The aftermath of Twitter's biggest phishing scam

Over the last week, many people have fallen foul of the latest phishing scam to do the rounds of Twitter. And an unusual number of high profile individuals have been included in the list of users affected, including the Press Complaints Commission, BBC correspondent Nick Higham, the Guardian’s Head of Audio Matt Wells, bank First Direct, and environment minister Ed Milliband.

Environment Minister Ed Milliband caught by phishing scam

Phishing scams have long been endured by most internet users – the traditional mechanism has been via email, but as social networks have become hugely popular, they’ve become the vector of choice. And Twitter is particularly attractive because the speed with which messages can spread is combined with the use of short URLs, which help to mask the malevolence of the message.

While this is just another example of the huge number of phishing attempts which exist, the higher profile of these attacks as they affect prominent politicians will hopefully lead to better awareness and a better response by governments.

It’s probably a forlorn hope, but for example, here are some things which might change:

  • More education about phishing and spam to the ‘general public’ – how about a public awareness campaign?
  • More understanding about how normal users can have accounts compromised very easily – for instance, with ‘Three Strikes Rules’.
  • More people using offline backups of any content that is valuable or useful to them
  • More of a move towards data privacy, and Vendor Relationship Management, to allow users to only share the information they choose with any service provider under strict controls.
  • A rethink of the UK Identity Card scheme, which includes private businesses taking fingerprints and photos.

Importantly, it should place the risks of Social Engineering alongside those of teenage cyberwarfare specialists taking down defence satellites from their bedroom. If a private company was, for example, storing fingerprint data, you wouldn’t need to target their infrastructure (although I’m not sure most chemists have a particularly high level of internet security) – you’d use social engineering on their employees via Facebook, Twitter, or offline in person to gain information and access.

Of course, technology can play a part, and I’m sure Twitter will increase their response to phishers in future, particularly as a high profile attack via any platform is never good for PR. But any measures will always be part of a never-ending arms race, and only when every individual is educated enough will there be any noticeable difference…

How CNN and Citizen Journalism can move forwards…

I’ve already covered why the fake Steve Jobs heart attack story published on CNN’s iReport shouldn’t be seen as a fault of Citizen Journalism as a whole, and why we should all be encouraged to verify and fact check articles before we take them as gospel, or reprint them.

The Silicon Valley Insider has published a defence of their repetition of the story, but for me, it does little to convince me that they did anything other than repeat the story quickly to grab page views. Especially when they appear to justify reprinting any rumour that is possibly credible enough to be worth publishing.

‘Sometimes this information is fact. Sometimes it is rumor or scuttlebutt. Sometimes it is speculation. Always it is information that we believe is credible or interesting enough to bring to our readers’ attention.’

In their defence, the original story did contain a disclaimer: ‘We’re making calls, but as yet we have no idea whether it’s true. Confirmation/denial the moment we get it.’

Anyway, as someone who has worked on websites with User Generated Content and various levels of moderation, I think there are a few ways that sites containing Citizen Journalism can evolve.

  • Scott Karp covers one method. Rather than a totally open system that just requires an email address and solving a Captcha code – effectively meaning anyone can publish fairly anonymously, CNN and other site owners could actively search out anyone already publishing content, and select people who demonstrate a verifiable responsibility/ability. Increasingly this will be the role of professional Editors online, and although it goes against the ‘open ideal’, the main downside is that it costs organisations time and effort. Scott goes into more detail, and the restrictions he’s applied to Publish2 in a post well worth reading.
  • Sam’s post on my previous article highlights the legal dilemma – moderate everything at a huge cost, or let it be a free for all. I disagree that we shouldn’t blame a company that encounters problems because they’re not willing to pay for the resources to moderate a service – but I think there is a third alternative – crowdsource the moderation. An effective rating and reputation system would indicate reliability and past success rates in the hands of fellow Citizen Journalists. And although it will be tough to make a system that cannot be ‘gamed’ to a large extent, it would have avoided an event like the CNN one – where an account is used to make one fake story and then disappear. The better the system and the more effort it takes to game it, the fewer fraudulent users will make the effort.
  • Increase the private identification of users. One easy way is to offer a small payment for articles, which requires bank details/paypal account details etc – or even some proof of identity before being allowed to post. It may add to the need for resources – but it’s less work than moderating every article, and would also weed out many of the fraudulent accounts.

That’s three possibilities with a bit of thought. I’ve actually been thinking about this problem for a while, and I’m working on some ideas which may help to increase the reliability of Citizen Journalism and Blogging, whilst also removing some of the barriers the citizen journalists and bloggers undoubtedly face – if I heard Steve Jobs had suffered a heart attack, would I know who to contact for a fast response, and would they be likely to respond? Or would my attempts to verify the facts mean I get scooped by a larger site or mainstream media and miss out on the benefits of getting the news first?

In a 24 hour, second by second online world where every moment counts if you want to break a story first, we shouldn’t blame people for falling for the idea that accuracy can be discounted in the rush to publish before anyone else – especially as the result of it backfiring can be a loss of respect, authority and readers.

But I also don’t think we should excuse it as a necessary byproduct of online journalism which can’t be evolved and solved. That’s just laziness. And many of the comments on the Silicon Alley Insider story pick up on this. In our efforts to evolve online journalism, it’s just stupidity to disregard all that preceded us in ‘dead tree’ publications simply because the digital world offers new opportunities and challenges. In my next post, I’ll outline some of the things that should make the transition from ‘traditional’ to ‘digital’ journalism, if the online world wishes to base itself on solid foundations and be taken seriously in terms of reputation as well as numbers and revenue.