The act of fishing, according to Texas State Rep. Aaron Pena, can be described as “slow, methodical and patient.” The act of phishing, on the other hand, can be described as methodical, patient and unscrupulous.
The first time I saw the word phishing, I did not immediately think of phreaking (hacking a telephone system). I thought it was a clever “respelling” of the word “fishing” since the two verbs share a common theme: to seek to obtain something indirectly or by artifice.
Phishing was first described in a paper in 1987 and first mentioned online in 1996 in an America Online newsgroup. Fourteen years later, phishing has spread from the relatively closed garden of AOL instant messaging to semi-closed gardens like Facebook and wide-open spaces like email and Twitter. Almost all online definitions of phishing describe it as an email-based scheme.
The language of the phisher seems relatively unchanged. On AOL in the 1990s, phishers would directly ask potential victims to “verify your account” or “confirm billing information.” This week, they are indirectly asking us for our Twitter login credentials. The phisher provides a link to a login page that looks like Twitter, unless we examine the URL visible in the address bar. The unsuspecting click “sign in,” and the phisher then uses this newly acquired access to send the phishing link, as a direct message, to everyone who is following us.
Clearly, this system is methodical. It is, after all, governed by the if-else logic of computer code. It is patient: the phisher is content with a very small click-through rate. This is, after all, how real-world viruses propagate; not everyone who is exposed to a cold or flu virus gets sick. And it is unscrupulous: the phisher poses as us to our (initially, at least) unsuspecting friends.
There is less malice in the current Twitter scam than in the Facebook “I’m stranded and need money” phishing example. The Twitter attack does not seek to directly separate you from your money and possessions. But many people use the same login credentials for multiple accounts. That same patient computer code, which now has your Twitter ID and password, could be used to try those credentials against other accounts: email, online commerce, banking.
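The address-bar check described above can be written down as a small script. The following is an added example, not code from the original post: it assumes the user expects to land on twitter.com (an assumption for this example) and classifies a handful of constructed links, none of them real phishing URLs, according to the common ways a link can contain the expected name without actually pointing at the expected site (the name used as a subdomain prefix, placed before an @ in the userinfo part, or tucked into the path).

```python
from urllib.parse import urlsplit

# Site the user believes the link leads to (assumption for this example).
EXPECTED_HOST = "twitter.com"

# Constructed sample links for illustration; none of these are real phishing URLs.
SAMPLE_LINKS = [
    "https://twitter.com/login",
    "https://mobile.twitter.com/login",
    "http://twitter.com/login",
    "http://twitter.com.example-login.test/session",
    "http://twitter.com@example-login.test/",
    "http://example-login.test/twitter.com/login",
    "http://twltter.com/login",
    "javascript:alert(1)",
]


def link_host(url):
    """Host the browser would actually connect to (lower-cased), or '' if none."""
    return (urlsplit(url).hostname or "").lower()


def is_expected_site(host, expected=EXPECTED_HOST):
    """True only for the expected domain itself or one of its real subdomains."""
    return host == expected or host.endswith("." + expected)


def check_link(url, expected=EXPECTED_HOST):
    """Classify a link the way a careful look at the address bar would.

    Returns (verdict, reason). 'ok' means the host really is the expected
    site over https; otherwise the reason names the trick that makes the
    link merely look right.
    """
    parts = urlsplit(url)
    host = link_host(url)
    if parts.scheme not in ("http", "https") or not host:
        return "suspicious", "not an http(s) link to any host"
    if is_expected_site(host, expected):
        if parts.scheme != "https":
            return "suspicious", "right site but plain http"
        return "ok", f"host is {host}"
    if host.startswith(expected + "."):
        return "suspicious", f"expected name is only a subdomain prefix of {host}"
    if parts.username and expected in parts.username:
        return "suspicious", f"expected name sits before '@'; real host is {host}"
    if expected in parts.path or expected in parts.query:
        return "suspicious", f"expected name appears in the path, not the host ({host})"
    return "suspicious", f"host {host} is unrelated to {expected}"


def audit(links=SAMPLE_LINKS):
    """Return {url: verdict} for a batch of links."""
    return {u: check_link(u)[0] for u in links}


if __name__ == "__main__":
    for url in SAMPLE_LINKS:
        verdict, reason = check_link(url)
        print(f"{verdict:10} {url}\n           {reason}")
```

The point of `link_host` is that the host is taken from the parsed URL, not from whatever text appears first in the link; everything before an `@`, and everything after the first `/`, is irrelevant to where the browser connects.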
A Plea For Virtual Safety
Here are some steps to secure your online identity:
- Just say no. Be mindful before clicking on links in Tweets, Facebook status updates and email. Think before clicking. Use a browser with built-in safety features. For example, Chrome, Camino and Internet Explorer warned me about the current phishing attack on Twitter; however, neither Firefox nor Safari provided a warning.
- Avoid creating new accounts. When a website asks you to create an account, opt instead to log in with Facebook, Twitter, OpenID, Disqus or TypePad. In other words, use a preexisting account. If the originating website only uses Facebook Connect, consider sending them a note asking for choice.
- Segregate login profiles. The login profile for your online banking should be substantially more secure than one for reading a news site or for commenting on your favorite blog or for editing a Wikipedia entry. I don’t believe that it is reasonable to say “create a new password for every account” … because I know you won’t. It is reasonable to suggest mindfulness.
- Develop a password strategy. After you’ve thought about the types of profiles in terms of risk and frequency of access, develop a password strategy. For non-monetary accounts like most news sites, Wikipedia and your favorite blog, pick a password that is easy to remember. What is the worst that could happen if someone figures out your password to one of these accounts? They’re not going to get your mailing address or access to your bank account. In this case, memorable is probably more important than “strong.”
- Minimize duplicate instances of the same password when risk goes up. When the answer to “What is the worst that could happen?” includes access to personal or banking information, don’t use the same password for every account. As the risk goes up, make the password more secure. Whine loudly when a vendor (like Verizon) will not let you create a secure password on their system.
- Email passwords should be strong. In a perfect world, we’d use one email account for all of our financial transactions, a different account for corresponding with friends, and yet a third account for mailing lists and such. The more that you commingle the ways you use your email account, the greater the risk if the account should get hacked. The greater the risk, the more secure the password. Remember that email is often used as the way to reset account passwords!
- Completely segregate online banking. Your online banking password should not be used on any other account.
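The tiered password strategy in the list above can be checked mechanically. The following is an added example, not code from the original post: it takes a constructed list of accounts (site, kind of account, password; the sites and passwords are made up), groups them by password, and grades each instance of reuse by the most sensitive account involved, applying the post's rules that a banking password is never shared, an email password is not shared, and reuse among low-risk accounts is acceptable. The account categories and their risk ranking are this example's own assumption, modelled on the tiers the post describes.

```python
import hashlib

# Risk tiers assumed for this example (higher = more damage if the password leaks),
# following the post's ordering: news/blog/wiki < social < commerce < email < banking.
TIERS = {"news": 0, "blog": 0, "wiki": 0, "social": 1, "commerce": 2, "email": 3, "banking": 4}

# Constructed sample profile; sites and passwords are invented for the example.
SAMPLE_ACCOUNTS = [
    ("dailynews.example", "news", "sunflower"),
    ("favoriteblog.example", "blog", "sunflower"),
    ("wikipedia.example", "wiki", "sunflower"),
    ("twitter.example", "social", "sunflower"),
    ("shop.example", "commerce", "sunflower"),
    ("mail.example", "email", "Correct-Horse-9"),
    ("bank.example", "banking", "Correct-Horse-9"),
]


def fingerprint(password):
    """Short hash so the audit can compare passwords without keeping the plaintext around."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def group_by_password(accounts):
    """Map password fingerprint -> list of (site, kind) that use it."""
    groups = {}
    for site, kind, password in accounts:
        groups.setdefault(fingerprint(password), []).append((site, kind))
    return groups


def audit(accounts):
    """Return a list of (severity, message) findings, one per reused password."""
    findings = []
    for members in group_by_password(accounts).values():
        if len(members) < 2:
            continue  # unique password: nothing to report
        kinds = [kind for _, kind in members]
        sites = ", ".join(site for site, _ in members)
        highest = max(TIERS[kind] for kind in kinds)
        if "banking" in kinds:
            findings.append(("critical", f"banking password is shared with: {sites}"))
        elif "email" in kinds:
            findings.append(("high", f"email password (used for resets) is shared with: {sites}"))
        elif highest >= TIERS["commerce"]:
            findings.append(("medium", f"password for a commerce account is shared with: {sites}"))
        else:
            findings.append(("info", f"reuse limited to low-risk accounts: {sites}"))
    return findings


def worst_severity(findings):
    """The single most serious severity among the findings, or 'none'."""
    order = ["none", "info", "medium", "high", "critical"]
    return max((sev for sev, _ in findings), key=order.index, default="none")


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_ACCOUNTS):
        print(f"[{severity}] {message}")
```

Running it on the sample profile reports the shop password as a medium finding (it is shared with four low-risk sites) and the shared email/banking password as critical; the first is the kind of reuse the post calls acceptable only while the account is non-monetary, the second is exactly what the last two list items forbid.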
Now excuse me, please, while I go practice a bit of what I’m preaching.