Security sucks: The Twitter example

The greatest enemy to security is security itself. People use easily crackable passwords, because trying to remember a bunch of random characters for each site demanding a secret code for entry is too difficult. To put it simply, security sucks.

The Twitter example

I was reminded of this truism recently when I got locked out of my Twitter account. Covering security leads to paranoia, so I use two-factor authentication on every site that offers it. Google, Facebook, Twitter, LinkedIn, Dropbox, you name it. If it offers that extra layer of protection, then I'm signing up to ease my anxiety over the Internet's boogeymen of hackers and spammers.

For reasons I cannot explain, after I upgraded my iPhone 4S to iOS 7, I was no longer able to receive a login verification from Twitter. If you don't know what that is, then here's a short explanation.

When logging into the site with your user name and password, Twitter sends a notification to the mobile phone you have listed with your account. Within the notification is a little square with a checkmark inside. Press the square and the page in your PC browser magically takes you to your Twitter home page where all the tweets of the people you follow await you.

In doing research for a story, I stumbled across an interview with smartphone security expert Charlie Miller and decided to check out what he had to say on Twitter.

Logging into the site on my Mac, I received the usual message telling me my login verification had been sent. Only this time, nothing was happening on my phone.

Now Twitter has a solution for this problem. When setting up this system, you generate a backup code that you tuck away in a secret place. If you don't receive the login notification, then type in the code and you're good to go.

However, this time, it didn't work. Instead of entering Twitter, I got a message saying the code was invalid. Feeling the anxiety a reporter gets when he knows time is being wasted and a deadline looms, I cursed at the screen and slammed my fist on the arm of my chair. After taking a deep breath, I headed to Twitter's support pages.

Let me tell you something, they couldn't have been more useless. The closest solution to my problem was to reset my password, which I did. It didn't help.

Like many Internet companies, Twitter doesn't give you a number to call, so I sent an email to Jim Prosser, a public relations person I've spoken to in the past. It's worth noting that most people wouldn't have had this option.

While waiting for a response, I started poking around the account settings in my iPhone's Twitter app, found login verification and turned it off. I was then able to sign in on my Mac, using only my user name and password. (I'm going to skip talking about how this makes Twitter's security brainchild pretty lame.)
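As an added illustration, not Twitter's code, here is a toy model of the flow described above: push approval, a single-use backup code as the fallback, and a "turn it off" step that itself demands a recently proven second factor rather than merely an open app session. Class and method names are assumptions, and the backup-code format is constructed for the example.

```python
# Added example, not Twitter's implementation. Models login verification as a
# push prompt, hashed single-use backup codes, and a disable step that needs a
# fresh second factor. All names and the code format are assumptions.
import hashlib
import hmac
import secrets
import time


class LoginVerification:
    def __init__(self, now=time.time):
        self.now = now                 # injectable clock, for testing
        self.enabled = False
        self._backup_hashes = set()    # SHA-256 of each unused backup code
        self._last_verified = None     # time of the last successful 2nd factor

    def enable(self, n_codes=5):
        """Turn verification on; plaintext backup codes are shown exactly once."""
        self.enabled = True
        codes = [secrets.token_hex(5) for _ in range(n_codes)]  # constructed format
        self._backup_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        return codes

    def approve_push(self, approved):
        """Result of the checkmark prompt; a phone that never answers is 'not approved'."""
        if approved:
            self._last_verified = self.now()
        return approved

    def redeem_backup_code(self, code):
        """Fallback when the push never arrives: each code works once, then is burned."""
        digest = hashlib.sha256(code.strip().encode()).hexdigest()
        for stored in list(self._backup_hashes):
            if hmac.compare_digest(stored, digest):   # constant-time comparison
                self._backup_hashes.discard(stored)
                self._last_verified = self.now()
                return True
        return False

    def disable(self, step_up_window=300):
        """Turning verification off from a logged-in app session should itself
        require a second factor proven within the last few minutes."""
        if self._last_verified is None or self.now() - self._last_verified > step_up_window:
            return False
        self.enabled = False
        return True
```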

Talking to Twitter

Before I figured this out, Prosser had gotten back to me, suggesting I fill out an online form in the Help Center and send him the ticket number. "I can escalate," he said.

I later told him about how I turned off login verification, but being a reporter, I wanted more information.

Me: So what's going on here? Is there a problem with login verification and iOS 7? Is there something people should know?

Prosser: Haven't had any meaningful reports of problems being caused by iOS 7.

Me: Twitter did send out a reminder that people getting a new iPhone should turn off login verification on their old phone. Does this also apply to people who are upgrading to iOS 7 on the phone they have?

That's where the conversation ended. Prosser never responded.

The big picture

If this were just about me, I would not be writing about my experience. But I see this as an example of why people avoid taking the extra steps necessary to strengthen security. The process is just too difficult, and when something goes wrong, you're stuck scrolling through FAQs (frequently asked questions) looking for something remotely close to your problem.

Meanwhile, the clock is ticking and you may have work to do. People with less anger control could end up acting like this guy.

When it comes to security, Internet companies are a long way from getting it right. Meanwhile, there is a lot that won't happen while they struggle with the problem.

Studies show that people like the idea of buying stuff with their mobile phones, but do not out of fear that the sensitive data they need to share won't be protected. Jumio, which provides credit-card scanning technology, found that 65 percent of mobile shoppers abandon their carts, with more than half of them saying they were too worried about security.

To build trust, security has to be easy and it has to work. Also, people have to feel confident that if something goes wrong, they can get it fixed. In other words, security can't suck.

Copyright © 2013 IDG Communications, Inc.