<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0"><channel><title>Multi Factor Authentication</title> <link>http://www.multifactorauthentication.co</link> <description /> <lastBuildDate>Mon, 14 May 2012 19:40:47 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/MultiFactorAuthentication" /><feedburner:info uri="multifactorauthentication" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:emailServiceId>MultiFactorAuthentication</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><item><title>Twitter Logins and Passwords Exposed in Security Breach and How They Can Prevent Future Breaches</title><link>http://feedproxy.google.com/~r/MultiFactorAuthentication/~3/wPUSUczl0zg/</link> <comments>http://www.multifactorauthentication.co/twitter-logins-passwords-exposed/#comments</comments> <pubDate>Mon, 14 May 2012 19:36:33 +0000</pubDate> <dc:creator>Adam Quart</dc:creator> <category><![CDATA[one time password]]></category> <category><![CDATA[two-factor authentication]]></category> <category><![CDATA[1 time password]]></category> <category><![CDATA[out of band authentication]]></category> <category><![CDATA[what is two 
factor authentication]]></category><guid isPermaLink="false">http://www.multifactorauthentication.co/?p=852</guid> <description><![CDATA[It was announced recently that Twitter was hacked, and over 55,000 Twitter usernames and passwords were leaked and posted publicly on the internet for anyone to see.  Data from users appeared on Pastebin, a service used by hackers to brag about their achievements, but the social network pointed out that many of these profiles were]]></description> <content:encoded><![CDATA[<p>It was announced recently that Twitter was hacked, and over 55,000 Twitter usernames and passwords were leaked and posted publicly on the internet for anyone to see.  Data from users appeared on Pastebin, a service used by hackers to brag about their achievements, but the social network pointed out that many of these profiles were spam bots and duplicates.  If you’re on Twitter, now would be a very good time to log in and change your password.</p><p>Twitter spokesman Robert Weeks explained, “We are currently looking into the situation.  In the meantime, we have pushed out password resets to accounts that may have been affected.”  Twitter is investigating the security breach to find out the source of the attack.  Twitter is downplaying the incident, stating that the accounts and passwords consist of more than 20,000 duplicates, spam accounts that have been suspended, and login credentials that are not related to each other (passwords and logins do not match).</p><p>The social network claims to have over 140 million active users, so the security breach would have affected about 0.02% of its user base.  Still, this is a reality check for Twitter because the security breach could have been much more widespread and could have tarnished the company’s reputation.  The question that Twitter must be asking itself is who would have leaked the account credentials and why?  
The Pastebin poster remains anonymous and no group is stepping forward to take credit for the attack, but that has yet to be concluded.</p><p>In 2009, Twitter was compromised twice and hackers had complete control over the social network.  In 2010, Twitter settled with the Federal Trade Commission (FTC) over the hacking because of customer privacy and information being at risk.  Part of the FTC settlement includes twice-a-year security audits, regular information security audits for 10 years, avoiding any misleading statements about the effectiveness of its security or privacy practices for 20 years, and a dedicated security person on staff at Twitter to be accountable for and coordinate its information security and privacy concerns.  The FTC settlement details can be seen at http://www.ftc.gov/opa/2011/03/twitter.shtm.  The social network also agreed to put in place “reasonable safeguards” to mitigate any information security risks it identifies and also to store data securely.</p><p>Although Twitter had added almost all of the required security improvements by the time the FTC settlement was announced in 2010, it could have done more to prevent the current attack and future attacks.  Even with staff dedicated to improving security and accountable for information security, the company still got compromised.  If the staff at the social site were to incorporate new technology such as two factor authentication, the security breach might not have occurred.  For instance, two-factor authentication using a mobile device could have protected users and the site from unauthorized access by authenticating users via their mobile devices when logging in.  This is technology that Google now embraces and what many major banks use to authenticate their users logging in to their services.  It’s an effective and cost-effective way to implement an <a
