This is a complicated post, but I know that some people in the IR profession are very interested in this right now.
First, I am on record on this blog as saying that until Twitter is more secure, investor relations departments should steer clear of using it as a news dissemination channel and use it instead only for engagement.
Basically, my view has been that if you suggest to investors that they can use your Twitter account for news alerts, then you should expect them to trade on that news — including possibly fake news sent by hackers.
But if you instead use Twitter only for engagement and caution investors against relying on your account for news updates, then you mitigate against the negative fallout that will follow if your account is hacked. Of course, in practice it’s almost impossible to engage with users on Twitter and not post news.
Now it is very important to understand Twitter’s security history and how that was factored into my views on using Twitter for IR. The service has been plagued with problems, both in terms of availability and security. Twitter downtime is no longer the big problem it once was. In fact, I no longer worry about Twitter’s availability. You can see why here.
However, it’s the security of Twitter’s technology that has been my primary concern. I’ve kept track of various security breaches and have documented dozens of separate incidents. The early incidents were what really concerned me because they all related to Twitter’s technology infrastructure being hacked.
The worst case in my view was the Mikeyy worm in April last year. In that case, merely visiting the profile of a compromised account on the Twitter website while logged in to Twitter resulted in your account being infected. In other words, it was extremely easy to be hacked, and short of not going to Twitter.com at all, there was no way to protect yourself. In fact, I fell victim to this, the only time I’ve ever fallen prey to something like this.
Now, remember that a few months earlier, in January 2009, 33 prominent Twitter accounts, including those of Barack Obama and Britney Spears, were hacked and offensive public messages sent from them to their followers. The hacker exploited a hole in Twitter’s technology to gain access to the accounts. To my mind, Mikeyy coming after the President of the United States’ account had been hacked suggests that Twitter management didn’t really take security of the service seriously between January and April. I mean, what could be more serious than the President’s account being hacked? Surely, they would have pulled out all the stops to plug the holes? And yet, along came Mikeyy in April and made a mockery of Twitter.
So, yeah, at that point, there was no way in hell that I was going to put my reputation on the line for Twitter and tell my investor relations clients that it was safe to use Twitter as a news alert channel. Mock me as a philistine if you want, but I’ll never put my clients’ reputations at risk for the sake of seeming trendy.
Since April 2009, there have been a number of security breaches on Twitter. Perhaps the most serious was in December 2009 when the site was taken down by Iranian hackers who appear to have guessed Twitter’s password at a third-party service that manages Twitter’s DNS servers. This was not an exploit of Twitter itself, but rather weak security practices by Twitter staff in managing their own accounts on other services.
There have also been a number of phishing attacks that have led to Twitter accounts being compromised. In fact, just this week, Intel Corp.’s UK Twitter account was hacked, as was Home Depot’s. In the case of Home Depot, the account is used for investor relations information. The video below explains how these accounts are compromised.
Importantly, though, none of the attacks since April have been of the Mikeyy variety and most have been phishing scams. There’s a big difference between a hacker exploiting holes in Twitter’s code and hackers exploiting human fallibility through phishing scams. While we have no control over Twitter’s code, we do have control over our own behavior, so I don’t worry too much about phishing scams because you can teach people how to avoid them.
Given that I haven’t seen anything for months that would cause me to worry about Twitter’s security, I’ve had to revisit my views on whether IR departments should use Twitter for news alerts. I take some additional comfort in the fact that some high-profile tech leaders have recently started Twitter accounts, Bill Gates and Google CEO Eric Schmidt, for instance. I have to assume that they wouldn’t take a chance on Twitter if they thought it wasn’t secure.
I now believe that Twitter is secure enough to be used for news alerts, as long as news is distributed on Twitter simultaneously to other channels. You cannot invite investors to follow you on Twitter and then be tardy in updating your feed.
Of course, as we’ve seen this week, security risks remain. Scammers will increase their attacks on social networking sites as they become more popular, and it’s possible that official corporate accounts will become prime targets. However, following some basic good practices should minimize the risks. Twitter suggests the following basic practices:
- Use a strong password.
- Watch out for suspicious links, and always make sure you’re on Twitter.com before you enter your login information.
- Don’t give your username and password out to untrusted third-parties, especially those promising to get you followers or make you money.
- Make sure your computer and operating system are up to date with the most recent patches, upgrades, and anti-virus software.
I’d add one more tip. Use a short URL expander extension in your browser or Twitter client. Because short URLs mask the actual address of a link, they make phishing scams somewhat more likely to succeed. Short URL expanders show you the full URL of the link, so you can see where it leads before you click it. Short URL expander extensions are available for Firefox and Chrome (not sure about the others).
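To make the expander idea concrete, here is a small sketch of what such a tool does, combined with Twitter's "make sure you're on Twitter.com" check. It is an added example, not code from any particular extension; the function names, the `.example` hosts in the redirect table and the HTTPS requirement are assumptions made for illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

# Constructed sample data: short link -> redirect target (no real services).
SAMPLE_REDIRECTS = {
    "http://short.example/a1": "https://twitter.com/login",
    "http://short.example/b2": "http://hop.example/r",
    "http://hop.example/r": "https://twitter.com.login.example.net/session",
    "http://short.example/c3": "https://twitter.com@phish.example/login",
}

def head_location(url):
    """Live lookup: send a HEAD request, return the redirect target or None."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=5)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.getheader("Location") if resp.status in REDIRECTS else None
    finally:
        conn.close()

def expand(url, lookup=head_location, max_hops=10):
    """Follow redirects without loading any page; return every URL visited."""
    chain = [url]
    while len(chain) <= max_hops:
        target = lookup(chain[-1])
        if not target:
            break
        nxt = urljoin(chain[-1], target)  # Location may be a relative URL
        if nxt in chain:                  # redirect loop
            break
        chain.append(nxt)
    return chain

def is_twitter_host(url):
    """True only for https://twitter.com or a subdomain (HTTPS is an assumption)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    return parts.scheme == "https" and (
        host == "twitter.com" or host.endswith(".twitter.com"))

def safe_to_enter_password(short_url, lookup=head_location):
    """Expand the short link and check where it finally lands."""
    return is_twitter_host(expand(short_url, lookup)[-1])
```

Passing `SAMPLE_REDIRECTS.get` as `lookup` runs the check offline; the second and third sample links both contain "twitter.com" in the address yet land on a different host, which is exactly what an expander lets you see before you click.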
In summary then, I think Twitter is secure enough for IR news dissemination purposes but remember that nothing is ever going to be 100% secure. And the biggest thing to worry about is not Twitter’s technology but rather your or your clients’ own gullibility.