The UK’s Leader of the Opposition is Jeremy Corbyn MP, head of the Labour Party, and we think we can say, while remaining entirely objective, that he’s controversial.
From his republican leanings (in the UK, that doesn’t mean he’s politically conservative, but that he disagrees with constitutional monarchy), through his criticism of Australia’s refugee policy, to his recent and public opposition to the UK’s Trident missile programme…
…he has some strong opinions.
But he’s not known for swearing in public.
Which is why a short sequence of tweets that came from his account last night, at around 9pm UK time, didn’t quite add up.
One was yobbishly rude, you might say; a second was outright offensive (at least if you’re an Aussie); the third was intriguing (what exactly does it mean to call your Prime Minister “a pie”?); and the last was, well, it suggested that the writer didn’t like Trident either.
According to a BBC report, Corbyn’s team quickly “regained control of his account” and calm was restored.
Apparently, the offending tweets were up for only a few minutes before they were deleted, yet racked up more than 1000 retweets between them.
For the Labour leader, this is not much of a setback; indeed, it’s unlikely to have any negative effect on his standing as a politician, or his perceived trustworthiness as a public servant.
But for a business Twitter account, or a Twitter “hack” where the fake tweeter was careful to make the fraudulent tweets seem legitimate, the results could be very different.
Bogus earnings warnings, for example; fake notifications of a bigger hack inside the company; untrue claims about mergers and acquisitions: these could not only affect the share price, but also cause trouble with the regulators.
So, how did Jeremy Corbyn MP’s account get pwned?
We don’t know for sure, but high-profile social accounts of this sort are often accessible to many people, and the individual named as the account holder may, in fact, rarely be the one who actually types in a post and clicks the [Tweet] button.
Loosely speaking, if 20 people can authenticate to access one account, there are 20 times as many opportunities for a crook to hack it, for example:
- By phishing for passwords with fake login pages, until one of the 20 users types in the right password on the wrong site.
- By using malware that tracks keystrokes, and thus potential passwords, and infecting one of the 20 users’ computers.
- By guessing the weakest password of all 20 people.
- By social engineering, such as calling each of the 20 people in turn and trying to trick one of them into giving away their login data.
- By cracking the email account of one of the 20, and doing a password reset to take over their login.
So, shared accounts need even more love and attention from a security perspective, especially when they’re pretending to be the personal account of an individual.
WHAT TO DO?
Try these tips:
• Use a tool such as HootSuite, or Twitter’s own TweetDeck, that makes managing multiple users of one Twitter account much safer.
• Use two-factor authentication for all authorised tweeters. Then, a crook would need the weakest password and that user’s mobile phone (or some other login token) in order to access the account.
• Consider an on-line password manager that allows users to connect to a Twitter account without ever seeing the password for that account. (But make sure all users protect their password manager account strongly.)
• Take the trouble to pick a proper password whenever you are called upon to create one of your own, for example as the password for your password manager.
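To make the “weakest of the 20” point and the two-factor tip above concrete, here is an added Python example (ours, not Naked Security’s, and nothing to do with Twitter’s real login code). It models one shared account with 20 authorised tweeters and compares the two policies: password only, where a single phished, keylogged or guessed password lets the crook in, and password plus a time-based one-time code (TOTP, RFC 6238), where the crook would also need that user’s phone or token. The user names and passwords are constructed; the TOTP secret is the RFC’s own reference secret so the codes can be checked against its published test vectors.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import struct
import time

# Constructed example: one shared account, many authorised users. This is not
# Twitter's login code; it models the two policies the text contrasts.

# RFC 6238 reference secret, used so the TOTP output is checkable against the
# RFC's test vectors. Real per-user secrets come from secrets.token_bytes(20).
REFERENCE_SECRET = b"12345678901234567890"
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256, so a stolen user table yields no plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP code: HMAC-SHA1 over the 30-second time counter."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class SharedAccount:
    """One handle, many authorised users, each with their own credentials."""

    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes, bytes]] = {}

    def enrol(self, username: str, password: str, totp_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hash_password(password, salt), totp_secret)

    def check_password(self, username: str, password: str) -> bool:
        if username not in self.users:
            return False
        salt, stored, _ = self.users[username]
        return hmac.compare_digest(stored, hash_password(password, salt))

    def login_password_only(self, username: str, password: str) -> bool:
        """Weak policy: any one phished, keylogged or guessed password is enough."""
        return self.check_password(username, password)

    def login_with_2fa(self, username: str, password: str, code: str,
                       now: int | None = None) -> bool:
        """Hardened policy: the password AND a current code from that user's token."""
        if not self.check_password(username, password):
            return False
        now = int(time.time()) if now is None else now
        secret = self.users[username][2]
        # Accept the previous and next 30-second window to tolerate clock skew.
        return any(hmac.compare_digest(code, totp(secret, now + skew))
                   for skew in (-30, 0, 30))


def weakest_link_demo(now: int = 59) -> dict[str, bool]:
    """Enrol 20 tweeters, one with a weak password a crook has obtained.

    Returns what each login policy says when the crook presents that password.
    """
    account = SharedAccount()
    for i in range(1, 21):
        # Constructed credentials: 19 random passwords and one weak, phished one.
        password = "password123" if i == 7 else secrets.token_urlsafe(16)
        secret = REFERENCE_SECRET if i == 7 else secrets.token_bytes(20)
        account.enrol(f"tweeter{i:02d}", password, secret)

    phished = ("tweeter07", "password123")
    return {
        "password_only_policy_lets_crook_in": account.login_password_only(*phished),
        "2fa_policy_without_token": account.login_with_2fa(*phished, code="000000", now=now),
        # Only the genuine user, holding the phone or token, can produce this code.
        "2fa_policy_with_genuine_token": account.login_with_2fa(
            *phished, code=totp(REFERENCE_SECRET, now), now=now),
    }


if __name__ == "__main__":
    for policy, outcome in weakest_link_demo().items():
        print(f"{policy}: {outcome}")
```

The design point is in `login_with_2fa`: the second factor is checked per user, so enrolling a twentieth tweeter adds a twentieth password to be phished but not a twentieth way in, because the phished password on its own still fails. A password manager that hides the shared password from users (the third tip) sits naturally on top of this model, since each user then authenticates to the manager with their own password and token rather than to the account directly.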
Social media is a fun and useful way to promote yourself and your business, but only if you are the one doing the promoting, rather than a crook, a delinquent competitor, or a misguided friend who’s had a skinful, gets lucky with your password and decides to have some “fun” at your expense…