The recent Bitcoin hack happened from within, but now is a great time to make sure your account is locked up.
Last night, a number of high-profile and verified Twitter users all shared a curious message at roughly the same time. They included big names such as Elon Musk and Bill Gates. The suspicious tweets promised to double any amount of Bitcoin sent to a specific wallet ID listed in the tweet itself. On its face, it screams of a scam, but these are verified accounts for certifiably rich people—some users took a chance. Quickly, the wallet had racked up more than $120,000 in bitcoin transactions, none of which will ever be doubled or even returned.
It was a massive security breach for Twitter. The company scrambled to delete the offending tweets and investigate. For a while, no verified Twitter user could send tweets at all, in an effort to prevent the fraudulent message from propagating even further and duping more folks out of cryptocurrency.
Early reports claim the issue began when hackers got access to an internal tool meant for Twitter employees. Twitter’s official statement claims “social engineering” played a large part in the heist, though details are still sparse from the official investigation.
Even if you didn’t lose any Bitcoin to the scam, it’s a worrying event. After all, this was a large-scale attack on one of the biggest media platforms in the world at the moment. If they can poke around inside Elon Musk’s account, why not yours?
When someone is inside your account, they can send tweets, but they can also access your information. If they simply log in because they have your password, they can operate as if they’re you. As with most apps, two-factor authentication (2FA) can help prevent this from happening, since it puts an extra step between a hacker and your information.
The most familiar way to enable 2FA involves giving the app your phone number so it can text you a code when you log in from a new device. While this is a big jump up from no second factor at all, it is possible for hackers to impersonate or compromise your phone provider and get hold of that code. According to Weidman, however, that’s pretty unlikely unless you’re a high-value target. “You’re going to be more likely to run afoul of hackers looking for sheer numbers,” she explains. “It’s unlikely they’re going to target you specifically since you’re not as valuable as someone like Elon Musk. It’s too much work.”
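To make the “extra step” concrete, here is an added example (not Twitter’s code, and not from the article) of what the service side of an SMS login code typically has to get right: the code is generated from a cryptographic random source, only a salted hash of it is stored, it expires after a short window, it can be used once, and it locks after a handful of wrong guesses. The store, the five-minute lifetime, the five-attempt limit and the `send_sms` stub are all assumptions made for this illustration.

```python
"""Server-side one-time login code: an added illustration, not Twitter's implementation.

Assumptions (constructed for this example): an in-memory dict stands in for the
code store, `send_sms` is a stub, and the TTL/attempt limits are invented policy.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumed policy: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed policy: lock the code after five wrong guesses


@dataclass
class PendingCode:
    digest: bytes      # salted SHA-256 of the code; the plaintext is never stored
    salt: bytes
    issued_at: float   # seconds; passed in explicitly so the flow is testable
    attempts: int = 0


_pending: dict[str, PendingCode] = {}   # user -> outstanding code (assumed store)


def _digest(code: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + code.encode()).digest()


def send_sms(user: str, code: str) -> None:
    """Stub standing in for the SMS gateway call; nothing is actually sent."""
    return None


def issue_code(user: str, now: float) -> str:
    """Generate a fresh 6-digit code for `user`, store only its hash, and return it.

    `secrets` is used rather than `random` so the code is unpredictable.
    Issuing a new code replaces any earlier outstanding one for the same user.
    """
    code = f"{secrets.randbelow(10**6):06d}"
    salt = secrets.token_bytes(16)
    _pending[user] = PendingCode(_digest(code, salt), salt, now)
    send_sms(user, code)
    return code


def verify_code(user: str, submitted: str, now: float) -> bool:
    """Return True exactly once for the correct, unexpired code; False otherwise.

    Expired or over-tried codes are discarded, a correct code is consumed on use,
    and the comparison is constant-time so timing does not leak the digest.
    """
    entry = _pending.get(user)
    if entry is None:
        return False
    if now - entry.issued_at > CODE_TTL_SECONDS or entry.attempts >= MAX_ATTEMPTS:
        _pending.pop(user, None)
        return False
    entry.attempts += 1
    if hmac.compare_digest(_digest(submitted, entry.salt), entry.digest):
        _pending.pop(user, None)   # single use: a replayed code fails
        return True
    return False


if __name__ == "__main__":
    code = issue_code("alice", now=0.0)
    print("first use accepted:", verify_code("alice", code, now=10.0))
    print("replay accepted:   ", verify_code("alice", code, now=11.0))
```

The short lifetime and single-use check limit how long an intercepted code is worth anything, which is why the service-side controls matter. They do nothing, however, about the weakness the article describes: if an attacker has taken over your phone number at the carrier, the text reaches them first and they pass this check exactly as you would. That is the gap an authenticator app or hardware key closes.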
Twitter’s direct messages have never claimed to be the most secure method of communication on the web. Like Facebook Messenger, the messages aren’t end-to-end encrypted, which means anyone who intercepts them could feasibly get at their contents. But, in this case, encryption wouldn’t have helped. Since the attackers had access to the accounts, they almost certainly had access to direct messages, which would be the case with most services.
You can delete your sensitive direct messages, but that won’t delete them from the recipient’s account. When you delete a Twitter DM, you get a dialog explaining that you’re only deleting the message for yourself and that it will still show up in the other person’s account unless they also delete it. So, if they’re compromised, then so are you.
Use a password manager
By now, you may be sick of hearing about how you should be using a password manager. “Passwords should be strong, complex, and unique,” says Weidman. “It can be really difficult to keep track of 50 passwords like that, which is why you want a manager.”
Keep your apps and operating systems updated
Security updates arrive all the time for apps and even for your operating system. It’s easy to neglect them because they can be time-consuming to apply. They are, however, crucial for staying ahead of hacks. “This goes beyond the apps themselves and to the platforms they’re running on,” says Weidman. “Keep your phone and computer updated.”
Remember that political parody account you set up during the 2012 election? It probably doesn’t have much in the way of security, which could make it an easy target for a hacker. If you have old accounts that you never plan to use, delete them rather than leaving them there forever. If you don’t want to lose that content even though you’re not actively posting to it, make sure its security settings are up to date.
Watch for weird behaviour
Clicking links from accounts you don’t recognize is bad news. Clicking links from friends who are acting slightly odd is also bad news. If someone you know asks you to click on something, verify that it’s a real link—you can even text them to make sure it’s legit.
If you suspect an account is malicious or trying to trick you, report it instead of interacting with it. You don’t want to make yourself more of a target by showing your willingness to engage.
In recent years, Twitter has expanded its security and privacy dashboards. Taking an occasional cruise through your settings can’t hurt. For instance, do you know what your tweet location settings are right now? If you don’t, dig into them and make sure you’re not giving up more location data than you’re comfortable with.
Source: popsci.com
