The Security—And Legal—Headaches With Retail Twitter Accounts Just Got Worse, Thanks To The SEC

Written by Mark Rasch
May 9th, 2013

Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today is a lawyer in Bethesda, Md., specializing in privacy and security law.

The United States Securities and Exchange Commission (SEC) has approved a final rule allowing publicly traded companies to disclose “material nonpublic information” to the public through social media. In other words, if you have something you want to say to the public, instead of issuing a press release or posting it on your webpage, you can now comply with SEC rules by simply sending a tweet. But, as the Associated Press learned when its Twitter feed was hijacked, when a tweet goes out under your name it is not always clear that it was actually you who sent it.

Companies spend a great deal of money to manage their social media presence. They hire consultants and experts to craft a message that they will be putting out on Twitter. They monitor these networks for disgruntled customers and respond when customers mention their names.

However, because of the inherent insecurity of social networks, companies need to do more to ensure that their Twitter feeds, Facebook pages and other social networking sites are secure. Otherwise, like the Associated Press learned, social networking can be decidedly antisocial.

The problem here is not with the security of the company. It is likely that the company’s overall security was not compromised. Rather, what was compromised was the link between the company and its Twitter account.

Different companies manage their social media networks differently; some have a dedicated team that is responsible for posting things to social media. Others allow a group of individuals within the company to post messages. Others have no social network policy at all, allowing anyone within the company to post to social networks either on their personal accounts or on the company account. Still others use third-party companies to post tweets on their behalf.

Whatever the social media policy is, it should be secure. Anything posted on your company’s account should actually be coming from you, which means you need to be securing and monitoring the path between your people and the account, not just the account itself.

This is particularly true now that the SEC is allowing companies to use social media for corporate disclosures. If an unauthorized third party were to get access to your Twitter account, they could post fake earnings, fake results or even a news item indicating that the CEO had died, was sick, had been kidnapped, or whatever. Even if this causes only a momentary glitch in the stock price, it can be used for market manipulation or to undermine investor confidence in the stock. Similarly, rumors about products, sales, earnings, recalls, mergers, acquisitions or other information could be posted on the hijacked Twitter feed. Thus, it’s critically important that companies not only monitor their own Twitter accounts continuously but also secure them.

But that is easier said than done. Access to most Twitter accounts or Facebook pages is controlled only by a user ID and password. Although a company may speak with only one voice, many people may have access to that voice. This is done either by sharing the Twitter or Facebook credentials, or by using some other application to push posts into the Twitter or Facebook feed; each such application holds its own access token, so it becomes one more way in. If someone can steal any of these credentials, they can essentially become you.

A better approach is to require some form of multifactor authentication in order to access the Twitter account. Even if Twitter doesn’t currently support multifactor authentication, the company could set up a system whereby the individuals with the appropriate credentials to access the account must use multifactor authentication to do so. Any security assessment and privacy assessment of the company should include assessment of the security and privacy of access to social media.

The SEC guidance is related to the insider trading rules. In general, a corporate insider with access to material nonpublic information is not permitted to trade on that information unless and until that information becomes public. By allowing the use of social media to make that information public, the rule lets a corporate insider post a tweet “disclosing” the material nonpublic information and then, shortly thereafter, trade on the basis of that information – something they would have been prohibited from doing moments earlier. Meanwhile, markets react immediately to information posted on social networking sites, often without validating the authenticity of the information. In fact, for computerized traders, it is frequently more important to be fast than to be right.

All of this means that companies need not only to secure their social media accounts but also to monitor them continuously. The Associated Press had the fake Twitter feed shut down within minutes, which is pretty good but not quite fast enough. Remember, those who live by social media often die by it as well. Keeping these accounts secure takes a good deal of planning, some knowledge and a lot of hard work. But in the end, it may be worth it. As long as you can explain your earnings in 140 characters.
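The two controls the column argues for, a multifactor gate in front of the shared account and continuous monitoring of what actually appears on the feed, can be combined in a small posting gateway. The following is an added example, not code from the column or from any vendor: staff never receive the account password; instead each person enrolls a personal TOTP secret (RFC 6238) and the gateway alone holds the credential, records every post it publishes in a ledger, and rejects replayed codes. A monitor then compares the public feed against the ledger, so any post the ledger does not know about did not come through the gateway and the account itself has been hijacked. The feed is simulated here as an in-memory list, the `post-N` identifiers and the account password are constructed placeholders, and the enrolled secret is the RFC 4226 test key; a real deployment would call the Twitter API where the comment indicates.

```python
"""Added example: MFA-gated corporate posting gateway with ledger reconciliation."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, List, Optional

TOTP_STEP = 30      # RFC 6238 default time step in seconds
TOTP_DIGITS = 6


def hotp(secret_b32: str, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, now: float, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, int(now // step))


class PostingGateway:
    """Holds the company account credential; staff authenticate per post with TOTP."""

    def __init__(self, account_password: str):
        self._account_password = account_password  # lives only here, never handed out
        self._user_secrets: Dict[str, str] = {}    # per-person TOTP secrets
        self._last_counter: Dict[str, int] = {}    # highest counter accepted per user (anti-replay)
        self.ledger: Dict[str, dict] = {}          # post_id -> record of every authorised post
        self.feed: List[dict] = []                 # stands in for the public timeline
        self._next_id = 1

    def enroll(self, user: str, secret_b32: str) -> None:
        self._user_secrets[user] = secret_b32

    def post(self, user: str, code: str, text: str, now: float) -> Optional[str]:
        """Publish `text` under the company account only if `user` presents a fresh, valid code."""
        secret = self._user_secrets.get(user)
        if secret is None:
            return None
        counter = int(now // TOTP_STEP)
        used = self._last_counter.get(user, -1)
        # Accept the current step and one step either side to absorb clock skew,
        # but never a counter at or below one this user has already spent.
        for delta in (-1, 0, 1):
            candidate = counter + delta
            if candidate > used and hmac.compare_digest(hotp(secret, candidate), code):
                self._last_counter[user] = candidate
                break
        else:
            return None
        post_id = f"post-{self._next_id}"   # constructed identifier; the API would assign a real one
        self._next_id += 1
        # A real gateway would call the Twitter API here using self._account_password.
        self.feed.append({"id": post_id, "text": text})
        self.ledger[post_id] = {"id": post_id, "text": text, "by": user, "at": now}
        return post_id


def unauthorised_posts(feed: List[dict], ledger: Dict[str, dict]) -> List[dict]:
    """Posts visible on the public feed that never passed through the gateway."""
    return [p for p in feed if p["id"] not in ledger]


if __name__ == "__main__":
    gw = PostingGateway(account_password="constructed-placeholder")
    gw.enroll("ir-staffer", "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # RFC 4226 test key, base32
    now = time.time()
    code = totp("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", now)
    print("posted:", gw.post("ir-staffer", code, "Quarterly results are out.", now))
    print("replay:", gw.post("ir-staffer", code, "Replayed post", now))
    # Simulate a hijacker who has the raw account password and posts around the gateway.
    gw.feed.append({"id": "injected-1", "text": "constructed fake announcement"})
    print("unauthorised:", unauthorised_posts(gw.feed, gw.ledger))
```

The monitor only works if the gateway is the sole legitimate path to the account, so the raw password must be rotated after every departure and any connected third-party application must either post through the gateway or be removed. The reconciliation check is also what makes the minutes-long window after a hijack shorter: it can run on every poll of the timeline rather than waiting for a human to notice.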

If you disagree with me, I’ll see you in court, buddy. If you agree with me, however, I would love to hear from you.


One Comment

  1. Twitter hack 2013 Says:

    I was more concerned about other accounts I have that make use of the same user name the way to hack
    facebook account password same password. Trust your intuition, how
    to hack zynga account password if something doesn't look or really feel right, ignore it or delete it before hitting it.

    These applications request access to your personal information the best way to hack
    facebook account password you do not know what they will perform with that information.