title="out of band authentication" href="http://www.outofbandverification.com/" target="_blank">out-of-band authentication</a> method while using a device that most users always have on them and own, a mobile phone.</p><p>To implement two-factor authentication, Twitter would just require users to opt-in to using their mobile phone as a security device and agree to receive a <a
title="What is one time password" href="http://www.dynapass.com/glossary/one-time-password/" target="_blank">one-time password</a> (OTP) through SMS on their mobile devices.  Once a user enters their login credentials on Twitter, an OTP is sent to them through an out-of-band network (their mobile carrier), and they enter the password on the site, which authenticates them.  It is a cost-efficient and effective way to authenticate users because most people have mobile phones on them at all times, and it requires no additional hardware or tokens to deploy on Twitter’s end.  Two-factor authentication is a truly effective layered security solution that Twitter should be using to protect its users, and maybe this current attack will make the company rethink the security measures it has in place.  The FTC has already stepped in once to increase the social network’s security and that wasn’t enough, but maybe if Twitter implements a two-factor authentication solution it will be less susceptible to more security breaches.</p>]]></content:encoded> <wfw:commentRss>http://www.multifactorauthentication.co/twitter-logins-passwords-exposed/feed/</wfw:commentRss> <slash:comments>0</slash:comments> <feedburner:origLink>http://www.multifactorauthentication.co/twitter-logins-passwords-exposed/</feedburner:origLink></item> <item><title>Online Users Are Safer With Out-of-Band Authentication</title><link>http://feedproxy.google.com/~r/MultiFactorAuthentication/~3/Vqd7sNbYxys/</link> <comments>http://www.multifactorauthentication.co/online-users-safer-authentication-3/#comments</comments> <pubDate>Thu, 03 May 2012 17:08:49 +0000</pubDate> <dc:creator>Adam Quart</dc:creator> <category><![CDATA[one time password]]></category> <category><![CDATA[two-factor authentication]]></category> <category><![CDATA[what is two factor authentication]]></category><guid 
isPermaLink="false">http://www.multifactorauthentication.co/?p=821</guid> <description><![CDATA[Online banking continues to grow as more consumers are going paperless with their monthly billing statements, accessing their online accounts, paying bills, and making online purchases.  With the increase in the number of users going online, financial institutions are looking to protect their customers from potential threats such as online fraud, hacking and malware.  In]]></description> <content:encoded><![CDATA[<p>Online banking continues to grow as more consumers are going paperless with their monthly billing statements, accessing their online accounts, paying bills, and making online purchases.  With the increase in the number of users going online, financial institutions are looking to protect their customers from potential threats such as online fraud, hacking and malware.  In addition to making it safer for their users, financial institutions also have FFIEC regulations to consider, which recommend that they implement layered security measures such as multi factor user authentication.  According to recent studies, online banking fraud now accounts for more than double what is lost in bank robberies.  As banks implement new technologies to protect their users against fraud attacks, more sophisticated attacks are also being created.  With new technologies being countered with new threats, how are financial institutions going to protect their customers?  One of the ways is through authenticating their users with the use of out of band authentication.</p><p>Out of band authentication is a great way to authenticate users because most threats to online banking come from malware used to steal user credentials, man in the middle (MITM) attacks, and phishing attacks.  Malware is the greatest threat to online banking users today because it is so widespread.  Malware is becoming more advanced as hackers come up with new ways to infiltrate users’ computers.  
