Friday, October 7, 2011

Social Media Password Policies - More Than An Ounce Of Prevention

In early September, the Bank of Melbourne had its Twitter account hijacked by someone who used it to send phishing messages to its followers, many of whom were customers. The tweets sent from the Bank of Melbourne Twitter account contained malicious links.


The likely cause for the account compromise was a weak password used by a staffer with access to Twitter.


This event should serve as a lesson to banks with a social media presence. Just as banks maintain effective password policies for access to internal systems, similar policies should be required for external systems. Employees should be made aware of the damage that can result from lax password controls. The lack of effective controls can result in reputational harm, regulatory criticism and legal action.

2 comments:

  1. It's very unlikely someone guessed BOM's password. Almost every time a password is compromised on Twitter, the ruse is exactly the same. Someone from a compromised account either sends an @reply or a DM. The message says something along the lines of "This video is so funny. Is this you? http://irresist.ible.url/6s8jW" The link does nothing but take you to a phony Twitter login screen. The recipient, who doesn't take the time to look at the URL's construction, simply thinks, "Oh, I guess I'm logged out of Twitter. I need to re-login to see the video." They type their username and password in and whammy… their account has now been handed over to a scammer. Oddly, the scammers never change the passwords, which would completely lock out the original owner of the account.

    The best ways to avoid compromising your Twitter account:

    1) A financial institution's Twitter staff should never, ever, never type their account password on *any* URL other than:
    https://twitter.com/
    https://twitter.com/#!/login/

    2) A financial institution should change its Twitter password about every month, more often for big banks wearing big targets on their backs.

    3) Tell your Twitter staff how the Twitter scam works and what to look out for.

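The comment's first rule (type the password only at the two twitter.com URLs it lists) can be turned into a mechanical check that staff, or a browser-side helper, can apply before a login form is filled in. The following is an added example, not code from the post or its commenters; it assumes exactly the two allowed URLs named in the comment and treats every other URL construction (plain http, a look-alike domain, a `user@host` prefix, a non-standard port, or extra path or query) as unsafe.

```python
from typing import Optional
from urllib.parse import urlparse

# The only two login locations the comment allows (constructed allowlist).
ALLOWED_LOGIN_URLS = (
    "https://twitter.com/",
    "https://twitter.com/#!/login/",
)


def canonical_login_url(url: str) -> Optional[str]:
    """Return the URL in canonical https://host/path?query#fragment form,
    or None when its construction means a password should never go there."""
    try:
        parts = urlparse(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme.lower() != "https":
        return None  # plain http, or no scheme at all
    if parts.username is not None or parts.password is not None:
        return None  # "https://twitter.com@evil.example/" style userinfo trick
    host = parts.hostname  # lowercased by urlparse, port already stripped
    if host is None or port not in (None, 443):
        return None
    path = parts.path or "/"
    query = f"?{parts.query}" if parts.query else ""
    fragment = f"#{parts.fragment}" if parts.fragment else ""
    return f"https://{host}{path}{query}{fragment}"


def is_safe_login_url(url: str) -> bool:
    """True only if the URL canonicalises to one of the allowed login pages."""
    canonical = canonical_login_url(url)
    return canonical is not None and canonical in ALLOWED_LOGIN_URLS


def unsafe_urls(urls):
    """Filter a batch of candidate URLs down to the ones staff must not use."""
    return [u for u in urls if not is_safe_login_url(u)]


if __name__ == "__main__":
    # Constructed samples: the comment's phishing link plus common look-alikes.
    for candidate in (
        "https://twitter.com/",
        "https://twitter.com/#!/login/",
        "http://irresist.ible.url/6s8jW",
        "https://twitter.com.example.net/",
        "https://twitter.com@example.net/",
    ):
        print(f"{'SAFE  ' if is_safe_login_url(candidate) else 'UNSAFE'} {candidate}")
```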
  2. GREAT advice. Thanks for that Jeffry!
