For Burger King, the joke was over in about an hour — but in internet time, it might as well have been years.
On Presidents Day, hackers held the fast food chain's social identity hostage, changing BK's Twitter icon into its competitor's and announcing a fake acquisition by McDonald's. The news was a wake-up call for bank marketers. (Twitter did not respond to a request for comment.)
Since the Burger King incident, the number of banks interested in social media software that hedges against reputational risk has increased, says Devin Redmond, the chief executive of Social iQ Networks. The company launched a tool last year that helps banks and others prevent their online identities from getting trashed.
He says that the number of financial services companies approaching his team for its social media software has more than doubled, from six to nineteen. (Today, Citi is considering using Social iQ's software in addition to the social media publishing tools it already employs, says Frank Eliason, Citi's global director of social media.)
Indeed, social media has matured as a channel used by more and more banks to handle customer issues and monitor complaints that have the power to reach millions all at once.
"The thing I find very striking is the hacks you saw in 2011 look a lot like the same hacks you saw in 2012, and hacks you see today," says Redmond. "It is just that there are more of them."
The problem these banks are now encountering with their brands, however, is that on the social networks, all users are the same.
That means no matter who you are (bank or customer), you can be hacked. All are protected by the same basic authentication methods Twitter uses to fend off impersonators.
There are no foolproof methods to safeguard a Twitter account against an account takeover, says Eliason. "There are always these risks, and you have to mitigate these risks. The step that you can take, first and foremost, is to implement software," he says. Citi is using Sprinklr, a social media tool that allows marketers to manage their social media accounts across platforms (Facebook, LinkedIn, Youtube, etc.).
"We actually make it so [our marketing department] can access [Twitter] through this tool as opposed to directly through Twitter's website," Eliason says.
He adds that across all of Citi's dozens of branded Twitter accounts globally, only a select few have the passwords, which are frequently changed.
Eliason says that, mostly for "need to know reasons," not even he has access to the credentials to directly sign in to Twitter.
Citi follows protocols, such as deleting direct messages that involve customer correspondence after those issues have been resolved, to minimize the risk to its customers in case it does get hacked.
In addition, Eliason says the bank has strong relationships with all the social networks that would help it quickly shut down one of its accounts if it was hacked.
There are some built-in protections, as well.
For example, Eliason points out Citi has 'Verified' accounts that are validated by the social network in order to give special preference to specific people or brands with a high number of followers, such as the Melanie C of The Spice Girls.
The accounts also come with security features that might send up flags if Citi was compromised. For instance, if someone took over Citi's account and changed any of the email addresses attached those profiles, the accounts would lose 'Verified' status, potentially tipping off the bank or the social network that something was wrong.
All of this only masks the underlying question: Why doesn't Twitter improve its security?
"If online social media, like Facebook, video games, like World of Warcraft, and free email services, like Gmail, can offer multifactor authentication," why doesn't Twitter? asks Robert E. Lee, a security researcher who works on authentication issues. "It's amazing the lengths that these companies are having to go through to solve what is essentially an account-takeover problem. Since it's an account-takeover problem, it's up to [Twitter] to offer a higher assurance authentication control."
Twitter is believed to be working on a skunkworks project that it's testing with a limited number of high-profile accounts that involves smartphones and multi-factor authentication.
Those security protocols would be added on top of others that Twitter is already using to better protect its users from 'phishing' attacks over email.
However, not all banks have 'Verified' accounts on Twitter or detailed social media plans meant to immediately react and hedge against malicious attacks.
Regulators Stepping In
Regulators are attempting to give banks a framework for how they should approach the ever-maturing channel of social media.
In January, the Federal Financial Institutions Examination Council said it was working on guidelines for banks' social media use.
In a 31-page report, the agency said it was getting ready to help financial services companies identify potential risks and how to appropriately address them.