Man in the middle attacks are the most common type of malware attacks and they work by mimicking a user’s online banking portal so that users enter their login credentials into the “fake” login site instead of their actual online portal.  Financial institutions are the most profitable targets for hackers, so many hackers focus on harvesting login credentials.</p><p>Users that don’t know that they have malware on their computer are fooled into entering their login credentials because man in the middle attacks disguise the website used so that it looks like the banking institution’s.  Both the financial institution and the user are fooled because they think that the authenticated session is without interference.  Even if the institution allows authentication by giving out hardware tokens with one time passwords, the password is still used to authenticate the user, and the hacker can freely roam the user’s account with fraudulent transactions such as wire and ACH transfers.</p><p>To prevent these types of online fraud attacks, additional security needs to be added, such as out of band authentication for financial transactions.  For example, if a user were to use their debit card online or transfer money from one account to another, they would be alerted by a message sent to their cell phone via SMS with a one-time password.  If they did make the said purchase or transfer, they would enter their one time password in the OTP prompt within the allowed time frame to confirm and authorize it.  With this verification method, an unauthorized user attempting to make a wire transfer, purchase, or other transaction would not be able to authorize it because they would not have access to the user’s mobile device.  Not many security companies offer a product that verifies transactions, but DynaPass, located in Orange County, California, does.  
DynaPay by DynaPass.com is a two factor authentication solution for users to verify their online transactions and is the additional layer of security that users need to stay protected against hackers and online attacks.</p>]]></content:encoded> <wfw:commentRss>http://www.multifactorauthentication.co/online-users-safer-authentication-3/feed/</wfw:commentRss> <slash:comments>0</slash:comments> <feedburner:origLink>http://www.multifactorauthentication.co/online-users-safer-authentication-3/</feedburner:origLink></item> <item><title>Are Static Passwords Obsolete? The Rise of One Time Passwords</title><link>http://feedproxy.google.com/~r/MultiFactorAuthentication/~3/6ZTlGOT2Juc/</link> <comments>http://www.multifactorauthentication.co/static-passwords-obsolete-passwords/#comments</comments> <pubDate>Thu, 26 Apr 2012 23:01:35 +0000</pubDate> <dc:creator>Adam Quart</dc:creator> <category><![CDATA[one time password]]></category> <category><![CDATA[two-factor authentication]]></category> <category><![CDATA[what is two factor authentication]]></category><guid isPermaLink="false">http://www.multifactorauthentication.co/?p=799</guid> <description><![CDATA[With the introduction of new ways of authenticating a user such as face recognition, fingerprint scanning, retina scans, and puzzle solving, regular static passwords are becoming less secure and more cumbersome for users to remember.  When the internet first started, it was exciting to have a strong and hard-to-guess password for your emails, but]]></description> <content:encoded><![CDATA[<p>With the introduction of new ways of authenticating a user such as face recognition, fingerprint scanning, retina scans, and puzzle solving, regular static passwords are becoming less secure and more cumbersome for users to remember.  
When the internet first started, it was exciting to have a strong and hard-to-guess password for your emails, but now these same types of passwords can be easily guessed and hacked into.</p><p>More and more users are using online banking, making financial transactions, purchasing things online on their tablets, and putting sensitive information on the web.  Ordinary passwords just aren’t secure enough to protect users against malware and hackers.  With all these sites and logins that we have, it gets harder and harder to remember all these usernames and passwords.  It’s not only the security that is in question, but also the costs associated with it.  We rarely think about how much it costs to reset a password if it’s lost, stolen, or forgotten, but someone or some company is always responsible for resetting passwords and sending users a new one.  Industry reports show that the average cost of resetting a password is $30.</p><p><a
title="What is a one time password" href="http://www.dynapass.com/one-time-password.php" target="_blank">One time passwords</a> are a great way to protect users from fraud and malware, especially if combined with an <a
title="What is an out of band authentication" href="http://www.dynapass.com/glossary/out-of-band-authentication/" target="_blank">out of band authentication</a> method.  Banking and financial institutions use one time passwords to secure their user logins using an out of band authentication method.  Here is how it works: a user enters their login credentials, and their mobile phone is sent a one-time password from an outside server.  Once the user receives the password on their mobile phone, they enter it into the website they are trying to gain access to, and access is granted if the one time password is correct.  This is one of the best ways to authenticate a user because the password is sent to a user’s mobile phone.  This type of authentication method doesn’t require a user to carry additional hardware or even install additional software on their cell phone, which makes it more convenient than hardware tokens.  It’s also a great way to authenticate a user because most users have their cell phones on them all the time.</p><p>Google also uses one-time passwords and, if the user requests this service, sends them to users who log in from a different IP address than the one they usually use.  
