Identity Security

Over the last couple of days Twitter users have been targeted by a phishing attack. It is similar to the email attacks that tempt users to open a URL with an intriguing line such as "This you??", but instead of trying to get you to download dodgy programs onto your computer, the Twitter attack tries to get you to hand your Twitter username and password to the compromised website by faking the usual Twitter login page. This great explanation from Mashable includes a video from UK security company Sophos.

What isn't all that clear is what the hijackers gain. Unlike an email phishing attack, they are not taking over your PC to use it in a denial of service attack, or to steal your credit card details. They merely get to speak on your behalf. It doesn't take long for your Twitter followers to notice that the tone and content of your tweets has changed and that it's probably not actually you tweeting. So why would they want to send out a lot of inappropriate messages to people? I guess spammers have their own justifications.

The thing that did become clear is that we are still a long way from everyone understanding how to manage their own security. None of the people caught out by this phishing attack noticed that the faked Twitter login was not on a twitter.com domain and was not using https. This is not their fault; we have reduced the visibility of these things. When was the last time you noticed the https padlock in your browser's status bar? Even our financial institutions sometimes inadvertently encourage us to provide sensitive information to sites on domains we don't know.
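As an added illustration that is not part of the original post, here are the two checks described above (genuine domain, https) applied to constructed sample URLs; the genuine host list and the sample URLs are assumptions, and the lookalike hosts use reserved `.test` names.

```python
from urllib.parse import urlsplit

# Assumption for this example: the genuine login page lives on twitter.com
# or one of its subdomains.
GENUINE_HOSTS = ("twitter.com",)


def is_genuine_login_url(url: str, genuine_hosts=GENUINE_HOSTS) -> tuple[bool, str]:
    """Apply the two checks the post says the victims skipped.

    Returns (ok, reason). A URL passes only if its scheme is https AND its
    parsed hostname is one of genuine_hosts or a subdomain of one. Using the
    parsed hostname (not a substring search) rejects both the userinfo trick
    'twitter.com@evil.test' and the prefix lookalike 'twitter.com.evil.test'.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False, f"not https (scheme is {parts.scheme or 'missing'!r})"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "no hostname"
    for genuine in genuine_hosts:
        if host == genuine or host.endswith("." + genuine):
            return True, "ok"
    return False, f"host {host!r} is not under {', '.join(genuine_hosts)}"


# Constructed sample URLs: two that look like the real login page and several
# shaped like phishing lures. None are taken from the post.
SAMPLES = [
    "https://twitter.com/login",
    "https://mobile.twitter.com/login",
    "http://twitter.com/login",
    "http://twitter.com.example-phish.test/login",
    "https://twitter.com@evil.test/login",
    "https://twitter.com.evil.test/login",
    "https://evil.test/twitter.com/login",
]


def classify(urls=SAMPLES) -> dict[str, bool]:
    """Map each URL to whether it passes both checks."""
    return {u: is_genuine_login_url(u)[0] for u in urls}


if __name__ == "__main__":
    for u in SAMPLES:
        ok, reason = is_genuine_login_url(u)
        print(f"{'GENUINE' if ok else 'SUSPECT':8} {u}  ({reason})")
```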

On top of this, users really don't understand the control they have over access even when it is given to them. The additional security provided by Twitter OAuth, which lets you grant other applications permission to post on your behalf, becomes a security risk when people don't realise that these grants must be managed and monitored. This great post from Terrence Eden explains more.


About the author

Saul Cozens
Technical Director
