First Direct falls foul of Twitter hack

First Direct's love affair with social media took a cold bath last night when the UK online bank's Twitter account was hacked and used to send pornographic messages to followers.

First Direct's 800+ followers found an unusually passionate message from the bank when they opened their Twitter accounts Friday morning.

The tweet, posted at 05.30 read: 'hey, I've been having better sex and longer with this here', and pointed to a link to a third party site.

The attack is part of a viral malware infection that has spread like wildfire across Twitter, with other high-profile UK victims including Cabinet Minister Ed Miliband and the Press Complaints Commission.

The bank resumed control of its account during business hours with the following message: 'Hi all, I'm sure you can tell, but we were hacked last night - please disregard any inappropriate tweets that purport to come from us!'

This was followed by a slightly panicky clarification: 'Re. previous Tweet I just want to clarify that only our Twitter account has been hacked!!! We've changed our password so all should be well.'

Which prompted a third message: 'no password issues, it was a link in a DM. No customer / personal data has been compromised. Sorry for any offense caused.'

First Direct is so far the only UK bank to openly embrace the micro-blogging service, and it has won plaudits and applause in social media circles for its willingness to engage with customers in a Web 2.0-connected environment.

The UK bank's misfortunes come just a week after Westpac provided an example of the potential pitfalls of Twitter when an employee accidentally posted a self-pitying tweet using the firm's official account, prompting scorn from followers.

Comments: (3)

A Finextra member, 01 March, 2010, 09:27

Your story - like most reporting of this incident - uses the term 'hacked' which I think is misleading.

To be 'hacked' implies that your account has been attacked from the outside without any action from you. In reality, what happened here is that the Twitter users affected were the victims of so-called 'phishing': they were sent a link which they then clicked on. This took them to a page which looked like a Twitter log-in page but in fact had been set up by the 'phishers'. The victims then voluntarily entered their usernames and passwords. As a result, their accounts were compromised.

My concern here is that social media like Twitter is being portrayed as somehow inherently less secure than the rest of the Internet. It's not. As long as people use the same level of care with their social media passwords as they would their online banking or email passwords, they'll be just as safe.

I'm not belittling the incident - it's serious either way - but I do think it's important to distinguish 'hacked' from 'duped'.

Paul Penrose - Finextra - London, 01 March, 2010, 11:28

First direct has posted a blog explaining how it got duped and apologising for its own response: "We tweeted quickly out of a desire to re-assure people and perhaps should have gone straight to the third of our three tweets. We should have got an apology up sooner, and we probably shouldn't have used the word "hack". Twice."

Rather than fretting over the use and abuse of the 'h' word, I'd be rather more concerned that first direct could so easily fall victim to such an elementary social engineering/phishing scam.

A Finextra member, 01 March, 2010, 11:40

Seems to me that the bank's Twitter account has indeed been hacked, as the subsequent phishing messages have been sent in the bank's name and apparently just to those 800+ people listed as "followers" of the bank. So this is not the typical widely distributed phishing spam usually coming from botnets.

While in this instance it was very easy to determine that this message was very unlikely to have originated from the bank, better phishing attempts might be more effective and could indeed result in serious fraud. So this is just another reminder that anything on the web is potentially insecure, that the web's trustworthiness is pretty limited and, at this time, unreasonably high efforts are required to establish a reasonable level of trust.

I'd believe that it would be up to the industry to change this - just delegating the risk to the general public is pretty unfair, as the vast majority has not enough knowledge about the perils and can't be expected to become experts. Even those who are experts are just firefighting in a hare-and-hedgehog race and are not really able to thwart cybercrime.