We're living in the age of the hacker

Hack or be hacked.

Never in the history of written communication could 140 characters have the impact that they can have now

Two weeks ago, after gaining access to the Associated Press’s main Twitter account (@AP), the Syrian Electronic Army (SEA) posted a fake tweet reporting two explosions in the White House and the injury of President Barack Obama. Within seconds, US financial markets dropped by about 1%.

Minutes later, Twitter was abuzz with refutations. Reporters at the White House tweeted that they felt no explosion, and AP reporters and the AP Politics Twitter account announced that @AP had been hacked. At his afternoon briefing, White House press secretary Jay Carney confirmed that Obama was indeed unharmed. Financial markets returned to their pre-hoax level.

The @AP Twitter hoax represents systemic risk that cannot be eliminated, for it arises from the interaction of highly integrated financial markets and increasingly democratized news delivery. Given strong incentives for malicious parties to perpetrate such hoaxes, we should expect to see an increase in incidents.

Financial markets are vulnerable to manipulation, because they are not in the business of evaluating the truth. Trading often favours first movers, so being fast but wrong can still be profitable.

Imagine that a sophisticated trading firm has invested significant resources to develop an algorithm that quickly evaluates the potential market impact of news, and then automatically sends orders to trade based on that predicted impact. When that algorithm parses a tweet from the AP containing important keywords (explosion, White House, and Obama), it will send orders to sell with the expectation that the market will drop as others – first, slower algorithms, then even slower humans – start to process the same news.

The first mover is happy to make such trades without verifying that the news is true. If it is true, the market will stay down or continue dropping, and the first mover will profit from the sales that it has made. If the story is a hoax, the market will probably return to its earlier, fairly valued level, and the first mover will break even on its sales, and possibly profit from any position purchased as a hedge when the market was down. The first mover’s algorithm worked, regardless of the story’s veracity.

The likely losers in the @AP Twitter hoax were later movers who did not react quickly to the news, but reacted instead to the market’s movement.

These late movers were also likely to have been sophisticated electronic or institutional traders; some were probably using arbitrage-based strategies that relied on the futures market for a calculation of the fair price.

The market’s vulnerability to hoax stories is thus difficult to eliminate, for it is inherent in its structure. It cannot be regulated away or fixed by technology or surveillance.

Even if markets moved more slowly, there would still be a first mover who responded before such a news story was revealed as a hoax. This dynamic is similar to that of an asset bubble, albeit faster. In a bubble, valuations are based on collectively evaluated evidence, and those who enter the market earliest often benefit. Whether evaluating an assumption about the rise of house prices or whether a news story is true, the market does not provide a definitive answer instantaneously.

If protecting against hoaxes is not the market’s purview, can news agencies or new media entities like Twitter prevent such deception? To be sure, they have suffered reputational damage from this fiasco and will likely try to improve. But their efforts will not be enough.

Twitter’s vulnerabilities were technically understood before this event, and the service was already moving toward a more sophisticated authentication model (a password paired with a one-time key from a text message or other device). Twitter will likely implement this soon. It should also consider adding an optional “two-key” system, in which an independent signoff from a separate account is required before a proposed tweet is broadcast. But, while such measures would increase the difficulty of hacking the system, no technological fix can make it impenetrable.

What about the AP’s vulnerabilities? Attackers launched a “phishing” attempt against the AP’s emails shortly before the hoax tweet was sent. Phishing attacks, in which an employee is duped into sending a password to a third party or clicking an untrusted link that installs malicious software, represent a hybrid of cultural and technological failures.

As attackers become more sophisticated, they send better-crafted emails, sometimes impersonating trusted sources that lure unwary users. Crafting a culture of security is difficult and often at odds with the dynamic and decentralised work environment of a fast-moving newsroom.

This story can be read in full at economia

Chris Clearfield is a principal at System Logic, an independent research and consulting firm that focuses on issues of risk and complexity. András Tilcsik is an assistant professor of strategic management at the Rotman School of Management at the University of Toronto.

