If it can happen to Buffalo Exchange… it can happen to you.
If you are a consignment, resale, and thrift shopkeeper, you probably follow Buffalo Exchange, a leader in our industry. And you might have noticed something strange over the past day or so: odd tweets under the Buffalo Exchange banner which seem to be promoting some weird work-at-home get-filthy-rich scheme.
They’ve been twitjacked.
Make sure it doesn’t happen to you. Or at least as sure as you can. Below, some links to help you feel more secure:
- Here’s what you can do to avoid having your Twitter account hijacked.
- Here’s what Twitter says to do about it, if it’s already happened. And a worst-case scenario from Twitter.
- And watch the video here, which mentions https, a choice we can make, which Twitter didn’t bother promoting.
- Your Facebook account is set to https too, isn’t it? Better go check.


Thanks Kate, I appreciate that you’re on the ball keeping resalers’ info and hard work safe online!! I did not know I had https as a setting option on fb and Twitter (I wasn’t following Buffalo Exchange yet either!).
Lynn
I’d say the primary way accounts are “hacked” is via Social Engineering. Whether it’s Facebook, Twitter or your email account, Social Engineering is the way in. Since most people, unfortunately, do not pay attention while ‘driving’, it makes it very easy for ‘them’ to take advantage of people.
Here is a great article on just how deep someone will go, even performing reconnaissance before they pull the trigger:
http://snosoft.blogspot.com/2009/02/facebook-from-hackers-perspective.html
In the 11th paragraph, he discusses how easy it was to drop a sensationalist link and voila, the begin. See what they did though? Create a fake persona, a 28 year old female. Why a 28 year old female? Because it’s going to be like shooting fish in a barrel when a pretty 28 year old girl’s Facebook profile shows up in a Facebook Group or as a Friend Request. In this case, they didn’t even have to send out friend requests – they all started pouring in once the guys saw a pretty girl appear in their Facebook Group.
Businesses should really be selective of which employees have access to the company Twitter, Facebook and/or Google accounts. Those are the “keys to the kingdom,” so to speak. If you’re letting a young college student who *loves* social networking, manage your Facebook and Twitter, how certain are you they are aware of online security? Have you performed any Social Engineering training with the employee?
Also, like you mention, Kate, the password itself is important. I have a feeling someone at Buffalo Exchange was sent a link, clicked it, then entered their login info – only it wasn’t the real Twitter site they logged in to. A classic case of Phishing. Once they know your Twitter account, is the password for your Facebook the same?
The main thing we all should have taken away from the massive attacks on Sony, was that most people use the SAME email address and password for virtually all of their accounts. If someone finds out the login info for one account, all it takes is going to another site and trying the login info. 9 times out of 10, it’s probably going to work. I highly recommend creating and storing passwords via KeePass (http://keepass.info/). KeePass is a free password safe, storing your passwords and login information in an encrypted database. KeePass can also generate new, strong passwords for you.
It’s also possible this came in by way of virus/Trojan, which can drop a keylogger on your computer. Now anything you type is logged and sent back home to the virus writer. I don’t care if you own a Mac either – Malware exists on Macs.
https is great and it helps prevent attacks when you’re logged in on a public network – e.g. a WiFi hotspot at a local coffee shop. If you or your employees aren’t paying attention though, it makes absolutely no difference if it’s https. If the ‘bad guys’ redirect you to a legitimate-looking Twitter page, the social proof is there – “Yep, looks like Twitter to me!”
We also know https is only as good as the companies issuing the certificates – https DOES NOT ALWAYS EQUAL SECURE. Just look what a CA in Europe let happen:
http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/
SSL is a ‘trust-based’ system. You trust that the company issuing the certificate is legitimate. To get an SSL cert you typically go through a series of phone calls, you have to submit information about your business, your personal background info, etc. Once they’re certain “you” are who you say you are, they issue the cert. In a Social Engineering attack, some unsuspecting employee at DigiNotar was tricked into releasing a cert to someone posing as a Google employee. Needless to say, this will probably drive DigiNotar into the ground.
You have to pay attention, period. No matter how many seat belts or airbags you have in your car, nothing can compare to NOT getting into an accident in the first place. You don’t just cruise down the highway without a care in the world, all because you have seat belts on, do you? No. You pay attention, you keep an eye on the vehicles in front of you, next to you, and behind you. You remain focused so you can react to any sudden changes.
Computers have yet to reach the status of cars in our world though. We still treat computers as though they’re some sort of magical box and no one really knows how all the magic works. With cars though, everyone seems to know they need oil, oil needs to be changed, tune-ups need to take place, the right gas needs to be used, etc. Few of us are car mechanics, yet we know the core basics to help us operate and maintain our vehicle.
Great blog post, Kate!