First Direct falls foul of Twitter hack

Your story - like most reporting of this incident - uses the term 'hacked' which I think is misleading.

To be 'hacked' implies that your account has been attacked from the outside without any action from you. In reality, what happened here is that the Twitter users affected were the victims of so-called 'phishing': They were sent a link which they then clicked on. This took them to a page which looked like a Twitter log-in page but in fact had been set-up by the ‘phishers'. The victims then voluntarily entered their usernames and passwords. As a result, their accounts were compromised.

My concern here is that social media like Twitter is being portrayed as somehow inherently less secure than the rest of the Internet. It's not. As long as people use the same level as care with their social media passwords as they would their online banking or email passwords, they'll be just as safe.

I'm not belittling the incident - it's serious either way - but I do think it's important to distinguish 'hacked' from 'duped'.

First direct has posted a blog explaining how it got duped and apologising for its own response: "We tweeted quickly out of a desire to re-assure people and perhaps should have gone straight to the third of our three tweets. We should have got an apology up sooner, and we probably shouldn't have used the word "hack". Twice."

http://www.newsroom.firstdirect.com/press/release/first_direct_twitter_spam_an_a

Rather than fretting over the use and abuse of the 'h' word, I'd be rather more concerned that first direct could so easily fall victim to such an elementary social engineering/phishing scam.

Seems to me that the bank's Twitter account has indeed be hacked as the subsequent phishing messages have been sent the bank's name and apparently just to those 800+ people listed as "followers" of the bank. So this is not the typical widely distributed phishing spam usually coming from botnets.

While in this instance it was very easy to determine that this message is very unlikely to be originated by the bank, better phishing attempts might be more effective and could indeed result in serious fraud. So this is just another reminder that anything on the web is potentially unsecure, that the web's trustworthyness is pretty limited and at this time, unreasonably high efforts are required to establish a reasonable level of trust.

I'd believe that it would be up to the industry to change this - just delegating the risk to the general public is pretty unfair as the vast majority has not enough knowledge about the perils and can't be expected to become experts. Even those who are experts are just firefighting in a hare-and hedgehog race and are not really able to thwart cybercrime.