The Twitter logo is reflected on a pillar in the New York Stock Exchange. A CPJ poll of the site's users found many did not know how to secure their accounts. (AP/Richard Drew, File)
The Twitter logo is reflected on a pillar in the New York Stock Exchange. A CPJ poll of the site's users found many did not know how to secure their accounts. (AP/Richard Drew, File)

‘What’s two-factor?’ How journalists can protect themselves from Twitter hacks

When The Associated Press’s verified @AP account was hacked three years ago, CPJ’s senior security adviser Frank Smyth and I noted that for individuals faced with that situation, the best course of action is to request a password reset, tweet at Twitter staff, and pray. The best advice is still to not get hacked in the first place.

More on this issue

While it may have been expected that a high-profile hack like the one on the @AP account would have driven journalists and news outlets to better protect social media accounts, making use of the Twitter’s security features does not appear to be a priority for many of them.

Last month, I had more than 1,000 responses to a poll asking journalists if they use two-factor authentication to protect their Twitter accounts. I shared the poll with international journalists to ensure it wasn’t answered only by those in North America and Western Europe.

While it wasn’t a scientific poll, it was suggestive. I expected many respondents to say they don’t use two-factor authentication. I was not prepared for over half to say they had never heard of it. For their benefit, Wired describes the process as:

“Two-step (also known as two-factor or multifactor) authentication can prevent a hacker from gaining access to an account far more effectively than a password alone. When logging in from a new location, it requires users to enter a password and a randomly generated code sent to a device, typically via a text message or smartphone application. In other words, accessing an account requires having two things: something you know (the password) and something you have (a previously registered device).”

In short, passwords alone are no longer sufficient to protect online accounts. Even if you follow the guidance in CPJ’s Journalist Security Guide to choose a strong password–and you should–a hacker can still find ways to obtain it. In the case of the AP hack, the agency reported that the attack on its Twitter account was preceded by a phishing expedition–an attempt to extract usernames and passwords–against its corporate network.

Two-factor authentication adds an essential layer of protection. All journalists and media companies should enable it immediately on their Twitter accounts. The process is not limited to Twitter. Many online services including Facebook, Google, and Microsoft offer it. Instagram confirmed last month that it is rolling two-factor out as well. It would be wise to use it for all of your accounts. (You can find a list of services that support two-factor authentication here.)

While CPJ’s focus is on journalists and news outlets, any “at-risk” groups such as human rights defenders and activists should also follow this advice. Consider who could be at risk if a hacker were to obtain access to your Twitter account. Who do you send direct messages to? Could access to your Twitter account put your contacts in danger?

Back to the Twitter poll. While the responses were anonymous, a number of journalists responded to me both publicly and privately. It was remarkable that some journalists with hundreds of thousands of followers asked what two-factor authentication is. One, who has around a million followers, asked if it would involve giving Twitter a phone number. Based on these interactions, journalists in North America and Western Europe seemed more likely to at least be aware of two-factor authentication. Journalists from other regions fared worse. For example, journalists in South Asia confided that, in general, there is little awareness of two-factor authentication in their region. They also said they have a lot of issues with accounts being hacked.

It’s not all bad news though. For those journalists who understand the value of two-factor authentication, they really get it.

Some implored their followers to deal with this problem: CPJ agrees. Two-factor authentication can be enabled in the “security and privacy” section of Twitter settings. You’ll need to add a mobile number first. After enabling it, be sure to generate a backup code. That code is the only way to get into a Twitter account if your phone is lost or stolen. Also remember that as long as you have two-factor authentication turned on, you must have access to that phone number. If you change numbers, you will need to first update the settings in your Twitter account before you lose access to the original number. If you don’t have access to your phone and forgot to generate a backup code, even a password reset won’t help you get back in.

For Twitter users concerned about SMS being intercepted, a Google Voice number should be used to set up two-factor authentication. When using this method, ensure two-factor authentication is also set up on the Google account. More advice on cellphone security can be found in CPJ’s Journalist Security Guide.

After enabling two-factor authentication for your Twitter account, be sure to secure the rest of your online accounts in the same way.

[EDITOR’S NOTE: This blog post has been updated to include details on using Google Voice to set up two-factor authentication.]