1/5/2009

Twitter Phishing Scam Alert, Password Safety

I'd heard this was going on, but I just received my first one of these, so I figured I'd better share it with everybody. I received an email that looks like a Twitter direct message notification:

[Image: TwitterPhishing]

I was a bit suspicious of the message and URL (http://twitterblog.access-logins.com/login), and Google Chrome (my new default browser since Firefox went crazy on me) was kind enough to give me a possible phishing alert when I went to the site.

The site looks exactly like Twitter -- the URL is the only give-away. But if you put your user name and password in, you've just let someone hack your Twitter account.
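The point above is that the host name is the only reliable give-away: the page content can be copied perfectly, but the address bar cannot be forged. As an added illustration (not code from the original post), here is a small Python check that parses a URL and decides whether its host actually belongs to the expected domain, using suffix matching on a dot boundary so that `twitter.com.evil.example` or a `twitter.com@evil.example` user-info trick does not pass. The phishing URL quoted in the post is used as the sample input; the `expected_domain` and `brand` parameters are assumptions of this example.

```python
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Return the lowercase host name of a URL, or '' if the URL has none.

    urlsplit() separates user-info and port for us, so
    'http://twitter.com@evil.example/' yields 'evil.example'.
    """
    parts = urlsplit(url)
    return (parts.hostname or "").lower().rstrip(".")


def belongs_to(url: str, expected_domain: str) -> bool:
    """True if the URL's host is exactly expected_domain or a subdomain of it.

    The '.' prefix in the suffix test is what rejects hosts that merely
    contain the domain somewhere, e.g. 'twitter.com.evil.example'.
    """
    host = host_of(url)
    expected = expected_domain.lower().strip(".")
    return host == expected or host.endswith("." + expected)


def looks_like_lookalike(url: str, brand: str, expected_domain: str) -> bool:
    """Flag a host that carries the brand name but is not under the real domain.

    This is the pattern of the phishing link in the post: the brand appears
    as a subdomain of an unrelated registrable domain.
    """
    host = host_of(url)
    return brand.lower() in host and not belongs_to(url, expected_domain)


if __name__ == "__main__":
    # The URL from the phishing email quoted in the post.
    sample = "http://twitterblog.access-logins.com/login"
    print(sample, "belongs to twitter.com:", belongs_to(sample, "twitter.com"))
    print(sample, "lookalike:", looks_like_lookalike(sample, "twitter", "twitter.com"))
```

A check like this is what a browser's phishing warning or a mail filter does in a more elaborate form; for a person, the equivalent habit is reading the host name right to left and asking whether the last two labels are the site you expect.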

The notification will appear to be from someone you know -- the follower data is publicly available if your profile is open. It doesn't necessarily mean their account has been hacked. If you only get an email notification, not an actual Twitter DM, then their account is probably OK. If you receive one of these as an actual Twitter DM, then they've probably been hacked and should immediately change their password.

On the topic of passwords, I know a lot of people use the same password everywhere. BAD IDEA!!!

I hope it's obvious why you shouldn't do it. The problem, of course, is trying to manage/remember multiple passwords. One approach is to use some kind of password management software, but that only works from your own computer, and you're in trouble if you want to log on from somewhere else.

In Chapter 16 (pp. 140-141) of The Virtual Handshake (free download or buy at Amazon), we offer a simple scheme for creating passwords that are unique for each site, but not easily decipherable if someone obtains a single password. I've found, though, that more and more sites are requiring longer passwords -- sometimes 8 characters -- and also doing things like requiring both numbers and letters in the password. A couple of years ago, I posted a little more complex password scheme that should meet those requirements.

Developing a secure password management scheme is one of the single best things you can do to protect against online identity theft.
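The per-site scheme referred to above is designed to be worked out in your head, and the post does not spell it out. As an added example that is not the book's scheme and not code from the post, the Python below shows the same idea done computationally: one master passphrase plus the site's domain is fed through PBKDF2-HMAC-SHA256 to produce a password that is unique per site, is the same every time you regenerate it, and always satisfies the "letters and numbers, at least 8 characters" rules mentioned in the post. Recovering the master passphrase from one leaked site password then requires brute-forcing through the slow key derivation. The function name, the salt label and the default length and round count are choices of this example.

```python
import hashlib
import string

LETTERS = string.ascii_letters
DIGITS = string.digits
ALPHABET = LETTERS + DIGITS


def site_password(master: str, site: str, length: int = 16,
                  rounds: int = 200_000) -> str:
    """Derive a deterministic, site-unique alphanumeric password.

    master -- the one passphrase you actually remember
    site   -- the site's domain, normalised so 'Twitter.com ' and
              'twitter.com' yield the same password
    length -- output length; 16 comfortably exceeds the 8-character
              minimums the post mentions
    rounds -- PBKDF2 iterations; higher makes offline guessing of the
              master slower if one derived password leaks
    """
    if length < 2:
        raise ValueError("length must be at least 2 to hold a letter and a digit")
    site = site.lower().strip()
    # The site name is the salt, so each site gets unrelated key material.
    key = hashlib.pbkdf2_hmac(
        "sha256",
        master.encode("utf-8"),
        ("site-password:" + site).encode("utf-8"),
        rounds,
        dklen=length,
    )
    # Force position 0 to be a letter and position 1 to be a digit so the
    # result always meets a letters-and-numbers rule; the remaining bytes
    # map onto the full alphabet. (256 is not a multiple of 62, so the
    # modulo introduces a tiny bias, acceptable for this illustration.)
    chars = [LETTERS[key[0] % len(LETTERS)], DIGITS[key[1] % len(DIGITS)]]
    chars.extend(ALPHABET[b % len(ALPHABET)] for b in key[2:])
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    master = "correct horse battery staple"
    for site in ("twitter.com", "example.com"):
        print(site, site_password(master, site))
```

Two caveats follow from the design. Everything hinges on the master passphrase, so it must be long and never typed into a site itself; and because the output is deterministic, rotating a password for one site means changing an input, for example by appending a version counter to the site name, which you then have to remember per site. That last point is exactly the complaint raised in the comments about sites with differing rules and forced changes, and is the gap a password manager fills.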

  • Nowadays, there are really lots of scammers trying to make malicious acts of entering private files and property. It's nice to know that you are sharing this password scheme with us. Thanks a lot.
  • Bloggers are not journalists in the professional sense of the word. It’s not only a misconception, but judging by how quickly erroneous information can spread, it’s a very dangerous idea. [...] Amateurs can produce high-quality content and, in a particular area of expertise, can provide more depth on a subject. However, we should never kid ourselves that the amateurs have the same level of experience, nor do they support the same level of standards as the professional. Read carefully and watch those banners. You may see a professional logo at the top of the page, but that doesn’t mean the same level of trust can be transferred to the content beneath it. I think it’s time that organizations like CNN and ZDNet change the layout of their amateur sites. It’s too easy to mistake the work of an amateur for that of the professional and trusted journalist.

  • It seems that Twitter is the best place for phishing and scams. Stay away from there.
    Just my opinion.
  • I received this same email about 1 week ago now. This is not something that has since gone away. People just need to always be careful with their private information, and they will be fine. When in doubt, return to the actual site, such as twitter.com, and not their link.
  • It happened to me to encounter these kinds of suspicious messages about 6 months ago, but I have to say it never worked for me if I composed a strong password from both numbers and letters. The guy was copying all my data onto his computer, and in this way he could see whatever I was typing, even if it was an account number or a user name and password for some game or website and so on.
  • A good password scheme is hard to find these days. One of the problems is that different sites require different password strengths. Some sites require at least one non-alphanumeric character, others only allow alphanumeric characters. In addition, at times you will want to (or be forced to) change your password.

    I'd love to find a good solution to this problem. Your linked solution gets us partway there....