[This is a guest post by Doug Ward, an associate professor of journalism and the Budig Professor of Writing at the University of Kansas. You can find him online at www.kuediting.com and www.journalismtech.com, and follow him on Twitter @kuediting. Doug’s previous posts have looked at iPads in the classroom (one, two) and using music to engage students.--@jbj]
The spam that oozed from my Twitter account late last month both puzzled and frustrated me. I pride myself on using strong passwords, I hadn’t clicked on any stray links (at least I didn’t think I had), and I hadn’t turned over private information to anyone I didn’t trust (again, at least as far as I knew).
I was hardly alone in my frustrations with Twitter. The service drew criticism for its opaque verification system after the creation of a fake Twitter account under the name of Rupert Murdoch’s wife, Wendi Deng. My problems involved a valid existing account and a self-induced blunder, but they nonetheless offer lessons on keeping a Twitter account safe.
Never Let Your Guard Down
Neither “hacking” nor “virus” nor “phishing” is quite the right word for what happened to me. Rather, I had inadvertently turned over control of my account to a sham website that promised to show who had stopped following my Twitter feed. Not long after I tried to use the site, spam flowed out under my name. Some urged people to click for cheap loans and some contained odd hashtags like #lieoftheyear and #boymeetsworld.
I’m usually suspicious of new sites. I had even written on my own blog about spotting urban legends in forwarded email. But this deception slipped past me. I found the site through a tweet by someone I trust and overlooked obvious signs of a problem site: lack of an “about” page or identifying information, lack of a help section, lack of contact information. After I turned over permission to access my Twitter account, the site provided only the number of people who had supposedly “unfollowed” me. The number was fictional, I’m sure. I clicked a couple more times. Nothing. That was another sign of a problem, though I didn’t find the lack of response unusual. I had been scammed, as had many others.
Security experts warned last spring that similar “unfollow” scams were likely to proliferate through Twitter and Facebook. The desire to find out who no longer follows a Twitter account is strong. The scam that snagged me resembled one that the online security service Sophos wrote about on its blog. The sham site had been taken down last I checked.
Watch the Timing
The spam from my account started going out about the time I left town for several days. A family member was having surgery, and I wasn’t checking my accounts. This was also a few days before Christmas, and my guess is that the sham site and messages about it were planned to take advantage of people like me who had gone offline.
Be Grateful for Your Followers
Almost immediately, people began pointing out the problem. Some tweeted me. Some emailed me. One left a message on my website. Another texted me. Thanks to those persistent warnings, I continued to look for the source of the problem.
Understand How Password-Sharing Works
Many websites, apps and plug-ins use what is known as “open API,” which allows users to log in with a password from, say, Twitter, Google or Facebook, and connect that account with another. For instance, by linking your Twitter account to TweetDeck, HootSuite or Flipboard, you can easily tweet stories from mobile devices or desktop apps without using several passwords. That approach is convenient and generally safe. Many apps use it effectively, as do Klout, the New York Times and other websites and services. Unfortunately, a hacker can use it just as easily, but only if you grant permission.
How I Fixed the Problem
I initially struggled with cutting off the source of the spam from my account. When I discovered the problem, I had access to only my iPod Touch and iPad. None of the Twitter clients for those devices offered full control over my account (a big weakness in them, I think). I was able to change my password, but the spam continued.
When I finally got access to a computer and searched Twitter’s help section, I found easy instructions for regaining control of my account and stanching the spam. I should have done that with an iPad browser, but I’m so used to using Twitter apps that I didn’t think about that until later.
Even if you haven’t been hacked, I’d suggest making sure you know which apps or sites you’ve given permission to use your Twitter stream. You can find that list by logging in to the Twitter site and clicking on “Profile,” “Edit your profile” and then “Applications.” From that area, you can revoke access if you need to. I did that not only with the sham site but with some apps I rarely use.
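To make the mechanics behind “Understand How Password-Sharing Works” and “How I Fixed the Problem” concrete, here is a small added illustration (my example, not Twitter’s code and not anything from the sham site). It models the delegated-access scheme in miniature: the user authorizes an app on the service’s own consent page, the app receives an opaque token with a permission level, and that token keeps working until it is revoked. The account name, app names and the “unfollow-checker” site are constructed for the example; the sample shows why changing the password did not stop the spam but revoking the app did, and why a read-only grant cannot post at all.

```python
"""Toy model of OAuth-style delegated access as used by Twitter-like services.
Illustrative example only: not Twitter's implementation, not the blog's code."""
from dataclasses import dataclass, field
import secrets


@dataclass
class Grant:
    app_name: str
    scopes: frozenset          # e.g. {"read"} or {"read", "write"}
    token: str
    revoked: bool = False


@dataclass
class Account:
    username: str
    password: str
    grants: dict = field(default_factory=dict)   # token -> Grant
    timeline: list = field(default_factory=list) # (app_name, text) pairs


class AuthServer:
    def __init__(self):
        self.accounts = {}

    def register(self, username, password):
        self.accounts[username] = Account(username, password)

    def authorize_app(self, username, password, app_name, scopes):
        """The user types the password on the *service's* consent page; the app
        itself never sees it. The app gets back an opaque token instead."""
        acct = self.accounts[username]
        if acct.password != password:
            raise PermissionError("bad password")
        token = secrets.token_hex(16)
        acct.grants[token] = Grant(app_name, frozenset(scopes), token)
        return token

    def post_tweet(self, username, token, text):
        """An app posts with its token, never with the user's password."""
        acct = self.accounts[username]
        grant = acct.grants.get(token)
        if grant is None or grant.revoked:
            raise PermissionError("token revoked or unknown")
        if "write" not in grant.scopes:
            raise PermissionError("token lacks write scope")
        acct.timeline.append((grant.app_name, text))
        return True

    def change_password(self, username, new_password):
        # Issued tokens stay valid: the apps never held the password, so nothing
        # they rely on has changed. This is why a password change alone did not
        # stop the spam in the post above.
        self.accounts[username].password = new_password

    def list_apps(self, username):
        """What the 'Applications' page shows: active grants and their level."""
        return [(g.app_name, sorted(g.scopes))
                for g in self.accounts[username].grants.values() if not g.revoked]

    def revoke_app(self, username, app_name):
        """Revoke every active token held by one app; returns how many."""
        count = 0
        for g in self.accounts[username].grants.values():
            if g.app_name == app_name and not g.revoked:
                g.revoked = True
                count += 1
        return count


def scenario():
    """Constructed walk-through of the episode described in the post."""
    srv = AuthServer()
    srv.register("doug", "correct horse battery staple")
    pw = "correct horse battery staple"
    srv.authorize_app("doug", pw, "TweetDeck", {"read", "write"})
    sham = srv.authorize_app("doug", pw, "unfollow-checker (sham)", {"read", "write"})
    reader = srv.authorize_app("doug", pw, "Flipboard", {"read"})

    srv.post_tweet("doug", sham, "cheap loans here!")   # goes out under the user's name
    srv.change_password("doug", "new and improved")
    still_posting = srv.post_tweet("doug", sham, "more spam")  # password change did not help

    try:                                                 # read-only grant cannot post
        srv.post_tweet("doug", reader, "hello")
        read_only_blocked = False
    except PermissionError:
        read_only_blocked = True

    revoked = srv.revoke_app("doug", "unfollow-checker (sham)")
    try:
        srv.post_tweet("doug", sham, "even more spam")
        blocked = False
    except PermissionError:
        blocked = True

    spam = sum(1 for app, _ in srv.accounts["doug"].timeline
               if app == "unfollow-checker (sham)")
    return {"still_posting_after_password_change": still_posting,
            "read_only_blocked": read_only_blocked,
            "revoked_tokens": revoked,
            "blocked_after_revoke": blocked,
            "remaining_apps": srv.list_apps("doug"),
            "spam_count": spam}


if __name__ == "__main__":
    print(scenario())
```

The practical takeaways match the post: review the list of authorized apps, revoke anything you do not recognize or no longer use, and prefer granting read-only access where an app does not need to post on your behalf.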
I don’t intend to let the hacking of my Twitter account get in the way of exploring the Web. I’ll be more cautious next time, but exploring and learning are what draw me to the Web in the first place. Occasional problems are inevitable. The spam episode left me chastened but wiser. It won’t hold me back, though.
Photo “twt” by Flickr user Rosaura Ochoa / Creative Commons licensed BY-2.0