<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Tricerion Security Blog &#187; passwords</title>
	<atom:link href="http://blog.tricerion.com/tag/passwords/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.tricerion.com</link>
	<description></description>
	<lastBuildDate>Tue, 17 Jan 2012 14:02:41 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>First Direct serves up more than just no-fee banking</title>
		<link>http://blog.tricerion.com/2010/03/first-direct-serves-up-more-than-just-no-fee-banking/</link>
		<comments>http://blog.tricerion.com/2010/03/first-direct-serves-up-more-than-just-no-fee-banking/#comments</comments>
		<pubDate>Mon, 01 Mar 2010 17:40:51 +0000</pubDate>
		<dc:creator>Kathy</dc:creator>
				<category><![CDATA[Banking]]></category>
		<category><![CDATA[Cyberthieves]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Bank]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[Twitter]]></category>

		<guid isPermaLink="false">http://blog.tricerion.com/?p=126</guid>
		<description><![CDATA[First Direct bank in the UK has been the first British bank to embrace Twitter. Does that really surprise anyone? As a 100% online bank, they&#8217;ve maintained a business pace a few clicks ahead of competitors in online services. But last weekend their clients and colleagues got a little surprise. First Direct&#8217;s Twitter account was [...]]]></description>
			<content:encoded><![CDATA[<p>First Direct bank in the UK has been the first British bank to embrace Twitter. Does that really surprise anyone? As a 100% online bank, they&#8217;ve maintained a business pace a few clicks ahead of competitors in online services.</p>
<p>But last weekend their clients and colleagues got a little surprise. First Direct&#8217;s Twitter account was hijacked and used to send direct messages &#8211; the Twitter equivalent of short emails &#8211; to its contacts. What&#8217;s more, these weren&#8217;t just any direct messages &#8211; they were pornographic. I don&#8217;t think that boosted their image of professionalism. The direct messages carried tantalizing links, and upon clicking, users were asked to log in to Twitter. Of course, it was a phishing attack: the users were actually divulging their passwords to the attackers.</p>
<p>The next day First Direct sent out a series of tweets that did little to allay fears &#8211; they mentioned twice that they&#8217;d been hacked, then tried to reassure clients that only the Twitter account had been hacked &#8211; not the bank &#8211; and that no user passwords were involved.</p>
<p style="text-align: center;"><a href="http://blog.tricerion.com/wp-content/uploads/2010/03/Picture-1.png"><img class="size-full wp-image-127 aligncenter dtse-img dtse-post-126" title="First Direct Twitter" src="http://blog.tricerion.com/wp-content/uploads/2010/03/Picture-1.png" alt="UK Bank Twitter Account is Compromised" width="475" height="309" /></a></p>
<p style="text-align: left;"><em>The Register</em> reader Paul Eagles comments, in Twitter style of 140 characters or less: &#8220;Let&#8217;s hope they are more secure with their banking systems than their twitter account,&#8221; he writes. Here&#8217;s the deal. This attack phished bank users and convinced them to give away their passwords for Twitter. The problem is that a large number of users reuse the same password across all their accounts, giving the attackers potential access to far more than Twitter.</p>
<p style="text-align: left;">So, a note to all users on all platforms. If a link sent to you looks suspect, it probably is. Clicking on it is unwise, and entering any information about yourself is plain foolishness. Your bank won&#8217;t send you porn. I promise.</p>



]]></content:encoded>
			<wfw:commentRss>http://blog.tricerion.com/2010/03/first-direct-serves-up-more-than-just-no-fee-banking/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Twitter&#8217;s been phished!</title>
		<link>http://blog.tricerion.com/2010/02/twitters-been-phished/</link>
		<comments>http://blog.tricerion.com/2010/02/twitters-been-phished/#comments</comments>
		<pubDate>Wed, 03 Feb 2010 02:28:46 +0000</pubDate>
		<dc:creator>Kathy</dc:creator>
				<category><![CDATA[Phishing]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[Twitter]]></category>

