On one hand, I appreciate that Twitter was up front with their users, but it also bothers me when companies make use of bad practices to solve a security problem.
What Twitter did wrong
The email encourages me to click on a link to fix the problem. Bad bad bad! They should simply have told me to visit twitter.com (unlinked) and instructed me to log in so that their system could direct me through the process of creating a new password. Yes, in most cases security poses some inconvenience. Users would prefer a direct link, just as we would all like to eat cookies for breakfast.
Because of the way Twitter did this, it will be much easier for a future phishing attack to succeed. This is because:
- The bad guys are now armed with the exact template they can copy in their own phishing attack
- Users will now more readily accept an emailed "click here to reset your password" link as Twitter's normal behavior after a security breach
Protect yourself from a phishing attack
Even with the best of intentions, companies will continue to use these bad solutions, which means you must use your own best practices to protect yourself. Here are some simple recommendations to avoid phishing attacks:
- Be suspicious of any link in your email, and try to avoid clicking on links in emails at all
- If you think the link is valid, it's best to copy the link and examine it first before pasting it into your browser.
- Verify that the domain is correct. If the link goes to twiiter.com (notice the two i's), be very, very suspicious!
- Try just visiting the site directly to see if you can resolve the problem. This is what I did for the Twitter incident and it worked perfectly.
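The "examine the link and verify the domain" steps above can be turned into a small checker. This is an added example, not code from the original post; it assumes twitter.com is the only legitimate domain, and the sample links it is run against are constructed, not taken from any real email.

```python
from urllib.parse import urlsplit

# Assumption for this example: the only legitimate sender domain is twitter.com.
EXPECTED_DOMAINS = {"twitter.com"}

def edit_distance(a, b):
    """Levenshtein distance; a distance of 1-2 between two domains of similar
    length is the signature of a typo-squat such as twiiter.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(hostname):
    """Last two labels of a hostname ('api.twitter.com' -> 'twitter.com').
    Simplification: ignores multi-label public suffixes such as co.uk."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def check_link(href, display_text=None):
    """Classify a link from an email before it is opened.
    Returns (verdict, reason) where verdict is 'ok', 'warn' or 'reject'."""
    parts = urlsplit(href.strip())
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https") or not host:
        return ("reject", "not a plain http(s) link to a named host")
    if "@" in parts.netloc:
        return ("reject", "user@ prefix in the URL disguises the real host %s" % host)
    # The text shown in the mail client may itself look like a URL; if so its
    # host must agree with where the link really goes.
    if display_text and "://" in display_text:
        shown = urlsplit(display_text.strip()).hostname or ""
        if shown and shown.lower() != host.lower():
            return ("reject", "link shows %s but goes to %s" % (shown, host))
    domain = registrable_domain(host)
    if domain in EXPECTED_DOMAINS:
        return ("ok", "%s belongs to %s" % (host, domain))
    for expected in EXPECTED_DOMAINS:
        if host.lower().startswith(expected + "."):
            return ("reject", "%s is only a subdomain label of %s" % (expected, domain))
        if edit_distance(domain, expected) <= 2:
            return ("reject", "%s is a lookalike of %s" % (domain, expected))
    return ("warn", "unexpected domain %s; open the site directly instead" % domain)

if __name__ == "__main__":  # constructed sample link, not from a real email
    print(check_link("https://twiiter.com/account/reset"))
```

A "warn" verdict is the case the last bullet covers: do not follow the link, open the site directly instead.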
Additionally, you should be using a different complex password for each site (see our tips for creating secure passwords), and always approach your use of the internet with caution and the assumption that you are a target of the bad guys.