An interesting story.

> The email addresses for your twitter accounts should be on a system that is isolated from your organization’s normal email. This will make your Twitter accounts virtually invulnerable to phishing (providing that you’re using unique, strong passwords for every account).

That doesn't make a lot of sense. Sure, now your twitter account is somewhat protected against phishing (I think 'invulnerable' is a bit too confident, even with 'virtually' added as qualifier). But what about any other possible account? So now you say every single other possible account related to your business should be associated with an email address isolated from normal email, to protect them from phishing. Right? Okay, so what is the 'normal email' again? You've just decided to split all your email amongst as many disparate systems as possible, to protect against phishing... which I guess it sort of does, but at cost of so much confusion that you've probably opened yourself up to something else. Unless twitter alone is so high value to protect in this way? Or am I missing something?
The proposed solution is certainly pretty drastic, but when it comes to securing twitter accounts, there aren't a lot of options. The safest one I can see is to connect the accounts to an email address that isn't part of our google apps organization, as that is the common attack vector here.
Our twitter accounts are a high value resource, and are pretty hard to protect. We have almost 5 million followers, and two-factor authentication isn't even an option. Once hackers change the email address on the account, we lose all access until we can get in touch with someone at Twitter (which takes a while, even for us).