Monday, October 31, 2011

The Perfect Storm


A few weeks back, my Twitter account was successfully phished.

Since I have an image of myself as a person who does not enter passwords willy-nilly on spurious websites, cognitive-dissonance reduction has kicked in to assure me that I couldn't have not entered my password on that fateful day. I was at the mercy of the perfect storm.




Let me introduce all the moving parts in this sequence.

About a month ago, I moved to Toronto. Since I figured I'd need to stay connected to the internet, I sniffed out the cheapest smart-phone & plan possible to get me started. My friends were playing a music festival in town, so I let them crash with me for a few days. Since the place was small, sharing beds was inevitable. Since one of my guests is a total shutterbug, there were plenty of photographs taken at inappropriate times, and threats of ruined political-careers flying about.

A few nights into their trip, we were all dispersed within a single pub, mingling with the locals. My friends and I had been using Twitter to stay in touch while we were apart, so when I got a direct message alerting me to a 'funny picture' of me making its way online, I didn't suspect its veracity. I had seen some of the incriminating photos on his phone, so I clicked on the link to see what the damage was.

The phone I've been using is a piece of junk. It's an Alcatel 980S, and it's plagued with a grotesque lack of memory, so it regularly flushes the browser-cache to keep things moving. It's not unusual to be logged out of a website I was just using, so when I clicked on the link from within my TweetDeck app and was presented with the Twitter login page, it didn't set off any alarm bells. I wasn't thinking too much about what I was doing, other than pretending to still be interested in the Canuck droning on about how cool Ireland was when he visited as a nipper.

I wasn't on the real Twitter site, and I didn't realize until I had entered my username and password (probably incorrectly, since the tiny screen makes the onscreen keyboard worthless) and hit submit. The error page wasn't quite right. Something was wrong. I went looking for my friend in the pub and asked him if he had sent me a picture. He had no idea what I was talking about. I had just done something incredibly stupid.

Serves me right for being such a rude prick.

From there on, it was actually quite tricky to change my password - I couldn't find the option on the Twitter mobile site, and the regular Twitter site kept redirecting me to the mobile version. Eventually I had to Google 'Twitter password change' to be brought to the page I wanted.

Lesson learned: pay more attention to links you click on. Fundamental of internet-security proven: having different passwords for different services is essential, and in this case I was quite relieved to think that the password I volunteered to the phishers wouldn't get them in anywhere other than my fairly unimportant Twitter profile.
