While any form of two-factor authentication is better than none, there are still security holes.
In a story I read tonight, a tech-savvy user fell for a social engineering attack: he received what he thought was an Instagram message from a friend and responded to it.
Combine this with really crappy security services on the part of social media companies.
Then combine that with their effectively non-existent tech support.
In this particular case, the attack vector was a password reset attack. Most companies – and not just social media – opt for the least secure password reset mechanism possible, because they don’t have any tech support. After all, since you are paying zero dollars and zero cents for the service, they can’t give you a lot of tech support.
In the case that I will link to at the end, the user never did get his account back.
In my case, I might be a little sad – probably not – if I lost my Facebook account, but if you are a business and you depend on your social media presence, that could be a real problem.
So what do you do?
The first thing is to make sure that you have a CURRENT OFFLINE backup of any cloud data you care about. DO NOT count on your cloud provider to keep a backup and make it available. Especially if your account is compromised.
Make sure that you implement the best of the crappy security your cloud provider offers. This is not just social media. If you do not like that provider’s security AND YOU HAVE A CHOICE TO MOVE, do so. Vote with your feet. That is about the only thing they understand.
Train any user who has access to the account about security. In the case today, it was a very subtle mistake the user made. It didn’t seem like a security problem, but it was.
Finally, hope that good luck goes your way.
The problem is that online services are not responsible when things go badly and that is not likely to change without legislation. You can rest assured that if there is legislation, they will fight it tooth and nail because it means real money to them. And a precedent. They don’t want to be liable.
That means that you have to be careful enough for the both of you.