One time passwords aren’t just as secure as they used to be even though they’re still widely used and one time passwords are going to be the future of authentication and securing users’ sensitive data.</p>]]></content:encoded> <wfw:commentRss>http://www.multifactorauthentication.co/static-passwords-obsolete-passwords/feed/</wfw:commentRss> <slash:comments>0</slash:comments> <feedburner:origLink>http://www.multifactorauthentication.co/static-passwords-obsolete-passwords/</feedburner:origLink></item> <item><title>Google’s Responsibility and 2 Step Verification</title><link>http://feedproxy.google.com/~r/MultiFactorAuthentication/~3/wyf9HBzknzs/</link> <comments>http://www.multifactorauthentication.co/googles-responsibility-verification/#comments</comments> <pubDate>Wed, 25 Apr 2012 00:15:42 +0000</pubDate> <dc:creator>Adam Quart</dc:creator> <category><![CDATA[business security]]></category> <category><![CDATA[data breach]]></category> <category><![CDATA[two-factor authentication]]></category><guid isPermaLink="false">http://www.multifactorauthentication.co/?p=787</guid> <description><![CDATA[Google’s Larry Page has stepped up security measures as Google’s new CEO ever since Eric Schmidt stepped down in 2011.  Google, the most widely used search engine in the world, is popular among users because it is valuable for their users by showing them the most relevant search results when users are looking for something. ]]></description> <content:encoded><![CDATA[<p><a
href="http://cdn.multifactorauthentication.co/wp-content/uploads/2012/04/google2stepverifications2.jpg"><img
class="alignleft size-medium wp-image-792" title="google2stepverifications" src="http://cdn.multifactorauthentication.co/wp-content/uploads/2012/04/google2stepverifications2-300x195.jpg" alt="" width="300" height="195" /></a>Google’s Larry Page has stepped up security measures as Google’s new CEO ever since Eric Schmidt stepped down in 2011.  Google, the most widely used search engine in the world, is popular among users because it is valuable for their users by showing them the most relevant search results when users are looking for something.  By offering such a great user experience, they have a very direct relationship with their users.  When a user wants to search an image or product, Google’s search algorithm “magically” compiles relevant search results.  In a swiftly changing industry, Google has managed to stay innovative.  Users don’t always like the changes, but some grow to love them.  When Google releases a product that isn’t up to par with users’ expectations or doesn’t work, they know that it’s easy for users to go to their competition, which is a click away.  Users have a lot of trust in Google with their searches and especially with their data in emails, documents, pictures, and accounts.</p><p>To retain the trust and ensure that users’ information is safe, Google invests in security and tools for users such as 2-step verification (also called two factor authentication) and encryption.  Its security efforts help thwart unauthorized access to users’ information and also increase trust between Google and its users.  Google also recently changed its privacy policies, which gained a lot of interest from users, but ultimately changes were made so that Google can create a more intuitive experience across its products and create a better user experience for its users.  Larry Page’s update within Google’s privacy policy was to create a more seamless experience across its services and products.  
