AP Twitter hacking highlights defects in social media monitoring


The following article is syndicated from yesterday’s B&T article on the AP Twitter hacking scandal.

The article features We Are Social’s own Julian Ward who lays down insights and a few ideas on how to offset a potential crisis.

The hacking of Associated Press’ (AP) official Twitter feed last week was a sobering reminder of the unparalleled and unchecked power of the Twittersphere.

Last Tuesday a cyber hacking group known as The Syrian Electronic Army broke into AP’s account and posted a bogus Tweet declaring there had been explosions at the White House.

The Tweet, which claimed president Barack Obama had been injured in the attack, sent the stock market momentarily into freefall as Wall Street responded to the news.

AP Twitter hacking highlights defects in social media monitoring

The Dow Jones Industrial Average dropped almost 150 points in a matter of seconds before bouncing back when traders realised the tweet was fake.

The event showcased the enormous degree of trust global corporations have put in the social network to deliver them true insights – a trust which is now in question. Twitter’s simplistic security measures clearly need to be addressed.

But it also threw the spotlight on the shortcomings of automated data monitoring services used by corporations and businesses the world over to gain real time insights, Julian Ward, MD of We Are Social told B&T.

“It probably wasn’t even people the hackers were targeting. The real target looked to be the automated monitoring services for social media and the news sites.

“Some of these services scan 50,000 news sources and millions of social media sites and profiles, sifting through the data in an attempt to make some sense of the mass of information.

“Whereas an agency like ours is looking for real insight and emerging issues to offset potential crisis, the trading world is looking to execute on relevant strings of words in a micro second, so effectively without human analysis and without time for intervention,” he said.

The Tweet, posted at 10:07am on the 23rd of April, read: “Breaking: Two Explosions in the White House and Barack Obama is injured”.

According to Ward, the style and tone of the post was not typically ‘AP’. But data monitoring services don’t pick up nuances, and therein lies one of the greatest dangers of automated analytics.

“Questions have arisen around the unusual style of the news post, with it clearly not looking to blend in. It seemed to be a blatant attempt to trigger set up monitoring alerts which connected the string of keywords, packaged this as trading system data and delivered it in less than one thousandth of a second, triggering the algorithmic trading spiral – straight down,” said Ward.

“Access to this sort of data is incredibly powerful if you have the means to accurately interpret it. The scary side is the ease at which you could manipulate the systems in the trading domain.”

One of the major issues raised by the hacking has been Twitter’s lack of security.

According to international reports, Twitter is currently considering adding a two-step approval practice which would see Tweeters forced to log in with both their regular user name and password in addition to an extra code, which would be sent to a different device or email.

“Security is definitely an issue they are going to have to have a look it,” said Tommy Tudehope, social media strategist at Social@Ogilvy. “All organisations need to consider their security software and passwords and who has access to accounts. We know that hacking is on the rise and those who are engaged in hacking often have the best tools at their disposal and are pushing the boundaries every single day. So there is a case for increasing the security around social media tools.”

While Tudehhope believes stronger passwords might solve the problem – “ Many organisations still use the most simplistic password like ‘password’” he says – Ward believes the two step process has merit.

“Two step verification can help protect an account if a password is obtained,” he said. “It’s a simple enough approach that stops more basic attacks and means that dedicated hackers will need to have your physical phone or to have compromised the secondary device as well.

“The real world issue is many of the accounts that would be prime hacking targets would be using various management applications and possibly have multiple people contributing, so there are some obvious questions around practicality and whether this could or even would be used.”

And if not to protect reputation, publishers will no doubt be pressuring the social network to improve security to prevent severe legal ramifications from the distribution of false information.

Nick Economidis, an underwriter with Beazley, a financial-services company in London that sells data-breach insurance, told The Age at the time of the hacking:

‘‘A media publisher conceivably could be sued for negligence if things are published under their name that is not true and if they didn’t take reasonable steps to prevent the erroneous publication of information.

‘‘Some people may have lost money in the market today based on the news story. Those people may seek redress against the Associated Press.’’

The FBI is currently investigating the hackings.