by the Syrian Electronic Army, Becomes Temporarily Unfunny
A less scary and damaging hack attack, the hijacking of the Onion account showed that even satirical news sites were on the SEA's target list and further demonstrated the need for a more secure Twitter authentication system.