Tuesday’s hack of the Associated Press’ Twitter account proves not only the vulnerability of social media accounts, but also the power.
At 1:07pm EST, the erroneous tweet claimed the White House was under attack and the President was injured.
To anyone who saw it, there were a lot of red flags.
- No media group would ever report the President was injured upon first learning of an explosion, it would simply take too long to confirm.
- The A.P. never calls the President “Barack Obama”
- The A.P. delivers an electronic wire service to tens of thousands of media outlets in the U.S. and would never have released this type of information to a single Twitter account.
Most people who saw the tweet knew it was suspicious. Within minutes, Twitter suspended the account and the A.P. announced it had been hacked. Except, the stock markets were already in motion. U.S. markets went into a short, but dramatic free fall. NBC reported at sell-off at Chicago’s Mercantile Exchange and Wall Street. The Dow Jones dropped 143 points, the S&P fell 1%, and traders began buying Treasury 10-year futures.
Why did stock markets suddenly plunge? Because while people have common sense, computers don’t.
Many traders use computer algorithms that trigger accounts to buy or sell. Some algorithms work on keywords that search online for combinations, like explosion and White House. Other algorithms use programs that follow trends, so if there is a sudden drop in the market the programs are designed to sell or buy rapidly. The systems are designed to react quickly so traders can get a jump on the market.
CNBC reports that 90 seconds after the tweet went out, those algorithms kicked in. A few minutes later, when word got out that the tweet was faked, the market righted itself. But there is no “take back” for sellers caught in the middle.
It could have been worse, but what if this was just a test? If a single bogus tweet can send the markets into a tailspin, what happens when hackers learn to use better verbiage? What happens when hackers do the same thing with multiple media accounts at the same time? Or set up fake accounts with a similar name that could also be picked up by algorithms?
In each case, it will take longer to dispel the phony information and could have a bigger impact on the markets. It brings security of U.S. markets into question, as well as just how much security media companies are putting into their social media accounts.
The FBI is now investigating the A.P.’s security breach, as well as recent compromises on social media pages run by CBS, NPR and the BBC. A group calling itself the Syrian Electronic Army has taken credit for all the hacks, although they don’t give a reason.
This follows a year where newspapers like The New York Times, Washington Post, and Wall Street Journal also admit to attacks. How can these massive organizations get hacked?
It can be as simple as a phishing scam; when someone in the organization unknowingly gives the password away by clicking on an infected email. It is also possible to get information using malicious software, or by searching underground forums for stolen log-ins.
Consider this, large media companies have a lot of people working off the same social media account, which means a lot of people have the password. Changing the password, or making it too complex, causes a lot of confusion and isn’t likely to occur unless absolutely necessary. Hackers know this, and count on it. That’s why company mandated password changes every 60 or 90 days are so valuable.
New York Magazine’s Kevin Roose writes that the only solution is a multi-step authentication process for breaking news. It’s a good idea that Twitter has explored, but still hasn’t put into place. Only time will tell if Tuesday’s hack will encourage media outlets to ask for the extra layer of security.
One other thought. The SEC now allows companies to use social media for investor announcements, giving Twitter and Facebook accounts much more weight than simply a tool to sell products. That means companies also have a greater responsibility to secure their passwords. Until all large companies start securing their passwords tightly, U.S. businesses and the markets will be vulnerable.
After all, just think how much power could hackers have if they are able to control our markets, even if it is just a few minutes at a time?
[Photo Credit: Biz Tech Day]