I got hacked (and so can you)January 24, 2013: 11:24 AM ET
Think you have a fool-proof security regime? So did I.
By Ryan Bradley, senior editor
FORTUNE -- My password security system is top-notch to the point of being borderline crazy: On or around the first of the month I change all the big ones—Gmail, Twitter, LinkedIn, Facebook, Amazon, Apple, Paypal, and all my banks (plus Mint.com). My aim is never to repeat, but I riff. I turn phrases around, pull numbers from the middle to the sides, maybe add a question mark in place of an exclamation point. Then I retire some of the tired phrases to my less vital accounts—Seamless, Zipcar, Opentable, and a slew of others. It's a good system. Still, I slipped. My Twitter account got hacked—phished, if you want to be precise—a few days ago, and sent out embarrassing messages about Acai berries and weight-loss to all my followers.
So much of that last sentence sounds absurd; it was impossible not long ago: phishing wasn't a verb, Twitter wasn't a platform, Acai berries weren't popular. The aftermath—so many emails from friends and colleagues saying, um, did you just send me that? Is your account hacked?—felt like I had just spent hours at a big party without realizing my fly was unzipped. How could this have happened? I look in the mirror, I check my fly. I have a system.
But my system had failed. The question was: Where? I called Jack Danahy, the director for advanced security at IBM (IBM). As his title suggests, Danahy's job is to stop online breaches at large and complex businesses. I thought my problem was small potatoes for a guy used to dealing with mega-corporations. It's not, Danahy told me. Often it's a single tiny slip-up by one employee that can give a hacker the keys to the kingdom.
"The problem is remarkably thorny," he began, "because the nature of the Internet today is relationship based. We are social creatures, we care about what people are writing and saying. Say you get a LinkedIn (LNKD) invite from someone, and he says how much he enjoyed your article from way back, and is glad to follow you. Again, two weeks from now, you get another note. The anchor of that relationship is nothing. I could be anyone, or anything—and yet that feels like a real dude to you."
Here I interjected because, of course: Anyone can be anyone on the Internet, and the more we move through the social web, the more susceptible we are to the lies, big and small, that the Internet makes so easy. Danahy agreed. "The more networked we are, the more exposed," he said.
Phishing, the trap that caught me, can be as simple as tricking a user into clicking on a link. Phishing is surprisingly sophisticated and insidious. Danahy described how he could create a link to a site that quickly reroutes to something "safe"—say, the article originally described—but en route to the safe site, it briefly visits another, compromising my account. I'm infected, but none the wiser. A relatively new development in this realm, is called spear-phishing, selectively targets certain employees in specific departments, in order to slowly overtake an organization. In a recent experiment targeted employees of utility companies, enticing them to click on a malicious link—26% clicked.
"If these are done in a thoughtful way—and I mean thoughtful in the worst way possible— errors are not sent back," Danahy continued. "Let's say my account is compromised, how many more people can be infected by someone posing as me, emailing my contacts, and tricking still more victims."
Phishing on Twitter and Facebook (FB) is especially successful, because so many links get shortened, so much of the language is clipped, and the very social nature of these sites is so easily manipulated, making even suspicious links difficult to ignore. The two most common phishing tricks on Twitter begin: "Look at this pic of you. lol" and "Someone is spreading nasty rumors about you." Everyone who has experienced high school is preconditioned to click.
Danahy has a system, too, which allows him to navigate cyberspace with confidence. Aware that phishing lurks at every corner, he's developed a method he applies to all links sent his way, even those from close family and friends: He right clicks on the link to copy the URL, then pastes it into a text window, and checks to make sure it matches up, contextually, with what was said about the link to begin with. Even then, he doesn't simply click the link. He copies and pastes it in a new window. "I do this all the time," he said, "I did it while researching phishing before this call."
But doesn't that slow him down? Isn't this kind of a ridiculous way to surf the hypertext-heavy internet? "Do you know why car brakes exist? To go faster. I can move with confidence, the same way I make my son wear a helmet when he's snowboarding."
MORE: 10 top-paying companies
Danahy's mother was a switchboard operator for a telephone company, and as much as he likes the Internet, he loves the telephone. It's a simple technology, the security hasn't improved one bit since his mom retired, but it's still a lot more secure than just about everything online. "I say the same thing to the biggest companies in the world, and regular people like you: the more you can root your relationship in the real world, even with just a phone call, the better off you'll be."
After we hung up, I went back through my Twitter history to try and find the moment my account became compromised. A few new followers had sent me direct messages, and two of those contained vague enough phrases about my writing, with links to other (supposedly) related stories.
I must have clicked on one. We are all painfully curious about how we are perceived, online and otherwise. We are social creatures, after all. When it's our work, and our work is as personal as writing, it's nearly impossible not to click. So I did. Just as the social web thrives on our egos and insecurities, so do its predators.