There are a few best practices to protect your company or yourself from being compromised on Twitter. Most of these are basic good judgement for the internet, but many people don’t think about protecting a valuable asset like Twitter like they do for, say, their credit cards. Which is odd, considering that it’s usually much easier to get your money back from credit card companies than to re-earn the trust of your social audiences.
1) Use secure passwords.
Odds are, if your Twitter account gets hacked, it’s your fault more so than Twitter’s. It’s highly unlikely that anyone is going to compromise Twitter’s own security and be able to just read everyone’s passwords from a database table or gain access to accounts through a back door somewhere. While we tend to think of hackers as using sophisticated “brute-force” programs that try millions of character permutations looking for the right password, many hackers are able to compromise accounts by simply guessing common passwords.
What makes a password secure might surprise you. Although you might be tempted to use some convoluted combination like HuB&p07 for your password, a password like “blogging-is-like-jogging” is actually significantly more secure — and far easier to remember. You can read more about balancing password complexity and usability in this blog article.
I know that it’s tempting, especially for sites like Twitter where people frequently use a mobile device to log in, to have a simple password that’s easy to type with your thumb instead of using special characters or a longer string of words — but the additional inconvenience is worth the extra security.
If your password on anything is “password” or “admin” or “fido”, or if it’s any easily guessable personal information like your name, stop reading this article right now and go change it.
I’ll watch that clip from Spaceballs where he talks about the combination he uses for his luggage till you get back.
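To make the passphrase-versus-jumble point from this section concrete, here is an added example (not code from the original article) that estimates how many bits of guessing an attacker faces for the two passwords above and flags the obvious bad choices. The common-password set and the 7776-word list size are constructed assumptions for the example.

```python
import math
import re

# Constructed sample of common passwords for this example; a real check would
# use a large breached-password corpus instead of this tiny set.
COMMON_PASSWORDS = {"password", "admin", "fido", "123456", "qwerty", "letmein"}

# Size of the word list an attacker is assumed to try for passphrases
# (Diceware-style list; an assumption for this example).
PASSPHRASE_WORDLIST_SIZE = 7776


def charset_size(pw):
    """Size of the character set an attacker would have to search for pw."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII punctuation
    return size


def entropy_bits(pw):
    """Rough guess-resistance estimate in bits.

    Three or more dictionary words joined by separators are modelled as a
    passphrase drawn from the word list; anything else as random characters.
    """
    words = [w for w in re.split(r"[-_ ]+", pw) if w]
    if len(words) >= 3 and all(w.isalpha() for w in words):
        return len(words) * math.log2(PASSPHRASE_WORDLIST_SIZE)
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def check_password(pw, personal_info=()):
    """Return (estimated_bits, list_of_problems) for a candidate password."""
    problems = []
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        problems.append("common password")
    for item in personal_info:
        if item and item.lower() in low:
            problems.append("contains personal info: " + item)
    bits = entropy_bits(pw)
    if bits < 40:
        problems.append("too easy to guess (about %d bits)" % round(bits))
    return bits, problems
```

Run on the article's two examples, “blogging-is-like-jogging” scores roughly 52 bits against roughly 46 for “HuB&p07”, even though the attacker is assumed to know the word list.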
2) Do the Twitter two-step.
In addition to secure passwords, Twitter now also has an optional feature that adds a significant additional layer of security by requiring login verification through a mobile device. There’s not much more I can say about it, other than that there’s not really any significant downside and it makes your account more secure by forcing someone to also steal your cell phone to compromise your account. You can learn more about this system by reading Twitter’s announcement.
3) Beware of shortened links.
Bitly, tinyurl, and other link shorteners became very popular in the early years of Twitter. People wanted to be able to share content, but URLs can get very long (especially if you’re using tracking URLs) and Twitter only gives you 140 characters. Because of this, people used link shorteners that would then redirect elsewhere.
Although this is no longer an issue from a character-counting perspective with the advent of Twitter’s native t.co shortener, URL shorteners are still used by many companies to help with analytics. For example, any of HubSpot’s customers can use our hub.am URL shortener to track their clicks inside of our social media marketing tools.
So while the vast majority of shortened links are just fine, if you even think that a shortened link may not have been authentically posted by the person you’re following, you can use a URL expander (such as LongURL) to see where that link would take you.
An ounce of paranoia is worth a pound of obfuscation.
4) Always check the URL when logging in.
Probably the most common method of hacking involves simply cloning a website, like Twitter, and sending people there to capture their login information. Cloning Twitter’s login page is as simple as saving the source code and swapping out the forms to send the information directly to the hacker. They might even be very smart and redirect you to a login failure page afterward so that you think you just mistyped a character and don’t change the password.
Once a login page is cloned, a hacker just needs to get you to go to it — usually by sending you an email or direct message that links to a page that looks like the normal login page, and might even have a very similar URL (such as http://twitter.stealyourinfo.com/login).
5) Beware of email phishing.
As mentioned before, getting you to click links to nefarious websites is a common tactic. A popular way of doing that is to send you an email posing as a site you trust — such as Twitter — and including a link to their site. Just because an email appears to come from Twitter doesn’t mean it actually did. I won’t go into the how-to specifics here, but pretending to email as someone else is shockingly easy.
The key here is to, again, make sure that if you click a link included in an email that it’s a URL that matches the site you expected to reach. Also, never send personal information via email as a reply. No legitimate company in 2014 will ever ask you for your login information via email. Ever. So if someone does, it’s probably an attempt to compromise your account.
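Points 4 and 5 both come down to one check: does the link you are about to type your password into actually belong to the site you expect? The following added example (not code from the original article) does that check for a URL, rejecting the look-alike host from point 4, a “user@” prefix that hides the real host, punycode look-alikes, and plain http. The set of legitimate hosts is an assumption for the example; a shortened link should be expanded first and the destination passed in.

```python
from urllib.parse import urlsplit

# Hosts treated as the real login site; an assumption for this example.
LEGITIMATE_HOSTS = {"twitter.com"}


def is_legitimate_login_url(url):
    """Return (ok, reason) saying whether url really points at the login site."""
    parts = urlsplit(url.strip())
    # "https://twitter.com@evil.example/login" is a request to evil.example:
    # everything before the @ is treated as a username, not a host.
    if parts.username is not None or parts.password is not None:
        return False, "user@ prefix hides the real host (%s)" % parts.hostname
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host in URL"
    # Punycode labels (xn--) can render as characters that look like ASCII.
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "internationalised host %s may be a look-alike" % host
    # Only the exact domain or a true subdomain counts; "twitter.stealyourinfo.com"
    # merely starts with the name and is rejected here.
    owner = next((d for d in LEGITIMATE_HOSTS
                  if host == d or host.endswith("." + d)), None)
    if owner is None:
        return False, "host %s is not %s" % (host, ", ".join(sorted(LEGITIMATE_HOSTS)))
    if parts.scheme != "https":
        return False, "scheme is %r, not https; the password would travel in clear" % parts.scheme
    return True, "host %s belongs to %s over https" % (host, owner)
```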
6) Use protected internet protocols.
That sounds way fancier than I mean it to, but what I’m trying to say is that using an email address like info (at) mallikarjunan.com is actually less secure than using a free email address like Gmail. The reason is that people can call the customer service at, say, GoDaddy or whoever your domain registrar is and convince the fallible human being on the other end that they’re you, and need to reset or redirect incoming mail (or traffic — if they want to hijack your entire website) to them. Then, they just use the “reset password” functionality that Twitter (and most websites) have, which sends you an email that can be used to make any changes they want.
Ever try calling Gmail’s customer service? They don’t have any. So, unless you’re pretty confident in the security protocols of your domain registrar, you might want to consider using a system isolated by a layer of customer service apathy.
7) Beware public computers.
Public access to the internet is an awesome advantage in closing the digital divide. However, the very fact that anyone can access the computers at your local library or Kinko’s makes it less secure. Pieces of software known as “key loggers” can be installed that track every keystroke and its context, and can make it so that typing your password into the computer is recorded and available for use by the hacker.
Even without sophisticated technology, there are ways for your information to be compromised on public computers. Many internet browsers, for example, include the option to store or save passwords. You should obviously never store a password on a publicly accessible computer, even if you have a special profile on it or it’s a website you don’t think anyone else would try to access.
Never access personal information or private accounts on a public computer at all, if you can avoid it.
8) Beware public Wi-Fi.
Another common danger of the public domain is Wi-Fi. Although Wi-Fi is awesome for empowering computer and mobile device access to the internet on the go, it’s also much easier to access the packets of data travelling through the air than it is to access data moving through a hard line.
Your home or work Wi-Fi is probably safe to use, as long as you use the basic encryption that comes with most Wi-Fi systems. It’s unlikely people will hack into your private Wi-Fi network (unless, like we discussed before, you use a weak password). However, once someone is already connected to the same Wi-Fi network as you, it becomes much easier to access the packets of data moving through it. Never, for example, log in to your bank or other personal account on an airport’s Wi-Fi network.
9) Beware of third-party apps.
Third-party apps have been one of the driving forces behind Twitter’s massive success and growth. Twitter’s user interface rarely has all of the features that you need, and third-party software helps you do things like sort your Twitter feed into smaller feeds based on who matters most. However, building an app that uses the Twitter API isn’t hard — and hackers could use it to access your account if you let them.
Never grant a third-party system access to your Twitter account unless you trust the source and you’ve verified that it’s actually created by that organisation. Refer to our earlier points around how easy it is to clone a website and fake a URL, and make sure that if you’re granting access (usually known as OAuth access) to your account that it’s a legitimate application.
Also, make sure to maintain and clean up apps that have access to your account. I had a small heart attack when I was writing this article and I looked at how many apps had access to my Twitter account. I couldn’t zoom out far enough to take a screenshot that would include them all. Some of the apps were made by companies that are no longer in business at all — and who knows who has access to their end of the app now? Be sure that you revoke the access of apps you no longer use regularly.
10) Control access inside your company.
This one can be painful – you may want employees within your company to be able to actively engage on social media with prospects and customers. However, the more people that have access to your account, the more opportunities there are for it to become compromised. An employee who doesn’t primarily work on social media but has access to your Twitter account may not think to be as careful when downloading the latest season of Doctor Who from a questionable source … along with malware that might use their computer.
Already been hacked? Have a read of What To Do If Your Twitter Account Is Hacked and then use the above tips to avoid it happening again.