A way to create a more seamless experience is for users to stay logged in while using Google products such as Google Chrome, Google Docs, Gmail, Youtube.com, Google+, and Google Play.</p><p>Google’s implementation of security features like two factor authentication helps improve the user experience by decreasing the likelihood of information and accounts being compromised.  One way a user can be verified using two factor authentication is by logging into their account using their login credentials; at the same time, a <a
title="one time password" href="http://www.dynapass.com/one-time-password.php" target="_blank">one-time password</a> is sent to their mobile phone to be entered into the website where access is being granted, which verifies them.  This is a powerful way to authenticate users because not only do they use their login credentials to log in (using a login and password), they are also sent a one-time password on their mobile device, which lets Google know that they are who they say they are.  The great thing about this <a
title="What is two factor authentication" href="http://www.dynapass.com/two-factor-authentication.php" target="_blank">two factor authentication</a> method is that most users always have their cell phone on them, so verifying them doesn’t require the users to carry any additional hardware or install any software.  Users just need to be able to receive text messages through their mobile devices and they can receive a one-time password that hackers and intruders won’t be able to access even if the users’ logins are compromised.  With over 100 million users active on Google+ and over 3 billion searches on Google’s search engine per day, security is a concern for users and implementing 2 step verification is a great way to ensure that users’ information remains safe and Google can continue improving the experience for us all with all their products and services.</p>]]></content:encoded> <wfw:commentRss>http://www.multifactorauthentication.co/googles-responsibility-verification/feed/</wfw:commentRss> <slash:comments>0</slash:comments> <feedburner:origLink>http://www.multifactorauthentication.co/googles-responsibility-verification/</feedburner:origLink></item> <item><title>Basic Security Measures Overlooked with BYOD</title><link>http://feedproxy.google.com/~r/MultiFactorAuthentication/~3/4AQxiUPpVWA/</link> <comments>http://www.multifactorauthentication.co/basic-security-measures-overlooked/#comments</comments> <pubDate>Mon, 19 Mar 2012 17:00:01 +0000</pubDate> <dc:creator>Absolute Software Blog</dc:creator> <category><![CDATA[business security]]></category> <category><![CDATA[mobile security]]></category> <category><![CDATA[BYOD]]></category> <category><![CDATA[ESET]]></category><guid isPermaLink="false">http://blog.absolute.com/?p=4163</guid> <description><![CDATA[ESET recently conducted a survey on the bring-your-own-device trend (BYOD) and the associated security 
challenges. Most companies currently lack policies that address the use of personal devices often leaving security to employees. As we&#8217;ve addressed before, personally-owned device activations are reaching an all-time high, so it should be no surprise that more devices are flooding [...]]]></description> <content:encoded><![CDATA[ESET recently conducted a <a
href="http://blog.eset.com/2012/02/28/sizing-up-the-byod-security-challenge" rel="nofollow" target="blank">survey</a> on the bring-your-own-device trend (BYOD) and the associated security challenges. Most companies currently lack policies that address the use of personal devices, often leaving security to employees. As we’ve addressed before, personally-owned device activations are reaching an all-time high, so it should be no surprise that more devices are flooding the workplace. The ESET survey found that more than <strong>80% of employed adults use a personally-owned device for work</strong> (smartphone, tablet, laptop). Personally-owned laptops and desktops are often used to access or store company information (41% and 47% respectively). 24% use their own smartphone to access and/or store company information and 10% use tablets, showing an increase in the use of devices that could potentially introduce data security risks. What’s troubling in this data is the lack of security precautions in place.<ul><li>about one third of BYOD devices have encryption for company data</li><li>less than 10% of people currently using their own tablets for work have auto-locking enabled (25% of smartphones auto-lock, 33% of laptop users auto-lock)</li><li>less than half of laptop users use both auto-locking and password protection. The numbers decrease for smartphone &amp; tablet users.</li></ul> As ESET notes, “less than half of all devices in the BYOD category are protected by the most basic of security measures” and this is troubling indeed. When companies are lax on their BYOD security policies and training programs, it’s up to employees to determine the security on their own devices, and they are not making smart decisions. 
It’s also likely that many companies have no idea of the extent of BYOD device use, the types of data being accessed, or when that data goes missing.]]></content:encoded> <wfw:commentRss>http://www.multifactorauthentication.co/basic-security-measures-overlooked/feed/</wfw:commentRss> <slash:comments>0</slash:comments> <feedburner:origLink>http://www.multifactorauthentication.co/basic-security-measures-overlooked/</feedburner:origLink></item> </channel> </rss>

