Saturday, June 19, 2010

Persistence Pays Parasites

Cory Doctorow explains how he fell victim to a phishing scam:
Phishing isn’t (just) about finding a person who is technically naive. It’s about attacking the seemingly impregnable defenses of the technically sophisticated until you find a single, incredibly unlikely, short-lived crack in the wall.

If I hadn’t reinstalled my phone’s OS the day before. If I hadn’t been late to the cafe. If I hadn’t been primed to hear from old friends wondering if some press mention was me, having just published a lot of new work. If I hadn’t been using a browser that didn’t fully expose URLs. If I hadn’t used the same password for Twitter as I use for lots of other services. If I’d been ten minutes later to the cafe, late enough to get multiple copies of the scam at once – for the want of a nail, and so on.
Cory clicked through a shortened link from a tweet. Those are links that begin with one of the many URL-shortener domains, far too many to list. Whenever you follow one of those, you have to confirm that the site you land on is legitimate before entering a username and password. Most of the time you just end up at an interesting article and are never prompted for credentials, so it is not the sort of problem you run into regularly, which is exactly why the check gets skipped. Maybe the general solution is: always check the URL of a site before entering your username and password.
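The manual version of that check is to expand the short link before clicking it and look at where it really lands. The script below is an added example, not anything from Cory's post or from any shortener service: it walks a redirect chain one Location header at a time without letting the client follow redirects automatically, then tests the landing host against the site you intend to log in to. The shortener and lookalike hostnames are hypothetical, the redirect table is constructed so the example runs offline, and the rule that a login page must be served over https is an assumption of this example.

```python
"""Expand a shortened link hop by hop and check the landing host before you
type a password into it. Added example; the shortener and phishing hostnames
below are hypothetical and the redirect table is constructed for offline use."""
from urllib.parse import urlsplit, urljoin
import urllib.error
import urllib.request

# Constructed stand-in for the 301/302 Location headers a real shortener
# would return. Keys and values are hypothetical URLs.
SIMULATED_REDIRECTS = {
    "http://short.example/abc": "https://t.example/r",
    "https://t.example/r": "/go?id=42",                      # relative Location
    "https://t.example/go?id=42": "https://twitter.com.login-verify.example/login",
    "http://short.example/ghi": "https://twitter.com/cory",
    "http://short.example/loop": "http://short.example/loop",
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so each Location is inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def next_hop(url, lookup=None):
    """Return the URL one hop away, or None when `url` is the final page.
    With `lookup` (a dict) the hop is simulated; otherwise a HEAD request
    is sent and only the Location header is read."""
    if lookup is not None:
        loc = lookup.get(url)
    else:
        opener = urllib.request.build_opener(_NoRedirect)
        req = urllib.request.Request(url, method="HEAD")
        try:
            with opener.open(req, timeout=10):
                return None            # 2xx: this is the landing page
        except urllib.error.HTTPError as err:
            if err.code not in (301, 302, 303, 307, 308):
                raise
            loc = err.headers.get("Location")
    return urljoin(url, loc) if loc else None


def expand(url, lookup=None, max_hops=10):
    """Follow the redirect chain and return every URL visited, last one final.
    Raises ValueError on a redirect loop or a chain longer than max_hops."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = next_hop(chain[-1], lookup)
        if nxt is None:
            return chain
        if nxt in chain:
            raise ValueError("redirect loop: " + nxt)
        chain.append(nxt)
    raise ValueError("more than %d hops" % max_hops)


def is_expected_site(url, expected_host):
    """True only when the URL is https and its host is expected_host or a
    subdomain of it. urlsplit().hostname discards userinfo, so
    https://twitter.com@evil.example/ is seen as evil.example, and the
    suffix test rejects twitter.com.evil.example."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower()
    return host == expected_host or host.endswith("." + expected_host)


def safe_to_log_in(short_url, expected_host, lookup=None):
    """Expand short_url and return (final_url, ok), where ok means the
    landing page really is on expected_host."""
    final = expand(short_url, lookup)[-1]
    return final, is_expected_site(final, expected_host)


if __name__ == "__main__":
    for link in ("http://short.example/abc", "http://short.example/ghi"):
        final, ok = safe_to_log_in(link, "twitter.com", SIMULATED_REDIRECTS)
        print(link, "->", final, "OK" if ok else "DO NOT ENTER CREDENTIALS")
```

Run without the `lookup` argument and `next_hop` sends real HEAD requests, which is the one-off check for a suspicious link; the simulated table is only there so the logic can be exercised offline. The host test is deliberately a suffix match on the registrable name rather than a substring search, because "twitter.com" appearing somewhere in the URL is precisely what a phishing page counts on.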

