7 High-Tech Twitter Users Who Fell for Phishing Scams) This evening Twitter announced that a new program will intercept links sent out by Direct Message and through email, checking to make sure they are safe. Phishing prevention is no small matter.It never ceases to amaze me how many high-tech industry elites get ensnared in every Twitter phishing attack. (See our November story
Twitter's is a good move but a lot more is needed all over the web. If we want a transactional developer ecosystem of distributed identity and portable user data, there are both user education and technical changes that need to be made.
I don't mean to be pedantic about this, but here's my take on the subject.
It's only because there is a big developer ecosystem creating interesting new services on top of our Twitter identities that any of us would ever consider logging in to Twitter while on another website. That ecosystem is great, and it's the kind of thing that an interconnected web that leverages portable user data would be filled with. But if user data is a form of currency and even people who are professional technology analysts (paid hundreds of dollars an hour for their technology advice - and many of these people are falling for Twitter phishing scams) - if even these people can't tell the difference between a good transaction and a bad one, then what does that say for the future of distributed developer ecosystems and data portability?
Apparently, though, fooling people these days into handing over their Twitter login through an unsafe transaction is like taking candy from a baby. It's really easy.
That's a failing of user education and of the design of distributed authentication transactions, isn't it? (Though it's tempting to blame the users who fall for it, it really is!)
Remember when debit and credit cards were first introduced and many people didn't trust them? Aren't you glad we figured out how to make that work? Similarly, we need a combination of user education (don't give out your credit card number to random people who call you on the phone) and practical measures - credit card transaction receipts have two copies, your copy is the one with the full number printed on it - take it with you. Little things like that and more made plastic a viable platform for commerce. Distributed online identity needs similar measures taken.
You know what also doesn't help? People who try to be helpful by urging users to not even click on phishing links. It's not like these are mysterious poisonous substances that will kill you if you touch them. Go ahead and click on them! Just don't give the resulting spoof pages your username and password. That's the problem!
It's early days in all of this and more moves like Twitter's tonight will be needed. For the good of user security but also for the good of all the innovation this web has the potential to deliver.