		<guid isPermaLink="false">http://blog.tricerion.com/?p=108</guid>
		<description><![CDATA[2 of my 3 Twitter accounts asked me to reset my password this morning when I signed in. It seems that a third party application may have compromised accounts, but stories abound about what really happened. What I can tell you is that I know enough about where to share my passwords that I didn&#8217;t [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: center;"><img class="aligncenter dtse-img dtse-post-108" title="Twitter Phished" src="http://scrapetv.com/News/News%20Pages/Technology/images/twitter-fail-whale-large.jpg" alt="" width="431" height="323" /></p>
<p>2 of my 3 Twitter accounts asked me to reset my password this morning when I signed in. It seems that a third party application may have compromised accounts, but stories abound about what really happened.</p>
<p>What I can tell you is that I know enough about where to share my passwords that I didn&#8217;t accidentally give my credentials to a fraudulent site. I can also tell you that no one hijacked my account. My password is reset on both &#8216;compromised&#8217; accounts and I&#8217;ve updated the legitimate applications I use to access Twitter.</p>
<p>I&#8217;m not quite sure why Twitter would be the target of a phishing attack. While they might be able to post what they ate for breakfast or follow a few celebrities (or whoever), no one can use my Twitter login information to access money or sensitive information. Not sure what the point to the whole Twitter phishing attack was, but I&#8217;m not too worried either. A minor inconvenience at worst, interesting blog fodder at best.</p>
<p><strong>Update: </strong>Thanks to Malcolm for posting the following in the comments on one of our posts about phishing:</p>
<blockquote><p>With the knowledge that many people use the same passwords across multiple sites, there is value in phishing ANY online login system. Because email+password can be identical on every site, any and every site is vulnerable to phishing. Phishers need a single chink in the armour: if the phished person uses a hotmail/gmail etc email address for Twitter, there’s a high chance the email can then be compromised with the same login details, and once you have the email you could wait for a ’statement’ email from a bank or credit card …</p>
<p><a href="http://blog.tricerion.com/2010/01/phishing_fraud_consumer_awareness/comment-page-1/#comment-44">More online users know about phishing, while number of victims is up by 600% @ Tricerion Security Blog</a></p></blockquote>



]]></content:encoded>
			<wfw:commentRss>http://blog.tricerion.com/2010/02/twitters-been-phished/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>3 reasons online banking is safer than paper</title>
		<link>http://blog.tricerion.com/2010/01/3-reasons-online-banking-is-safer-than-paper/</link>
		<comments>http://blog.tricerion.com/2010/01/3-reasons-online-banking-is-safer-than-paper/#comments</comments>
		<pubDate>Wed, 27 Jan 2010 14:17:59 +0000</pubDate>
		<dc:creator>Kathy</dc:creator>
				<category><![CDATA[Banking]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Bank]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://blog.tricerion.com/?p=102</guid>
		<description><![CDATA[We read stories about phishing and data breaches and we get worried. Some of us start thinking that maybe we&#8217;re better off (security-wise) with paper-based banking. Sending checks, receiving statements in the mail, paying bills the old fashioned way &#8211; manually with a checkbook and a stamp. But as Jean Chatzky said this morning on [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: center;"><img class="aligncenter dtse-img dtse-post-102" title="online banking more secure" src="http://www.chattahoocheebank.com/Portals/105/online%20banking.jpg" alt="" width="320" height="240" /></p>
<p style="text-align: left;">We read stories about phishing and data breaches and we get worried. Some of us start thinking that maybe we&#8217;re better off (security-wise) with paper-based banking: sending checks, receiving statements in the mail, paying bills the old-fashioned way &#8211; manually with a checkbook and a stamp. But as Jean Chatzky said this morning on NBC&#8217;s Today Show, online banking is actually safer than paper-based banking, for a few reasons.</p>
<ol>
<li>People who use online banking check their account 4 times more often than those who use paper-based banking. That means if someone does fraudulently steal your identity or your banking information, you&#8217;ll find out about it more quickly and remedy the problem earlier, translating to potentially fewer losses.</li>
<li>Banks&#8217; online systems are more secure than your mailbox and trash bin. Sure, they may not be 100% impervious to attack, but they&#8217;re much harder to hack into than your mailbox at the curb or the trash can full of sensitive information (even if it is shredded).</li>
<li>You can&#8217;t &#8216;wash&#8217; an online transaction. Check washing still occurs today &#8211; where someone takes a legitimate check you signed, washes the original amount and payee information but retains your signature. They&#8217;re then free to put their own name and any amount they choose. Online transactions aren&#8217;t washable &#8211; they go where they&#8217;re meant to go, when they&#8217;re meant to go.</li>
</ol>
<p>Basically, what it boils down to is this: choose a <a href="http://blog.tricerion.com/2010/01/keyloggers-you-cant-touch-this/">secure password</a> that you can remember <a href="http://blog.tricerion.com/2010/01/why-try-to-remember-what-you-could-just-write-down/">without writing it down</a>. Keep your information to yourself, and don&#8217;t fall prey to scams inviting you to &#8220;click here&#8221; to verify your information. Your bank doesn&#8217;t need you to verify your information, and if it does, it can find a more secure way to contact you than sending an email or putting a button on your Facebook page.</p>



