Got your new debit card!!!: Automatic-educating for digital security over Twitter

Good news — as of 12/11/12 noon, @CancelYourCard is back up. No explanation from Twitter as to why they made the decision, or response to the card-posting problem. Unsurprising, as acknowledgment might lead to legal liability, I guess.

Aaaaand as of 12/14 it’s back down again. — Gus

If you’re following me on Twitter (so closely that you’re reading my @tweets, the ones that don’t show up in your stream if you don’t know both parties to the conversation), you’ll have seen that I have been trying to respond to anyone whose post shows up on the @NeedADebitCard feed. @NeedADebitCard is a ‘bot, I believe, which automatically retweets any post in which someone mentions “bank card” or “debit card” or suchlike and attaches an image. The bulk of these posts are someone posting a picture of their card. Numbers, name, expiration date and all.

This cannot end well, as you’d imagine. Let me lay it out just in case any of you aren’t seeing what might be the problem, here: You put your numbers online, and anyone can use your card, charging things to your credit or even wiping out your bank account. That’s simple and intuitive for most of us, but apparently it is not clear to everyone.

@NeedADebitCard’s account has posted 131 tweets as of this writing. I don’t have solid numbers on who is posting these pictures, but I feel like I am seeing trends in the posters’ icons, names, and geographic locations:

  • Many are not in the US. Those who are, sadly, appear to be from minority communities.
  • There is a significant percentage from countries in the Global South.
  • Are they young? There’s a number of teenagers, but I’ve seen at least one parent on there who tweeted a picture of her card that featured her infant daughter.
  • There’s been an upswing recently from the UK in particular, and I was seeing some tweets from Australia and Canada as well.

In the past few weeks traffic on the @NeedADebitCard stream has gone up somewhat. Not a deluge yet, but still at least a couple of cards a day. The number doesn’t matter; the effects on any one poster’s finances could be catastrophic.

The Evening Standard controversially laid blame for this uptick on Barclays, which recently allowed for card customization with a personal picture. Many card pic posters are showing off their personalized cards. Obviously, the problem is the behavior and not the cards themselves, but at the same time, Barclays could do a better job of educating consumers. Every newly-issued card comes with a sticker on it telling you how to phone in and activate it, right? Why not add a warning on there telling people not to post pictures of their cards online?

Because I am naturally concerned about this as a digital literacy educator, and because I’ve seen endless repetitions of social engineering talks at HOPE and know how easy it would be to get these tweeters’ security codes on the back of the cards, I’ve been responding to as many tweets as I can, like chucking beached starfish back into the sea. But it’s occurred to me that if it was so easy to find and retweet the original card posts in a chaotic-neutral way, that could lead either to posters getting warned or to their card details being stolen, it would also be trivial to code a bot to respond to @NeedADebitCard and warn the posters to cancel their cards.

I floated the idea on Twitter the other day and got a lightning-fast response from other concerned citizens, @wirehead2501 and @is4tomj. The latter wrote up a bot, @CancelYourCard, so fast it was active for a day before I got around to thanking him. For a moment there, we had an automatic educator (albeit one that was saying “yo dawg” in the style of Xzibit) which attempted to help people be safer online.

Current status of this project: as of this afternoon @CancelYourCard is down, suspended by Twitter apparently. Yet @NeedADebitCard is still up, amplifying the reach of stealable credit cards. A heartbreaking mistake on the part of Twitter; Tom and I have tried to contact them to make our case for the bot. It’s quite possible it got itself into some sort of retweet loop that went out of control, or otherwise tripped their spam sentries. I suppose a possible happy side effect, though, could be bringing this card-posting phenomenon to Twitter’s attention, and giving them the option to warn users about security breaches like this.

Really, there’s a lot of things Twitter could do to help make people safer here. A warning flag could interrupt the posting process anytime someone tried to tweet something shaped like a street address, credit card number, password (preceded by “password”), or social security number (yes! it actually happens! I haven’t seen it on Twitter yet, but while writing my dissertation I actually saw it once, plus a handful of credit card numbers). I hope they’ll think about it. Things seem to be evolving as I write this, so I’ll post updates.

I fight with people periodically who, like so many commenters in my dissertation, say the card-pic posters are stupid and deserve to be weeded out of the gene pool. This is pretty ridiculous. Yes, it’s not the wisest move to post the information that leads to your bank account and credit reputation, but it’s worth keeping in mind that all of us alive today are still, and constantly, learning how to use rapidly-changing technology. Anyone alive over the past 20 years or so has had to learn all of this from scratch, and almost none of us learned any of it in school. What there even is to be learned is in flux. Not only do we need to be patient with each other, but we need to remember that what all of us — software developers, grandchildren, Twitter users — are doing when we respond to events like this is educating each other. There is no other school for digital education right now but us. (I’m working on that.)

Comments 1

  1. gus wrote:

    Tom and I have derpily been trying to raise Twitter’s attention via Twitter — today @delbius told us “file a trouble ticket kthxsheesh.” So I sent this:

    Hiya!

    I’ve been following @needadebitcard, a bot that retweets anytime someone writes “debit card,” “bank card,” “credit card,” etc. and attaches a picture — thereby amplifying tweets by poor hapless sods who post pictures of their cards online. As a digital literacy educator, this is pretty alarming to me.

    I put out a call for someone to make a bot that would warn posters. @is4tomj created @cancelyourcard, a bot which while it was working encouraged people RTed by @needadebitcard to take those pics down.

    Unfortunately, @cancelyourcard has now been suspended, while @needadebitcard is still at large, making identity theft easier. This hardly seems right. Could you please restore @cancelyourcard?

    If anything, in the ideal, I think Twitter should run the basic function that @needadebitcard does, identifying probable debit card pics and raising a warning dialogue to anyone trying to post them, slowing them down and encouraging them to think before they post. (Yes, as a sometime UX consultant, I realize getting people to pay attention to warnings is hard, but the incidence of this happening should be really low, the benefit would be high, and you have a real chance to stop this in its tracks.)

    It is regrettable that people don’t realize the threat this poses to their financial well-being; they shouldn’t be penalized for it. Many of the card pic tweeters appear to be in third-world countries, where perhaps norms of financial behavior are not as well-known. Almost all of the tweeters are very young, showing off their first card, or in a recent trend, custom cards with pictures on them (thank you, Barclays Bank, for encouraging kids to think of cards as just another pic for their social network :P)

    Clearly, Twitter is not to blame for this issue, but could you please do what you can to address what you can? Restoring @cancelyourcard would be great (and @is4tomj has given me the keys to customize its automatic message to be more educational and less mocking, so I’d do that). Adding a custom warning to Twitter would be even better. Thanks!

    (I’m a friend of Blaine Cook’s, btw, and Biz once designed a Blogger page for me waaaay back before the beginning of history… I wonder if he remembers the design he did for Today On The Subway?)

    Posted 20 Dec 2012 at 11:40 am

Post a Comment

Your email is never published nor shared. Required fields are marked *