For Burger King, the joke was over in about an hour — but in internet time, it might as well have been years.
On Presidents Day, hackers held the fast food chain's social identity hostage, changing BK's Twitter icon into its competitor's and announcing a fake acquisition by McDonald's. The news was a wake-up call for bank marketers. (Twitter did not respond to a request for comment.)
Since the Burger King incident, the number of banks interested in social media software that hedges against reputational risk has increased, says Devin Redmond, the chief executive of Social iQ Networks. The company launched a tool last year that helps banks and others prevent their online identities from getting trashed.
He says that the number of financial services companies approaching his team for its social media software has more than doubled, from six to nineteen. (Today, Citi is considering using Social iQ's software in addition to the social media publishing tools it already employs, says Frank Eliason, Citi's global director of social media.)
Indeed, social media has matured as a channel used by more and more banks to handle customer issues and monitor complaints that have the power to reach millions all at once.
"The thing I find very striking is the hacks you saw in 2011 look a lot like the same hacks you saw in 2012, and hacks you see today," says Redmond. "It is just that there are more of them."
The problem these banks are now encountering with their brands, however, is that on the social networks, all users are the same.
That means no matter who you are (bank or customer), you can be hacked. All are protected by the same basic authentication methods Twitter uses to fend off impersonators.
There are no foolproof methods to safeguard a Twitter account against an account takeover, says Eliason. "There are always these risks, and you have to mitigate these risks. The step that you can take, first and foremost, is to implement software," he says. Citi is using Sprinklr, a social media tool that allows marketers to manage their social media accounts across platforms (Facebook, LinkedIn, Youtube, etc.).
"We actually make it so [our marketing department] can access [Twitter] through this tool as opposed to directly through Twitter's website," Eliason says.
He adds that across all of Citi's dozens of branded Twitter accounts globally, only a select few have the passwords, which are frequently changed.
Eliason says that, mostly for "need to know reasons," not even he has access to the credentials to directly sign in to Twitter.
Citi follows protocols, such as deleting direct messages that involve customer correspondence after those issues have been resolved, to minimize the risk to its customers in case it does get hacked.
In addition, Eliason says the bank has strong relationships with all the social networks that would help it quickly shut down one of its accounts if it was hacked.
There are some built-in protections, as well.
For example, Eliason points out Citi has 'Verified' accounts that are validated by the social network in order to give special preference to specific people or brands with a high number of followers, such as the Melanie C of The Spice Girls.
The accounts also come with security features that might send up flags if Citi was compromised. For instance, if someone took over Citi's account and changed any of the email addresses attached those profiles, the accounts would lose 'Verified' status, potentially tipping off the bank or the social network that something was wrong.
All of this only masks the underlying question: Why doesn't Twitter improve its security?
"If online social media, like Facebook, video games, like World of Warcraft, and free email services, like Gmail, can offer multifactor authentication," why doesn't Twitter? asks Robert E. Lee, a security researcher who works on authentication issues. "It's amazing the lengths that these companies are having to go through to solve what is essentially an account-takeover problem. Since it's an account-takeover problem, it's up to [Twitter] to offer a higher assurance authentication control."
Twitter is believed to be working on a skunkworks project that it's testing with a limited number of high-profile accounts that involves smartphones and multi-factor authentication.
Those security protocols would be added on top of others that Twitter is already using to better protect its users from 'phishing' attacks over email.
However, not all banks have 'Verified' accounts on Twitter or detailed social media plans meant to immediately react and hedge against malicious attacks.
Regulators Stepping In
Regulators are attempting to give banks a framework for how they should approach the ever-maturing channel of social media.
In January, the Federal Financial Institutions Examination Council said it was working on guidelines for banks' social media use.
In a 31-page report, the agency said it was getting ready to help financial services companies identify potential risks and how to appropriately address them.
Some of the suggestions included putting in place risk management programs that allow banks to identify, measure, monitor and control risks related to platforms, such as Twitter. The federal government is now asking for input, and revising its proposed rules.
Twitter itself has released general security tips for all of its users, as well.
Bankers should also have security concerns that go beyond their own accounts, says Jacob Jegher, a senior analyst at Celent.
"Educate your customers, especially as they use online, mobile and social tools," he says.
In case of a compromised Twitter account, bank customers could be prodded to provide personal information in messages sent by hackers that take over a branded account. Also, criminals could set up Twitter handles that are similar to banks' (read: @CitiUSA, instead of the real @Citi) and do the same thing.
Social Commerce Risks
When companies go beyond marketing and customer service activities over Twitter, the security issues become more serious.
American Express and Chirpify of Portland, Ore. are among the best-known companies that allow customers to move money over the platform. For obvious reasons, social media commerce could be even more risky, which is why Amex is employing added authentication to each of its Sync transactions, explains Leslie Berland, a senior vice president of digital partnerships and development at the New York credit card company.
"There are controls in place," she says, adding that after a person makes a purchase there is an email sent to that cardholder to immediately notify the person of it. "And if a merchant's account is hacked, and there are weird tweets coming out of its Twitter presence or beyond, [Sync transactions] are not being triggered."
Chirpify's chief executive, Chris Teso, says Twitter is no less vulnerable than any other method. "Twitter is just a way to trigger a transaction," he says.
There are a variety of different methods hackers can employ to get access to a company's Twitter account, says Ken Baylor, a research vice president at the information security research and advisory company NSS Labs.
"It's actually pretty easy to do, the two main ways of doing it are you can use malware, or you can use a phishing attack," he says. "A lot of the malware that targets banks, a lot of the malware like Zeus, can pull all of your passwords from your browser so if you ever visit Twitter from your browser, they've already won."
In reality, he says, an employee who clicks on a bad link in a Twitter complaint could cede the company's control of its Twitter account. And many of the attacks can't easily be detected.
"Most people just have no knowledge" that their computers have been infected, says Baylor. "Especially if it's something as simple as plucking a password from a browser, there is no indicator."