Wednesday, July 29, 2009

Twitter Phishing Scams

In my research this afternoon, I came across this interesting article on PCWorld.com. The article describes a phishing scheme wherein a sea of users were all sending the same message: "Want to know whos stalking you on twitter!?: http://TwitViewer.net."

According to the article, "The site, whose domain was registered today through an Arizona proxy service, promises a photo-gallery-like display of the last 200 people that came to your Twitter page." The so-called 'service' is FREE, but the catch is that to use it you must hand over your Twitter username and password to a shady third party.

After providing your authentication details, the site automatically sends the aforementioned message through your Twitter account without your permission and auto-follows the Twitter accounts behind any of the random photos you click on, people you're led to believe visited your profile. It works like a huge cascade, perpetuating the phishing scam to more and more users.

The article states that the domain was registered yesterday (July 27th, 2009), but is now offline, just one day later.

This reminded me of something interesting that I saw earlier today myself, a message from thousands of users stating "You are looking for new followers? Here a FREE Tool to help you. http://www.follower-power.com Please, Send your List!" I researched this a little bit and realized this is also a phishing scheme!

Beware! This doesn't just apply to services like Twitter, but to any social service. Of course, some companies that are trying to be legitimate use similar techniques of prompting for and storing user credentials, but this is NOT a good practice.

One example is Power.com, which asks users to provide login credentials for Hi5, Orkut, MySpace, Twitter and other services. The problem is not that Power.com is a phishing scheme; the problem is that this type of technique creates havoc throughout the social web. Right now, Power.com is engaged in a legal battle with Facebook over scraping data from Facebook's social network and prompting for and storing Facebook user credentials.

Of course, the underlying problem is that users want social data portability. Who wants to create yet another username and password on yet another social site? But the solution is NOT to ask users for their authentication credentials; it is to use OAuth.

OAuth is an authentication protocol for desktop and Web applications that is designed to keep your login credentials secure from third parties. Applications that support OAuth don't ask for your user name or password directly. Instead, they send a request to Twitter and ask it for permission to access your account. OAuth is an emerging technology that addresses the problem of social graph data portability and is supported by Internet giants such as Google, Yahoo!, AOL, Bebo, Hi5, Orkut, YouTube, Blogger, ICQ, Groovy, MapQuest, Twitter and the list goes on and on...and on!
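To make the difference concrete, here is an added example (not code from the original post or from Twitter) of how an OAuth 1.0a application signs an API call with HMAC-SHA1 and how the service verifies it: the app holds only its own consumer key and a per-user access token, never the user's password, and Twitter can cut the app off by revoking that token. The consumer key, secrets, and the endpoint URL are constructed placeholders.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def pct(s):
    """RFC 3986 percent-encoding: only ALPHA / DIGIT / - . _ ~ are left as-is."""
    return quote(str(s), safe="")

def signature_base_string(method, url, params):
    """METHOD&enc(url)&enc(sorted, encoded 'k=v' pairs joined with '&')."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with enc(consumer_secret)&enc(token_secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def signed_request(method, url, query, consumer_key, consumer_secret, token, token_secret):
    """Client side: the app signs with its consumer key and the user's access token.
    The user's Twitter password never touches the app; secrets are never transmitted."""
    params = {**query,
              "oauth_consumer_key": consumer_key, "oauth_token": token,
              "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
              "oauth_timestamp": str(int(time.time())), "oauth_nonce": secrets.token_hex(8)}
    params["oauth_signature"] = sign(method, url, params, consumer_secret, token_secret)
    header = "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in sorted(params.items())
                                  if k.startswith("oauth_"))
    return header, params

def verify(method, url, params, consumer_secret, token_secret):
    """Server side: recompute the signature from every parameter except the
    signature itself and compare in constant time. Revoking a token (the server
    forgets or rotates its secret) makes the same request stop verifying."""
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign(method, url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(params.get("oauth_signature", ""), expected)

if __name__ == "__main__":
    URL = "https://api.twitter.com/1.1/statuses/update.json"   # illustrative endpoint
    ck, cs, tk, ts = "app-key", "app-secret", "user-token", "user-token-secret"  # constructed
    header, params = signed_request("POST", URL, {"status": "hello world"}, ck, cs, tk, ts)
    print(header)
    print("valid:", verify("POST", URL, params, cs, ts))                      # True
    tampered = {**params, "status": "changed in transit"}
    print("tampered:", verify("POST", URL, tampered, cs, ts))                 # False
    print("revoked:", verify("POST", URL, params, cs, "rotated-secret"))      # False
```

The Authorization header carries the consumer key, the token and the signature only; a phishing site that collected passwords has nothing comparable the user or Twitter could revoke short of a password change.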

The lesson here is to NEVER give your login credentials to a third-party site. Rather, learn about the advantages of using OpenID and OAuth.

Right now the social web is like an awkward teenager trying to find itself, but it is growing up quickly. I expect that over the next year, more and more users will start to shun any site that asks for credentials and embrace sites that leverage the power of the portable social graph through OAuth!

Now, back to my research...
