Twitter Trouble: 9 Social Media Security Tips

Two-factor authentication is coming soon to Twitter, but it's not likely to happen overnight. And it won't solve the world's online security woes when it does roll out.

Phishing attacks -- like the one that may have been behind the recent Twitter AP hoax -- will persist because they work. Social engineering scams will grow more creative in their efforts to con people into coughing up bank account info, network credentials and other sensitive data. And social sites -- all of which are predicated upon words like sharing and connecting -- will be a prime breeding group for such activity, even with tighter perimeter defenses such as two-factor authentication. We're still human, after all, and therefore susceptible to making mistakes.

"Social networking sites can roll out great levels of security," said AVG senior security evangelist Tony Anscombe in an interview. "The problem is at the other end of it, you've got users."

Should you delete your social accounts, unplug your router, throw your phone in the ocean and move off the grid? Keeping your information secure doesn't necessarily require drastic action -- but it does require action. Consider these steps to better protect your social media accounts.

1. You Guessed It: Use Strong Passwords.

It's been said countless times, yet people continue to use things like birthdates or "1234" as passwords. Even worse, they often use the same password across every account they own. That's not good enough. "That is primarily the number-one thing you must do," Anscombe said. Passwords don't have to be random or impossible to remember, but they do need to be tough to crack. "Make it difficult for somebody to socially engineer what [the password] is," Anscombe said.

[ What advice have we gleaned from the recent phishing attack on the Associated Press? Read AP Twitter Hack: Lessons Learned. ]

2. Review Your Apps, Add-Ons and Other Settings.

Anscombe noted that he checked his Twitter account prior to our conversation and was reminded of just how many other applications can gain access to your Twitter account. Yet many people forget to whom else they've granted access, not just on Twitter but on any social site. Take time to review your apps and other add-ons and revoke access from any you don't use or don't remember installing.

"We all download things to try to make it simpler for us, and then we don't use it or use something else," Anscombe said. "What we don't do is ever go back and decline those privileges afterwards."

Among other potential problems: Even when Twitter and other companies roll out two-factor authentication, it doesn't mean the other sites and apps that have access to your data will, too. To review your installed apps in Twitter, just visit Settings and then Apps. The site makes it simple to revoke access from there.

3. Be More Cautious with Mobile.

"Make sure your mobile phone is secure," Anscombe advised, adding that while most PC users these have some form of anti-malware protection in place, many folks don't take the same precaution on their mobile devices. At minimum, use a free security app. (AVG and many of its competitors offer one for Android and other platforms.)

Don't let a security app fool into thinking you've eliminated all risks, though. Anscombe noted, for example, that mobile browsers may make users more susceptible to phishing sites and similar scams. One reason is that mobile screen sizes sometimes make it hard -- or impossible -- to detect irregularities in a browser's URL bar. "The Web browser does that so you get maximum screen vision of the content rather than the address bar, but you don't have the same visual protections," Anscombe said. "They're trying to make it easier for us, but in [doing so] it also loses some of its security as well."

4. Sites Update Privacy Settings -- So Should You.

Regularly review your privacy and other account settings on social sites to ensure they meet your current expectations and needs. Sites regularly revise those settings; users need to as well. Otherwise, you might find your information being used in ways that you're uncomfortable with, Anscombe said.

5. Beware "Password Check" Sites.

Scams often ride on the coattails of other scams. A common one after high-profile breaches: Password-check sites. Paul Ducklin of Sophos noted in a recent blog post that while these sites are sometimes legitimate, they're often cons built to capture your credentials in the wake of other hacks. "That sounds like phishing, doesn't it?" Ducklin wrote. "And the reason it sounds like phishing is that it IS phishing!" Treat such sites with extreme skepticism.

If you're responsible for your employer's corporate Twitter handles and other social media, you should consider tighter controls over those accounts. Anscombe noted that even companies with very restrictive policies governing data security, external communications, content management and similar areas often don't treat their social accounts with the same degree of gravity, exposing themselves to unnecessary risks as a result.

Nate Ulery, who leads the IT infrastructure and operations practice at West Monroe Partners, concurred. Two-factor authentication on Twitter and other sites definitely helps, but don't expect hackers and criminals to simply log off and call it quits.

"While two-factor authentication will help minimize social media hacking risks, companies will need to continue to be vigilant in enforcing their security policies," Ulery said via email interview. "For example, Facebook's standard two-factor authentication is only required when a login occurs on a new computer or mobile phone. Since recognized devices can still access the account without the additional security requirement, malicious software installed on a PC or mobile phone could still potentially expose the social media account."

Ulery offered the following advice for keeping tighter reins on corporate Twitter handles and other social accounts:

6. Partition Work and Personal Social Accounts.

"Insist that social media accounts are completely segregated from personal accounts so social hacking or compromised personal accounts do not put the corporate accounts at risk," Ulery said. Building that wall could help reduce the risk of social missteps, too, such as embarrassing mistakes that can occur when an employee accidentally posts a personal message to a corporate handle.

7. Limit Hardware and Account Access.

"Require that corporate Twitter users access the account only from corporate-managed workstations," Ulery said. The same rule can be applied across any and all corporate social accounts. If you really want to reduce your threat vectors, Ulery recommended taking an extra step -- one that might be tougher for social media mavens to abide: Do not enable mobile phone integration.

In terms of access, Anscombe of AVG stressed the importance of companies treating social media account credentials as sensitive data. Grant access only to select employees who actually need it for their job; the more people who know the password, the greater the potential for breaches. "Everyone in a sense is a potential repeater," Anscombe said.

8. Give IT More Control.

Here's one IT pros might especially appreciate: Give end users less control. In particular, Ulery advised making it harder for employees to reset passwords on corporate social accounts, in part as an extra precaution against external hijacking. "Consider utilizing password reset email addresses that are not accessible by the social media team without IT involvement," Ulery said.

9. Make Social Media Explicit in Security Policies.

Don't assume everyone recognizes the risks associated with social media. Clearly include social media rules in security-related policies. If you've got a high-priority user group for anti-malware updates and other security protocols, include the corporate social media team. Likewise, apply the same password rules used elsewhere in the company to social accounts. And no matter what security safeguards social sites put in place, remember that they're not foolproof.

"Use of two-factor authentication does not relieve corporate security managers from their responsibility to train users on the potential risks of social media security, especially as it relates to the corporate brand's reputation risk," Ulery said.

Protect the most fragile part of your IT infrastructure -- the endpoints and the unpredictable users who control them. Also in the new, all-digital How To Sharpen Endpoint Security special issue of Dark Reading: Some say the focus should be on education to deal with the endpoint security conundrum; some say technology. But it's not a binary choice. (Free with registration.)