But last weekend their clients and colleagues got a little surprise. First Direct’s Twitter account was duped, sending direct messages – the Twitter equivalent to short emails – to contacts. What’s more? These weren’t just any direct messages – they were pornographic. I don’t think that boosted their image of professionalism. The direct messages sent out tantalizing links, and upon clicking, users were asked to login to Twitter. Of course, it was a phishing attack where the users were actually divulging their password to hackers.

The next day First Direct sent out a series of tweets that did little to allay fears – they mentioned twice that they’d been hacked, then tried to reassure clients that only the Twitter account had been hacked – not the bank – and that no user passwords were involved.

The Register reader Paul Eagles comments in Twitter style of 140 characters or less: “Let’s hope they are more secure with their banking systems than their twitter account,” he writes. Here’s the deal. This attack phished bank users and convinced them to give away their passwords for Twitter. The problem is that a large number of users have the same passwords for all their accounts, giving hackers potential access to more than just Twitter accounts.

So, a note to all users on all platforms. If a link sent to you looks suspect, it probably is. Clicking on it is unwise, and entering any information about yourself is plain foolishness. Your bank won’t send you porn. I promise.

Two of the ones I found somewhat surprising were shortened URLs (since fraudulent URLs look just like legitimate URLs when they’re shortened); and malware coming through sites with tricky URLs that look authentic but aren’t (like International Domain Names).

Scareware and computer hijacking are still on the list and probably always will be. Same song, different verse. It’s a fluid scheme, changing from season to season, but the motivation remains the same.

Another one we’re looking at? It isn’t part of the top 5, but its implications reach far and wide. Healthcare security. With more and more ways to manage health information online, that’s sure to be a target for breach in the near future.

When it comes down to it, hackers are as motivated by the laws of supply and demand as the free market is. Just as legitimate businesses look for new ways to earn income and meet needs, so do hackers. As long as there is money to be made, hackers will continue to find new methods to steal it.

Our job is to beat them at their own game – anticipating their next steps, preventing their success, and defending our clients’ information and assets.

In the last two years hackers have stolen over $40 million from small to medium enterprises that typically don’t have the resources or tech expertise to protect themselves from such attacks. They often do business with small banks and credit unions, which are typically considered “low hanging fruit” for hackers. Channel-Pro SMB interviewed our very own Stuart Morris about this issue, and the write-up points out some key issues – like the impact this can potentially have on small to medium businesses.

The solution the feds propose is a dedicated computer used only for banking. They recommend it because malware is often installed when surfing the net, gaming, emailing, and downloading programs. It isn’t fool-proof though. Crooks are smarter than we like to think and a computer dedicated to online banking isn’t a surefire way to stop them. And logistically, unless we’re talking about sole proprietors, it becomes both a hassle and prohibitive expense when every person who needs access to banking information requires a separate computer to do so.

Hey! I have an idea! What if banks, e-commerce sites, and other agencies requiring sensitive login procedures found a way to protect their users and consumers from this type of fraud? Is it possible? Is it plausible? What is this, 1976? Of course it is! And it has been for years.

The only real way to stop keyloggers is to stop typing passwords. You know how you use your mouse to click on buttons on the computer screen?  There’s no reason banks couldn’t use a clickable keypad on the screen to replace password typing, or even credit card entry. And guess what? It’s already being done. There’s a system that first recognizes the user and generates a customized keypad for them. If your keypad doesn’t look right you know you’re on a fraudulent site. When you see the keypad you recognize, you use your mouse to key in your password. Easy, breezy. And keyloggers don’t have a chance. (Neither do man-in-the-middle, man-in-the-browser, or any host of other hackers.)

Wanna give it shot? You can. Go ahead – try it now. I’ll give you a buck – a whole greenback for the minute you spent – if you think it’s too hard to use.

The good:

• if you’re trying to save dough, this could be a positive means of accountability – you spend frivolously and your friends immediately know it.
• couponing and bargain-hunting gone wild. If your friend found something on sale, this could be a valuable alert.
• a marketer’s dream. This takes ‘keeping up with the Jones’s’ to a whole new level.

The bad:

• it requires you to store your credit card information and login information on their site. Um… is our memory for corporate financial data leaks really that short? Are we fool enough to divulge this? If so, maybe we deserve to have our identities stolen…
• surely no burglar, criminal, or otherwise mischievous soul would ever use this for ill. And if you believe that, I have a bridge to sell you.
• are we really so materialistic and driven by instant gratification that we need a whole new social networking site to help retailers manipulate our spending habits?

Here at Tricerion, we think a site like this has the potential for more harm than good. It would certainly be useful to hackers to gain access to the data stored there, and we haven’t seen anything from Blippy to allay our fears about their site security. Maybe we’re just overcautious (or maybe we just know who we’re fighting really well).

How about you? What do you think of Blippy? Would you blip (or is it bleep? maybe bleet?)?

The same article tells us that identity theft is up 33.1%, according to CIFAS, and that’s before taking into account the increase in fraud that we expect over the holidays. It seems that come holidays, crooks get greedy, which corresponds with a year-end boost in opportunity.

Happy Christmas to all and to all good security.

Fake or rogue security software was the most prevalent threat of 2008. It seems criminals know that we as a population have a weakness for security products. We want to be safe, so they hit our vulnerability with security products that are far from secure. This malware product has the look and feel of McAffee, only it’s not quite right.

Email phishing seems to be on a decline, but phishing as a whole is increasing, with internet-based scams leading the pack. Our awareness campaigns to caution customers about email phishing paid off – the customers grew email-savvy, but the criminals grew more sophisticated.

As for 2010, CA expects to see an increase in Malvertising (advertising malware), threats to social networks, and – not so surprisingly – denial of service attacks like we saw this year in political showdowns in Moldova and Iran. Banking trojans are expected to be on the rise as well, and we’d be fool to think criminals would ever really back off financial institutions, since the carrot at the end of the stick is so big.

They could approach it the way AT&T did when they realized that 3% of users (iPhone owners) exploit 40% of bandwith – AT&T started looking for ways to discourage iPhone users from accessing the data services they so love. Instead of using the situation to build business and expand services (which is what any strategically driven company would do) AT&T looked for ways to hamstring their customers.

Banks could take the same approach, right? Encourage their customers to use online banking less. Scale back online services. Provide second-rate security. Promote fear in their customers.

Of course, that would mean technological dinosaurs that take the path of least resistance would inevitably lose customers to banks that provide the online services their customers want. Penalizing users for creating business process conundrums does nothing but propel corporations into decline.

So maybe, in an ideal world, banks might think to increase security to keep up with online threats. Novel idea, right? In fact it is, in a way. As online risks have grown, the majority of banks have done little to keep up with the threat level. Sometimes it’s easier from an operations perspective to reimburse money lost through identity fraud than it is to actively protect against it.

Come on, folks. Are we really lazy enough to believe that doing nothing and suffering attack is better than proactively adopting solutions to protect our customers? Check out Tricerion’s SafeLogin. It’s simple. It’s elegant. It’s easy from the bank’s side and seamless to the user.

Don’t make the mistake AT&T did. Move with the market. Take the lead. Get your groove on.