Social Hacking is Primetime

No sooner had the ink dried on my post about tweeting with care, than my feeds yielded this post from TechCrunch.

The short version is that a phisher hacked into some poor dude’s Facebook account, then whipped up a friend-in-need story and tried to sucker one of his friends into sending money using FB chat. Mad props to the friend who sniffed out the hoax and outed the phisher in chat and then over the ‘tubes.

Read the story. It’s both funny and scary all at once.

[Image: Microsoft Live's password strength indicator. Twitter and Facebook should take note.]

But wait, there’s more. The night after I posted about Twitter and read that post about Facebook phishing, the geeky member of the Leverage crew used what looked a lot like a MySpace/Facebook profile to cook up a bogus story about a woman’s cat and an animal shelter. More social hacking; it’s bled over into TV scripts now.

Backing up, Leverage is a TV show; the episode was “The Mile High Job”, which isn’t available online yet. Oddly, it also contained lots of coincidences with the US Airways emergency landing. Creepy.

So, in retrospect, my post on tweeting with care should have a fourth, maybe not as obvious, point.

Should-be-obvious point 4. Change your password right now. And do that every few weeks.
No worries, I’ll wait.

Seriously, within the last month or so, we’ve seen:

  1. Hacking of famous people’s Twitter accounts.
  2. A phishing epidemic through direct messages.
  3. Hacking of a Twitter admin’s account.
  4. The sordid auction of a company that collected Twitter credentials.

If you haven’t changed your password to a much stronger one by now, do it right now. Twitter’s leap into the mainstream has brought along all the bad elements of the ‘tubes. While you’re at it, you should probably change your Facebook password too, and why not reset all your social networks while you’re there. Protip: use a different password for each one 🙂

Facebook has been mainstream much longer, but this recent attack shows what I’m officially calling social hacking. I’ll say it again: read this article. It’s all too easy to guess passwords armed with a person’s social metadata. In the case of this Facebook attack, the phisher didn’t do enough homework before running the con, but s/he still has a goldmine of personal information to use both online and IRL. Pretty scary stuff.

The ease with which social network profiles can be hacked is something the networks will need to address soon. Sure, everyone hates strong password requirements, but I’m betting they hate having their identities stolen more. Facebook especially needs stronger passwords, since it’s pushing Facebook Connect as a means of authenticating to other sites.

We all love the social goodness, so IMO, Twitter and Facebook should force us to use stronger passwords. It’s not like we’re going to quit.
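As an added illustration of the kind of server-side check the post is asking for (example code, not from Twitter, Facebook, or this blog), here is a password policy that rejects short or single-class passwords and anything built from a user's own profile words, the social metadata that makes guessing so easy. The profile fields, the leet-speak table and the rules are assumptions of this example.

```python
import re
import unicodedata

# Constructed profile standing in for the "social metadata" anyone can read off
# a public profile page (assumed field names; not from any real site's API).
SAMPLE_PROFILE = {
    "name": "Jane Q. Public",
    "username": "jqpublic",
    "birth_year": "1984",
    "pet": "Mittens",
    "hometown": "Springfield",
}

# Undo the most common "leet" substitutions so M1tt3ns still matches Mittens.
LEET = str.maketrans("013@$!", "oieasi")

def normalize(s: str) -> str:
    """Lowercase and strip accents so comparisons are case/accent-insensitive."""
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    return s.lower()

def profile_tokens(profile: dict) -> list:
    """Every word of 3+ characters found in the profile values, normalized and sorted."""
    tokens = set()
    for value in profile.values():
        for word in re.split(r"[^A-Za-z0-9]+", value):
            if len(word) >= 3:
                tokens.add(normalize(word))
    return sorted(tokens)

def check_password(password: str, profile: dict, min_len: int = 12) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    # Require at least three of the four character classes.
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if sum(1 for p in classes if re.search(p, password)) < 3:
        problems.append("needs at least 3 of: lower, upper, digit, symbol")
    # Compare against the password as typed and with leet substitutions undone.
    norm = normalize(password)
    forms = (norm, norm.translate(LEET))
    for tok in profile_tokens(profile):
        if any(tok in f for f in forms):
            problems.append(f"contains profile word '{tok}'")
    return problems
```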

There’s really no good way to go back once you’ve created objects in Facebook and Twitter. It’s like the Mafia. Facebook’s painful account deletion process is widely documented, and since Twitter is indexed by Google, there’s a cached version of what you tweeted on the ‘tubes. I’m not sure if Twitter removes your tweets and all their related links (Twitter links @replies back to your tweets) when you delete your account.

Anyway, until your favorite social sites enforce strong passwords, you really should take pre-emptive action and strengthen your passwords. And change them regularly.

While I’m at it, I should throw in another not-so-obvious point:

Not-so-obvious point 5. Don’t DM anything on Twitter you wouldn’t want everyone to see.

Twitter’s direct message feature gives you the illusion of private communication. Too bad DMs have been published to the public timeline at least once, although it feels like that’s happened more often.

If you must DM somebody, use the web interface. Too many people send DMs by typing “dm” in a client, which is what gave rise to apps like DM Fail.

I rarely use DMs for just this reason. Besides, it doesn’t really fit with the whole spirit of Twitter, any more than protecting your updates does.

Anyway, do you have any social hacking stories to share? Or thoughts about Twitter and/or Facebook?

There’s a lot of ground covered here. Find the comments.

  1. Jake: regarding your point number 4: I do use different passwords for different accounts, but don't have a process for changing them regularly. How do you manage that and keep track of everything? I suppose writing them down is one alternative, but that in itself is a security risk.

  2. Sure, this is always the Catch-22 problem, and one of the big promises of OpenID.

    So, I use OpenID whenever possible, and for the others, if I feel it's something that should be secure, I'll use a strong password that I can remember. If not, I'll use a weaker one from the list of passwords I have memorized.

    The trick is using the service enough to memorize the password, which I do for FB, Twitter, Google, etc.

  3. FYI, just changed my Facebook password and they do now have a “password strength”-o-meter.

  4. Weird, I don't recall one when I changed mine a few weeks ago. It's a good step, but I really think they need to force strong passwords. People are pretty hooked on FB now, so there's less worry they'll get annoyed and quit.