]]></content:encoded>
			<wfw:commentRss>http://blog.tricerion.com/2010/01/3-reasons-online-banking-is-safer-than-paper/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Problem with Passwords</title>
		<link>http://blog.tricerion.com/2010/01/the-problem-with-passwords/</link>
		<comments>http://blog.tricerion.com/2010/01/the-problem-with-passwords/#comments</comments>
		<pubDate>Tue, 05 Jan 2010 20:22:32 +0000</pubDate>
		<dc:creator>Eugen</dc:creator>
				<category><![CDATA[Usability]]></category>
		<category><![CDATA[Authentication]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://blog.tricerion.com/?p=61</guid>
		<description><![CDATA[Zack Whittaker’s post on whether we still need usernames/passwords is fueling an interesting debate at ZDNet.  The premise is familiar  &#8211; everyone is tired of storing their hundreds of passwords in an Excel sheet or a password management app.  Wouldn’t it be nice if all websites would just “join hands” so to speak, and create [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://blog.tricerion.com/wp-content/uploads/2010/01/Passwords-mandatory.jpg"><img class="alignright size-full wp-image-73 dtse-img dtse-post-61" title="Passwords-mandatory" src="http://blog.tricerion.com/wp-content/uploads/2010/01/Passwords-mandatory.jpg" alt="" width="280" height="186" /></a>Zack Whittaker’s post on <a href="http://blogs.zdnet.com/igeneration/?p=2498" target="_blank">whether we still need usernames/passwords</a> is fueling an interesting debate at ZDNet.  The premise is familiar  &#8211; everyone is tired of storing their hundreds of passwords in an Excel sheet or a password management app.  Wouldn’t it be nice if all websites would just “join hands” so to speak, and create a magic unified ID access mechanism that would be simple, easy to use, super secure and not cost a zillion dollars to implement?</p>
<p>The debate on usability vs. security somehow always leans towards usability as the obvious choice (we all like “simple”).  Yet every day, all around us we are faced with the very same dilemma:</p>
<ul>
<li><strong>Airport security. </strong> Yes, I want to just show my ticket at the counter and go straight to the airplane door &#8230; no frisking, please.  Unfortunately, not all people are getting on the plane just to travel from A to B.  Some of them try to <a href="http://news.bbc.co.uk/2/hi/americas/8430612.stm" target="_blank">carry explosives on board</a>.  Our concern for safety will allow for more stringent access control to the planes.</li>
</ul>
<ul>
<li><strong>Government.</strong> The Bolshevik revolution started with the social ideal of universal equality.  The Communists believed that every man is inherently good, if only he was given the right tools and opportunities.  Give everyone an equal amount of food, money, clothes, housing and work, and paradise will descend upon us.  Of course, the masses should be defenseless, because the State will protect them.  Being different or more gifted than others is also uncool, because you just make the others look bad (remember – universal equality).  If you had to live through that atrocious Communist experiment, would you rather have a meager but stable and predictable existence where most of your basic needs are met, or would you choose total freedom and personal responsibility for your own successes (and failures)?  It is incredible, but usability (so to say) wins here too.  People want it easy when it comes to government – basic needs trump individual freedoms.  In a recent poll, <a href="http://english.pravda.ru/society/22-12-2009/111328-sovietnostalgia-0" target="_blank">60% of Russians still regret the break-up of the Soviet Union</a>.</li>
</ul>
<ul>
<li><strong>Online Privacy. </strong> There’s been a major paradigm shift in how our society views personal issues.  We now easily discuss very private events and feelings with hundreds of our Twitter and Facebook followers.  Our trust in online privacy created a new (false) sense of security in believing that we still control the information. How much inconvenience would you bear (in terms of access security) to make sure that your social networking accounts are never compromised and misused?  My LinkedIn account is connected to many people I respect and appreciate.  The last thing I want is for someone to hijack my credentials and discredit my reputation or my network.</li>
</ul>
<p>Zack Whittaker asks “<em>How would you fix it?</em>” (the password clutter vs. security issue).</p>
<p>I’d like to suggest that <a href="http://en.wikipedia.org/wiki/G._K._Chesterton" target="_blank">G.K. Chesterton</a>’s response to the famous question “<a href="http://www.gutenberg.org/files/1717/1717-h/1717-h.htm" target="_blank">What is wrong with the world?</a>” applies in this case.  Chesterton’s response was written in the form of a letter to “The Times”, which had originally posed the question:</p>
<blockquote><p><em>Dear Sirs,</em><br />
<em>I am.</em><br />
<em>Sincerely yours,</em><br />
<em>G. K. Chesterton</em></p></blockquote>
<p>What is wrong with the username and password?  I am.  The user is.  As long as the user has the ability to share authentication credentials, he is vulnerable to social engineering (phishing) attacks.  We assume (much like the Communists did) that the user is generally smart and responsible . . . we just need to build higher walls around the enterprise technology or web services (firewalls, etc.).  I agree that usability has to remain high, and mutual authentication, specifically <a href="http://www.safelogin.co.uk/" target="_blank">graphic passwords</a>, is one of the few security approaches that increases access security while targeting the weakest link – password shareability.  When using graphic passwords, the user has no easy way to share his password by typing it, disclosing it on fake websites, sending it by email or even writing it down on a piece of paper.</p>
<p>Our use of technology in everyday life has changed how we live now, 45 years after the first mainframe computers were built.  Yet, we continue to use a 1960s access control mechanism.   <a title="Are Tricerion revolutionising passwords? " href="http://www.it-director.com/business/security/content.php?cid=10590" target="_blank">Passwords have evolved into the 21<sup>st</sup> century</a> and it’s time to <a href="http://www.safelogin.co.uk/" target="_blank">benefit from it</a>.</p>



]]></content:encoded>
			<wfw:commentRss>http://blog.tricerion.com/2010/01/the-problem-with-passwords/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

