Tweet Week: Gone Phishing

Welcome to the third day of Tweet Week. Today, we’ll cover phishing.

I’ve covered phishing before, starting with the phishing attack on Twitter earlier this year and again with a brief overview of phishing. So, if you’re unfamiliar with phishing, I recommend reading those posts first, as I’m not going to re-invent the wheel here. Then come back and read this post, where I will discuss another phishing scheme to be aware of.

I’ll wait…

Okay. Now that you’re familiar with, or have brushed up on, phishing, here’s a new one to be careful of. This one is very tricky because it’s not always a phishing scheme! In fact, it may be perfectly innocent. But, even if the site is doing it in fun and with absolutely no phishing intent, a phisher could still make use of the information!

You’ve probably seen various tests and quizzes going around, as well as ones that will tell you your “Rock Star” name or whatnot. Many of these are innocent enough, but be careful of two things.

First, be careful of ones that want your eMail address to send you the results! There is no reason the results can’t be displayed in your web browser. Some want your eMail address to add you to a marketing list. That’s not an issue if you don’t object to being on such a list, as long as it is disclosed that you are being added to one. (Also be aware that some may sell or rent their list, so your eMail address could end up everywhere.) So, be sure to read the disclosures carefully. The problem, though, is when people want your eMail address not to add you to a marketing list and sell you stuff, but to use it for phishing. (And that’s certainly not going to be indicated in their disclaimer!)

Again, be aware that many such sites are just for fun or marketing. But, it can be extremely hard to tell which are for phishing, and such sites may be few and far between. When in doubt, you have two options. The first, obviously, is not to use such sites. The second option is to use an eMail address you don’t use for anything else (more on this later). Sites like Yahoo and Google and many others will give you a free eMail account. Alternatively, if you have your own domain name, you may be able to set up one or more additional eMail accounts on it through your ISP or webhost.

The other thing to be careful of is what kinds of questions are asked. Be suspicious of anything asking for personal information. It may be done sneakily, as with those “Find Your Such-and-Such Name!” sites. They might ask you your pet’s name, your mother’s maiden name, or even the street you grew up on.

For example, let’s say that the “Find Your Rock Star Name” (I just made that up–I don’t know if there is an actual such site, so don’t read anything into this example) asks you these questions:

Q. What is your mother’s maiden name?
A. MacKenzie

Q. What is your favorite pet’s name?
A. Spot

Q. What is the name of the street you grew up on?
A. Elm

Then, it takes your information and tells you your “Rock Star” name: MacKenzie Spotelm.

Silly and fun, and you don’t think anything of it. But, now that site has your personal information. And, if they also asked for your eMail address, they have all the information they need to try a phishing attack.

For many systems, your login name is your eMail address. Now, the phisher has that. Many people use their pet’s name for a password. Now the phisher has your login and password. But, you’re thinking, a-ha! I’m smart enough not to use my pet’s name as a password! Unfortunately, the phisher also has your mother’s maiden name, your pet’s name and the name of the street you grew up on, which are common security questions used to reset passwords! Armed with that, who knows what damage they could cause?

And, if they can wrest access to or control of your eMail account, what else can they get into? Your domain name registrations? Your banking accounts? Etc. Many people think, oh, the worst they can do is get into my Twitter account and send some annoying tweets. But, if they can get into your Twitter account, they can find out your eMail address. And, then use the security question answers to try to access that eMail account.

Okay, but what if the “Rock Star” name site is not a phishing site? What if it really is innocent and just for fun?

Remember the old adage “Loose lips sink ships”?

Well, let’s say that your friend’s “Rock Star” name is Smith Fluffyoak. How do you know that? Probably because he tweeted it, right? So, now phishers can see it. You see, there is a pattern. Look at your friend’s “Rock Star” name. You know his mother’s maiden name is Smith, his pet’s name is Fluffy and he grew up on Oak Street. And phishers know that too.

And, be careful of what other information you tweet. Favorite color? Favorite book? These types of things are common security questions too. And, once public in a tweet, they are accessible. There’s a wealth of information people can find out about you by searching your tweets (as well as your blog and other profiles on the Internet). And some of that information can be discovered and used by phishers!

But, what if you have your profile set to private on Twitter? Then the phishers can’t see it, right? Unfortunately, that’s not necessarily the case. What if they manage to get into one of your friend’s accounts? Then they will be able to read your tweets! In fact, because you had your profile set to private, you might have been less careful about what you tweeted, thinking only your friends would see it. But, you’re also dependent on your friends keeping their Twitter accounts secure too. All it takes is for one of them to fall victim to a phishing attack or to be careless about their password and then some malicious person could be reading your tweets. So, even if you have your account set to private, you still need to be careful about what details you give out.

So, what can you do?

First, be suspicious of any site wanting personal information. Many people like to talk about their pets, so that should not necessarily be a red flag. However, your mother’s maiden name and the name of the street you grew up on are generally things other people really don’t need to know. So, be careful about giving that information to anyone.

Second, when possible, use a special eMail setup just for using those types of sites, if you choose to use them.

Third, in addition to having a special eMail for those sites, or if doing so is not possible, at least use a different eMail account for financial and other important sites than you use for regular purposes. That way, if someone gets into your public eMail address, they won’t be able to get into your financial accounts because the eMail address is different. And, if your financial accounts use a username rather than an eMail address as a login, make sure your username is not the same as what you use on Twitter and other services. And still use a different eMail address as an extra layer of security. Just be sure that the eMail address you use is relatively secure. For one, it should not be guessable by a dictionary attack, it should not be used publicly, and it should be set up through a trusted provider. Don’t get a free eMail address from some site you’ve never heard of and use it for your checking account!

Fourth, use a different eMail address for your domain name registrations too. Do not use the same eMail for your domain name registration and banking accounts. Since domain name registrations are often public, your eMail address can be discovered there too.

Fifth, when permitted, set up your own unique security questions on your accounts. Some sites will let you choose from among several common security questions, which may include an option to write your own. When it’s offered as an option, choose it! Then, use a question and answer with information that you never ever reveal publicly. That way, even if an attacker figures out your mother’s maiden name, reads your tweets and reads your blog and whatnot, they will still be unable to answer the security question!

Sixth, use strong passwords. (I’ll cover passwords in another post this week.)

Are all these steps really necessary? Each of these steps adds additional security. You can choose how much or how little security you want to place on your accounts. The most important things are to keep your personal information as private as possible and use secure passwords, preferably ones unique to each site.
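As an added self-audit example (not part of the original post), the following script checks whether a set of security-question answers can be read out of one’s own public posts, including when they are fused into a “Rock Star” name as described above; the answers and posts are constructed sample data, and the custom-question answer is included to show that an answer never posted stays clean.

```python
import re
import unicodedata

# Answers to reset questions an account might use (constructed sample data).
SECURITY_ANSWERS = {
    "mother's maiden name": "MacKenzie",
    "favorite pet": "Spot",
    "street you grew up on": "Elm",
    "favorite color": "Teal",
    "custom question (never posted)": "quartz-lantern-1987",
}

# Public posts, constructed for the example. The first one is a "Rock Star"
# name fused from the three common reset answers, as in the post above.
PUBLIC_POSTS = [
    "My Rock Star name is MacKenzie Spotelm!",
    "Spot just learned to sit. Best dog ever.",
    "Repainting the office teal this weekend.",
]


def normalize(text: str) -> str:
    """Lower-case, strip accents and drop everything but letters and digits,
    so 'Spotelm' still contains 'spot' and 'Mac Kenzie' matches 'MacKenzie'."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]", "", text.lower())


def exposed_answers(answers: dict, posts: list) -> dict:
    """Return {question: [matching posts]} for every answer that can be read
    out of a public post, including when it is fused into a longer word.
    Answers shorter than 3 characters are skipped: they would match anything."""
    corpus = [(post, normalize(post)) for post in posts]
    hits = {}
    for question, answer in answers.items():
        needle = normalize(answer)
        if len(needle) < 3:
            continue
        matches = [post for post, norm in corpus if needle in norm]
        if matches:
            hits[question] = matches
    return hits


if __name__ == "__main__":
    for question, posts in exposed_answers(SECURITY_ANSWERS, PUBLIC_POSTS).items():
        print(f"EXPOSED {question!r}: answer appears in {len(posts)} post(s)")
        for post in posts:
            print(f"   - {post}")
```

Substring matching errs on the side of caution (a street called “Elm” will also flag a post about a helmet), which is the right bias for a check whose purpose is to tell you which answers to replace with a custom question.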

Don’t let the lure of a fun game (even if the game and website itself may be perfectly innocent) break down your defenses and release your private details. I would also strongly recommend using a different username and/or eMail address, as needed, for your financial and other important accounts.

Of course, your first line of defense is a strong password, which I’ll cover more in-depth in an upcoming Tweet Week post.

3 Comments »

Comment by Matches Malone
2009-05-26 10:52:58

Great stuff, as always!!! You didn’t specifically mention the #pornstarnames hashtag of recent memory. Plenty of blog posts on this one as well. It’s a good sign that I took the time to read the article, even though I already knew the info. Thanks again!!!

 
2009-05-26 20:48:15

what ?????

 
Comment by meleah rebeccah
2009-05-28 13:32:30

WOW. I seriously had NO IDEA those little fun silly quizzes could be used for phishing attacks!

 