Photograph: Getty Images

This is a news story from economia.

John Moore
Show Hide image

The man who created the fake Tube sign explains why he did it

"We need to consider the fact that fake news isn't always fake news at the source," says John Moore.

"I wrote that at 8 o'clock on the evening and before midday the next day it had been read out in the Houses of Parliament."

John Moore, a 44-year-old doctor from Windsor, is describing the whirlwind process by which his social media response to Wednesday's Westminster attack became national news.

Moore used a Tube-sign generator on the evening after the attack to create a sign on a TfL Service Announcement board that read: "All terrorists are politely reminded that THIS IS LONDON and whatever you do to us we will drink tea and jolly well carry on thank you." Within three hours, it had just fifty shares. By the morning, it had accumulated 200. Yet by the afternoon, over 30,000 people had shared Moore's post, which was then read aloud on BBC Radio 4 and called a "wonderful tribute" by prime minister Theresa May, who at the time believed it was a genuine Underground sign. 

"I think you have to be very mindful of how powerful the internet is," says Moore, whose viral post was quickly debunked by social media users and then national newspapers such as the Guardian and the Sun. On Thursday, the online world split into two camps: those spreading the word that the sign was "fake news" and urging people not to share it, and those who said that it didn't matter that it was fake - the sentiment was what was important. 

Moore agrees with the latter camp. "I never claimed it was a real tube sign, I never claimed that at all," he says. "In my opinion the only fake news about that sign is that it has been reported as fake news. It was literally just how I was feeling at the time."

Moore was motivated to create and post the sign when he was struck by the "very British response" to the Westminster attack. "There was no sort of knee-jerk Islamaphobia, there was no dramatisation, it was all pretty much, I thought, very calm reporting," he says. "So my initial thought at the time was just a bit of pride in how London had reacted really." Though he saw other, real Tube signs online, he wanted to create his own in order to create a tribute that specifically epitomised the "very London" response. 

Yet though Moore insists he never claimed the sign was real, his caption on the image - which now has 100,800 shares - is arguably misleading. "Quintessentially British..." Moore wrote on his Facebook post, and agrees now that this was ambiguous. "It was meant to relate to the reaction that I saw in London in that day which I just thought was very calm and measured. What the sign was trying to do was capture the spirit I'd seen, so that's what I was actually talking about."

Not only did Moore not mean to mislead, he is actually shocked that anyone thought the sign was real. 

"I'm reasonably digitally savvy and I was extremely shocked that anyone thought it was real," he says, explaining that he thought everyone would be able to spot a fake after a "You ain't no muslim bruv" sign went viral after the Leytonstone Tube attack in 2015. "I thought this is an internet meme that people know isn't true and it's fine to do because this is a digital thing in a digital world."

Yet despite his intentions, Moore's sign has become the centre of debate about whether "nice" fake news is as problematic as that which was notoriously spread during the 2016 United States Presidential elections. Though Moore can understand this perspective, he ultimately feels as though the sentiment behind the sign makes it acceptable. 

"I use the word fake in inverted commas because I think fake implies the intention to deceive and there wasn't [any]... I think if the sentiment is ok then I think it is ok. I think if you were trying to be divisive and you were trying to stir up controversy or influence people's behaviour then perhaps I wouldn't have chosen that forum but I think when you're only expressing your own emotion, I think it's ok.

"The fact that it became so-called fake news was down to other people's interpretation and not down to the actual intention... So in many interesting ways you can see that fake news doesn't even have to originate from the source of the news."

Though Moore was initially "extremely shocked" at the reponse to his post, he says that on reflection he is "pretty proud". 

"I'm glad that other people, even the powers that be, found it an appropriate phrase to use," he says. "I also think social media is often denigrated as a source of evil and bad things in the world, but on occasion I think it can be used for very positive things. I think the vast majority of people who shared my post and liked my post have actually found the phrase and the sentiment useful to them, so I think we have to give social media a fair judgement at times and respect the fact it can be a source for good."

Amelia Tait is a technology and digital culture writer at the New Statesman.