Twitter accounts being hacked by cybecriminals looking for value

The reason for the value - to criminals - of Twitter accounts is the sheer potential they offer for fraud, both directly and indirectly.

In fact, says Imperva, the data security specialist, just five years ago, the illegal trade in credit card details was a rising problem for the financial services industry, as well as their customers, with platinum and corporate cards being highly prized by the fraudsters.

But today, said Amichai Shulman, the firm's chief technology officer, Web 2.0 credentials can fetch a high sum that depends on both the popularity of the application, and the `popularity' of the account in question.

This, he explained, is clearly illustrated by the `going rate' of $1.50 for a Hotmail account, and $80.00-plus for a Gmail account.

As a service, Hotmail has fallen out of favour of serious internet users, while Gmail's all-round flexibility means it is central service for business users, he went on to say.

According to the Imperva CTO, this means that Gmail credentials can also give access to a range of Google cloud services, including Google Docs and Adword accounts.

Google Docs, he said, can contain valuable additional information on the legitimate owner, while an Adwords account can allow criminals to manipulate existing and trusted search engine results.

And it's a similar story with Twitter accounts, but with the added dimension of the immediacy of a rapid-fire social networking connection, said Shulman.

"Twitter accounts are valuable to criminals that they will use almost any technique to harvest user credentials, including targeted phishing attacks. Once a fraudster gains access to a Twitter account, they can misuse it in a variety of ways to further their fraudulent activities," he said.

"If this isn't a wake-up call to anyone with multiple IDs that use the same password, I don't know what is. Internet users - especially those with business accounts - need to use different passwords for different services, or they could face the disastrous consequences of taking a slack approach to their credentials," he added.

Stephen Howes, CEO of Gridsure, the pictorial password specialist, was equally incisive, noting that the Twitter hacking case is yet another demonstration of the inherent weakness of fixed passwords.

"Not only are they easy to break, but the same password is often used across a number of consumer and business accounts because they are not easy to remember ` clearly shown by the `forgot my password' feature present on the password login screen", he said.

According to Howes, every day millions of people log in to a variety of internet sites, from banks and social networks to on-line shopping portals, using a username and password combination.

The owners of these sites, he says, have chosen this method of authentication in the misguided view that it is cheap and offers a good level of security.

"In reality, it is neither. As we've seen, passwords can be compromised through various forms of attack, including shoulder-surfing, key-logging and screen-scraping", he said.

"In order to genuinely improve security, organisations need to abandon login systems based on fixed passwords and PINs and replace this flawed method of authentication with a one-time passcode method", he added.

By making this change, Howes argues that organisations will reduce cases of data loss and identity theft while also saving money - and improving customer satisfaction to boot.

 

What’s Hot on Infosecurity Magazine?