What the Twitter hack says about us

We are curious, innovative and greedy.

For what much have seemed like forever on Wednesday 15 July neither Twitter nor 130 verified accounts were being controlled by their owners.

The accounts had been taken over by hackers that posted a slightly tweaked crypto scam and after about four hours once the accounts had been secured, millions had seen the hacked tweets, with hundreds having sent bitcoin resulting in over R1,5 million paid to the scammers.

Worse than the loss of money was the loss of control but rather than it being a failure of technology it was a failure of understanding how we work.

While investigations are ongoing, the statements by Twitter so far suggests that the hack managed to get support staff to allow their own tools to be used to post on behalf of the accounts, so less a hack than a con.

More often than not when security breaches happen it is thanks to someone being conned rather than something being hacked. The reason is that that is much easier to convince someone how to get access to a system than it is to actually hack it.

Passwords and probability

Consider a password that was a single digit. You are guaranteed to crack with just 10 options, adding a second digit and the options increase by 10 times, with just three and there are a thousand options Add a letter and a four-character password has over 1,5 million combinations. If you had to stop a human cracking your password 1,5 million combos would be fine, but humans don’t try crack passwords, machines do.

Using a 5 character password with number and uppercase and lower letters and you have over 60 million combinations but a computer can generate combinations at a rate of 2 billion per minute and this is why your password needs to be so long and hard not to stop humans but to stop computers.

The simple answer is to get a password manager which will generate and store unique and very tough passwords (12 character passwords using digits, upper & lower case letter and special characters will have enough combinations that will take over 7 million years for a computer to crack).

If you add a second login step, which is what two-factor authentication so besides the password you then also get an sms or enter a code generated on a separate app that confirms you are who you are.

You might get an option to identify objects in a picture, something humans are good at and machines not so much or you might even just be asked to click a square to prove you are not a machine, as odd as that may seem, we click so slowly and randomly that it is quite easy to tell the difference.

Get a password manager:

• Roboform
• Last Pass
• Dashlane

This is why hackers are more likely to target you, not your computer now.

#BusinessUnusual with @brucebusiness and @colincullis after 7 pm - how Twitter got hacked - odds are you could get hacked the same way.
Do you use a password manager?

— 702 (@Radio702) July 22, 2020

Beware the phishers, smishers and vishers

Seeing as it is now much easier to con use than our machines you need to know a little more about phishing.

It covers attempts to get you to give up information that would help hackers access your accounts.

The basic version is typically an email to get you to follow a link or reply with info that compromised your account. The emails are sent randomly to get as many positive outcomes as possible. Spear phishing is targeted at an individual so the email may be more personalised. Whaling is spearfishing business owners and those with lots of business access.

In South Africa, many phishing attempts are via SMS, this is called smishing and should you get an actual scam call that would be vishing and then there is the version that attempts to con you via a dodgy social post or online ad which is known as angler phishing.

It is difficult to be vigilant all the time so look to combine the best of a variety of strategies that allows you to be a bit more relaxed while still be covered.

Use Two-factor authentication

If you can add a separate confirmation to your login that makes it much safer from the brute force attacks that could just guess your password. Receiving an SMS code or using an authentication app means your account could not be accessed if your password was stolen. Even phishers would need to get access to your phone once you accidentally gave them access to you your details and while sim swaps remain a potential weak point an authenticator app goes a long way to protect your account and a password manager would take care of creating and remembering those impossible to crack 12 character passwords and save you from needing to use your birthday as a password for all your accounts. You would need just one good one for your password manager and you are as safe as you can be during a pandemic.

Authenticator app

• Google
• Microsoft

More from Business Unusual